aboutsummaryrefslogtreecommitdiff
path: root/hw/net
AgeCommit message (Collapse)AuthorFilesLines
2014-06-16Fix typo in eTSEC Ethernet controllerFabien Chouteau1-1/+1
IRQ are lowered when ievent bit is cleared, so irq_pulse makes no sense here... Signed-off-by: Fabien Chouteau <chouteau@adacore.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2014-06-16savevm: Remove all the unneeded version_minimum_id_old (x86)Juan Quintela8-25/+12
After previous Peter patch, they are redundant. This way we don't assign them except when needed. Once there, there were lots of case where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (appart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2014-06-16savevm: Remove all the unneeded version_minimum_id_old (ppc)Juan Quintela1-2/+1
After previous Peter patch, they are redundant. This way we don't assign them except when needed. Once there, there were lots of case where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (appart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru>
2014-06-10hw/net/ne2000-isa: Register vmstate structPeter Maydell1-0/+1
The ne2000-isa device defines a VMState struct for migration, but we forgot to actually register it. Correct this deficiency by setting dc->vmsd. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10net: cadence_gem: Remove &desc[0] usagesPeter Crosthwaite1-2/+2
Just use desc instead. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10net: cadence_gem: Comment spelling sweepPeter Crosthwaite1-6/+6
Fix some typos in comments. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10net: cadence_gem: Add Tx descriptor fetch printfPeter Crosthwaite1-0/+3
Add a debug printf for TX descriptor fetching. This is helpful to anyone needing to debug TX ring buffer traversal. It is also now consistent with the RX code which has a similar printf. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-10net: cadence_gem: Fix Tx descriptor updatePeter Crosthwaite1-5/+7
The local variable "desc" was being used to read-modify-write the first descriptor (of a multi-desc packet) upon packet completion. desc however continues to be used by the code as the current descriptor. Give this first desc RMW it's own local variable to avoid trampling. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-06-09e1000: remove broken support for 82573LGabriel L. Somlo1-18/+0
Currently, e1000 support is based on the manual for the 8254xx model series. 82573x models are documented in a separate manual (see http://www.intel.com/content/dam/www/public/us/en/documents/manuals/pcie-gbe-controllers-open-source-manual.pdf) and the 82573L device ID no longer works correctly on either Linux (3.14.*) or Windows 7. This patch removes stale code claiming to support 82573L, cleaning up the code base for the remaining 8254xx model series. Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-06-09e1000: allow command-line selection of card modelGabriel L. Somlo2-24/+102
Allow selection of different card models from the qemu command line, to better accomodate a wider range of guests. Signed-off-by: Romain Dolbeau <romain@dolbeau.org> Signed-off-by: Gabriel Somlo <somlo@cmu.edu> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-06-09vmxnet3: fix msix vectors unuseJiri Pirko1-1/+1
In vmxnet3_cleanup_msix(), there is called msix_vector_unuse() with VMXNET3_MAX_INTRS. That is not correct since vector of value VMXNET3_MAX_INTRS was never used. Also all the used vectors are not un-used. So call vmxnet3_unuse_msix_vectors() instead which does the correct job. Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-06-09net: xilinx_ethlite: Fix Rx-pong interruptPeter Crosthwaite1-1/+2
There is no CTRL_I bit in the pong buffer control register. The CTRL_I bit from the ping buffer masks both ping and pong buffers. Fix. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-06-09net: xilinx_ethlite: Convert to realize()Peter Crosthwaite1-11/+14
SysBusDevice::init is depracated. Convert to Object::init and Device::realize as prescribed by QOM conventions. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
2014-06-09net: xilinx_ethlite: Don't reset from initPeter Crosthwaite1-1/+8
This zeroing-out of the rxbuf variable (ping pong state) is a reset side effect. Extract into a proper reset. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
2014-05-26net: cadence_gem: Fix top commentPeter Crosthwaite1-1/+1
To indicate Cadence GEM not Xilinx. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-15Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140515' ↵Peter Maydell3-8/+4
into staging migration/next for 20140515 # gpg: Signature made Thu 15 May 2014 02:32:25 BST using RSA key ID 5872D723 # gpg: Can't check signature: public key not found * remotes/juanquintela/tags/migration/20140515: usb: fix up post load checks migration: show average throughput when migration finishes savevm: Remove all the unneeded version_minimum_id_old (rest) savevm: Remove all the unneeded version_minimum_id_old (usb) Split ram_save_block arch_init: Simplify code for load_xbzrle() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-14savevm: Remove all the unneeded version_minimum_id_old (rest)Juan Quintela3-8/+4
After previous Peter patch, they are redundant. This way we don't assign them except when needed. Once there, there were lots of case where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (appart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-13hw/net/cadence_gem: Remove dead codePeter Maydell1-7/+1
Commit 191946c moved the code to handle padding to minimum length from after the handling of the CRC to before it. This means that the CRC code doesn't need to cope with the possibility that the size is less than 60; remove this dead code. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
2014-05-13hw/net/stellaris_enet: Convert to vmstatePeter Maydell1-68/+80
Convert this device to use vmstate for its save/load, including providing a post_load function that sanitizes inbound data to avoid possible buffer overflows if it is malicious. The sanitizing fixes CVE-2013-4532 (though nobody should be relying on the security properties of most of the unmaintained ARM board models anyway, and migration doesn't actually work on this board due to issues in other device models). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-13hw/net/stellaris_enet: Get rid of rx_fifo pointerPeter Maydell1-21/+19
The rx_fifo pointer is awkward to migrate, and is actually redundant since it is always possible to determine it from the current rx[].len/.data and rx_fifo_len. Remove both rx_fifo and rx_fifo_len from the state, replacing them with a simple rx_fifo_offset which points at the current location in the RX fifo. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2014-05-13hw/net/stellaris_enet: Fix debug format stringsPeter Maydell1-3/+3
Fix various debug format strings which were incorrect for the data type, so that building with debug enabled is possible. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2014-05-13hw/net/stellaris_enet: Correctly implement the TR and THR registersPeter Maydell1-2/+15
Packet transmission for the stellaris ethernet controller can be triggered in one of two ways: * by setting a threshold value in the THR register; when the FIFO fill level reaches the threshold, the h/w starts transmitting. Software has to finish filling the FIFO before the transmit process completes to avoid a (silent) underrun * by software writing to the TR register to explicitly trigger transmission Since QEMU transmits packets instantaneously (from the guest's point of view), implement "transmit based on threshold" with our existing mechanism of "transmit as soon as we have the whole packet", with the additional wrinkle that we don't transmit if the packet size is below the specified threshold, and implement "transmit by specific request" properly. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2014-05-13hw/net/stellaris_enet: Rewrite tx fifo handling codePeter Maydell1-42/+77
The datasheet is clear that the frame length written to the DATA register is actually stored in the TX FIFO; this means we don't need to keep both tx_frame_len and tx_fifo_len state separately. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2014-05-13hw/net/stellaris_enet: Correct handling of packet paddingPeter Maydell1-1/+1
The PADEN bit in the transmit control register enables padding of short data packets out to the required minimum length. However a typo here meant we were adjusting tx_fifo_len rather than tx_frame_len, so the padding didn't actually happen. Fix this bug. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Cc: qemu-stable@nongnu.org
2014-05-13hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrunPeter Maydell1-4/+6
The current tx_fifo code has a corner case where the guest can overrun the fifo buffer: if automatic CRCs are disabled we allow the guest to write the CRC word even if there isn't actually space for it in the FIFO. The datasheet is unclear about exactly how the hardware deals with this situation; the most plausible answer seems to be that the CRC word is just lost. Implement this fix by separating the "can we stuff another word in the FIFO" logic from the "should we transmit the packet now" check. This also moves us closer to the real hardware, which has a number of ways it can be configured to trigger sending the packet, some of which we don't implement. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Cc: qemu-stable@nongnu.org
2014-05-13savevm: Remove all the unneeded version_minimum_id_old (arm)Juan Quintela3-4/+3
After commit 767adce2d, they are redundant. This way we don't assign them except when needed. Once there, there were lots of cases where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (apart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> [PMM: fixed minor conflict, corrected commit message typos] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07hw: Add missing 'static' attributesStefan Weil3-5/+5
This fixes warnings from the static code analysis (smatch). Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' ↵Peter Maydell1-4/+16
into staging migration/next for 20140505 # gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723 # gpg: Can't check signature: public key not found * remotes/juanquintela/tags/migration/20140505: (36 commits) migration: expose xbzrle cache miss rate migration: expose the bitmap_sync_count to the end migration: Add counts of updating the dirty bitmap XBZRLE: Fix one XBZRLE corruption issues migration: remove duplicate code Coverity: Fix failure path for qemu_accept in migration Init the XBZRLE.lock in ram_mig_init Provide init function for ram migration Count used RAMBlock pages for migration_dirty_pages Make qemu_peek_buffer loop until it gets it's data Disallow outward migration while awaiting incoming migration virtio: validate config_len on load virtio-net: out-of-bounds buffer write on load openpic: avoid buffer overrun on incoming migration ssi-sd: fix buffer overrun on invalid state load savevm: Ignore minimum_version_id_old if there is no load_state_old usb: sanity check setup_index+setup_len in post_load vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ virtio-scsi: fix buffer overrun on invalid state load zaurus: fix buffer overrun on invalid state load ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-05virtio-net: out-of-bounds buffer write on loadMichael S. Tsirkin1-4/+11
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c > } else if (n->mac_table.in_use) { > uint8_t *buf = g_malloc0(n->mac_table.in_use); We are allocating buffer of size n->mac_table.in_use > qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); and read to the n->mac_table.in_use size buffer n->mac_table.in_use * ETH_ALEN bytes, corrupting memory. If adversary controls state then memory written there is controlled by adversary. Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05hw: Consistently name Error * objects err, and not errpMarkus Armbruster1-8/+8
Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05virtio-net: out-of-bounds buffer write on invalid state loadMichael S. Tsirkin1-0/+5
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c This code is in hw/net/virtio-net.c: if (n->max_queues > 1) { if (n->max_queues != qemu_get_be16(f)) { error_report("virtio-net: different max_queues "); return -1; } n->curr_queues = qemu_get_be16(f); for (i = 1; i < n->curr_queues; i++) { n->vqs[i].tx_waiting = qemu_get_be32(f); } } Number of vqs is max_queues, so if we get invalid input here, for example if max_queues = 2, curr_queues = 3, we get write beyond end of the buffer, with data that comes from wire. This might be used to corrupt qemu memory in hard to predict ways. Since we have lots of function pointers around, RCE might be possible. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-04-28Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-04-28' ↵Peter Maydell1-1/+1
into staging trivial patches for 2014-04-28 # gpg: Signature made Mon 28 Apr 2014 05:56:01 BST using RSA key ID A4C3D7DB # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 # Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB * remotes/mjt/tags/trivial-patches-2014-04-28: slirp/smb: Move ncalrpc directory to tmp po: add proper Language: tags to .po files po/Makefile: fix $SRC_PATH reference init_paths: fix minor memory leak virtfs-proxy-helper: fix call to accept net/net.c: remove unnecessary semicolon Add QEMU logo (SVG file) vl: avoid closing stdout with 'writeconfig' xilinx: Fix typo in comment (Marvel -> Marvell) vl: Eliminate a superfluous local variable vl: Remove useless 'continue' gitignore: cleanups #2 tests/.gitignore: Ignore test-rfifolock move test-* from .gitignore to tests/.gitignore configure: Improve help behavior vl: convert -m to QemuOpts qemu-option: introduce qemu_find_opts_singleton misc: Use cpu_physical_memory_read and cpu_physical_memory_write Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-28xilinx: Fix typo in comment (Marvel -> Marvell)Stefan Weil1-1/+1
Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-25net: xilinx_axienet.c: Add phy soft reset bit clearingNathan Rossi1-0/+3
Clear the BMCR Reset when writing to registers. Signed-off-by: Nathan Rossi <nathan.rossi@xilinx.com> [ PC: * Trivial style fixes to commit message ] Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Reviewed-by: Beniamino Galvani <b.galvani@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@gmail.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-25pcnet: remove duplicate assignmentPrasad Joshi1-1/+0
Signed-off-by: Prasad Joshi <prasadjoshi.linux@gmail.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-04-17net: cadence_gem: Make phy respond to broadcastPeter Crosthwaite1-2/+2
Phys must respond to address 0 by specification. Implement. Signed-off-by: Nathan Rossi <nathan.rossi@xilinx.com> Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-id: 6f4d53b04ddbfb19895bfb61a595e69f1c08859a.1396594056.git.peter.crosthwaite@xilinx.com Reviewed-by: Beniamino Galvani <b.galvani@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17allwinner-emac: update irq status after writes to interrupt registersBeniamino Galvani1-0/+2
The irq line status must be updated after writes to the INT_CTL and INT_STA registers. Signed-off-by: Beniamino Galvani <b.galvani@gmail.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-id: 1395771730-16882-8-git-send-email-b.galvani@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-17allwinner-emac: set autonegotiation complete bit on link upBeniamino Galvani1-2/+2
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-id: 1395771730-16882-7-git-send-email-b.galvani@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-14vmxnet3: validate queues configuration read on migrationDmitry Fleytman1-0/+1
CVE-2013-4544 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 1396604722-11902-5-git-send-email-dmitry@daynix.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-14vmxnet3: validate interrupt indices read on migrationDmitry Fleytman1-0/+2
CVE-2013-4544 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 1396604722-11902-4-git-send-email-dmitry@daynix.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-14vmxnet3: validate queues configuration coming from guestDmitry Fleytman1-1/+18
CVE-2013-4544 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 1396604722-11902-3-git-send-email-dmitry@daynix.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-14vmxnet3: validate interrupt indices coming from guestDmitry Fleytman1-2/+34
CVE-2013-4544 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-id: 1396604722-11902-2-git-send-email-dmitry@daynix.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-04-11virtio-net: fix guest-triggerable buffer overrunMichael S. Tsirkin1-1/+1
When VM guest programs multicast addresses for a virtio net card, it supplies a 32 bit entries counter for the number of addresses. These addresses are read into tail portion of a fixed macs array which has size MAC_TABLE_ENTRIES, at offset equal to in_use. To avoid overflow of this array by guest, qemu attempts to test the size as follows: - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) { however, as mac_data.entries is uint32_t, this sum can overflow, e.g. if in_use is 1 and mac_data.entries is 0xffffffff then in_use + mac_data.entries will be 0. Qemu will then read guest supplied buffer into this memory, overflowing buffer on heap. CVE-2014-0150 Cc: qemu-stable@nongnu.org Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-03-26virtio-net: add vlan receive state to RxFilterInfoAmos Kong1-13/+29
Stefan Fritsch just fixed a virtio-net driver bug [1], virtio-net won't filter out VLAN-tagged packets if VIRTIO_NET_F_CTRL_VLAN isn't negotiated. This patch added a new field to @RxFilterInfo to indicate vlan receive state ('normal', 'none', 'all'). If VIRTIO_NET_F_CTRL_VLAN isn't negotiated, vlan receive state will be 'all', then all VLAN-tagged packets will be received by guest. This patch also fixed a boundary issue in visiting vlan table. [1] http://lists.nongnu.org/archive/html/qemu-devel/2014-02/msg02604.html Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2014-03-26virtio-net: Do not filter VLANs without F_CTRL_VLANStefan Fritsch1-0/+6
If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all VLAN-tagged packets but send them to the guest. This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because the OpenBSD driver started as a port from NetBSD). Signed-off-by: Stefan Fritsch <sf@sfritsch.de> Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-03-20Merge remote-tracking branch 'remotes/afaerber/tags/ppc-for-2.0' into stagingPeter Maydell1-0/+3
PowerPC queue for 2.0 * sPAPR loop fix * SPR reset fix * Reduce allocation size of indirect opcode tables * Restrict number of CPU threads * sPAPR H_SET_MODE fixes * sPAPR firmware path fixes * Static and constness cleanups # gpg: Signature made Thu 20 Mar 2014 01:46:14 GMT using RSA key ID 3E7E013F # gpg: Good signature from "Andreas Färber <afaerber@suse.de>" # gpg: aka "Andreas Färber <afaerber@suse.com>" * remotes/afaerber/tags/ppc-for-2.0: spapr: Implement interface to fix device pathname spapr: QOM'ify pseries machine spapr_vio: Fix firmware names spapr_llan: Add to boot device list qdev: Introduce FWPathProvider interface vl.c: Extend get_boot_devices_list() to ignore suffixes spapr_hcall: Fix little-endian resource handling in H_SET_MODE target-ppc: Introduce powerisa-207-server flag target-ppc: Force CPU threads count to be a power of 2 target-ppc: Fix overallocation of opcode tables target-ppc: Reset SPRs on CPU reset spapr_hcall: Fix h_enter to loop correctly target-ppc: Add missing 'static' and 'const' attributes Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-03-20spapr_llan: Add to boot device listAlexey Kardashevskiy1-0/+3
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-03-19qom: Add check() argument to object_property_add_link()Stefan Hajnoczi1-0/+4
There are currently three types of object_property_add_link() callers: 1. The link property may be set at any time. 2. The link property of a DeviceState instance may only be set before realize. 3. The link property may never be set, it is read-only. Something similar can already be achieved with object_property_add_str()'s set() argument. Follow its example and add a check() argument to object_property_add_link(). Also provide default check() functions for case #1 and #2. Case #3 is covered by passing a NULL function pointer. Cc: Peter Crosthwaite <peter.crosthwaite@petalogix.com> Cc: Alexander Graf <agraf@suse.de> Cc: Anthony Liguori <aliguori@amazon.com> Cc: "Michael S. Tsirkin" <mst@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> [AF: Tweaked documentation comment] Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-03-19qom: Make QOM link property unref optionalStefan Hajnoczi1-4/+12
Some object_property_add_link() callers expect property deletion to unref the link property object. Other callers expect to manage the refcount themselves. The former are currently broken and therefore leak the link property object. This patch adds a flags argument to object_property_add_link() so the caller can specify which refcount behavior they require. The new OBJ_PROP_LINK_UNREF_ON_RELEASE flag causes the link pointer to be unreferenced when the property is deleted. This fixes refcount leaks in qdev.c, xilinx_axidma.c, xilinx_axienet.c, s390-virtio-bus.c, virtio-pci.c, virtio-rng.c, and ui/console.c. Rationale for refcount behavior: * hw/core/qdev.c - bus children are explicitly unreferenced, don't interfere - parent_bus is essentially a read-only property that doesn't hold a refcount, don't unref - hotplug_handler is leaked, do unref * hw/dma/xilinx_axidma.c - rx stream "dma" links are set using set_link, therefore they need unref - tx streams are set using set_link, therefore they need unref * hw/net/xilinx_axienet.c - same reasoning as hw/dma/xilinx_axidma.c * hw/pcmcia/pxa2xx.c - pxa2xx bypasses set_link and therefore does not use refcounts * hw/s390x/s390-virtio-bus.c * hw/virtio/virtio-pci.c * hw/virtio/virtio-rng.c * ui/console.c - set_link is used and there is no explicit unref, do unref Cc: Peter Crosthwaite <peter.crosthwaite@petalogix.com> Cc: Alexander Graf <agraf@suse.de> Cc: Anthony Liguori <aliguori@amazon.com> Cc: "Michael S. Tsirkin" <mst@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-03-15FSL eTSEC: Fix typo in rx ringFabien Chouteau1-2/+2
Signed-off-by: Fabien Chouteau <chouteau@adacore.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>