aboutsummaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2021-03-22net/eth: Add an assert() and invert if() statement to simplify codePhilippe Mathieu-Daudé1-7/+6
To simplify the function body, invert the if() statement, returning earlier. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable. Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/eth: Read ip6_ext_hdr_routing buffer before accessing itPhilippe Mathieu-Daudé1-5/+8
We can't know the caller read enough data in the memory pointed by ext_hdr to cast it as a ip6_ext_hdr_routing. Declare rt_hdr on the stack and fill it again from the iovec. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable. This fix a 2 bytes buffer overrun in eth_parse_ipv6_hdr() reported by QEMU fuzzer: $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \ -accel qtest -monitor none \ -serial none -nographic -qtest stdio outl 0xcf8 0x80001010 outl 0xcfc 0xe1020000 outl 0xcf8 0x80001004 outw 0xcfc 0x7 write 0x25 0x1 0x86 write 0x26 0x1 0xdd write 0x4f 0x1 0x2b write 0xe1020030 0x4 0x190002e1 write 0xe102003a 0x2 0x0807 write 0xe1020048 0x4 0x12077cdd write 0xe1020400 0x4 0xba077cdd write 0xe1020420 0x4 0x190002e1 write 0xe1020428 0x4 0x3509d807 write 0xe1020438 0x1 0xe2 EOF ================================================================= ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818 READ of size 1 at 0x7ffdef904902 thread T0 #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17 #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17 #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14 #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9 #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29 #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9 #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9 #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9 #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5 Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486 This frame has 1 object(s): [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr Shadow bytes around the buggy address: 0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 =>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Stack left redzone: f1 Stack right redzone: f3 ==2859770==ABORTING Add the corresponding qtest case with the fuzzer reproducer. FWIW GCC 11 similarly reported: net/eth.c: In function 'eth_parse_ipv6_hdr': net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds] 410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { | ~~~~~^~~~~~~ net/eth.c:485:24: note: while referencing 'ext_hdr' 485 | struct ip6_ext_hdr ext_hdr; | ^~~~~~~ net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds] 410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) { | ~~~~~^~~~~~~~~ net/eth.c:485:24: note: while referencing 'ext_hdr' 485 | struct ip6_ext_hdr ext_hdr; | ^~~~~~~ Cc: qemu-stable@nongnu.org Buglink: https://bugs.launchpad.net/qemu/+bug/1879531 Reported-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: Miroslav Rezanina <mrezanin@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality") Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/eth: Check iovec has enough data earlierPhilippe Mathieu-Daudé1-1/+1
We want to check fields from ip6_ext_hdr_routing structure and if correct read the full in6_address. Let's directly check if our iovec contains enough data for everything, else return early. Suggested-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/eth: Check size earlier in _eth_get_rss_ex_dst_addr()Philippe Mathieu-Daudé1-8/+6
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argumentPhilippe Mathieu-Daudé1-3/+3
The 'offset' argument represents the offset to the ip6_ext_hdr header, rename it as 'ext_hdr_offset'. Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/eth: Simplify _eth_get_rss_ex_dst_addr()Philippe Mathieu-Daudé1-7/+7
The length field is already contained in the ip6_ext_hdr structure. Check it direcly in eth_parse_ipv6_hdr() before calling _eth_get_rss_ex_dst_addr(), which gets a bit simplified. Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr()Philippe Mathieu-Daudé1-1/+1
The in6_address comes after the ip6_ext_hdr_routing header, not after the ip6_ext_hdr one. Fix the offset. Cc: qemu-stable@nongnu.org Reported-by: Stefano Garzarella <sgarzare@redhat.com> Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality") Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/colo-compare.c: Optimize removal of secondary packetLukas Straub1-1/+1
g_queue_remove needs to look up the list entry first, but we already have it as result and can remove it directly with g_queue_delete_link. Signed-off-by: Lukas Straub <lukasstraub2@web.de> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net/colo-compare.c: Fix memory leak for non-tcp packetLukas Straub1-0/+1
Additional to removing the packet from the secondary queue, we also need to free it. Signed-off-by: Lukas Straub <lukasstraub2@web.de> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net: Pad short frames to minimum size before sending from SLiRP/TAPBin Meng3-0/+30
The minimum Ethernet frame length is 60 bytes. For short frames with smaller length like ARP packets (only 42 bytes), on a real world NIC it can choose either padding its length to the minimum required 60 bytes, or sending it out directly to the wire. Such behavior can be hardcoded or controled by a register bit. Similarly on the receive path, NICs can choose either dropping such short frames directly or handing them over to software to handle. On the other hand, for the network backends like SLiRP/TAP, they don't expose a way to control the short frame behavior. As of today they just send/receive data from/to the other end connected to them, which means any sized packet is acceptable. So they can send and receive short frames without any problem. It is observed that ARP packets sent from SLiRP/TAP are 42 bytes, and SLiRP/TAP just send these ARP packets to the other end which might be a NIC model that does not allow short frames to pass through. To provide better compatibility, for packets sent from QEMU network backends like SLiRP/TAP, we change to pad short frames before sending it out to the other end, if the other end does not forbid it via the nc->do_not_pad flag. This ensures a backend as an Ethernet sender does not violate the spec. But with this change, the behavior of dropping short frames from SLiRP/TAP interfaces in the NIC model cannot be emulated because it always receives a packet that is spec complaint. The capability of sending short frames from NIC models is still supported and short frames can still pass through SLiRP/TAP. This commit should be able to fix the issue as reported with some NIC models before, that ARP requests get dropped, preventing the guest from becoming visible on the network. It was workarounded in these NIC models on the receive path, that when a short frame is received, it is padded up to 60 bytes. The following 2 commits seem to be the one to workaround this issue in e1000 and vmxenet3 before, and should probably be reverted. commit 78aeb23eded2 ("e1000: Pad short frames to minimum size (60 bytes)") commit 40a87c6c9b11 ("vmxnet3: Pad short frames to minimum size (60 bytes)") Signed-off-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-22net: eth: Add a helper to pad a short Ethernet frameBin Meng1-0/+17
Add a helper to pad a short Ethernet frame to the minimum required length, which can be used by backends' code. Signed-off-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15net: Do not fill legacy info_str for backendsAlexey Kirillov8-48/+0
As we use QAPI NetClientState->stored_config to store and get information about backend network devices, we can drop fill of legacy field info_str for them. We still use info_str field for NIC and hubports, so we can not completely remove it. Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15hmp: Use QAPI NetdevInfo in hmp_info_networkAlexey Kirillov1-1/+30
Replace usage of legacy field info_str of NetClientState for backend network devices with QAPI NetdevInfo stored_config that already used in QMP query-netdev. This change increases the detail of the "info network" output and takes a more general approach to composing the output. NIC and hubports still use legacy info_str field. Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15net: Move NetClientState.info_str to dynamic allocationsAlexey Kirillov9-45/+44
The info_str field of the NetClientState structure is static and has a size of 256 bytes. This amount is often unclaimed, and the field itself is used exclusively for HMP "info network". The patch translates info_str to dynamic memory allocation. This action is also allows us to painlessly discard usage of this field for backend devices. Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15qapi: net: Add query-netdev commandAlexey Kirillov10-9/+394
The query-netdev command is used to get the configuration of the current network device backends (netdevs). This is the QMP analog of the HMP command "info network" but only for netdevs (i.e. excluding NIC and hubports). The query-netdev command returns an array of objects of the NetdevInfo type, which are an extension of Netdev type. It means that response can be used for netdev-add after small modification. This can be useful for recreate the same netdev configuration. Information about the network device is filled in when it is created or modified and is available through the NetClientState->stored_config. Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru> Acked-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15net: introduce qemu_receive_packet()Jason Wang2-7/+53
Some NIC supports loopback mode and this is done by calling nc->info->receive() directly which in fact suppresses the effort of reentrancy check that is done in qemu_net_queue_send(). Unfortunately we can't use qemu_net_queue_send() here since for loopback there's no sender as peer, so this patch introduce a qemu_receive_packet() which is used for implementing loopback mode for a NIC with this check. NIC that supports loopback mode will be converted to this helper. This is intended to address CVE-2021-3416. Cc: Prasad J Pandit <ppandit@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15net: validate that ids are well formedPaolo Bonzini1-0/+5
When a network or network device is created from the command line or HMP, QemuOpts ensures that the id passes the id_wellformed check. However, QMP skips this: $ qemu-system-x86_64 -qmp stdio -S -nic user,id=123/456 qemu-system-x86_64: -nic user,id=123/456: Parameter id expects an identifier Identifiers consist of letters, digits, -, ., _, starting with a letter. $ qemu-system-x86_64 -qmp stdio -S {"execute":"qmp_capabilities"} {"return": {}} {"execute":"netdev_add", "arguments": {"type": "user", "id": "123/456"}} {"return": {}} After: $ qemu-system-x86_64 -qmp stdio -S {"execute":"qmp_capabilities"} {"return": {}} {"execute":"netdev_add", "arguments": {"type": "user", "id": "123/456"}} {"error": {"class": "GenericError", "desc": "Parameter "id" expects an identifier"}} Validity checks should be performed always at the bottom of the call chain, because QMP skips all the steps above. At the same time we know that every call chain should go through either QMP or (for legacy) through QemuOpts. Because the id for -net and -nic is automatically generated and not well-formed by design, just add the check to QMP. Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-15net: Fix build error when DEBUG_NET is onBin Meng1-0/+1
"qemu-common.h" should be included to provide the forward declaration of qemu_hexdump() when DEBUG_NET is on. Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-03-11Merge remote-tracking branch ↵Peter Maydell1-4/+4
'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging Pull request # gpg: Signature made Wed 10 Mar 2021 21:56:09 GMT # gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C # gpg: issuer "laurent@vivier.eu" # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full] # gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full] # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full] # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier2/tags/trivial-branch-for-6.0-pull-request: (22 commits) sysemu: Let VMChangeStateHandler take boolean 'running' argument sysemu/runstate: Let runstate_is_running() return bool hw/lm32/Kconfig: Have MILKYMIST select LM32_DEVICES hw/lm32/Kconfig: Rename CONFIG_LM32 -> CONFIG_LM32_DEVICES hw/lm32/Kconfig: Introduce CONFIG_LM32_EVR for lm32-evr/uclinux boards qemu-common.h: Update copyright string to 2021 tests/fp/fp-test: Replace the word 'blacklist' qemu-options: Replace the word 'blacklist' seccomp: Replace the word 'blacklist' scripts/tracetool: Replace the word 'whitelist' ui: Replace the word 'whitelist' virtio-gpu: Adjust code space style exec/memory: Use struct Object typedef fuzz-test: remove unneccessary debugging flags net: Use id_generate() in the network subsystem, too MAINTAINERS: Fix the location of tools manuals vhost_user_gpu: Drop dead check for g_malloc() failure backends/dbus-vmstate: Fix short read error handling target/hexagon/gen_tcg_funcs: Fix a typo hw/elf_ops: Fix a typo ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-03-09sysemu: Let VMChangeStateHandler take boolean 'running' argumentPhilippe Mathieu-Daudé1-1/+1
The 'running' argument from VMChangeStateHandler does not require other value than 0 / 1. Make it a plain boolean. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Acked-by: David Gibson <david@gibson.dropbear.id.au> Message-Id: <20210111152020.1422021-3-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-03-09net: Use id_generate() in the network subsystem, tooThomas Huth1-3/+3
We already got a global function called id_generate() to create unique IDs within QEMU. Let's use it in the network subsytem, too, instead of inventing our own ID scheme here. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210215090225.1046239-1-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-03-09qtest: delete superfluous inclusions of qtest.hChen Qun1-1/+0
There are 23 files that include the "sysemu/qtest.h", but they do not use any qtest functions. Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com> Acked-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210226081414.205946-1-kuhn.chenqun@huawei.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-01-29Merge remote-tracking branch ↵Peter Maydell1-1/+1
'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging Trivial patches 20210129 # gpg: Signature made Fri 29 Jan 2021 08:32:17 GMT # gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C # gpg: issuer "laurent@vivier.eu" # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full] # gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full] # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full] # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier2/tags/trivial-branch-for-6.0-pull-request: target/rx: Fix compiler errors for build with sanitizers net/slirp.c: Fix spelling error in error message tcg/tci: Restrict tci_write_reg16() to 64-bit hosts MAINTAINERS: Update 9pfs tree URL Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-01-29net/slirp.c: Fix spelling error in error messageDoug Evans1-1/+1
DNS should be DHCP Signed-off-by: Doug Evans <dje@google.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Message-Id: <20210122004251.843837-1-dje@google.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-01-28qapi: More complex uses of QAPI_LIST_APPENDEric Blake1-11/+2
These cases require a bit more thought to review; in each case, the code was appending to a list, but not with a FOOList **tail variable. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-Id: <20210113221013.390592-6-eblake@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> [Flawed change to qmp_guest_network_get_interfaces() dropped] Signed-off-by: Markus Armbruster <armbru@redhat.com>
2021-01-28net: Clarify early exit conditionEric Blake1-0/+2
On first glance, the loop in qmp_query_rx_filter() has early return paths that could leak any allocation of filter_list from a previous iteration. But on closer inspection, it is obvious that all of the early exits are guarded by has_name, and that the bulk of the loop body can be executed at most once if the user is filtering by name, thus, any early exit coincides with an empty list. Add asserts to make this obvious. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210113221013.390592-2-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
2021-01-25net: checksum: Introduce fine control over checksum typeBin Meng2-6/+16
At present net_checksum_calculate() blindly calculates all types of checksums (IP, TCP, UDP). Some NICs may have a per type setting in their BDs to control what checksum should be offloaded. To support such hardware behavior, introduce a 'csum_flag' parameter to the net_checksum_calculate() API to allow fine control over what type checksum is calculated. Existing users of this API are updated accordingly. Signed-off-by: Bin Meng <bin.meng@windriver.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-01-25net: checksum: Add IP header checksum calculationGuishan Qin1-2/+6
At present net_checksum_calculate() only calculates TCP/UDP checksum in an IP packet, but assumes the IP header checksum to be provided by the software, e.g.: Linux kernel always calculates the IP header checksum. However this might not always be the case, e.g.: for an IP checksum offload enabled stack like VxWorks, the IP header checksum can be zero. This adds the checksum calculation of the IP header. Signed-off-by: Guishan Qin <guishan.qin@windriver.com> Signed-off-by: Yabing Liu <yabing.liu@windriver.com> Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-01-25net: checksum: Skip fragmented IP packetsMarkus Carlstedt1-0/+4
To calculate the TCP/UDP checksum we need the whole datagram. Unless the hardware has some logic to collect all fragments before sending the whole datagram first, it can only be done by the network stack, which is normally the case for the NICs we have seen so far. Skip these fragmented IP packets to avoid checksum corruption. Signed-off-by: Markus Carlstedt <markus.carlstedt@windriver.com> Signed-off-by: Bin Meng <bin.meng@windriver.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-01-25net: Fix handling of id in netdev_add and netdev_delMarkus Armbruster1-2/+18
CLI -netdev accumulates in option group "netdev". Before commit 08712fcb85 "net: Track netdevs in NetClientState rather than QemuOpt", netdev_add added to the option group, and netdev_del removed from it, both HMP and QMP. Thus, every netdev had a corresponding QemuOpts in this option group. Commit 08712fcb85 dropped this for QMP netdev_add and both netdev_del. Now a netdev has a corresponding QemuOpts only when it was created with CLI or HMP. Two issues: * QMP and HMP netdev_del can leave QemuOpts behind, breaking HMP netdev_add. Reproducer: $ qemu-system-x86_64 -S -display none -nodefaults -monitor stdio QEMU 5.1.92 monitor - type 'help' for more information (qemu) netdev_add user,id=net0 (qemu) info network net0: index=0,type=user,net=10.0.2.0,restrict=off (qemu) netdev_del net0 (qemu) info network (qemu) netdev_add user,id=net0 upstream-qemu: Duplicate ID 'net0' for netdev Try "help netdev_add" for more information Fix by restoring the QemuOpts deletion in qmp_netdev_del(), but with a guard, because the QemuOpts need not exist. * QMP netdev_add loses its "no duplicate ID" check. Reproducer: $ qemu-system-x86_64 -S -display none -qmp stdio {"QMP": {"version": {"qemu": {"micro": 92, "minor": 1, "major": 5}, "package": "v5.2.0-rc2-1-g02c1f0142c"}, "capabilities": ["oob"]}} {"execute": "qmp_capabilities"} {"return": {}} {"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}} {"return": {}} {"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}} {"return": {}} Fix by adding a duplicate ID check to net_client_init1() to replace the lost one. The check is redundant for callers where QemuOpts still checks, i.e. for CLI and HMP. Reported-by: Andrew Melnichenko <andrew@daynix.com> Fixes: 08712fcb851034228b61f75bd922863a984a4f60 Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2021-01-08Remove superfluous timer_del() callsPeter Maydell3-3/+0
This commit is the result of running the timer-del-timer-free.cocci script on the whole source tree. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Corey Minyard <cminyard@mvista.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20201215154107.3255-4-peter.maydell@linaro.org
2020-12-15netfilter: Use class propertiesEduardo Habkost5-42/+39
Instance properties make introspection hard and are not shown by "-object ...,help". Convert them to class properties. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Message-Id: <20201111183823.283752-12-ehabkost@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-12-15netfilter: Reorder functionsEduardo Habkost2-28/+28
Trivial code reordering in some filter backends, to make the next changes easier to review. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Message-Id: <20201111183823.283752-11-ehabkost@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-12-15can_host: Use class propertiesEduardo Habkost1-11/+5
Instance properties make introspection hard and are not shown by "-object ...,help". Convert them to class properties. Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Tested-by: Pavel Pisa <pisa@cmp.felk.cvut.cz> Message-Id: <20201111183823.283752-9-ehabkost@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-12-11can-host: Fix crash when 'canbus' property is not setKevin Wolf1-0/+5
Providing the 'if' property, but not 'canbus' segfaults like this: #0 0x0000555555b0f14d in can_bus_insert_client (bus=0x0, client=0x555556aa9af0) at ../net/can/can_core.c:88 #1 0x00005555559c3803 in can_host_connect (ch=0x555556aa9ac0, errp=0x7fffffffd568) at ../net/can/can_host.c:62 #2 0x00005555559c386a in can_host_complete (uc=0x555556aa9ac0, errp=0x7fffffffd568) at ../net/can/can_host.c:72 #3 0x0000555555d52de9 in user_creatable_complete (uc=0x555556aa9ac0, errp=0x7fffffffd5c8) at ../qom/object_interfaces.c:23 Add the missing NULL check. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20201130105615.21799-5-kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2020-12-10qerror: Eliminate QERR_ macros used in just one placeMarkus Armbruster1-1/+1
Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20201113082626.2725812-3-armbru@redhat.com>
2020-11-24net: Use correct default-path macro for downscriptKeqian Zhu1-1/+2
Fixes: 63c4db4c2e6d (net: relocate paths to helpers and scripts) Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-24tap: fix a memory leakyuanjungong1-0/+2
Close fd before returning. Buglink: https://bugs.launchpad.net/qemu/+bug/1904486 Signed-off-by: yuanjungong <ruc_gongyuanjun@163.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-24net: purge queued rx packets on queue deletionYuri Benditovich1-4/+8
https://bugzilla.redhat.com/show_bug.cgi?id=1829272 When deleting queue pair, purge pending RX packets if any. Example of problematic flow: 1. Bring up q35 VM with tap (vhost off) and virtio-net or e1000e 2. Run ping flood to the VM NIC ( 1 ms interval) 3. Hot unplug the NIC device (device_del) During unplug process one or more packets come, the NIC can't receive, tap disables read_poll 4. Hot plug the device (device_add) with the same netdev The tap stays with read_poll disabled and does not receive any packets anymore (tap_send never triggered) Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-24net: do not exit on "netdev_add help" monitor commandPaolo Bonzini1-34/+34
"netdev_add help" is causing QEMU to exit because the code that invokes show_netdevs is shared between CLI and HMP processing. Move the check to the callers so that exit(0) remains only in the CLI flow. "netdev_add help" is not fixed by this patch; that is left for later work. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net/l2tpv3: Remove redundant check in net_init_l2tpv3()AlexChen1-6/+3
The result has been checked to be NULL before, it cannot be NULL here, so the check is redundant. Remove it. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: AlexChen <alex.chen@huawei.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net: remove an assert call in eth_get_gso_typePrasad J Pandit1-3/+3
eth_get_gso_type() routine returns segmentation offload type based on L3 protocol type. It calls g_assert_not_reached if L3 protocol is unknown, making the following return statement unreachable. Remove the g_assert call, it maybe triggered by a guest user. Reported-by: Gaoning Pan <pgn@zju.edu.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net/colo-compare.c: Increase default queued packet scan frequencyZhang Chen1-1/+1
In my test, use this default parameter looks better. Signed-off-by: Zhang Chen <chen.zhang@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net/colo-compare.c: Add secondary old packet detectionZhang Chen1-9/+16
Detect queued secondary packet to sync VM state in time. Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Li Zhijian <lizhijian@cn.fujitsu.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net/colo-compare.c: Change the timer clock typeZhang Chen1-3/+3
The virtual clock only runs during the emulation. It stops when the virtual machine is stopped. The host clock should be used for device models that emulate accurate real time sources. It will continue to run when the virtual machine is suspended. COLO need to know the host time here. Fixes: dd321ecfc2e ("colo-compare: Use IOThread to Check old packet regularly and Process packets of the primary") Reported-by: Derek Su <dereksu@qnap.com> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Li Zhijian <lizhijian@cn.fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net/colo-compare.c: Fix compare_timeout format issueZhang Chen1-6/+6
This parameter need compare with the return of qemu_clock_get_ms(), it is uint64_t. So we need fix this issue here. Fixes: 9cc43c94b31 ("net/colo-compare.c: Expose "compare_timeout" to users") Reported-by: Derek Su <dereksu@qnap.com> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Li Zhijian <lizhijian@cn.fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11colo-compare: check mark in mutual exclusionLi Zhijian1-4/+2
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11colo-compare: fix missing compare_seq initializationLi Zhijian1-4/+1
Fixes: f449c9e549c ("colo: compare the packet based on the tcp sequence number") Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11Optimize seq_sorter function for colo-compareRao, Lei1-5/+2
The seq of tcp has been filled in fill_pkt_tcp_info, it can be used directly here. Signed-off-by: Lei Rao <lei.rao@intel.com> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Li Zhijian <lizhijian@cn.fujitsu.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11net/filter-rewriter: destroy g_hash_table in colo_rewriter_cleanupPan Nengyuan1-0/+2
s->connection_track_table forgot to destroy in colo_rewriter_cleanup. Fix it. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com> Signed-off-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com>