1
The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:
1
The following changes since commit d1fe59377bbbf91dfded1f08ffe3c636e9db8dc0:
2
2
3
Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' into staging (2020-11-23 18:51:13 +0000)
3
Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.2-pull-request' into staging (2021-09-16 16:02:31 +0100)
4
4
5
are available in the git repository at:
5
are available in the git repository at:
6
6
7
https://github.com/jasowang/qemu.git tags/net-pull-request
7
https://github.com/jasowang/qemu.git tags/net-pull-request
8
8
9
for you to fetch changes up to 9925990d01a92564af55f6f69d0f5f59b47609b1:
9
for you to fetch changes up to bedd7e93d01961fcb16a97ae45d93acf357e11f6:
10
10
11
net: Use correct default-path macro for downscript (2020-11-24 10:40:17 +0800)
11
virtio-net: fix use after unmap/free for sg (2021-09-17 16:07:52 +0800)
12
12
13
----------------------------------------------------------------
13
----------------------------------------------------------------
14
14
15
----------------------------------------------------------------
15
----------------------------------------------------------------
16
Keqian Zhu (1):
16
Jason Wang (1):
17
net: Use correct default-path macro for downscript
17
virtio-net: fix use after unmap/free for sg
18
18
19
Paolo Bonzini (1):
19
Paolo Bonzini (1):
20
net: do not exit on "netdev_add help" monitor command
20
ebpf: only include in system emulators
21
21
22
Prasad J Pandit (1):
22
ebpf/meson.build | 2 +-
23
hw/net/e1000e: advance desc_offset in case of null descriptor
23
hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
24
24
2 files changed, 33 insertions(+), 8 deletions(-)
25
Yuri Benditovich (1):
26
net: purge queued rx packets on queue deletion
27
28
yuanjungong (1):
29
tap: fix a memory leak
30
31
hw/net/e1000e_core.c | 8 +++---
32
include/net/net.h | 1 +
33
monitor/hmp-cmds.c | 6 ++++
34
net/net.c | 80 +++++++++++++++++++++++++++-------------------------
35
net/tap.c | 5 +++-
36
5 files changed, 57 insertions(+), 43 deletions(-)
37
25
38
26
Deleted patch
1
From: Prasad J Pandit <pjp@fedoraproject.org>
2
1
3
While receiving packets via e1000e_write_packet_to_guest() routine,
4
'desc_offset' is advanced only when RX descriptor is processed. And
5
RX descriptor is not processed if it has NULL buffer address.
6
This may lead to an infinite loop condition. Increment 'desc_offset'
7
to process next descriptor in the ring to avoid infinite loop.
8
9
Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
10
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
11
Signed-off-by: Jason Wang <jasowang@redhat.com>
12
---
13
hw/net/e1000e_core.c | 8 ++++----
14
1 file changed, 4 insertions(+), 4 deletions(-)
15
16
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
17
index XXXXXXX..XXXXXXX 100644
18
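--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -XXX,XX +XXX,XX @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
 (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
 }
 }
- desc_offset += desc_size;
- if (desc_offset >= total_size) {
- is_last = true;
- }
 } else { /* as per intel docs; skip descriptors with null buf addr */
 trace_e1000e_rx_null_descriptor();
 }
+ desc_offset += desc_size;
+ if (desc_offset >= total_size) {
+ is_last = true;
+ }

 e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
 rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);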
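Review bot: The retained comment on the else branch still says null-address descriptors are skipped, but with `desc_offset += desc_size;` now running for them too, each such descriptor also consumes `desc_size` bytes of the packet that were never written to guest memory, and `is_last` can become true on a descriptor that received no data. That is what bounds the loop when the guest posts null descriptors, but the trade-off deserves a line in the code, e.g. `/* null buffer: still account for desc_size so the loop terminates; that part of the packet is not delivered */`. How `desc_size` is derived is outside the hunk, so confirm it cannot be zero here, since the loop would then still fail to advance. The function body starts and ends outside the hunk.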
38
--
39
2.7.4
40
41
1
From: Paolo Bonzini <pbonzini@redhat.com>
1
From: Paolo Bonzini <pbonzini@redhat.com>
2
2
3
"netdev_add help" is causing QEMU to exit because the code that
3
eBPF files are being included in user emulators, which is useless and
4
invokes show_netdevs is shared between CLI and HMP processing.
4
also breaks compilation because ebpf/trace-events is only processed
5
Move the check to the callers so that exit(0) remains only
5
if a system emulator is included in the build.
6
in the CLI flow.
7
6
8
"netdev_add help" is not fixed by this patch; that is left for
7
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/566
9
later work.
10
11
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
12
Signed-off-by: Jason Wang <jasowang@redhat.com>
9
Signed-off-by: Jason Wang <jasowang@redhat.com>
13
---
10
---
14
include/net/net.h | 1 +
11
ebpf/meson.build | 2 +-
15
monitor/hmp-cmds.c | 6 +++++
12
1 file changed, 1 insertion(+), 1 deletion(-)
16
net/net.c | 68 +++++++++++++++++++++++++++---------------------------
17
3 files changed, 41 insertions(+), 34 deletions(-)
18
13
19
diff --git a/include/net/net.h b/include/net/net.h
14
diff --git a/ebpf/meson.build b/ebpf/meson.build
20
index XXXXXXX..XXXXXXX 100644
15
index XXXXXXX..XXXXXXX 100644
21
--- a/include/net/net.h
16
--- a/ebpf/meson.build
22
+++ b/include/net/net.h
17
+++ b/ebpf/meson.build
23
@@ -XXX,XX +XXX,XX @@ extern const char *host_net_devices[];
18
@@ -1 +1 @@
24
19
-common_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
25
/* from net.c */
20
+softmmu_ss.add(when: libbpf, if_true: files('ebpf_rss.c'), if_false: files('ebpf_rss-stub.c'))
26
int net_client_parse(QemuOptsList *opts_list, const char *str);
27
+void show_netdevs(void);
28
int net_init_clients(Error **errp);
29
void net_check_clients(void);
30
void net_cleanup(void);
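Review bot: `show_netdevs()` becomes part of the public net API in this hunk but is declared without a comment, and its contract has changed: it is now reachable from a monitor command, so it must neither exit nor write to stdout directly. A one-line comment on the declaration would keep later callers from reintroducing either, for example `/* Print the available netdev backend types via qemu_printf(); never exits, so it may be called from a monitor command. */`.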
31
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
32
index XXXXXXX..XXXXXXX 100644
33
--- a/monitor/hmp-cmds.c
34
+++ b/monitor/hmp-cmds.c
35
@@ -XXX,XX +XXX,XX @@
36
#include "qemu/option.h"
37
#include "qemu/timer.h"
38
#include "qemu/sockets.h"
39
+#include "qemu/help_option.h"
40
#include "monitor/monitor-internal.h"
41
#include "qapi/error.h"
42
#include "qapi/clone-visitor.h"
43
@@ -XXX,XX +XXX,XX @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict)
44
{
45
Error *err = NULL;
46
QemuOpts *opts;
47
+ const char *type = qdict_get_try_str(qdict, "type");
48
49
+ if (type && is_help_option(type)) {
50
+ show_netdevs();
51
+ return;
52
+ }
53
opts = qemu_opts_from_qdict(qemu_find_opts("netdev"), qdict, &err);
54
if (err) {
55
goto out;
56
diff --git a/net/net.c b/net/net.c
57
index XXXXXXX..XXXXXXX 100644
58
--- a/net/net.c
59
+++ b/net/net.c
60
@@ -XXX,XX +XXX,XX @@
61
#include "qemu/config-file.h"
62
#include "qemu/ctype.h"
63
#include "qemu/iov.h"
64
+#include "qemu/qemu-print.h"
65
#include "qemu/main-loop.h"
66
#include "qemu/option.h"
67
#include "qapi/error.h"
68
@@ -XXX,XX +XXX,XX @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
69
return 0;
70
}
71
72
-static void show_netdevs(void)
73
+void show_netdevs(void)
74
{
75
int idx;
76
const char *available_netdevs[] = {
77
@@ -XXX,XX +XXX,XX @@ static void show_netdevs(void)
78
#endif
79
};
80
81
- printf("Available netdev backend types:\n");
82
+ qemu_printf("Available netdev backend types:\n");
83
for (idx = 0; idx < ARRAY_SIZE(available_netdevs); idx++) {
84
- puts(available_netdevs[idx]);
85
+ qemu_printf("%s\n", available_netdevs[idx]);
86
}
87
}
88
89
@@ -XXX,XX +XXX,XX @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
90
int ret = -1;
91
Visitor *v = opts_visitor_new(opts);
92
93
- const char *type = qemu_opt_get(opts, "type");
94
-
95
- if (is_netdev && type && is_help_option(type)) {
96
- show_netdevs();
97
- exit(0);
98
- } else {
99
- /* Parse convenience option format ip6-net=fec0::0[/64] */
100
- const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
101
+ /* Parse convenience option format ip6-net=fec0::0[/64] */
102
+ const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
103
104
- if (ip6_net) {
105
- char *prefix_addr;
106
- unsigned long prefix_len = 64; /* Default 64bit prefix length. */
107
+ if (ip6_net) {
108
+ char *prefix_addr;
109
+ unsigned long prefix_len = 64; /* Default 64bit prefix length. */
110
111
- substrings = g_strsplit(ip6_net, "/", 2);
112
- if (!substrings || !substrings[0]) {
113
- error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
114
- "a valid IPv6 prefix");
115
- goto out;
116
- }
117
+ substrings = g_strsplit(ip6_net, "/", 2);
118
+ if (!substrings || !substrings[0]) {
119
+ error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
120
+ "a valid IPv6 prefix");
121
+ goto out;
122
+ }
123
124
- prefix_addr = substrings[0];
125
+ prefix_addr = substrings[0];
126
127
- /* Handle user-specified prefix length. */
128
- if (substrings[1] &&
129
- qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
130
- {
131
- error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
132
- "ipv6-prefixlen", "a number");
133
- goto out;
134
- }
135
-
136
- qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
137
- qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
138
- &error_abort);
139
- qemu_opt_unset(opts, "ipv6-net");
140
+ /* Handle user-specified prefix length. */
141
+ if (substrings[1] &&
142
+ qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
143
+ {
144
+ error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
145
+ "ipv6-prefixlen", "a number");
146
+ goto out;
147
}
148
+
149
+ qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
150
+ qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
151
+ &error_abort);
152
+ qemu_opt_unset(opts, "ipv6-net");
153
}
154
155
/* Create an ID for -net if the user did not specify one */
156
@@ -XXX,XX +XXX,XX @@ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
157
158
static int net_init_netdev(void *dummy, QemuOpts *opts, Error **errp)
159
{
160
+ const char *type = qemu_opt_get(opts, "type");
161
+
162
+ if (type && is_help_option(type)) {
163
+ show_netdevs();
164
+ exit(0);
165
+ }
166
return net_client_init(opts, true, errp);
167
}
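Review bot: In the re-indented `ipv6-net` block of net_client_init(), the prefix length parsed by `qemu_strtoul(substrings[1], NULL, 10, &prefix_len)` is passed to `qemu_opt_set_number()` with no range check in the visible lines. If no later stage bounds it, adding `|| prefix_len > 128` to the existing condition would reject out-of-range values at the point where the user-supplied string is parsed; whether the backend validates it again is not visible here. net_client_init() continues outside the hunk.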
168
169
--
21
--
170
2.7.4
22
2.7.4
171
23
172
24
Deleted patch
1
From: Yuri Benditovich <yuri.benditovich@daynix.com>
2
1
3
https://bugzilla.redhat.com/show_bug.cgi?id=1829272
4
When deleting queue pair, purge pending RX packets if any.
5
Example of problematic flow:
6
1. Bring up q35 VM with tap (vhost off) and virtio-net or e1000e
7
2. Run ping flood to the VM NIC ( 1 ms interval)
8
3. Hot unplug the NIC device (device_del)
9
During unplug process one or more packets come, the NIC
10
can't receive, tap disables read_poll
11
4. Hot plug the device (device_add) with the same netdev
12
The tap stays with read_poll disabled and does not receive
13
any packets anymore (tap_send never triggered)
14
15
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
16
Signed-off-by: Jason Wang <jasowang@redhat.com>
17
---
18
net/net.c | 12 ++++++++----
19
1 file changed, 8 insertions(+), 4 deletions(-)
20
21
diff --git a/net/net.c b/net/net.c
22
index XXXXXXX..XXXXXXX 100644
23
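--- a/net/net.c
+++ b/net/net.c
@@ -XXX,XX +XXX,XX @@ void qemu_del_nic(NICState *nic)

 qemu_macaddr_set_free(&nic->conf->macaddr);

- /* If this is a peer NIC and peer has already been deleted, free it now. */
- if (nic->peer_deleted) {
- for (i = 0; i < queues; i++) {
- qemu_free_net_client(qemu_get_subqueue(nic, i)->peer);
+ for (i = 0; i < queues; i++) {
+ NetClientState *nc = qemu_get_subqueue(nic, i);
+ /* If this is a peer NIC and peer has already been deleted, free it now. */
+ if (nic->peer_deleted) {
+ qemu_free_net_client(nc->peer);
+ } else if (nc->peer) {
+ /* if there are RX packets pending, complete them */
+ qemu_purge_queued_packets(nc->peer);
 }
 }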
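Review bot: The new comment `/* if there are RX packets pending, complete them */` does not say why the purge matters, and the reason is not obvious from the call. Per the commit message, the tap backend disables read_poll when the NIC cannot receive and never resumes after the device is plugged back in unless the pending packets are dealt with. Suggest `/* Purge packets the peer still has queued for this NIC; otherwise the peer can stay stalled after hot-unplug and re-plug. */`. The `peer_deleted` branch also dereferences `nc->peer` without the NULL check the new `else if` uses; that may be guaranteed by `peer_deleted`, but it is not visible in the hunk. qemu_del_nic() starts and ends outside the hunk.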
43
44
--
45
2.7.4
46
47
Deleted patch
1
From: yuanjungong <ruc_gongyuanjun@163.com>
2
1
3
Close fd before returning.
4
5
Buglink: https://bugs.launchpad.net/qemu/+bug/1904486
6
7
Signed-off-by: yuanjungong <ruc_gongyuanjun@163.com>
8
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
9
Signed-off-by: Jason Wang <jasowang@redhat.com>
10
---
11
net/tap.c | 2 ++
12
1 file changed, 2 insertions(+)
13
14
diff --git a/net/tap.c b/net/tap.c
15
index XXXXXXX..XXXXXXX 100644
16
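--- a/net/tap.c
+++ b/net/tap.c
@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
 if (ret < 0) {
 error_setg_errno(errp, -ret, "%s: Can't use file descriptor %d",
 name, fd);
+ close(fd);
 return -1;
 }

@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
 vhostfdname, vnet_hdr, fd, &err);
 if (err) {
 error_propagate(errp, err);
+ close(fd);
 return -1;
 }
 } else if (tap->has_fds) {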
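Review bot: In the second hunk `close(fd)` runs after the helper that was handed `fd` has failed, and it is not visible here whether that helper already stored the descriptor in a net client or closed it during its own cleanup. If it did, this becomes a double close, or leaves a client holding a descriptor number the process may later reuse for something else. Worth confirming the ownership rule and recording it next to the call, e.g. `/* helper does not take ownership of fd on failure */`. The first hunk's `close(fd)` looks self-contained, though other early-return paths of net_init_tap() outside these hunks may need the same treatment.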
34
--
35
2.7.4
36
37
1
From: Keqian Zhu <zhukeqian1@huawei.com>
1
When mergeable buffer is enabled, we try to set the num_buffers after
2
the virtqueue elem has been unmapped. This will lead several issues,
3
E.g a use after free when the descriptor has an address which belongs
4
to the non direct access region. In this case we use bounce buffer
5
that is allocated during address_space_map() and freed during
6
address_space_unmap().
2
7
3
Fixes: 63c4db4c2e6d (net: relocate paths to helpers and scripts)
8
Fixing this by storing the elems temporarily in an array and delay the
4
Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
9
unmap after we set the num_buffers.
10
11
This addresses CVE-2021-3748.
12
13
Reported-by: Alexander Bulekov <alxndr@bu.edu>
14
Fixes: fbe78f4f55c6 ("virtio-net support")
15
Cc: qemu-stable@nongnu.org
5
Signed-off-by: Jason Wang <jasowang@redhat.com>
16
Signed-off-by: Jason Wang <jasowang@redhat.com>
6
---
17
---
7
net/tap.c | 3 ++-
18
hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
8
1 file changed, 2 insertions(+), 1 deletion(-)
19
1 file changed, 32 insertions(+), 7 deletions(-)
9
20
10
diff --git a/net/tap.c b/net/tap.c
21
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
11
index XXXXXXX..XXXXXXX 100644
22
index XXXXXXX..XXXXXXX 100644
12
--- a/net/tap.c
23
--- a/hw/net/virtio-net.c
13
+++ b/net/tap.c
24
+++ b/hw/net/virtio-net.c
14
@@ -XXX,XX +XXX,XX @@ free_fail:
25
@@ -XXX,XX +XXX,XX @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
15
script = default_script = get_relocated_path(DEFAULT_NETWORK_SCRIPT);
26
VirtIONet *n = qemu_get_nic_opaque(nc);
27
VirtIONetQueue *q = virtio_net_get_subqueue(nc);
28
VirtIODevice *vdev = VIRTIO_DEVICE(n);
29
+ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
30
+ size_t lens[VIRTQUEUE_MAX_SIZE];
31
struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
32
struct virtio_net_hdr_mrg_rxbuf mhdr;
33
unsigned mhdr_cnt = 0;
34
- size_t offset, i, guest_offset;
35
+ size_t offset, i, guest_offset, j;
36
+ ssize_t err;
37
38
if (!virtio_net_can_receive(nc)) {
39
return -1;
40
@@ -XXX,XX +XXX,XX @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
41
42
total = 0;
43
44
+ if (i == VIRTQUEUE_MAX_SIZE) {
45
+ virtio_error(vdev, "virtio-net unexpected long buffer chain");
46
+ err = size;
47
+ goto err;
48
+ }
49
+
50
elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
51
if (!elem) {
52
if (i) {
53
@@ -XXX,XX +XXX,XX @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
54
n->guest_hdr_len, n->host_hdr_len,
55
vdev->guest_features);
56
}
57
- return -1;
58
+ err = -1;
59
+ goto err;
16
}
60
}
17
if (!downscript) {
61
18
- downscript = default_downscript = get_relocated_path(DEFAULT_NETWORK_SCRIPT);
62
if (elem->in_num < 1) {
19
+ downscript = default_downscript =
63
@@ -XXX,XX +XXX,XX @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
20
+ get_relocated_path(DEFAULT_NETWORK_DOWN_SCRIPT);
64
"virtio-net receive queue contains no in buffers");
65
virtqueue_detach_element(q->rx_vq, elem, 0);
66
g_free(elem);
67
- return -1;
68
+ err = -1;
69
+ goto err;
21
}
70
}
22
71
23
if (tap->has_ifname) {
72
sg = elem->in_sg;
73
@@ -XXX,XX +XXX,XX @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
74
if (!n->mergeable_rx_bufs && offset < size) {
75
virtqueue_unpop(q->rx_vq, elem, total);
76
g_free(elem);
77
- return size;
78
+ err = size;
79
+ goto err;
80
}
81
82
- /* signal other side */
83
- virtqueue_fill(q->rx_vq, elem, total, i++);
84
- g_free(elem);
85
+ elems[i] = elem;
86
+ lens[i] = total;
87
+ i++;
88
}
89
90
if (mhdr_cnt) {
91
@@ -XXX,XX +XXX,XX @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
92
&mhdr.num_buffers, sizeof mhdr.num_buffers);
93
}
94
95
+ for (j = 0; j < i; j++) {
96
+ /* signal other side */
97
+ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
98
+ g_free(elems[j]);
99
+ }
100
+
101
virtqueue_flush(q->rx_vq, i);
102
virtio_notify(vdev, q->rx_vq);
103
104
return size;
105
+
106
+err:
107
+ for (j = 0; j < i; j++) {
108
+ g_free(elems[j]);
109
+ }
110
+
111
+ return err;
112
}
113
114
static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
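Review bot: The new `err:` path only calls `g_free(elems[j])` for the elements collected so far, so it never returns them to the queue or unmaps them; the single-element failure paths above it do, using `virtqueue_detach_element()` or `virtqueue_unpop()` before freeing. Since the commit message says bounce buffers are released in address_space_unmap(), any cached element that got one stays mapped on every failed receive, and a guest able to hit the error path repeatedly could make the host leak those mappings. Suggest detaching before freeing: `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` ahead of `g_free(elems[j]);` in that loop. Separately, `elems` and `lens` add two more VIRTQUEUE_MAX_SIZE arrays to this stack frame next to `mhdr_sg`. virtio_net_receive_rcu() is only partly visible in these hunks.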
24
--
115
--
25
2.7.4
116
2.7.4
26
117
27
118