Bug 1251379

1. Guest: Win2012r2

2. pass:
ping 10.66.73.164 -c 10
ping 10.66.73.164 -c 10 -s 63000

3. failed from -s 64000
ping 10.66.73.164 -c 10 -s 64000

4. nic: rtl8139
it works fine with virtio_nic

> 
> 3) i first met this problem in z stream
> 
> qemu: qemu-kvm-rhev-2.1.2-23.el7_1.7.x86_64
> kernel: kernel-3.10.0-229.11.1.el7.x86_64


We need to identify whether it's a regression issue.  Could you have a try qemu-kvm-rhev-2.1.2-23.el7_1.6.x86_64? It's pretty important.

Best Regards,
Junyi

1)have downgrade to qemu:qemu-kvm-rhev-2.3.0-13.el7.x86_64,and also has the problem

results:

1. pass:


[root@hp-z420-02 ~]# ping 10.66.73.164 -c 10
PING 10.66.73.164 (10.66.73.164) 56(84) bytes of data.
64 bytes from 10.66.73.164: icmp_seq=1 ttl=128 time=0.483 ms
64 bytes from 10.66.73.164: icmp_seq=2 ttl=128 time=0.243 ms
64 bytes from 10.66.73.164: icmp_seq=3 ttl=128 time=0.244 ms
64 bytes from 10.66.73.164: icmp_seq=4 ttl=128 time=0.215 ms
64 bytes from 10.66.73.164: icmp_seq=5 ttl=128 time=0.279 ms
64 bytes from 10.66.73.164: icmp_seq=6 ttl=128 time=0.240 ms
64 bytes from 10.66.73.164: icmp_seq=7 ttl=128 time=0.225 ms
64 bytes from 10.66.73.164: icmp_seq=8 ttl=128 time=0.272 ms
64 bytes from 10.66.73.164: icmp_seq=9 ttl=128 time=0.242 ms
64 bytes from 10.66.73.164: icmp_seq=10 ttl=128 time=0.225 ms

--- 10.66.73.164 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9006ms
rtt min/avg/max/mdev = 0.215/0.266/0.483/0.077 ms
[root@hp-z420-02 ~]# ping 10.66.73.164 -c 10 -s 63000
PING 10.66.73.164 (10.66.73.164) 63000(63028) bytes of data.
63008 bytes from 10.66.73.164: icmp_seq=1 ttl=128 time=2.91 ms
63008 bytes from 10.66.73.164: icmp_seq=2 ttl=128 time=2.76 ms
63008 bytes from 10.66.73.164: icmp_seq=3 ttl=128 time=2.82 ms
63008 bytes from 10.66.73.164: icmp_seq=4 ttl=128 time=2.89 ms
63008 bytes from 10.66.73.164: icmp_seq=5 ttl=128 time=2.99 ms
63008 bytes from 10.66.73.164: icmp_seq=6 ttl=128 time=2.85 ms
63008 bytes from 10.66.73.164: icmp_seq=7 ttl=128 time=3.28 ms
63008 bytes from 10.66.73.164: icmp_seq=8 ttl=128 time=2.84 ms
63008 bytes from 10.66.73.164: icmp_seq=9 ttl=128 time=2.80 ms
63008 bytes from 10.66.73.164: icmp_seq=10 ttl=128 time=2.76 ms

--- 10.66.73.164 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9013ms
rtt min/avg/max/mdev = 2.760/2.894/3.280/0.148 ms



2. failed:
[root@hp-z420-02 ~]# ping 10.66.73.164 -c 10 -s 64000
PING 10.66.73.164 (10.66.73.164) 64000(64028) bytes of data.

--- 10.66.73.164 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

[root@hp-z420-02 ~]# ping 10.66.73.164 -c 10 -s 65000
PING 10.66.73.164 (10.66.73.164) 65000(65028) bytes of data.

--- 10.66.73.164 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

This is an interesting case.  There are 2 issues here and both are in the qemu
emulation of the rtl8139 driver.

The first issue is that if a packet overflows the available emulated ring buffer,
the packet ends up being dropped by qemu.  This is simple enough to fix.

The other issue, which is a bit more interesting, and might have security
implications, is that emulated driver can not determine correctly whether the
receive ring is full.  This happens only in standard operating mode, which just
happens to be what windows uses.
In standard mode, the ring buffer simply uses 2 pointers to track the beginning
and the end of the buffer.  We write new data to the end of the buffer and read
from the beginning.  The buffer is also allowed to wrap.   The emulation assumes
that when begining and the end pointers are the same, the buffer is empty.  This
is not always the case, as the buffer may also be completely full in this case.
It is possible to send a specially sized packet that it after fragmentation it
would fill the emulated buffer completely.  Subsequent sends would end up
overwriting the original contents of the buffer.
Thus is it possible to partially or completely overwrite packet data currently
queued in the emulated ring buffer.

Moving to 7.3.  Not a security issue, not a regression, not a blocker since this
bug has existed or a very long time.

Reproduce on below version:
3.10.0-378.el7.x86_64
qemu-kvm-rhev-2.3.0-31.el7.x86_64

Test steps:
1.launch a win2012r2 guest with rtl8139 NIC.
/usr/libexec/qemu-kvm     -S      -name 'virt-tests-vm1'      -sandbox off      -machine pc      -nodefaults      -vga std      -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20150807-143123-2OZwwnr3,server,nowait     -mon chardev=qmp_id_qmpmonitor1,mode=control      -chardev socket,id=qmp_id_catch_monitor,path=/tmp/monitor-catch_monitor-20150807-143123-2OZwwnr3,server,nowait     -mon chardev=qmp_id_catch_monitor,mode=control      -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20150807-143123-2OZwwnr3,server,nowait     -device isa-serial,chardev=serial_id_serial0      -chardev socket,id=seabioslog_id_20150807-143123-2OZwwnr3,path=/tmp/seabios-20150807-143123-2OZwwnr3,server,nowait     -device isa-debugcon,chardev=seabioslog_id_20150807-143123-2OZwwnr3,iobase=0x402     -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03     -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pci.0,addr=04     -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,format=qcow2,file=/home/win2012-64r2-virtio.qcow2    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=13 -device rtl8139,netdev=macvtap0,mac=32:d7:63:b5:a9:54,id=net1 -netdev tap,id=macvtap0,vhost=on     -m 8192      -smp 8,maxcpus=8,cores=4,threads=1,sockets=2      -cpu 'SandyBridge',+kvm_pv_unhalt,hv_spinlocks=0x1fff,hv_vapic,hv_time       -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1      -vnc :0      -rtc base=localtime,clock=host,driftfix=slew      -boot order=cdn,once=c,menu=off,strict=off     -enable-kvm     -monitor stdio
2.ping guest from host with 63000/64000 size.

[root@dhcp-8-118 qemu230]#  ping 10.66.10.224 -s 63000
PING 10.66.10.224 (10.66.10.224) 63000(63028) bytes of data.
63008 bytes from 10.66.10.224: icmp_seq=40 ttl=128 time=918 ms
63008 bytes from 10.66.10.224: icmp_seq=41 ttl=128 time=2.50 ms

[root@dhcp-8-118 qemu230]#  ping 10.66.10.224 -s 64000
PING 10.66.10.224 (10.66.10.224) 64000(64028) bytes of data.
From 10.66.10.224 icmp_seq=1 Frag reassembly time exceeded
From 10.66.10.224 icmp_seq=2 Frag reassembly time exceeded

ping 64000 byte size failed, so this bug reproduce.

--------------------------------------------------------------
Verify this bug with below version:
3.10.0-378.el7.x86_64
qemu-kvm-rhev-2.6.0-1.el7.x86_64

The same test steps:
[root@dhcp-8-118 qemu260-1]#  ping 10.66.10.224 -s 63000
PING 10.66.10.224 (10.66.10.224) 63000(63028) bytes of data.
63008 bytes from 10.66.10.224: icmp_seq=45 ttl=128 time=2.74 ms

[root@dhcp-8-118 qemu260-1]#  ping 10.66.10.224 -s 64000
PING 10.66.10.224 (10.66.10.224) 64000(64028) bytes of data.
64008 bytes from 10.66.10.224: icmp_seq=1 ttl=128 time=854 ms
64008 bytes from 10.66.10.224: icmp_seq=2 ttl=128 time=2.39 ms

[root@dhcp-8-118 qemu260-1]#  ping 10.66.10.224 -s 65000
PING 10.66.10.224 (10.66.10.224) 65000(65028) bytes of data.
65008 bytes from 10.66.10.224: icmp_seq=1 ttl=128 time=21.3 ms

63000/64000/65000 size all fine, so this bug fix well.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html