1
The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:
1
The following changes since commit 44a3aa0608f01274418487b655d42467c1d8334e:
2
2
3
Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' into staging (2020-11-23 18:51:13 +0000)
3
Merge tag 'sev-hashes-pull-request' of https://gitlab.com/berrange/qemu into staging (2021-11-18 15:06:05 +0100)
4
4
5
are available in the git repository at:
5
are available in the git repository at:
6
6
7
https://github.com/jasowang/qemu.git tags/net-pull-request
7
https://github.com/jasowang/qemu.git tags/net-pull-request
8
8
9
for you to fetch changes up to 9925990d01a92564af55f6f69d0f5f59b47609b1:
9
for you to fetch changes up to 0656fbc7ddccdade1709742a9b56ae07dd3c280a:
10
10
11
net: Use correct default-path macro for downscript (2020-11-24 10:40:17 +0800)
11
net/colo-compare.c: Fix incorrect return when input wrong size (2021-11-19 11:44:22 +0800)
12
12
13
----------------------------------------------------------------
13
----------------------------------------------------------------
14
14
15
----------------------------------------------------------------
15
----------------------------------------------------------------
16
Keqian Zhu (1):
16
Prasad J Pandit (1):
17
net: Use correct default-path macro for downscript
17
net: vmxnet3: validate configuration values during activate (CVE-2021-20203)
18
18
19
Paolo Bonzini (1):
19
Zhang Chen (2):
20
net: do not exit on "netdev_add help" monitor command
20
net/colo-compare.c: Fix ACK track reverse issue
21
net/colo-compare.c: Fix incorrect return when input wrong size
21
22
22
Prasad J Pandit (1):
23
hw/net/vmxnet3.c | 13 +++++++++++++
23
hw/net/e1000e: advance desc_offset in case of null descriptor
24
net/colo-compare.c | 8 +++++---
24
25
2 files changed, 18 insertions(+), 3 deletions(-)
25
Yuri Benditovich (1):
26
net: purge queued rx packets on queue deletion
27
28
yuanjungong (1):
29
tap: fix a memory leak
30
31
hw/net/e1000e_core.c | 8 +++---
32
include/net/net.h | 1 +
33
monitor/hmp-cmds.c | 6 ++++
34
net/net.c | 80 +++++++++++++++++++++++++++-------------------------
35
net/tap.c | 5 +++-
36
5 files changed, 57 insertions(+), 43 deletions(-)
37
26
38
27
28
1
From: Prasad J Pandit <pjp@fedoraproject.org>
1
From: Prasad J Pandit <pjp@fedoraproject.org>
2
2
3
While receiving packets via e1000e_write_packet_to_guest() routine,
3
While activating the device in vmxnet3_activate_device(), it does not
4
'desc_offset' is advanced only when RX descriptor is processed. And
4
validate guest supplied configuration values against predefined
5
RX descriptor is not processed if it has NULL buffer address.
5
minimum - maximum limits. This may lead to integer overflow or
6
This may lead to an infinite loop condition. Increment 'desc_offset'
6
OOB access issues. Add checks to avoid it.
7
to process next descriptor in the ring to avoid infinite loop.
8
7
9
Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
8
Fixes: CVE-2021-20203
9
Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
10
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
10
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
11
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
11
Signed-off-by: Jason Wang <jasowang@redhat.com>
12
Signed-off-by: Jason Wang <jasowang@redhat.com>
12
---
13
---
13
hw/net/e1000e_core.c | 8 ++++----
14
hw/net/vmxnet3.c | 13 +++++++++++++
14
1 file changed, 4 insertions(+), 4 deletions(-)
15
1 file changed, 13 insertions(+)
15
16
16
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
17
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
17
index XXXXXXX..XXXXXXX 100644
18
index XXXXXXX..XXXXXXX 100644
18
--- a/hw/net/e1000e_core.c
19
--- a/hw/net/vmxnet3.c
19
+++ b/hw/net/e1000e_core.c
20
+++ b/hw/net/vmxnet3.c
20
@@ -XXX,XX +XXX,XX @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
21
@@ -XXX,XX +XXX,XX @@ static void vmxnet3_activate_device(VMXNET3State *s)
21
(const char *) &fcs_pad, e1000x_fcs_len(core->mac));
22
vmxnet3_setup_rx_filtering(s);
22
}
23
/* Cache fields from shared memory */
23
}
24
s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
24
- desc_offset += desc_size;
25
+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
25
- if (desc_offset >= total_size) {
26
VMW_CFPRN("MTU is %u", s->mtu);
26
- is_last = true;
27
27
- }
28
s->max_rx_frags =
28
} else { /* as per intel docs; skip descriptors with null buf addr */
29
@@ -XXX,XX +XXX,XX @@ static void vmxnet3_activate_device(VMXNET3State *s)
29
trace_e1000e_rx_null_descriptor();
30
/* Read rings memory locations for TX queues */
30
}
31
pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
31
+ desc_offset += desc_size;
32
size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
32
+ if (desc_offset >= total_size) {
33
+ if (size > VMXNET3_TX_RING_MAX_SIZE) {
33
+ is_last = true;
34
+ size = VMXNET3_TX_RING_MAX_SIZE;
34
+ }
35
+ }
35
36
36
e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
37
vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
37
rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
38
sizeof(struct Vmxnet3_TxDesc), false);
39
@@ -XXX,XX +XXX,XX @@ static void vmxnet3_activate_device(VMXNET3State *s)
40
/* TXC ring */
41
pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
42
size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
43
+ if (size > VMXNET3_TC_RING_MAX_SIZE) {
44
+ size = VMXNET3_TC_RING_MAX_SIZE;
45
+ }
46
vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
47
sizeof(struct Vmxnet3_TxCompDesc), true);
48
VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
49
@@ -XXX,XX +XXX,XX @@ static void vmxnet3_activate_device(VMXNET3State *s)
50
/* RX rings */
51
pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
52
size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
53
+ if (size > VMXNET3_RX_RING_MAX_SIZE) {
54
+ size = VMXNET3_RX_RING_MAX_SIZE;
55
+ }
56
vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
57
sizeof(struct Vmxnet3_RxDesc), false);
58
VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
59
@@ -XXX,XX +XXX,XX @@ static void vmxnet3_activate_device(VMXNET3State *s)
60
/* RXC ring */
61
pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
62
size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
63
+ if (size > VMXNET3_RC_RING_MAX_SIZE) {
64
+ size = VMXNET3_RC_RING_MAX_SIZE;
65
+ }
66
vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
67
sizeof(struct Vmxnet3_RxCompDesc), true);
68
VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
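Review bot: The added `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);` aborts the whole QEMU process on a value the guest driver writes into shared memory, so a buggy or hostile guest can still take the VM down where the rest of this hunk only clamps; a guest-triggerable assert is a denial-of-service path, not input validation. Since vmxnet3_activate_device() returns void (per the hunk header), the safer shape is to reject the configuration and leave the device inactive: `if (s->mtu < VMXNET3_MIN_MTU || s->mtu >= VMXNET3_MAX_MTU) {` followed by `VMW_CFPRN("MTU %u out of range, device not activated", s->mtu);` and `return;`, provided nothing earlier in the function has already committed activation state (its start is outside the hunk). The ring-size checks silently shrink the ring the guest asked for, which keeps the device in bounds but lets the guest's view of the ring diverge from the device's; a one-line comment at the first clamp saying this is a deliberate clamp rather than a rejection would help later readers. The MTU bounds also mix an inclusive lower and an exclusive upper limit; confirm that matches how VMXNET3_MAX_MTU is defined.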
38
--
69
--
39
2.7.4
70
2.7.4
40
71
41
72
Deleted patch
1
From: Paolo Bonzini <pbonzini@redhat.com>
2
1
3
"netdev_add help" is causing QEMU to exit because the code that
4
invokes show_netdevs is shared between CLI and HMP processing.
5
Move the check to the callers so that exit(0) remains only
6
in the CLI flow.
7
8
"netdev_add help" is not fixed by this patch; that is left for
9
later work.
10
11
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
12
Signed-off-by: Jason Wang <jasowang@redhat.com>
13
---
14
include/net/net.h | 1 +
15
monitor/hmp-cmds.c | 6 +++++
16
net/net.c | 68 +++++++++++++++++++++++++++---------------------------
17
3 files changed, 41 insertions(+), 34 deletions(-)
18
19
diff --git a/include/net/net.h b/include/net/net.h
20
index XXXXXXX..XXXXXXX 100644
21
--- a/include/net/net.h
22
+++ b/include/net/net.h
23
@@ -XXX,XX +XXX,XX @@ extern const char *host_net_devices[];
24
25
/* from net.c */
26
int net_client_parse(QemuOptsList *opts_list, const char *str);
27
+void show_netdevs(void);
28
int net_init_clients(Error **errp);
29
void net_check_clients(void);
30
void net_cleanup(void);
31
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
32
index XXXXXXX..XXXXXXX 100644
33
--- a/monitor/hmp-cmds.c
34
+++ b/monitor/hmp-cmds.c
35
@@ -XXX,XX +XXX,XX @@
36
#include "qemu/option.h"
37
#include "qemu/timer.h"
38
#include "qemu/sockets.h"
39
+#include "qemu/help_option.h"
40
#include "monitor/monitor-internal.h"
41
#include "qapi/error.h"
42
#include "qapi/clone-visitor.h"
43
@@ -XXX,XX +XXX,XX @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict)
44
{
45
Error *err = NULL;
46
QemuOpts *opts;
47
+ const char *type = qdict_get_try_str(qdict, "type");
48
49
+ if (type && is_help_option(type)) {
50
+ show_netdevs();
51
+ return;
52
+ }
53
opts = qemu_opts_from_qdict(qemu_find_opts("netdev"), qdict, &err);
54
if (err) {
55
goto out;
56
diff --git a/net/net.c b/net/net.c
57
index XXXXXXX..XXXXXXX 100644
58
--- a/net/net.c
59
+++ b/net/net.c
60
@@ -XXX,XX +XXX,XX @@
61
#include "qemu/config-file.h"
62
#include "qemu/ctype.h"
63
#include "qemu/iov.h"
64
+#include "qemu/qemu-print.h"
65
#include "qemu/main-loop.h"
66
#include "qemu/option.h"
67
#include "qapi/error.h"
68
@@ -XXX,XX +XXX,XX @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
69
return 0;
70
}
71
72
-static void show_netdevs(void)
73
+void show_netdevs(void)
74
{
75
int idx;
76
const char *available_netdevs[] = {
77
@@ -XXX,XX +XXX,XX @@ static void show_netdevs(void)
78
#endif
79
};
80
81
- printf("Available netdev backend types:\n");
82
+ qemu_printf("Available netdev backend types:\n");
83
for (idx = 0; idx < ARRAY_SIZE(available_netdevs); idx++) {
84
- puts(available_netdevs[idx]);
85
+ qemu_printf("%s\n", available_netdevs[idx]);
86
}
87
}
88
89
@@ -XXX,XX +XXX,XX @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
90
int ret = -1;
91
Visitor *v = opts_visitor_new(opts);
92
93
- const char *type = qemu_opt_get(opts, "type");
94
-
95
- if (is_netdev && type && is_help_option(type)) {
96
- show_netdevs();
97
- exit(0);
98
- } else {
99
- /* Parse convenience option format ip6-net=fec0::0[/64] */
100
- const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
101
+ /* Parse convenience option format ip6-net=fec0::0[/64] */
102
+ const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
103
104
- if (ip6_net) {
105
- char *prefix_addr;
106
- unsigned long prefix_len = 64; /* Default 64bit prefix length. */
107
+ if (ip6_net) {
108
+ char *prefix_addr;
109
+ unsigned long prefix_len = 64; /* Default 64bit prefix length. */
110
111
- substrings = g_strsplit(ip6_net, "/", 2);
112
- if (!substrings || !substrings[0]) {
113
- error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
114
- "a valid IPv6 prefix");
115
- goto out;
116
- }
117
+ substrings = g_strsplit(ip6_net, "/", 2);
118
+ if (!substrings || !substrings[0]) {
119
+ error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "ipv6-net",
120
+ "a valid IPv6 prefix");
121
+ goto out;
122
+ }
123
124
- prefix_addr = substrings[0];
125
+ prefix_addr = substrings[0];
126
127
- /* Handle user-specified prefix length. */
128
- if (substrings[1] &&
129
- qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
130
- {
131
- error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
132
- "ipv6-prefixlen", "a number");
133
- goto out;
134
- }
135
-
136
- qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
137
- qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
138
- &error_abort);
139
- qemu_opt_unset(opts, "ipv6-net");
140
+ /* Handle user-specified prefix length. */
141
+ if (substrings[1] &&
142
+ qemu_strtoul(substrings[1], NULL, 10, &prefix_len))
143
+ {
144
+ error_setg(errp, QERR_INVALID_PARAMETER_VALUE,
145
+ "ipv6-prefixlen", "a number");
146
+ goto out;
147
}
148
+
149
+ qemu_opt_set(opts, "ipv6-prefix", prefix_addr, &error_abort);
150
+ qemu_opt_set_number(opts, "ipv6-prefixlen", prefix_len,
151
+ &error_abort);
152
+ qemu_opt_unset(opts, "ipv6-net");
153
}
154
155
/* Create an ID for -net if the user did not specify one */
156
@@ -XXX,XX +XXX,XX @@ static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
157
158
static int net_init_netdev(void *dummy, QemuOpts *opts, Error **errp)
159
{
160
+ const char *type = qemu_opt_get(opts, "type");
161
+
162
+ if (type && is_help_option(type)) {
163
+ show_netdevs();
164
+ exit(0);
165
+ }
166
return net_client_init(opts, true, errp);
167
}
168
169
--
170
2.7.4
171
172
1
From: Keqian Zhu <zhukeqian1@huawei.com>
1
From: Zhang Chen <chen.zhang@intel.com>
2
2
3
Fixes: 63c4db4c2e6d (net: relocate paths to helpers and scripts)
3
The TCP protocol ACK maybe bigger than uint32_t MAX.
4
Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
4
When that happens, the ACK wraps around to 0. This patch
5
fixes the max_ack and min_ack tracking issue.
6
7
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
5
Signed-off-by: Jason Wang <jasowang@redhat.com>
8
Signed-off-by: Jason Wang <jasowang@redhat.com>
6
---
9
---
7
net/tap.c | 3 ++-
10
net/colo-compare.c | 6 ++++--
8
1 file changed, 2 insertions(+), 1 deletion(-)
11
1 file changed, 4 insertions(+), 2 deletions(-)
9
12
10
diff --git a/net/tap.c b/net/tap.c
13
diff --git a/net/colo-compare.c b/net/colo-compare.c
11
index XXXXXXX..XXXXXXX 100644
14
index XXXXXXX..XXXXXXX 100644
12
--- a/net/tap.c
15
--- a/net/colo-compare.c
13
+++ b/net/tap.c
16
+++ b/net/colo-compare.c
14
@@ -XXX,XX +XXX,XX @@ free_fail:
17
@@ -XXX,XX +XXX,XX @@ static void fill_pkt_tcp_info(void *data, uint32_t *max_ack)
15
script = default_script = get_relocated_path(DEFAULT_NETWORK_SCRIPT);
18
16
}
19
pkt->tcp_seq = ntohl(tcphd->th_seq);
17
if (!downscript) {
20
pkt->tcp_ack = ntohl(tcphd->th_ack);
18
- downscript = default_downscript = get_relocated_path(DEFAULT_NETWORK_SCRIPT);
21
- *max_ack = *max_ack > pkt->tcp_ack ? *max_ack : pkt->tcp_ack;
19
+ downscript = default_downscript =
22
+ /* Need to consider ACK will bigger than uint32_t MAX */
20
+ get_relocated_path(DEFAULT_NETWORK_DOWN_SCRIPT);
23
+ *max_ack = pkt->tcp_ack - *max_ack > 0 ? pkt->tcp_ack : *max_ack;
21
}
24
pkt->header_size = pkt->transport_header - (uint8_t *)pkt->data
22
25
+ (tcphd->th_off << 2);
23
if (tap->has_ifname) {
26
pkt->payload_size = pkt->size - pkt->header_size;
27
@@ -XXX,XX +XXX,XX @@ static void colo_compare_tcp(CompareState *s, Connection *conn)
28
* can ensure that the packet's payload is acknowledged by
29
* primary and secondary.
30
*/
31
- uint32_t min_ack = conn->pack > conn->sack ? conn->sack : conn->pack;
32
+ uint32_t min_ack = conn->pack - conn->sack > 0 ?
33
+ conn->sack : conn->pack;
34
35
pri:
36
if (g_queue_is_empty(&conn->primary_list)) {
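Review bot: The new comparison `*max_ack = pkt->tcp_ack - *max_ack > 0 ? pkt->tcp_ack : *max_ack;` does not do what the comment above it says: `*max_ack` is a `uint32_t` (hunk header) and `pkt->tcp_ack` is assigned from `ntohl()`, so if that field is `uint32_t` too the subtraction is unsigned, is never negative, and `> 0` reduces to `!=`, leaving `*max_ack` simply following the most recent ACK instead of the largest one modulo 2^32. Wraparound-aware sequence comparison needs the difference reinterpreted as signed: `*max_ack = (int32_t)(pkt->tcp_ack - *max_ack) > 0 ? pkt->tcp_ack : *max_ack;`. The second hunk in colo_compare_tcp() has the same issue and would become `uint32_t min_ack = (int32_t)(conn->pack - conn->sack) > 0 ? conn->sack : conn->pack;`, assuming conn->pack and conn->sack are also 32-bit unsigned, which the hunk does not show. Both enclosing functions start and end outside their hunks.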
24
--
37
--
25
2.7.4
38
2.7.4
26
39
27
40
1
From: Yuri Benditovich <yuri.benditovich@daynix.com>
1
From: Zhang Chen <chen.zhang@intel.com>
2
2
3
https://bugzilla.redhat.com/show_bug.cgi?id=1829272
3
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
4
When deleting queue pair, purge pending RX packets if any.
5
Example of problematic flow:
6
1. Bring up q35 VM with tap (vhost off) and virtio-net or e1000e
7
2. Run ping flood to the VM NIC ( 1 ms interval)
8
3. Hot unplug the NIC device (device_del)
9
During unplug process one or more packets come, the NIC
10
can't receive, tap disables read_poll
11
4. Hot plug the device (device_add) with the same netdev
12
The tap stays with read_poll disabled and does not receive
13
any packets anymore (tap_send never triggered)
14
15
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
16
Signed-off-by: Jason Wang <jasowang@redhat.com>
4
Signed-off-by: Jason Wang <jasowang@redhat.com>
17
---
5
---
18
net/net.c | 12 ++++++++----
6
net/colo-compare.c | 2 +-
19
1 file changed, 8 insertions(+), 4 deletions(-)
7
1 file changed, 1 insertion(+), 1 deletion(-)
20
8
21
diff --git a/net/net.c b/net/net.c
9
diff --git a/net/colo-compare.c b/net/colo-compare.c
22
index XXXXXXX..XXXXXXX 100644
10
index XXXXXXX..XXXXXXX 100644
23
--- a/net/net.c
11
--- a/net/colo-compare.c
24
+++ b/net/net.c
12
+++ b/net/colo-compare.c
25
@@ -XXX,XX +XXX,XX @@ void qemu_del_nic(NICState *nic)
13
@@ -XXX,XX +XXX,XX @@ static int compare_chr_send(CompareState *s,
26
27
qemu_macaddr_set_free(&nic->conf->macaddr);
28
29
- /* If this is a peer NIC and peer has already been deleted, free it now. */
30
- if (nic->peer_deleted) {
31
- for (i = 0; i < queues; i++) {
32
- qemu_free_net_client(qemu_get_subqueue(nic, i)->peer);
33
+ for (i = 0; i < queues; i++) {
34
+ NetClientState *nc = qemu_get_subqueue(nic, i);
35
+ /* If this is a peer NIC and peer has already been deleted, free it now. */
36
+ if (nic->peer_deleted) {
37
+ qemu_free_net_client(nc->peer);
38
+ } else if (nc->peer) {
39
+ /* if there are RX packets pending, complete them */
40
+ qemu_purge_queued_packets(nc->peer);
41
}
42
}
14
}
43
15
16
if (!size) {
17
- return 0;
18
+ return -1;
19
}
20
21
entry = g_slice_new(SendEntry);
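Review bot: Changing the zero-size early exit from `return 0;` to `return -1;` alters the contract for every caller of compare_chr_send(), none of which is in the hunk, and the function's own start is outside it as well; each caller should be checked to treat -1 as a failed send (releasing the packet as on the other error paths) rather than as "nothing to do". A short comment on the check would record the intent for the next reader, e.g. `/* A zero-length payload is invalid input; report failure rather than a silent no-op */`.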
44
--
22
--
45
2.7.4
23
2.7.4
46
24
47
25
Deleted patch
1
From: yuanjungong <ruc_gongyuanjun@163.com>
2
1
3
Close fd before returning.
4
5
Buglink: https://bugs.launchpad.net/qemu/+bug/1904486
6
7
Signed-off-by: yuanjungong <ruc_gongyuanjun@163.com>
8
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
9
Signed-off-by: Jason Wang <jasowang@redhat.com>
10
---
11
net/tap.c | 2 ++
12
1 file changed, 2 insertions(+)
13
14
diff --git a/net/tap.c b/net/tap.c
15
index XXXXXXX..XXXXXXX 100644
16
--- a/net/tap.c
17
+++ b/net/tap.c
18
@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
19
if (ret < 0) {
20
error_setg_errno(errp, -ret, "%s: Can't use file descriptor %d",
21
name, fd);
22
+ close(fd);
23
return -1;
24
}
25
26
@@ -XXX,XX +XXX,XX @@ int net_init_tap(const Netdev *netdev, const char *name,
27
vhostfdname, vnet_hdr, fd, &err);
28
if (err) {
29
error_propagate(errp, err);
30
+ close(fd);
31
return -1;
32
}
33
} else if (tap->has_fds) {
34
--
35
2.7.4
36
37