On Tue, Apr 30, 2024 at 6:54 PM Alexey Dobriyan <adobri...@yandex-team.ru> wrote:
>
> Reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1451
> creates a small packet (1 segment, len = 10 == n->guest_hdr_len),
> then destroys the queue.
>
> "if (n->host_hdr_len != n->guest_hdr_len)" is triggered; the if body creates a
> zero length/zero segment packet as there is nothing after the guest header.
>
> qemu_sendv_packet_async() tries to send it.
>
> slirp discards it because it is smaller than the Ethernet header,
> but returns 0 because tx hooks are supposed to return the total length of data.
>
> 0 is propagated upwards and is interpreted as "packet has been sent",
> which is terrible because the queue is being destroyed, nobody is waiting for TX
> to complete and the assert is triggered.
>
> The fix is to discard such empty packets instead of sending them.
>
> Length 1 packets will go via a different codepath:
>
> virtqueue_push(q->tx_vq, elem, 0);
> virtio_notify(vdev, q->tx_vq);
> g_free(elem);
>
> and aren't problematic.
>
> Signed-off-by: Alexey Dobriyan <adobri...@yandex-team.ru>
> ---
>
> hopefully better changelog.
> use "if (out_num < 1)" so that discard doesn't calculate iov length
>
> hw/net/virtio-net.c | 18 ++++++++++++------
> 1 file changed, 12 insertions(+), 6 deletions(-)
>
I tweaked the title to "drop too short packets early" and queued it. Thanks
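Added example, not the patch's or QEMU's code: a constructed C model of the TX path the message describes, showing why a header-only descriptor that reaches the send hook yields a 0 the caller cannot tell apart from a deferred send, and how the `out_num < 1` check discards it before the hook is called. The header sizes, the function names and the hook's return convention are assumptions, and only the empty-packet case of the reproducer is modelled.

```c
#include <stddef.h>
#include <sys/uio.h>
/* Constructed model of the virtio-net TX path described in the thread; it is
 * not QEMU's code. Sizes and the hook's return convention are assumptions. */
#define GUEST_HDR_LEN 10   /* n->guest_hdr_len in the reproducer; host_hdr_len differs */
#define MIN_FRAME_LEN 14   /* Ethernet header: anything shorter is dropped */
#define MAX_SEGS      8
enum tx_result { TX_SENT, TX_DEFERRED, TX_DROPPED_EMPTY };
/* Model of the slirp-style TX hook: drops a frame shorter than an Ethernet
 * header but still returns 0, the same value the caller takes to mean
 * "queued, a completion callback will run later". */
static size_t send_hook(const struct iovec *iov, int iovcnt)
{
    size_t len = 0;
    for (int i = 0; i < iovcnt; i++) len += iov[i].iov_len;
    return len < MIN_FRAME_LEN ? 0 : len;
}
/* Skip the guest header and return how many segments remain; 0 when the
 * descriptor carried nothing but the header (the reproducer's case). */
static int strip_guest_header(const struct iovec *in, int in_num, struct iovec *out)
{
    size_t skip = GUEST_HDR_LEN;
    int out_num = 0;
    for (int i = 0; i < in_num && out_num < MAX_SEGS; i++) {
        if (skip >= in[i].iov_len) { skip -= in[i].iov_len; continue; }
        out[out_num].iov_base = (char *)in[i].iov_base + skip;
        out[out_num].iov_len = in[i].iov_len - skip;
        out_num++;
        skip = 0;
    }
    return out_num;
}
/* TX flush. With apply_fix set, the "if (out_num < 1)" check from the patch
 * discards the empty packet before the hook can turn it into a bogus 0. */
enum tx_result flush_tx(const struct iovec *in, int in_num, int apply_fix)
{
    struct iovec out[MAX_SEGS];
    int out_num = strip_guest_header(in, in_num, out);
    if (apply_fix && out_num < 1) return TX_DROPPED_EMPTY;
    return send_hook(out, out_num) == 0 ? TX_DEFERRED : TX_SENT;
}
/* One segment of `len` bytes, as in the reproducer (len = 10 => header only). */
enum tx_result tx_one_segment(size_t len, int apply_fix)
{
    static char frame[256];
    struct iovec seg = { frame, len };
    return flush_tx(&seg, 1, apply_fix);
}
```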