Series comparison

-[PULL 0/2] Net patches
+[PULL 0/5] Net patches
-The following changes since commit 5c1c3e4f02e458cf280c677c817ae4fd1ed9bf10:
+The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:
-  Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200803' into staging (2020-08-03 20:34:26 +0100)
+  Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' into staging (2020-11-23 18:51:13 +0000)
 are available in the git repository at:
   https://github.com/jasowang/qemu.git tags/net-pull-request
-for you to fetch changes up to 035e69b063835a5fd23cacabd63690a3d84532a8:
+for you to fetch changes up to 9925990d01a92564af55f6f69d0f5f59b47609b1:
-  hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment() (2020-08-04 14:14:48 +0800)
+  net: Use correct default-path macro for downscript (2020-11-24 10:40:17 +0800)
 ----------------------------------------------------------------
 ----------------------------------------------------------------
-Lukas Straub (1):
+Keqian Zhu (1):
-      colo-compare: Remove superfluous NULL-pointer checks for s->iothread
+      net: Use correct default-path macro for downscript
-Mauro Matteo Cascella (1):
+Paolo Bonzini (1):
-      hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment()
+      net: do not exit on "netdev_add help" monitor command
- hw/net/net_tx_pkt.c | 5 ++++-
+Prasad J Pandit (1):
- net/colo-compare.c  | 8 ++------
+      hw/net/e1000e: advance desc_offset in case of null descriptor
-files changed, 6 insertions(+), 7 deletions(-)
 Yuri Benditovich (1):
       net: purge queued rx packets on queue deletion
 yuanjungong (1):
       tap: fix a memory leak
  hw/net/e1000e_core.c |  8 +++---
  include/net/net.h    |  1 +
  monitor/hmp-cmds.c   |  6 ++++
  net/net.c            | 80 +++++++++++++++++++++++++++-------------------------
  net/tap.c            |  5 +++-
 files changed, 57 insertions(+), 43 deletions(-)

-New patch
+[PULL 1/5] hw/net/e1000e: advance desc_offset in case of null descriptor
+From: Prasad J Pandit <pjp@fedoraproject.org>
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/e1000e_core.c | 8 ++++----
+file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -XXX,XX +XXX,XX @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+                           (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+                 }
+             }
+-            desc_offset += desc_size;
+-            if (desc_offset >= total_size) {
+-                is_last = true;
+-            }
+         } else { /* as per intel docs; skip descriptors with null buf addr */
+             trace_e1000e_rx_null_descriptor();
+         }
++        desc_offset += desc_size;
++        if (desc_offset >= total_size) {
++            is_last = true;
++        }
+         e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+                            rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+--
+.7.4

-New patch
+[PULL 2/5] net: do not exit on "netdev_add help" monitor command
+From: Paolo Bonzini <pbonzini@redhat.com>
+"netdev_add help" is causing QEMU to exit because the code that
+invokes show_netdevs is shared between CLI and HMP processing.
+Move the check to the callers so that exit(0) remains only
+in the CLI flow.
+"netdev_add help" is not fixed by this patch; that is left for
+later work.
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ include/net/net.h  |  1 +
+ monitor/hmp-cmds.c |  6 +++++
+ net/net.c          | 68 +++++++++++++++++++++++++++---------------------------
+files changed, 41 insertions(+), 34 deletions(-)
+diff --git a/include/net/net.h b/include/net/net.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -XXX,XX +XXX,XX @@ extern const char *host_net_devices[];
+ /* from net.c */
+ int net_client_parse(QemuOptsList *opts_list, const char *str);
++void show_netdevs(void);
+ int net_init_clients(Error **errp);
+ void net_check_clients(void);
+ void net_cleanup(void);
+diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
+index XXXXXXX..XXXXXXX 100644
+--- a/monitor/hmp-cmds.c
++++ b/monitor/hmp-cmds.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/option.h"
+ #include "qemu/timer.h"
+ #include "qemu/sockets.h"
++#include "qemu/help_option.h"
+ #include "monitor/monitor-internal.h"
+ #include "qapi/error.h"
+ #include "qapi/clone-visitor.h"
+@@ -XXX,XX +XXX,XX @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict)
+ {
+     Error *err = NULL;
+     QemuOpts *opts;
++    const char *type = qdict_get_try_str(qdict, "type");
++    if (type && is_help_option(type)) {
++        show_netdevs();
++        return;
++    }
+     opts = qemu_opts_from_qdict(qemu_find_opts("netdev"), qdict, &err);
+     if (err) {
+         goto out;
+diff --git a/net/net.c b/net/net.c
+index XXXXXXX..XXXXXXX 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/config-file.h"
+ #include "qemu/ctype.h"
+ #include "qemu/iov.h"
++#include "qemu/qemu-print.h"
+ #include "qemu/main-loop.h"
+ #include "qemu/option.h"
+ #include "qapi/error.h"
+@@ -XXX,XX +XXX,XX @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
+     return 0;
+ }
+-static void show_netdevs(void)
++void show_netdevs(void)
+ {
+     int idx;
+     const char *available_netdevs[] = {
+@@ -XXX,XX +XXX,XX @@ static void show_netdevs(void)
+ #endif
+     };
+-    printf("Available netdev backend types:\n");
++    qemu_printf("Available netdev backend types:\n");
+     for (idx = 0; idx < ARRAY_SIZE(available_netdevs); idx++) {
+-        puts(available_netdevs[idx]);
++        qemu_printf("%s\n", available_netdevs[idx]);
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
+     int ret = -1;
+     Visitor *v = opts_visitor_new(opts);
+-    const char *type = qemu_opt_get(opts, "type");
+-
+-    if (is_netdev && type && is_help_option(type)) {
+-        show_netdevs();
+-        exit(0);
+-    } else {
+-        /* Parse convenience option format ip6-net=fec0::0[/64] */
+-        const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
++    /* Parse convenience option format ip6-net=fec0::0[/64] */
++    const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
+-        if (ip6_net) {
+-            char *prefix_addr;
+-            unsigned long prefix_len = 64; /* Default 64bit prefix length. */
++    if (ip6_net) {
++        char *prefix_addr;
++        unsigned long prefix_len = 64; /* Default 64bit prefix length. */
+-            substrings = g_strsplit(ip6_net, "/", 2);
+-            if (!substrings || !substrings[0]) {
+-                error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
+-                           "a valid IPv6 prefix");
+-                goto out;
+-            }
++        substrings = g_strsplit(ip6_net, "/", 2);
++        if (!substrings || !substrings[0]) {
++            error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
++                       "a valid IPv6 prefix");
++            goto out;
++        }
+-            prefix_addr = substrings[0];
++        prefix_addr = substrings[0];
+-            /* Handle user-specified prefix length. */
+-            if (substrings[1] &&
+-                qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
+-            {
+-                error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
+-                           "ipv6-prefixlen", "a number");
+-                goto out;
+-            }
+-
+-            qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
+-            qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
+-                                &error_abort);
+-            qemu_opt_unset(opts, "ipv6-net");
++        /* Handle user-specified prefix length. */
++        if (substrings[1] &&
++            qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
++        {
++            error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
++                       "ipv6-prefixlen", "a number");
++            goto out;
+         }
++
++        qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
++        qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
++                            &error_abort);
++        qemu_opt_unset(opts, "ipv6-net");
+     }
+     /* Create an ID for -net if the user did not specify one */
+@@ -XXX,XX +XXX,XX @@ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
+ static int net_init_netdev(void *dummy, QemuOpts *opts, Error **errp)
+ {
++    const char *type = qemu_opt_get(opts, "type");
++
++    if (type && is_help_option(type)) {
++        show_netdevs();
++        exit(0);
++    }
+     return net_client_init(opts, true, errp);
+ }
+--
+.7.4

-[PULL 1/2] colo-compare: Remove superfluous NULL-pointer checks for s->iothread
+[PULL 3/5] net: purge queued rx packets on queue deletion
-From: Lukas Straub <lukasstraub2@web.de>
+From: Yuri Benditovich <yuri.benditovich@daynix.com>
-s->iothread is checked for NULL on object creation in colo_compare_complete,
+https://bugzilla.redhat.com/show_bug.cgi?id=1829272
-so it's guaranteed not to be NULL.
+When deleting queue pair, purge pending RX packets if any.
-This resolves a false alert from Coverity (CID 1429969).
+Example of problematic flow:
 . Bring up q35 VM with tap (vhost off) and virtio-net or e1000e
 . Run ping flood to the VM NIC ( 1 ms interval)
 . Hot unplug the NIC device (device_del)
    During unplug process one or more packets come, the NIC
    can't receive, tap disables read_poll
 . Hot plug the device (device_add) with the same netdev
 The tap stays with read_poll disabled and does not receive
 any packets anymore (tap_send never triggered)
-Signed-off-by: Lukas Straub <lukasstraub2@web.de>
+Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
 Reviewed-by: Philippe Mathieu-DaudÃ© <philmd@redhat.com>
 Reviewed-by: Li Qiang <liq3ea@gmail.com>
 Reviewed-by: Zhang Chen <chen.zhang@intel.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- net/colo-compare.c | 8 ++------
+ net/net.c | 12 ++++++++----
-file changed, 2 insertions(+), 6 deletions(-)
+file changed, 8 insertions(+), 4 deletions(-)
-diff --git a/net/colo-compare.c b/net/colo-compare.c
+diff --git a/net/net.c b/net/net.c
 index XXXXXXX..XXXXXXX 100644
---- a/net/colo-compare.c
+--- a/net/net.c
-+++ b/net/colo-compare.c
++++ b/net/net.c
-@@ -XXX,XX +XXX,XX @@ static void colo_compare_finalize(Object *obj)
+@@ -XXX,XX +XXX,XX @@ void qemu_del_nic(NICState *nic)
-         qemu_chr_fe_deinit(&s->chr_notify_dev, false);
      qemu_macaddr_set_free(&nic->conf->macaddr);
 -    /* If this is a peer NIC and peer has already been deleted, free it now. */
 -    if (nic->peer_deleted) {
 -        for (i = 0; i < queues; i++) {
 -            qemu_free_net_client(qemu_get_subqueue(nic, i)->peer);
 +    for (i = 0; i < queues; i++) {
 +        NetClientState *nc = qemu_get_subqueue(nic, i);
 +        /* If this is a peer NIC and peer has already been deleted, free it now. */
 +        if (nic->peer_deleted) {
 +            qemu_free_net_client(nc->peer);
 +        } else if (nc->peer) {
 +            /* if there are RX packets pending, complete them */
 +            qemu_purge_queued_packets(nc->peer);
          }
      }
--    if (s->iothread) {
--        colo_compare_timer_del(s);
--    }
-+    colo_compare_timer_del(s);
-     qemu_bh_delete(s->event_bh);
-@@ -XXX,XX +XXX,XX @@ static void colo_compare_finalize(Object *obj)
-         g_hash_table_destroy(s->connection_track_table);
-     }
--    if (s->iothread) {
--        object_unref(OBJECT(s->iothread));
--    }
-+    object_unref(OBJECT(s->iothread));
-     g_free(s->pri_indev);
-     g_free(s->sec_indev);
 --
 .7.4

-New patch
+[PULL 4/5] tap: fix a memory leak
+From: yuanjungong <ruc_gongyuanjun@163.com>
+Close fd before returning.
+Buglink: https://bugs.launchpad.net/qemu/+bug/1904486
+Signed-off-by: yuanjungong <ruc_gongyuanjun@163.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ net/tap.c | 2 ++
+file changed, 2 insertions(+)
+diff --git a/net/tap.c b/net/tap.c
+index XXXXXXX..XXXXXXX 100644
+--- a/net/tap.c
++++ b/net/tap.c
+@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
+         if (ret < 0) {
+             error_setg_errno(errp, -ret, "%s: Can't use file descriptor %d",
+                              name, fd);
++            close(fd);
+             return -1;
+         }
+@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
+                          vhostfdname, vnet_hdr, fd, &err);
+         if (err) {
+             error_propagate(errp, err);
++            close(fd);
+             return -1;
+         }
+     } else if (tap->has_fds) {
+--
+.7.4

-[PULL 2/2] hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment()
+[PULL 5/5] net: Use correct default-path macro for downscript
-From: Mauro Matteo Cascella <mcascell@redhat.com>
+From: Keqian Zhu <zhukeqian1@huawei.com>
-An assertion failure issue was found in the code that processes network packets
+Fixes: 63c4db4c2e6d (net: relocate paths to helpers and scripts)
-while adding data fragments into the packet context. It could be abused by a
+Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
 malicious guest to abort the QEMU process on the host. This patch replaces the
 affected assert() with a conditional statement, returning false if the current
 data fragment exceeds max_raw_frags.
 Reported-by: Alexander Bulekov <alxndr@bu.edu>
 Reported-by: Ziming Zhang <ezrakiez@gmail.com>
 Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- hw/net/net_tx_pkt.c | 5 ++++-
+ net/tap.c | 3 ++-
-file changed, 4 insertions(+), 1 deletion(-)
+file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+diff --git a/net/tap.c b/net/tap.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/net_tx_pkt.c
+--- a/net/tap.c
-+++ b/hw/net/net_tx_pkt.c
++++ b/net/tap.c
-@@ -XXX,XX +XXX,XX @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+@@ -XXX,XX +XXX,XX @@ free_fail:
-     hwaddr mapped_len = 0;
+             script = default_script = get_relocated_path(DEFAULT_NETWORK_SCRIPT);
-     struct iovec *ventry;
+         }
-     assert(pkt);
+         if (!downscript) {
--    assert(pkt->max_raw_frags > pkt->raw_frags);
+-            downscript = default_downscript = get_relocated_path(DEFAULT_NETWORK_SCRIPT);
-+
++            downscript = default_downscript =
-+    if (pkt->raw_frags >= pkt->max_raw_frags) {
++                                 get_relocated_path(DEFAULT_NETWORK_DOWN_SCRIPT);
-+        return false;
+         }
-+    }
+         if (tap->has_ifname) {
      if (!len) {
          return true;
 --
 .7.4

From: Lukas Straub <lukasstraub2@web.de>

s->iothread is checked for NULL on object creation in colo_compare_complete,
so it's guaranteed not to be NULL.
This resolves a false alert from Coverity (CID 1429969).

Signed-off-by: Lukas Straub <lukasstraub2@web.de>
Reviewed-by: Philippe Mathieu-DaudÃ© <philmd@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/colo-compare.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index XXXXXXX..XXXXXXX 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -XXX,XX +XXX,XX @@ static void colo_compare_finalize(Object *obj)
         qemu_chr_fe_deinit(&s->chr_notify_dev, false);
     }
 
-    if (s->iothread) {
-        colo_compare_timer_del(s);
-    }
+    colo_compare_timer_del(s);
 
     qemu_bh_delete(s->event_bh);
 
@@ -XXX,XX +XXX,XX @@ static void colo_compare_finalize(Object *obj)
         g_hash_table_destroy(s->connection_track_table);
     }
 
-    if (s->iothread) {
-        object_unref(OBJECT(s->iothread));
-    }
+    object_unref(OBJECT(s->iothread));
 
     g_free(s->pri_indev);
     g_free(s->sec_indev);
-- 
2.7.4

From: Mauro Matteo Cascella <mcascell@redhat.com>

An assertion failure issue was found in the code that processes network packets
while adding data fragments into the packet context. It could be abused by a
malicious guest to abort the QEMU process on the host. This patch replaces the
affected assert() with a conditional statement, returning false if the current
data fragment exceeds max_raw_frags.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/net_tx_pkt.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -XXX,XX +XXX,XX @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
     hwaddr mapped_len = 0;
     struct iovec *ventry;
     assert(pkt);
-    assert(pkt->max_raw_frags > pkt->raw_frags);
+
+    if (pkt->raw_frags >= pkt->max_raw_frags) {
+        return false;
+    }
 
     if (!len) {
         return true;
-- 
2.7.4

The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:

Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' into staging (2020-11-23 18:51:13 +0000)

are available in the git repository at:

https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 9925990d01a92564af55f6f69d0f5f59b47609b1:

net: Use correct default-path macro for downscript (2020-11-24 10:40:17 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Keqian Zhu (1):
      net: Use correct default-path macro for downscript

Paolo Bonzini (1):
      net: do not exit on "netdev_add help" monitor command

Prasad J Pandit (1):
      hw/net/e1000e: advance desc_offset in case of null descriptor

Yuri Benditovich (1):
      net: purge queued rx packets on queue deletion

yuanjungong (1):
      tap: fix a memory leak

From: Prasad J Pandit <pjp@fedoraproject.org>

While receiving packets via e1000e_write_packet_to_guest() routine,
'desc_offset' is advanced only when RX descriptor is processed. And
RX descriptor is not processed if it has NULL buffer address.
This may lead to an infinite loop condition. Increament 'desc_offset'
to process next descriptor in the ring to avoid infinite loop.

Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000e_core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -XXX,XX +XXX,XX @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
                           (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
                 }
             }
-            desc_offset += desc_size;
-            if (desc_offset >= total_size) {
-                is_last = true;
-            }
         } else { /* as per intel docs; skip descriptors with null buf addr */
             trace_e1000e_rx_null_descriptor();
         }
+        desc_offset += desc_size;
+        if (desc_offset >= total_size) {
+            is_last = true;
+        }
 
         e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
                            rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
-- 
2.7.4

From: Paolo Bonzini <pbonzini@redhat.com>

"netdev_add help" is causing QEMU to exit because the code that
invokes show_netdevs is shared between CLI and HMP processing.
Move the check to the callers so that exit(0) remains only
in the CLI flow.

"netdev_add help" is not fixed by this patch; that is left for
later work.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 include/net/net.h  |  1 +
 monitor/hmp-cmds.c |  6 +++++
 net/net.c          | 68 +++++++++++++++++++++++++++---------------------------
 3 files changed, 41 insertions(+), 34 deletions(-)

diff --git a/include/net/net.h b/include/net/net.h
index XXXXXXX..XXXXXXX 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -XXX,XX +XXX,XX @@ extern const char *host_net_devices[];
 
 /* from net.c */
 int net_client_parse(QemuOptsList *opts_list, const char *str);
+void show_netdevs(void);
 int net_init_clients(Error **errp);
 void net_check_clients(void);
 void net_cleanup(void);
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
index XXXXXXX..XXXXXXX 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/option.h"
 #include "qemu/timer.h"
 #include "qemu/sockets.h"
+#include "qemu/help_option.h"
 #include "monitor/monitor-internal.h"
 #include "qapi/error.h"
 #include "qapi/clone-visitor.h"
@@ -XXX,XX +XXX,XX @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict)
 {
     Error *err = NULL;
     QemuOpts *opts;
+    const char *type = qdict_get_try_str(qdict, "type");
 
+    if (type && is_help_option(type)) {
+        show_netdevs();
+        return;
+    }
     opts = qemu_opts_from_qdict(qemu_find_opts("netdev"), qdict, &err);
     if (err) {
         goto out;
diff --git a/net/net.c b/net/net.c
index XXXXXXX..XXXXXXX 100644
--- a/net/net.c
+++ b/net/net.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/config-file.h"
 #include "qemu/ctype.h"
 #include "qemu/iov.h"
+#include "qemu/qemu-print.h"
 #include "qemu/main-loop.h"
 #include "qemu/option.h"
 #include "qapi/error.h"
@@ -XXX,XX +XXX,XX @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
     return 0;
 }
 
-static void show_netdevs(void)
+void show_netdevs(void)
 {
     int idx;
     const char *available_netdevs[] = {
@@ -XXX,XX +XXX,XX @@ static void show_netdevs(void)
 #endif
     };
 
-    printf("Available netdev backend types:\n");
+    qemu_printf("Available netdev backend types:\n");
     for (idx = 0; idx < ARRAY_SIZE(available_netdevs); idx++) {
-        puts(available_netdevs[idx]);
+        qemu_printf("%s\n", available_netdevs[idx]);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
     int ret = -1;
     Visitor *v = opts_visitor_new(opts);
 
-    const char *type = qemu_opt_get(opts, "type");
-
-    if (is_netdev && type && is_help_option(type)) {
-        show_netdevs();
-        exit(0);
-    } else {
-        /* Parse convenience option format ip6-net=fec0::0[/64] */
-        const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
+    /* Parse convenience option format ip6-net=fec0::0[/64] */
+    const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
 
-        if (ip6_net) {
-            char *prefix_addr;
-            unsigned long prefix_len = 64; /* Default 64bit prefix length. */
+    if (ip6_net) {
+        char *prefix_addr;
+        unsigned long prefix_len = 64; /* Default 64bit prefix length. */
 
-            substrings = g_strsplit(ip6_net, "/", 2);
-            if (!substrings || !substrings[0]) {
-                error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
-                           "a valid IPv6 prefix");
-                goto out;
-            }
+        substrings = g_strsplit(ip6_net, "/", 2);
+        if (!substrings || !substrings[0]) {
+            error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
+                       "a valid IPv6 prefix");
+            goto out;
+        }
 
-            prefix_addr = substrings[0];
+        prefix_addr = substrings[0];
 
-            /* Handle user-specified prefix length. */
-            if (substrings[1] &&
-                qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
-            {
-                error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
-                           "ipv6-prefixlen", "a number");
-                goto out;
-            }
-
-            qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
-            qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
-                                &error_abort);
-            qemu_opt_unset(opts, "ipv6-net");
+        /* Handle user-specified prefix length. */
+        if (substrings[1] &&
+            qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
+        {
+            error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
+                       "ipv6-prefixlen", "a number");
+            goto out;
         }
+
+        qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
+        qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
+                            &error_abort);
+        qemu_opt_unset(opts, "ipv6-net");
     }
 
     /* Create an ID for -net if the user did not specify one */
@@ -XXX,XX +XXX,XX @@ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
 
 static int net_init_netdev(void *dummy, QemuOpts *opts, Error **errp)
 {
+    const char *type = qemu_opt_get(opts, "type");
+
+    if (type && is_help_option(type)) {
+        show_netdevs();
+        exit(0);
+    }
     return net_client_init(opts, true, errp);
 }
 
-- 
2.7.4

From: Yuri Benditovich <yuri.benditovich@daynix.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1829272
When deleting queue pair, purge pending RX packets if any.
Example of problematic flow:
1. Bring up q35 VM with tap (vhost off) and virtio-net or e1000e
2. Run ping flood to the VM NIC ( 1 ms interval)
3. Hot unplug the NIC device (device_del)
   During unplug process one or more packets come, the NIC
   can't receive, tap disables read_poll
4. Hot plug the device (device_add) with the same netdev
The tap stays with read_poll disabled and does not receive
any packets anymore (tap_send never triggered)

Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/net.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/net.c b/net/net.c
index XXXXXXX..XXXXXXX 100644
--- a/net/net.c
+++ b/net/net.c
@@ -XXX,XX +XXX,XX @@ void qemu_del_nic(NICState *nic)
 
     qemu_macaddr_set_free(&nic->conf->macaddr);
 
-    /* If this is a peer NIC and peer has already been deleted, free it now. */
-    if (nic->peer_deleted) {
-        for (i = 0; i < queues; i++) {
-            qemu_free_net_client(qemu_get_subqueue(nic, i)->peer);
+    for (i = 0; i < queues; i++) {
+        NetClientState *nc = qemu_get_subqueue(nic, i);
+        /* If this is a peer NIC and peer has already been deleted, free it now. */
+        if (nic->peer_deleted) {
+            qemu_free_net_client(nc->peer);
+        } else if (nc->peer) {
+            /* if there are RX packets pending, complete them */
+            qemu_purge_queued_packets(nc->peer);
         }
     }
 
-- 
2.7.4

From: yuanjungong <ruc_gongyuanjun@163.com>

Close fd before returning.

Buglink: https://bugs.launchpad.net/qemu/+bug/1904486

Signed-off-by: yuanjungong <ruc_gongyuanjun@163.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/tap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tap.c b/net/tap.c
index XXXXXXX..XXXXXXX 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
         if (ret < 0) {
             error_setg_errno(errp, -ret, "%s: Can't use file descriptor %d",
                              name, fd);
+            close(fd);
             return -1;
         }
 
@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
                          vhostfdname, vnet_hdr, fd, &err);
         if (err) {
             error_propagate(errp, err);
+            close(fd);
             return -1;
         }
     } else if (tap->has_fds) {
-- 
2.7.4