Commit Graph

423 Commits

Author SHA1 Message Date
Markus Armbruster
778358d0a8 rocker: Use g_new() & friends where that makes obvious sense
g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
for two reasons.  One, it catches multiplication overflowing size_t.
Two, it returns T * rather than void *, which lets the compiler catch
more type errors.

This commit only touches allocations with size arguments of the form
sizeof(T).  Same Coccinelle semantic patchas in commit b45c03f.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-10-08 19:46:47 +03:00
Jason Wang
0cf33fb6b4 virtio-net: correctly drop truncated packets
When packet is truncated during receiving, we drop the packets but
neither discard the descriptor nor add and signal used
descriptor. This will lead several issues:

- sg mappings are leaked
- rx will be stalled if a lots of packets were truncated

In order to be consistent with vhost, fix by discarding the descriptor
in this case.

Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-10-01 16:16:52 +03:00
Peter Maydell
690b286fef Remove muldiv64() by using period instead of frequency
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJWBVIdAAoJEPMMOL0/L748BXUP/2j+TRnsaU/gMHoL2IGP78BK
 LLLOL7yyV8ZrsrOFvyv8IW0DtpldoYsvObty/bNAr0iq+QwqwGWn9Gw4im5DtIkN
 s7e1WcxLgFHHcT1QLa70MUjjVtRrflTmcW9TVIW79PQ+HsCqnb7EmFZ96HxzH3zN
 YM93eBT6cJV3axsLwJsE82igCXsLo3raKGNb0jt8b6/XwMoR3iUb1Kgs2dJXZUJw
 TYPtHv7sJpQiLQY8Y8o4EjyyjdFuWPVeIfokgPahoOdVA1PSCx6Qh8o+FV1GZ+nF
 vmAr7Jolri6tdbMgRWtIgQQs2YSvPNIUEOYTXVu/4p287JGZPNU5790V2aIczERc
 gEPTqjI6w1AYy8/yMlO3WpfFxXWZH6ZsNBmxCmhH/mczA2dx3DzDlyI7SofQsCHW
 +81U6GSc/Ryy47C+b6m/YZNQDx3yG8rUFtY4PqCcjJwPZdSEhLEM7crC2XWJwy+0
 rg3SnVvXuE2vC/k7UHEYbnFOyVbvezUYJnigbppMilO8nfXIsyuvc7G4AT96jxbt
 4HQJT6ESGEsIToslWObJ53z3jzoAA17xp4gzkZjx7RwSofkFFIaT7jjaA/D2cxFn
 UOXZgAfde6mfg4Ak0czcBYYvm+peEjXBC+DfsBjfAcQ1dz6WSGyd3QZY0J7i9/7y
 iSNiuCE9J6Ha7XVVYzd2
 =krOI
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/vivier-misc/tags/pull-muldiv64-20150925' into staging

Remove muldiv64() by using period instead of frequency

# gpg: Signature made Fri 25 Sep 2015 14:54:37 BST using RSA key ID 3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier-misc/tags/pull-muldiv64-20150925:
  net: remove muldiv64()
  bt: remove muldiv64()
  hpet: remove muldiv64()
  arm: clarify the use of muldiv64()
  openrisc: remove muldiv64()
  mips: remove muldiv64()
  pcnet: remove muldiv64()
  rtl8139: remove muldiv64()
  i6300esb: remove muldiv64()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-09-25 18:03:19 +01:00
Laurent Vivier
c6acbe861f pcnet: remove muldiv64()
Originally, timers were ticks based, and it made sense to
add ticks to current time to know when to trigger an alarm.

But since commit:

7447545 change all other clock references to use nanosecond resolution accessors

All timers use nanoseconds and we need to convert ticks to nanoseconds, by
doing something like:

    y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

where x is the number of device ticks and y the number of system ticks.

y is used as nanoseconds in timer functions,
it works because 1 tick is 1 nanosecond.
(get_ticks_per_sec() is 10^9)

But as PCI frequency is 33 MHz, we can also do:

    y = x * 30; /* 33 MHz PCI period is 30 ns */

Which is much more simple.

This implies a 33.333333 MHz PCI frequency,
but this is correct.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-25 14:53:50 +02:00
Laurent Vivier
37b9ab92f7 rtl8139: remove muldiv64()
Originally, timers were ticks based, and it made sense to
add ticks to current time to know when to trigger an alarm.

But since commit:

7447545 change all other clock references to use nanosecond resolution accessors

All timers use nanoseconds and we need to convert ticks to nanoseconds, by
doing something like:

    y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

where x is the number of device ticks and y the number of system ticks.

y is used as nanoseconds in timer functions,
it works because 1 tick is 1 nanosecond.
(get_ticks_per_sec() is 10^9)

But as PCI frequency is 33 MHz, we can also do:

    y = x * 30; /* 33 MHz PCI period is 30 ns */

Which is much more simple.

This implies a 33.333333 MHz PCI frequency,
but this is correct.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-25 14:53:29 +02:00
Changchun Ouyang
7263a0ad78 vhost-user: add a new message to disable/enable a specific virt queue.
Add a new message, VHOST_USER_SET_VRING_ENABLE, to enable or disable
a specific virt queue, which is similar to attach/detach queue for
tap device.

virtio driver on guest doesn't have to use max virt queue pair, it
could enable any number of virt queue ranging from 1 to max virt
queue pair.

Signed-off-by: Changchun Ouyang <changchun.ouyang@intel.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Tested-by: Marcel Apfelbaum <marcel@redhat.com>
2015-09-24 16:27:53 +03:00
Changchun Ouyang
b931bfbf04 vhost-user: add multiple queue support
This patch is initially based a patch from Nikolay Nikolaev.

This patch adds vhost-user multiple queue support, by creating a nc
and vhost_net pair for each queue.

Qemu exits if find that the backend can't support the number of requested
queues (by providing queues=# option). The max number is queried by a
new message, VHOST_USER_GET_QUEUE_NUM, and is sent only when protocol
feature VHOST_USER_PROTOCOL_F_MQ is present first.

The max queue check is done at vhost-user initiation stage. We initiate
one queue first, which, in the meantime, also gets the max_queues the
backend supports.

In older version, it was reported that some messages are sent more times
than necessary. Here we came an agreement with Michael that we could
categorize vhost user messages to 2 types: non-vring specific messages,
which should be sent only once, and vring specific messages, which should
be sent per queue.

Here I introduced a helper function vhost_user_one_time_request(), which
lists following messages as non-vring specific messages:

        VHOST_USER_SET_OWNER
        VHOST_USER_RESET_DEVICE
        VHOST_USER_SET_MEM_TABLE
        VHOST_USER_GET_QUEUE_NUM

For above messages, we simply ignore them when they are not sent the first
time.

Signed-off-by: Nikolay Nikolaev <n.nikolaev@virtualopensystems.com>
Signed-off-by: Changchun Ouyang <changchun.ouyang@intel.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Tested-by: Marcel Apfelbaum <marcel@redhat.com>
2015-09-24 16:27:53 +03:00
Yuanhan Liu
e2051e9e00 vhost-user: add VHOST_USER_GET_QUEUE_NUM message
This is for querying how many queues the backend supports if it has mq
support(when VHOST_USER_PROTOCOL_F_MQ flag is set from the quried
protocol features).

vhost_net_get_max_queues() is the interface to export that value, and
to tell if the backend supports # of queues user requested, which is
done in the following patch.

Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Tested-by: Marcel Apfelbaum <marcel@redhat.com>
2015-09-24 16:27:52 +03:00
Yuanhan Liu
d1f8b30ec8 vhost: rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE
Quote from Michael:

    We really should rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE.

Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Tested-by: Marcel Apfelbaum <marcel@redhat.com>
2015-09-24 16:27:52 +03:00
Michael S. Tsirkin
dcb10c000c vhost-user: add protocol feature negotiation
Support a separate bitmask for vhost-user protocol features,
and messages to get/set protocol features.

Invoke them at init.

No features are defined yet.

[ leverage vhost_user_call for request handling -- Yuanhan Liu ]

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Tested-by: Marcel Apfelbaum <marcel@redhat.com>
2015-09-24 16:27:52 +03:00
Jason Wang
1f8828ef57 virtio-net: unbreak self announcement and guest offloads after migration
After commit 019a3edbb2 ("virtio: make
features 64bit wide"). Device's guest_features was actually set after
vdc->load(). This breaks the assumption that device specific load()
function can check guest_features. For virtio-net, self announcement
and guest offloads won't work after migration.

Fixing this by defer them to virtio_net_load() where guest_features
were guaranteed to be set. Other virtio devices looks fine.

Fixes: 019a3edbb2
       ("virtio: make features 64bit wide")
Cc: qemu-stable@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2015-09-24 13:39:46 +03:00
Markus Armbruster
f8ed85ac99 Fix bad error handling after memory_region_init_ram()
Symptom:

    $ qemu-system-x86_64 -m 10000000
    Unexpected error in ram_block_add() at /work/armbru/qemu/exec.c:1456:
    upstream-qemu: cannot set up guest memory 'pc.ram': Cannot allocate memory
    Aborted (core dumped)

Root cause: commit ef701d7 screwed up handling of out-of-memory
conditions.  Before the commit, we report the error and exit(1), in
one place, ram_block_add().  The commit lifts the error handling up
the call chain some, to three places.  Fine.  Except it uses
&error_abort in these places, changing the behavior from exit(1) to
abort(), and thus undoing the work of commit 3922825 "exec: Don't
abort when we can't allocate guest memory".

The three places are:

* memory_region_init_ram()

  Commit 4994653 (right after commit ef701d7) lifted the error
  handling further, through memory_region_init_ram(), multiplying the
  incorrect use of &error_abort.  Later on, imitation of existing
  (bad) code may have created more.

* memory_region_init_ram_ptr()

  The &error_abort is still there.

* memory_region_init_rom_device()

  Doesn't need fixing, because commit 33e0eb5 (soon after commit
  ef701d7) lifted the error handling further, and in the process
  changed it from &error_abort to passing it up the call chain.
  Correct, because the callers are realize() methods.

Fix the error handling after memory_region_init_ram() with a
Coccinelle semantic patch:

    @r@
    expression mr, owner, name, size, err;
    position p;
    @@
            memory_region_init_ram(mr, owner, name, size,
    (
    -                              &error_abort
    +                              &error_fatal
    |
                                   err@p
    )
                                  );
    @script:python@
        p << r.p;
    @@
    print "%s:%s:%s" % (p[0].file, p[0].line, p[0].column)

When the last argument is &error_abort, it gets replaced by
&error_fatal.  This is the fix.

If the last argument is anything else, its position is reported.  This
lets us check the fix is complete.  Four positions get reported:

* ram_backend_memory_alloc()

  Error is passed up the call chain, ultimately through
  user_creatable_complete().  As far as I can tell, it's callers all
  handle the error sanely.

* fsl_imx25_realize(), fsl_imx31_realize(), dp8393x_realize()

  DeviceClass.realize() methods, errors handled sanely further up the
  call chain.

We're good.  Test case again behaves:

    $ qemu-system-x86_64 -m 10000000
    qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory
    [Exit 1 ]

The next commits will repair the rest of commit ef701d7's damage.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1441983105-26376-3-git-send-email-armbru@redhat.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
2015-09-18 14:39:29 +02:00
Peter Crosthwaite
271a234a23 net: smc91c111: flush packets on RCR register changes
The SOFT_RST or RXEN in the control register can be used as a condition
to unblock the net layer via can_receive(). So check for possible
flushes on RCR changes. This will drop all pending packets on soft
reset or disable which is the functional intent of the can_receive()
logic.

Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Message-id: b114d4c96f4afbdaa15f1361d9c07e3021755915.1441873621.git.crosthwaite.peter@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-17 12:36:03 +01:00
Peter Crosthwaite
e62cb54cd5 net: smc91c111: gate can_receive() on rx FIFO having a slot
Return false from can_receive() when the FIFO doesn't have a free RX
slot. This fixes a bug in the current code where the allocated buffer
is freed before the fifo pop, triggering a premature flush of queued RX
packets. It also will handle a corner case, where the guest manually
frees the allocated buffer before popping the rx FIFO (hence it is not
enough to just delay the flush_queued_packets()).

Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Message-id: 97bfdfc5cbce0bd5e0cbbbff35ce7a1bf6f8603d.1441873621.git.crosthwaite.peter@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-17 12:36:03 +01:00
Peter Crosthwaite
8d06b14927 net: smc91c111: guard flush_queued_packets() on can_rx()
Check that the core can once again receive packets before asking the
net layer to do a flush. This will make it more convenient to flush
packets when adding new conditions to can_receive.

Add missing if braces while moving the can_receive() core code.

Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Message-id: 92e15e12a6964274f4bc0eb71b61a7d94326f6c6.1441873621.git.crosthwaite.peter@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-17 12:36:03 +01:00
P J P
737d2b3c41 net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-15 12:51:14 +01:00
P J P
9bbdbc66e5 net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-15 12:51:14 +01:00
P J P
b947ac2bf2 e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
2015-09-15 12:51:02 +01:00
Veres Lajos
67cc32ebfd typofixes - v4
Signed-off-by: Veres Lajos <vlajos@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:45:43 +03:00
Markus Armbruster
012aef0734 maint: avoid useless "if (foo) free(foo)" pattern
My Coccinelle semantic patch finds a few more, because it also fixes up
the equally pointless conditional

    if (foo) {
        free(foo);
        foo = NULL;
    }

Result (feel free to squash it into your patch):

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Daniel P. Berrange
ef1e1e0782 maint: avoid useless "if (foo) free(foo)" pattern
The free() and g_free() functions both happily accept
NULL on any platform QEMU builds on. As such putting a
conditional 'if (foo)' check before calls to 'free(foo)'
merely serves to bloat the lines of code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Daniel P. Berrange
1618d2ae7f maint: remove unused include for signal.h
A number of files were including signal.h but not using any
of the functions it provides

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Daniel P. Berrange
b6af097528 maint: remove / fix many doubled words
Many source files have doubled words (eg "the the", "to to",
and so on). Most of these can simply be removed, but a couple
were actual mis-spellings (eg "to to" instead of "to do").
There was even one triple word score "to to to" :-)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Cornelia Huck
95129d6fc9 virtio: avoid leading underscores for helpers
Commit ef546f1275 ("virtio: add
feature checking helpers") introduced a helper __virtio_has_feature.
We don't want to use reserved identifiers, though, so let's
rename __virtio_has_feature to virtio_has_feature and virtio_has_feature
to virtio_vdev_has_feature.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-09-10 11:06:05 +03:00
Alistair Francis
7777b7a0ba cadence_gem: Correct Marvell PHY SPCFC reset value
Bit 15 of the PHY Specific Status Register is reserved and
should remain 0. Fix the reset value to ensure that the 15th
bit is not set.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: c795069e49040ff770fe2ece19dfe1791b729e22.1441316450.git.alistair.francis@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-09-08 17:38:45 +01:00
Jean-Christophe Dubois
fcbd8018e6 i.MX: Add FEC Ethernet Emulator
This is based on mcf_fec.c FEC implementation for Coldfire

  * A generic PHY was added (borrowwed from LAN9118)
  * The buffer management is also modified as buffers are
    slightly different between Coldfire and i.MX

Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: fb314f8a120aa49f8f6ad886f312c649b484fb5a.1441057361.git.jcd@tribudubois.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-09-07 10:39:30 +01:00
Fam Zheng
c5a9378045 ne2000: Drop ne2000_can_receive
ne2000_receive already checks the same conditions and drops the packet
if it's not ready, removing the .can_receive callback avoids the
necessity to add explicit flushes when the conditions turn true (which
is required by the new semantics of .can_receive since 6e99c63
"net/socket: Drop net_socket_can_send").

Plus the "return 1" if E8390_STOP is also suspicious.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 14:51:07 +01:00
Fam Zheng
2734a20b81 vmxnet3: Drop net_vmxnet3_info.can_receive
Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
semantics around .can_receive for sockets to now require the device to
flush queued pkts when transitioning to a .can_receive=true state. But
it's OK to drop incoming packets when the link is not active.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 14:50:25 +01:00
Vladislav Yasevich
26c4e7ca72 rtl8139: Do not consume the packet during overflow in standard mode.
When operation in standard mode, we currently return the size
of packet during buffer overflow.  This consumes the overflow
packet.  Return 0 instead so we can re-process the overflow packet
when we have room.

This fixes issues with lost/dropped fragments of large messages.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1441121206-6997-3-git-send-email-vyasevic@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 13:42:31 +01:00
Vladislav Yasevich
fabdcd3392 rtl8139: Fix receive buffer overflow check
rtl8139_do_receive() tries to check for the overflow condition
by making sure that packet_size + 8 does not exceed the
available buffer space.  The issue here is that RxBuffAddr,
used to calculate available buffer space, is aligned to a
a 4 byte boundry after every update.  So it is possible that
every packet ends up being slightly padded when written
to the receive buffer.  This padding is not taken into
account when checking for overflow and we may end up missing
the overflow condition can causing buffer overwrite.

This patch takes alignment into consideration when
checking for overflow condition.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1441121206-6997-2-git-send-email-vyasevic@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 13:42:31 +01:00
Stefan Hajnoczi
26c0114d3f rtl8139: use ldl/stl wrapper for unaligned 32-bit access
The tx offload feature accesses a 16-bit aligned TCP header struct.  The
32-bit fields must be accessed using ldl/stl wrappers since some host
architectures fault on unaligned access.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1438604157-29664-4-git-send-email-stefanha@redhat.com
2015-09-02 13:24:13 +01:00
Stefan Hajnoczi
1bf11332c4 rtl8139: use net/eth.h macros instead of custom macros
Eliminate the following "custom" macros since they are just duplicates
of net/eth.h macros under a different name:

  ETHER_ADDR_LEN -> ETH_ALEN
  ETH_P_8021Q -> ETH_P_VLAN
  IP_HEADER_LENGTH -> IP_HDR_GET_LEN
  TCP_FLAG_FIN -> TH_FIN
  TCP_FLAG_PUSH -> TH_PUSH

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1438604157-29664-3-git-send-email-stefanha@redhat.com
2015-09-02 13:24:13 +01:00
Stefan Hajnoczi
5d61721a62 rtl8139: remove duplicate net/eth.h definitions
The transmit offload features inspect Ethernet, IP, TCP, and UDP
headers.  Avoid redefining these net/eth.h structs.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1438604157-29664-2-git-send-email-stefanha@redhat.com
2015-09-02 13:24:13 +01:00
Peter Maydell
6b324b3e59 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJVzgK/AAoJEJykq7OBq3PIx7gH/RU2ifJuspllRLBRBfw9K9yg
 78eE4RmGVI7Tx5s1rvpgRF8fe2drG3Hy57kUbvJAhkLQKFqynkvfetOruWmeMV+u
 9Q2Xz4Xxo6XRj27xaPAoUwak7HA7YPniRu3RbHAjGv1P4PUobPELmtDEzqB+ZsTp
 FSmftcZWipILpHorJR1Glqq2LY66WUljwAxPzBYqyCRMjTK1RnwOTChRVLo/0lGr
 DHR6oHS7kmHuJcJ63EkZFWX+Xxi/WKk3p+xoiF0/L3q9dtnFcVrCq/SuFPwlCyqI
 I5jnvZ8ojC2lmJULJcV12V8nbuj6nIxfa6+tySdpjW5Jxd/QL+k0X/4I0bYsoeQ=
 =M3sM
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

# gpg: Signature made Fri 14 Aug 2015 16:01:19 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  tests: test rx recovery from cont
  tests: introduce basic pci test for virtio-net
  net/vmxnet3: Fix incorrect debug message

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-08-14 18:06:44 +01:00
Jason Wang
bd89dd98b2 virtio-net: remove useless codes
After commit 40bad8f3deba15e2074ff34cfe923c12916b1cc5("virtio-net: fix
used len for tx"), async_tx.len was no longer used afterwards. So
remove useless codes with it.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-08-13 14:08:29 +03:00
Dana Rubin
b9f7c377df net/vmxnet3: Fix incorrect debug message
From: Dana Rubin <dana.rubin@ravellosystems.com>

In commit 80da311d81,
   "net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets"
a debug message was introduced in vmxnet3_rx_need_csum_calculate() for
an unlikely input condition.

The message accidentally printed 'len' variable instead of 'pkt_len'.
Fix, providing the correct argument.

Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Message-id: 1438109090-18957-1-git-send-email-shmulik.ladkani@ravellosystems.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-04 09:41:22 +01:00
Stefan Hajnoczi
8357946b15 rtl8139: check TCP Data Offset field (CVE-2015-5165)
The TCP Data Offset field contains the length of the header.  Make sure
it is valid and does not exceed the IP data length.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:10 +01:00
Stefan Hajnoczi
4240be4563 rtl8139: skip offload on short TCP header (CVE-2015-5165)
TCP Large Segment Offload accesses the TCP header in the packet.  If the
packet is too short we must not attempt to access header fields:

  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:07 +01:00
Stefan Hajnoczi
c6296ea88d rtl8139: check IP Total Length field (CVE-2015-5165)
The IP Total Length field includes the IP header and data.  Make sure it
is valid and does not exceed the Ethernet payload size.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:06 +01:00
Stefan Hajnoczi
03247d43c5 rtl8139: check IP Header Length field (CVE-2015-5165)
The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:03 +01:00
Stefan Hajnoczi
e1c120a9c5 rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
Transmit offload features access Ethernet and IP headers the packet.  If
the packet is too short we must not attempt to access header fields:

  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:00 +01:00
Stefan Hajnoczi
d6812d60e7 rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
The previous patch stopped using the ip pointer as an indicator that the
IP header is present.  When we reach the if (ip) {...} statement we know
ip is always non-NULL.

Remove the if statement to reduce nesting.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:07:54 +01:00
Stefan Hajnoczi
39b8e7dcaf rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Transmit offload needs to parse packet headers.  If header fields have
unexpected values the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation.  The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:06:59 +01:00
Peter Maydell
b83d017d88 Pull request
These two .can_receive() are now reviewed.  The net subsystem queue for 2.4 is now empty.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJVt3TbAAoJEJykq7OBq3PIxcQH/2LEY8q3zetJdNe9Zu1bQMhQ
 J/Ah+szCNCCHOpNfQEBI6zRT4wUMZZTlIUM1el2ykYnYqRYd585GK/+RZ0/yWQUG
 yYNWAFfj/b586+aazk2+BnosSywVjCZ1f32OtaAsh14c+3aoXkQyahljA4onIuVp
 kLi1psmnBZgRf6AeICnuUTTOYq8BBX6CTg0sxPpIbZe57epwGkK+6gtZV6aSW/Ra
 lbkhXNrmyyvycGuOLDpyjE3yUvHuwn+H+JFeRklTEA2pKyMg1AYVMrIKvBeQej8u
 g4+sYYME0rMuFL9iISwVYnkTBjYZnE8+6on2ELkElGvWf28kqb1rYWYciyRhf1Y=
 =K3Fg
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

Pull request

These two .can_receive() are now reviewed.  The net subsystem queue for 2.4 is now empty.

# gpg: Signature made Tue Jul 28 13:26:03 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  xen: Drop net_rx_ok
  hw/net: handle flow control in mcf_fec driver receiver

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28 19:02:04 +01:00
Peter Maydell
170f209d78 virtio fixes for 2.4
Mostly virtio 1 spec compliance fixes.
 We are unlikely to make it perfectly compliant in
 the first release, but it seems worth it to try.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJVtprUAAoJECgfDbjSjVRpgu4H/AljqEXBYIS/+7aZBGO4UnK/
 LSyxiOfw/sQPwYr8xqhYtoITVPQqkBnCajBFuDw3IaGrTDQ1pHfG8z5qt3Fri+yC
 RtiqiFg1LVR/AI8W/dUDuLAf8xq1GukZr1o59mi3hAA0pcPxUtVjPkZcaq63d0P+
 uzCgRw0qlg8nbT7SN2O9HZz7AT2emaUkaJBF2eRBb7r1kg3ZzM0FOtmCWaRhtS5s
 8AuHS+038BWA0J/S7yd5YooQh7NfvmWFpRNukMttJrtOmi7f5LCJJF9rxcXAnzOn
 Soc0afauCtUTfxJ4gkLqxQ586eKpREQ+7lzkJDQ62g1oD/+VatOMcbu3jdnJEtQ=
 =AoJS
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio fixes for 2.4

Mostly virtio 1 spec compliance fixes.
We are unlikely to make it perfectly compliant in
the first release, but it seems worth it to try.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  virtio: minor cleanup
  acpi: fix pvpanic device is not shown in ui
  virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device
  virtio-blk: fail get_features when both scsi and 1.0 were set
  virtio: get_features() can fail
  virtio-pci: fix memory MR cleanup for modern
  virtio: set any_layout in virtio core
  virtio-9p: fix any_layout
  virtio-serial: fix ANY_LAYOUT
  virtio: hide legacy features from modern guests

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28 17:09:56 +01:00
Fam Zheng
7bba83bf80 xen: Drop net_rx_ok
Let net_rx_packet() (which checks the same conditions) drops the packet
if the device is not ready. Drop net_xen_info.can_receive and update the
return value for the buffer full case.

We rely on the qemu_flush_queued_packets() in net_event() to wake up
the peer when the buffer becomes available again.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1438077176-378-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28 11:35:54 +01:00
Greg Ungerer
ff1d2ac949 hw/net: handle flow control in mcf_fec driver receiver
The network mcf_fec driver emulated receive side method is not dealing
with network queue flow control properly.

Modify the receive side to check if we have enough space in the
descriptors to store the current packet. If not we process none of it
and return 0. When the guest frees up some buffers through its descriptors
we signal the qemu net layer to send more packets.

[Fixed coding style: 4-space indent and curly braces on if statement.
--Stefan]

Signed-off-by: Greg Ungerer <gerg@uclinux.org>
Message-id: 1438045374-10358-1-git-send-email-gerg@uclinux.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28 11:27:53 +01:00
Hervé Poussineau
52579c681c net/dp8393x: do not use memory_region_init_rom_device with NULL
Replace memory_region_init_rom_device() with memory_region_init_ram() and
memory_region_set_readonly().
This fixes a guest-triggerable QEMU crash when guest tries to write to PROM.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
[leon.alrae@imgtec.com: shorten subject length]
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28 09:30:10 +01:00
Hervé Poussineau
30dfa9a46c net/dp8393x: remove check of runt packets
Ethernet requires that messages are at least 64 bytes on the wire. This
limitation does not exist on emulation (no wire message), so remove the
check. Netcard is now able to receive small network packets.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28 09:30:09 +01:00
Hervé Poussineau
f6351288b6 net/dp8393x: disable user creation
Netcard needs an address space to write data to, which can't be specified
on command line.
This fixes a crash when user starts QEMU with "-device dp8393x"

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28 09:29:25 +01:00