aboutsummaryrefslogtreecommitdiff
path: root/hw/net
AgeCommit message (Collapse)AuthorFilesLines
2016-02-08qom: Swap 'name' next to visitor in ObjectPropertyAccessorEric Blake1-4/+6
Similar to the previous patch, it's nice to have all functions in the tree that involve a visitor and a name for conversion to or from QAPI to consistently stick the 'name' parameter next to the Visitor parameter. Done by manually changing include/qom/object.h and qom/object.c, then running this Coccinelle script and touching up the fallout (Coccinelle insisted on adding some trailing whitespace). @ rule1 @ identifier fn; typedef Object, Visitor, Error; identifier obj, v, opaque, name, errp; @@ void fn - (Object *obj, Visitor *v, void *opaque, const char *name, + (Object *obj, Visitor *v, const char *name, void *opaque, Error **errp) { ... } @@ identifier rule1.fn; expression obj, v, opaque, name, errp; @@ fn(obj, v, - opaque, name, + name, opaque, errp) Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-20-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-02-08qapi: Swap visit_* arguments for consistent 'name' placementEric Blake1-2/+2
JSON uses "name":value, but many of our visitor interfaces were called with visit_type_FOO(v, &value, name, errp). This can be a bit confusing to have to mentally swap the parameter order to match JSON order. It's particularly bad for visit_start_struct(), where the 'name' parameter is smack in the middle of the otherwise-related group of 'obj, kind, size' parameters! It's time to do a global swap of the parameter ordering, so that the 'name' parameter is always immediately after the Visitor argument. Additional reason in favor of the swap: the existing include/qjson.h prefers listing 'name' first in json_prop_*(), and I have plans to unify that file with the qapi visitors; listing 'name' first in qapi will minimize churn to the (admittedly few) qjson.h clients. Later patches will then fix docs, object.h, visitor-impl.h, and those clients to match. Done by first patching scripts/qapi*.py by hand to make generated files do what I want, then by running the following Coccinelle script to affect the rest of the code base: $ spatch --sp-file script `git grep -l '\bvisit_' -- '**/*.[ch]'` I then had to apply some touchups (Coccinelle insisted on TAB indentation in visitor.h, and botched the signature of visit_type_enum() by rewriting 'const char *const strings[]' to the syntactically invalid 'const char*const[] strings'). The movement of parameters is sufficient to provoke compiler errors if any callers were missed. // Part 1: Swap declaration order @@ type TV, TErr, TObj, T1, T2; identifier OBJ, ARG1, ARG2; @@ void visit_start_struct -(TV v, TObj OBJ, T1 ARG1, const char *name, T2 ARG2, TErr errp) +(TV v, const char *name, TObj OBJ, T1 ARG1, T2 ARG2, TErr errp) { ... } @@ type bool, TV, T1; identifier ARG1; @@ bool visit_optional -(TV v, T1 ARG1, const char *name) +(TV v, const char *name, T1 ARG1) { ... } @@ type TV, TErr, TObj, T1; identifier OBJ, ARG1; @@ void visit_get_next_type -(TV v, TObj OBJ, T1 ARG1, const char *name, TErr errp) +(TV v, const char *name, TObj OBJ, T1 ARG1, TErr errp) { ... } @@ type TV, TErr, TObj, T1, T2; identifier OBJ, ARG1, ARG2; @@ void visit_type_enum -(TV v, TObj OBJ, T1 ARG1, T2 ARG2, const char *name, TErr errp) +(TV v, const char *name, TObj OBJ, T1 ARG1, T2 ARG2, TErr errp) { ... } @@ type TV, TErr, TObj; identifier OBJ; identifier VISIT_TYPE =~ "^visit_type_"; @@ void VISIT_TYPE -(TV v, TObj OBJ, const char *name, TErr errp) +(TV v, const char *name, TObj OBJ, TErr errp) { ... } // Part 2: swap caller order @@ expression V, NAME, OBJ, ARG1, ARG2, ERR; identifier VISIT_TYPE =~ "^visit_type_"; @@ ( -visit_start_struct(V, OBJ, ARG1, NAME, ARG2, ERR) +visit_start_struct(V, NAME, OBJ, ARG1, ARG2, ERR) | -visit_optional(V, ARG1, NAME) +visit_optional(V, NAME, ARG1) | -visit_get_next_type(V, OBJ, ARG1, NAME, ERR) +visit_get_next_type(V, NAME, OBJ, ARG1, ERR) | -visit_type_enum(V, OBJ, ARG1, ARG2, NAME, ERR) +visit_type_enum(V, NAME, OBJ, ARG1, ARG2, ERR) | -VISIT_TYPE(V, OBJ, NAME, ERR) +VISIT_TYPE(V, NAME, OBJ, ERR) ) Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-19-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-02-08Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell2-38/+54
pc and misc cleanups and fixes, virtio optimizations Included here: Refactoring and bugfix patches in PC/ACPI. New commands for ipmi. Virtio optimizations. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Sat 06 Feb 2016 18:44:26 GMT using RSA key ID D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" * remotes/mst/tags/for_upstream: (45 commits) net: set endianness on all backend devices fix MSI injection on Xen intel_iommu: large page support dimm: Correct type of MemoryHotplugState->base pc: set the OEM fields in the RSDT and the FADT from the SLIC acpi: add function to extract oem_id and oem_table_id from the user's SLIC acpi: expose oem_id and oem_table_id in build_rsdt() acpi: take oem_id in build_header(), optionally pc: Eliminate PcGuestInfo struct pc: Move APIC and NUMA data from PcGuestInfo to PCMachineState pc: Move PcGuestInfo.fw_cfg to PCMachineState pc: Remove PcGuestInfo.isapc_ram_fw field pc: Remove RAM size fields from PcGuestInfo pc: Remove compat fields from PcGuestInfo acpi: Don't save PcGuestInfo on AcpiBuildState acpi: Remove guest_info parameters from functions pc: Simplify xen_load_linux() signature pc: Simplify pc_memory_init() signature pc: Eliminate struct PcGuestInfoState pc: Move PcGuestInfo declaration to top of file ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-02-06net: set endianness on all backend devicesLaurent Vivier1-12/+11
commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991 vhost-net: tell tap backend about the vnet endianness makes vhost net to set the endianness of the device, but only for the first device. In case of multiqueue, we have multiple devices... This patch sets the endianness for all the devices of the interface. Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Jason Wang <jasowang@redhat.com>
2016-02-06virtio: move allocation to virtqueue_pop/vring_popPaolo Bonzini1-26/+43
The return code of virtqueue_pop/vring_pop is unused except to check for errors or 0. We can thus easily move allocation inside the functions and just return a pointer to the VirtQueueElement. The advantage is that we will be able to allocate only the space that is needed for the actual size of the s/g list instead of the full VIRTQUEUE_MAX_SIZE items. Currently VirtQueueElement takes about 48K of memory, and this kind of allocation puts a lot of stress on malloc. By cutting the size by two or three orders of magnitude, malloc can use much more efficient algorithms. The patch is pretty large, but changes to each device are testable more or less independently. Splitting it would mostly add churn. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2016-02-04e1000: eliminate infinite loops on out-of-bounds transfer startLaszlo Ersek1-2/+4
The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors that the guest's e1000 driver prepares: - the TDLEN and RDLEN registers store the total size of the descriptor area, - while the TDH and RDH registers store the offset (in whole tx / rx descriptors) into the area where the transfer is supposed to start. Each time a descriptor is processed, the TDH and RDH register is bumped (as appropriate for the transfer direction). QEMU already contains logic to deal with bogus transfers submitted by the guest: - Normally, the transmit case wants to increase TDH from its initial value to TDT. (TDT is allowed to be numerically smaller than the initial TDH value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe that QEMU currently has here is a check against reaching the original TDH value again -- a complete wraparound, which should never happen. - In the receive case RDH is increased from its initial value until "total_size" bytes have been received; preferably in a single step, or in "s->rxbuf_size" byte steps, if the latter is smaller. However, null RX descriptors are skipped without receiving data, while RDH is incremented just the same. QEMU tries to prevent an infinite loop (processing only null RX descriptors) by detecting whether RDH assumes its original value during the loop. (Again, wrapping from RDLEN to 0 is normal.) What both directions miss is that the guest could program TDLEN and RDLEN so low, and the initial TDH and RDH so high, that these registers will immediately be truncated to zero, and then never reassume their initial values in the loop -- a full wraparound will never occur. The condition that expresses this is: xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) i.e., TDH or RDH start out after the last whole rx or tx descriptor that fits into the TDLEN or RDLEN sized area. This condition could be checked before we enter the loops, but pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for bogus DMA addresses, so we just extend the existing failsafes with the above condition. This is CVE-2016-1981. Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Prasad Pandit <ppandit@redhat.com> Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Cc: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04cadence_gem: fix buffer overflowMichael S. Tsirkin1-0/+8
gem_transmit copies a packet from guest into an tx_packet[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow. Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-02-04net: cadence_gem: check packet size in gem_recievePrasad J Pandit1-0/+4
While receiving packets in 'gem_receive' routine, if Frame Check Sequence(FCS) is enabled, it copies the packet into a local buffer without checking its size. Add check to validate packet length against the buffer size to avoid buffer overflow. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-29hw/net: Clean up includesPeter Maydell31-5/+31
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-19-git-send-email-peter.maydell@linaro.org
2016-01-29virtio: Clean up includesPeter Maydell1-0/+1
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-15-git-send-email-peter.maydell@linaro.org
2016-01-29xen: Clean up includesPeter Maydell1-10/+1
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-14-git-send-email-peter.maydell@linaro.org
2016-01-29arm: Clean up includesPeter Maydell5-0/+5
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-13-git-send-email-peter.maydell@linaro.org
2016-01-29ppc: Clean up includesPeter Maydell1-0/+1
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-6-git-send-email-peter.maydell@linaro.org
2016-01-29lm32: Clean up includesPeter Maydell1-0/+1
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-5-git-send-email-peter.maydell@linaro.org
2016-01-26xen: Switch to libxengnttab interface for compat shims.Ian Campbell1-9/+9
In Xen 4.7 we are refactoring parts libxenctrl into a number of separate libraries which will provide backward and forward API and ABI compatiblity. One such library will be libxengnttab which provides access to grant tables. In preparation for this switch the compatibility layer in xen_common.h (which support building with older versions of Xen) to use what will be the new library API. This means that the gnttab shim will disappear for versions of Xen which include libxengnttab. To simplify things for the <= 4.0.0 support we wrap the int fd in a malloc(sizeof int) such that the handle is always a pointer. This leads to less typedef headaches and the need for XC_HANDLER_INITIAL_VALUE etc for these interfaces. Note that this patch does not add any support for actually using libxengnttab, it just adjusts the existing shims. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2016-01-22fpu: Replace uint8 typedef with uint8_tPeter Maydell1-1/+1
Replace the uint8 softfloat-specific typedef with uint8_t. This change was made with find include hw fpu target-* -name '*.[ch]' | xargs sed -i -e 's/\buint8\b/uint8_t/g' together with manual removal of the typedef definition and manual fixing of more erroneous uses found via test compilation. It turns out that the only code using this type is an accidental use where uint8_t was intended anyway... Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Acked-by: Leon Alrae <leon.alrae@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Message-id: 1452603315-27030-7-git-send-email-peter.maydell@linaro.org
2016-01-22fpu: Replace uint32 typedef with uint32_tPeter Maydell1-1/+1
Replace the uint32 softfloat-specific typedef with uint32_t. This change was made with find include hw fpu target-* -name '*.[ch]' | xargs sed -i -e 's/\buint32\b/uint32_t/g' together with manual removal of the typedef definition, manual undoing of various mis-hits, and another couple of fixes found via test compilation. All the uses in hw/ were using the wrong type by mistake. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> Acked-by: Leon Alrae <leon.alrae@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Message-id: 1452603315-27030-5-git-send-email-peter.maydell@linaro.org
2016-01-13etraxfs_eth: Don't use hw_error() in init() methodMarkus Armbruster1-1/+3
Device init() methods aren't supposed to call hw_error(), they should report the error and fail cleanly. Do that. Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com> Signed-off-by: Markus Armbruster <armbru@pond.sub.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-Id: <1450370121-5768-5-git-send-email-armbru@redhat.com>
2016-01-11ether/slirp: Avoid redefinition of the same constantsDr. David Alan Gilbert1-1/+0
eth.h and slirp.h both define ETH_ALEN and ETH_P_IP rtl8139.c and eth.h both define ETH_HLEN Move the related constant (ETH_P_ARP) from slirp.h to eth.h, and remove the duplicates; make slirp.h include eth.h Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net: ne2000: fix bounds check in ioport operationsPrasad J Pandit1-4/+6
While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w errors. Update respective array bounds check to avoid OOB access. Reported-by: Ling Liu <liuling-it@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net: rocker: fix an incorrect array bounds checkPrasad J Pandit1-4/+4
While processing transmit(tx) descriptors in 'tx_consume' routine the switch emulator suffers from an off-by-one error, if a descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) fragments. Fix an incorrect bounds check to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: Introduce 'x-disable-pcie' back-compat propertyShmulik Ladkani1-0/+2
Following the previous patch which changed vmxnet3 to be a pci express device, this patch introduces a boolean property 'x-disable-pcie' whose default is false. Setting 'x-disable-pcie' to 'on' preserves the old 'pci device' (non express) behavior. This allows migration to older versions. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: Report the Device Serial Number capabilityShmulik Ladkani1-2/+26
Report the DSN extended PCI capability at 0x100. DSN value is a transformation of device MAC address, as calculated by VMware virtual hardware. DSN is reported only if device is pcie. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: The vmxnet3 device is a PCIE endpointShmulik Ladkani1-1/+52
Report the 'express endpoint' capability if on a PCIE bus. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: coding: Introduce VMXNET3ClassShmulik Ladkani1-0/+10
Introduce a class type for vmxnet3, and the usual DEVICE_CLASS/DEVICE_GET_CLASS macros. No semantic change. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: Introduce 'x-old-msi-offsets' back-compat propertyShmulik Ladkani1-0/+2
Following the previous patches, where vmxnet3's pci's msi/msix capability offsets and msix's PBA table offsets have been changed, this patch introduces a boolean property 'x-old-msi-offsets' to vmxnet3, whose default is false. Setting 'x-old-msi-offsets' to 'on' preserves the old offsets behavior, which allows migration to older versions. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: Change the offset of the MSIX PBA tableShmulik Ladkani1-2/+3
Place the PBA table at 0x1000, as placed by VMware virtual hardware. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11vmxnet3: Change offsets of msi/msix pci capabilitiesShmulik Ladkani1-3/+15
Place device reported PCI capabilities at the same offsets as placed by the VMware virtual hardware: MSI at [84], MSI-X at [9c]. Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: rename VMXNET3_DEVICE_VERSION to VMXNET3_UPT_REVISIONMiao Yan1-2/+2
VMXNET3_DEVICE_VERSION is used as return value for accessing UPT Revision Report and Selection register. So rename it to VMXNET3_UPT_REVISION. Signed-off-by: Miao Yan <yanmiaoebest@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: return 0 on unknown commandMiao Yan1-1/+1
Return 0 on unknown command, this is what esxi (5.x+) behaves. Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: return correct value for VMXNET3_CMD_GET_DEV_EXTRA_INFOMiao Yan1-0/+5
VMXNET3_CMD_GET_DEV_EXTRA_INFO should return 0 for emulation mode This behavior can be observed by the following steps: 1) run a Linux distro on esxi server (5.x+) 2) modify vmxnet3 Linux driver to read the register: VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_CMD, VMXNET3_CMD_GET_DEV_EXTRA_INFO); ret = VMXNET3_READ_BAR1_REG(adapter, VMXNET3_REG_CMD); pr_info("vmxnet3 dev_info: 0x%x\n", ret); The kernel log will have some like the following message: [ 7005.111170] vmxnet3 dev_info: 0x0 Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: return correct value for VMXNET3_CMD_GET_DID_* commandMiao Yan1-0/+16
VMXNET3_CMD_GET_DID_LO should return PCI ID of the device and VMXNET3_CMD_GET_DID_HI should return vmxnet3 revision ID. This behavior can be observed by the following steps: 1) run a Linux distro on esxi server (5.x+) 2) modify vmxnet3 Linux driver to read DID_HI and DID_LO: VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_CMD, VMXNET3_CMD_GET_DID_LO); lo = VMXNET3_READ_BAR1_REG(adapter, VMXNET3_REG_CMD); VMXNET3_WRITE_BAR1_REG(adapter, VMXNET3_REG_CMD, VMXNET3_CMD_GET_DID_HI); high = VMXNET3_READ_BAR1_REG(adapter, VMXNET3_REG_CMD); pr_info("vmxnet3 DID lo: 0x%x, high: 0x%x\n", lo, high); The kernel log will have something like the following message: [ 7005.111170] vmxnet3 DID lo: 0x7b0, high: 0x1 Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: return 1 on device activation failureMiao Yan1-1/+1
When reading device status, 0 means device is successfully activated and 1 means error. This behavior can be observed by the following steps: 1) run a Linux distro on esxi server (5.5+) 2) modify vmxnet3 Linux driver to give it an invalid address to 'adapter->shared_pa' which is the shared memory for guest/host communication This will trigger device activation failure and kernel log will have the following message: [ 7138.403256] vmxnet3 0000:03:00.0 eth1: Failed to activate dev: error 1 So return 1 on device activation failure instead of -1; Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net: vmxnet3: avoid memory leakage in activate_deviceP J P1-8/+16
Vmxnet3 device emulator does not check if the device is active before activating it, also it did not free the transmit & receive buffers while deactivating the device, thus resulting in memory leakage on the host. This patch fixes both these issues to avoid host memory leakage. Reported-by: Qinghao Tang <luodalongde@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: remove redundant VMW_SHPRN(...) definitionMiao Yan1-4/+1
Macro VMW_SHPRN(...) is already defined vmxnet3_debug.h, so remove the duplication Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: fix debug macro pattern for vmxnet3Miao Yan1-53/+86
Vmxnet3 uses the following debug macro style: #ifdef SOME_DEBUG # define debug(...) do{ printf(...); } while (0) # else # define debug(...) do{ } while (0) #endif If SOME_DEBUG is undefined, then format string inside the debug macro will never be checked by compiler. Code is likely to break in the future when SOME_DEBUG is enabled because of lack of testing. This patch changes this to the following: #define debug(...) \ do { if (SOME_DEBUG_ENABLED) printf(...); } while (0) Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: use %zu for size_t in printfMiao Yan1-3/+3
Use %zu specifier for size_t in printf, otherwise build would fail on platforms where size_t is not unsigned long Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2016-01-11net/vmxnet3: fix a build error when enabling debug outputMiao Yan1-1/+1
Macro MAC_FMT and MAC_ARG are not defined, but used in vmxnet3_net_init(). This will cause build error when debug level is raised in vmxnet3_debug.h (enable all VMXNET3_DEBUG_xxx). Use VMXNET_MF and VXMNET_MA instead. Signed-off-by: Miao Yan <yanmiaobest@gmail.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into ↵Peter Maydell4-11/+29
staging # gpg: Signature made Mon 07 Dec 2015 14:06:07 GMT using RSA key ID 398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: lan9118: log and ignore access to invalid registers, rather than aborting lan9118: fix emulation of MAC address loaded bit in E2P_CMD register vmxnet3: silence warning pcnet: fix rx buffer overflow(CVE-2015-7512) net: pcnet: add check to validate receive data size(CVE-2015-7504) e1000: fix hang of win2k12 shutdown with flood ping Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-07lan9118: log and ignore access to invalid registers, rather than abortingAndrew Baumann1-4/+8
With this change, access to invalid/unimplemented device registers are logged as a "guest error" rather than aborting qemu with hw_error. This enables drivers for similar devices (e.g. SMSC 9221), by simply ignoring the unimplemented writes. It's also closer to what real hardware does. Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07lan9118: fix emulation of MAC address loaded bit in E2P_CMD registerAndrew Baumann1-3/+5
There appears to have been a longstanding typo in the implementation of the "MAC address loaded" bit in the E2P_CMD (EEPROM command) register. The code was using 0x10, but the controller spec says it should be bit 8 (0x100). Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07vmxnet3: silence warningMichael S. Tsirkin1-1/+0
vmxnet3 always produces a warning under qtest. This is not a user error, don't warn. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07pcnet: fix rx buffer overflow(CVE-2015-7512)Jason Wang1-0/+6
Backends could provide a packet whose length is greater than buffer size. Check for this and truncate the packet to avoid rx buffer overflow in this case. Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07net: pcnet: add check to validate receive data size(CVE-2015-7504)Prasad J Pandit1-3/+5
In loopback mode, pcnet_receive routine appends CRC code to the receive buffer. If the data size given is same as the buffer size, the appended CRC code overwrites 4 bytes after s->buffer. Added a check to avoid that. Reported by: Qinghao Tang <luodalongde@gmail.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-12-07e1000: fix hang of win2k12 shutdown with flood pingDenis V. Lunev1-0/+5
e1000 driver in Win2k12 is really well rotten. It 100% hangs on shutdown of UP VM under flood ping. The guest checks card state and reinjects itself interrupt in a loop. This is fatal for UP machine. There is no good way to fix this misbehavior but to kludge it. The emulation has interrupt throttling register aka ITR which limits interrupt rate and allows the guest to proceed this phase. There is no problem with this kludge for Linux guests - it adjust the value of it itself. On the other hand according to the initial research in commit e9845f0985f088dd01790f4821026df0afba5795 Author: Vincenzo Maffione <v.maffione@gmail.com> Date: Fri Aug 2 18:30:52 2013 +0200 e1000: add interrupt mitigation support ... Interrupt mitigation boosts performance when the guest suffers from an high interrupt rate (i.e. receiving short UDP packets at high packet rate). For some numerical results see the following link http://info.iet.unipi.it/~luigi/papers/20130520-rizzo-vm.pdf this should also boost performance a bit. See https://bugzilla.redhat.com/show_bug.cgi?id=874406 for additional details. Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Vincenzo Maffione <v.maffione@gmail.com> CC: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-11-27eepro100: Prevent two endless loopsStefan Weil1-0/+16
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html shows an example how an endless loop in function action_command can be achieved. During my code review, I noticed a 2nd case which can result in an endless loop. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Jason Wang <jasowang@redhat.com>
2015-11-18vhost-user: ignore qemu-only featuresMichael S. Tsirkin1-7/+1
Some features (such as ctrl vq) are supported by qemu without need to communicate with the backend. Drop them from the feature mask so we set them unconditionally. Reported-by: Victor Kaplansky <vkaplans@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-11-16vhost: don't send RESET_OWNER at stopYuanhan Liu1-6/+0
First of all, RESET_OWNER message is sent incorrectly, as it's sent before GET_VRING_BASE. And the reset message would let the later call get nothing correct. And, sending SET_VRING_ENABLE at stop, which has already been done, makes more sense than RESET_OWNER. Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-11-12Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into ↵Peter Maydell2-109/+375
staging # gpg: Signature made Thu 12 Nov 2015 08:01:55 GMT using RSA key ID 398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211 * remotes/jasowang/tags/net-pull-request: net: netmap: use error_setg() helpers in place of error_report() net: netmap: Fix compilation issue e1000: Introducing backward compatibility command line parameter e1000: Implementing various counters e1000: Fixing the packet address filtering procedure e1000: Fixing the received/transmitted octets' counters e1000: Fixing the received/transmitted packets' counters e1000: Trivial implementation of various MAC registers e1000: Introduced an array to control the access to the MAC registers e1000: Add support for migrating the entire MAC registers' array e1000: Cosmetic and alignment fixes slirp: Fix type casts and format strings in debug code Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-11-12e1000: Introducing backward compatibility command line parameterLeonid Bloch1-0/+2
This follows the previous patches, where support for migrating the entire MAC registers' array, and some new MAC registers were introduced. This patch introduces the e1000-specific boolean parameter "extra_mac_registers", which is on by default. Setting it to off will enable migration to older versions of QEMU, but will disable the read and write access to the new registers, that were introduced since adding the ability to migrate the entire MAC array. Example for usage to enable backward compatibility and to disable the new MAC registers: qemu-system-x86_64 -device e1000,extra_mac_registers=off,... ... As mentioned above, the default value is "on". Signed-off-by: Leonid Bloch <leonid.bloch@ravellosystems.com> Signed-off-by: Dmitry Fleytman <dmitry.fleytman@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>