Series comparison

-[PULL 00/16] Net patches
+[PULL 0/5] Net patches
-The following changes since commit f4abdf32714d1845b7c01ec136dd2b04c2f7db47:
+The following changes since commit d9a4282c4b690e45d25c2b933f318bb41eeb271d:
-  Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-docs-xen-updates-100321-2' into staging (2021-03-11 16:20:58 +0000)
+  Merge tag 'pull-tcg-20250308' of https://gitlab.com/rth7680/qemu into staging (2025-03-09 11:45:00 +0800)
-are available in the git repository at:
+are available in the Git repository at:
   https://github.com/jasowang/qemu.git tags/net-pull-request
-for you to fetch changes up to 9bdb56367679e68e5e71a1c29a1087bda6414b25:
+for you to fetch changes up to ac2ff9b840ce82cc7d5fd9ce4fd3019a434d7dc9:
-  pvrdma: wean code off pvrdma_ring.h kernel header (2021-03-12 14:08:31 +0800)
+  tap-linux: Open ipvtap and macvtap (2025-03-10 17:07:16 +0800)
 ----------------------------------------------------------------
+-----BEGIN PGP SIGNATURE-----
+iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmfO1zkACgkQ7wSWWzmN
+YhET+wf+PkaGeFTNUrOtWpl35fSMKlmOVbb1fkPfuhVBmeY2Vh1EIN3OjqnzdV0F
+wxpuk+wwmFiuV1n6RNuMHQ0nz1mhgsSlZh93N5rArC/PUr3iViaT0cb82RjwxhaI
+RODBhhy7V9WxEhT9hR8sCP2ky2mrKgcYbjiIEw+IvFZOVQa58rMr2h/cbAb/iH4l
+T9Wba03JBqOS6qgzSFZOMxvqnYdVjhqXN8M6W9ngRJOjPEAkTB6Evwep6anRjcM
+mCUOgkf2sgQwKve8pYAeTMkzXFctvTc/qCU4ZbN8XcoKVVxe2jllGQqdOpMskPEf
+slOuINeW5M0K5gyjsb/huqcOTfDI2A==
+=/Y0+
+-----END PGP SIGNATURE-----
 ----------------------------------------------------------------
-Alexander Bulekov (4):
+Akihiko Odaki (3):
-      rtl8139: switch to use qemu_receive_packet() for loopback
+      util/iov: Do not assert offset is in iov
-      pcnet: switch to use qemu_receive_packet() for loopback
+      Revert "hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()"
-      cadence_gem: switch to use qemu_receive_packet() for loopback
+      tap-linux: Open ipvtap and macvtap
       lan9118: switch to use qemu_receive_packet() for loopback
-Bin Meng (1):
+Eugenio Pérez (2):
-      net: Fix build error when DEBUG_NET is on
+      net: parameterize the removing client from nc list
       net: move backend cleanup to NIC cleanup
-Cornelia Huck (1):
+ hw/net/net_tx_pkt.c |  4 ----
-      pvrdma: wean code off pvrdma_ring.h kernel header
+ include/qemu/iov.h  |  5 +++--
+ net/net.c           | 44 ++++++++++++++++++++++++++++++++++----------
-Jason Wang (9):
+ net/tap-linux.c     | 17 ++++++++++++++---
-      virtio-net: calculating proper msix vectors on init
+ net/vhost-vdpa.c    |  8 --------
-      net: unbreak well-form id check for "-nic"
+ util/iov.c          |  5 -----
-      e1000: fail early for evil descriptor
+files changed, 51 insertions(+), 32 deletions(-)
       net: introduce qemu_receive_packet()
       e1000: switch to use qemu_receive_packet() for loopback
       dp8393x: switch to use qemu_receive_packet() for loopback packet
       msf2-mac: switch to use qemu_receive_packet() for loopback
       sungem: switch to use qemu_receive_packet() for loopback
       tx_pkt: switch to use qemu_receive_packet_iov() for loopback
 Paolo Bonzini (1):
       net: validate that ids are well formed
  hw/core/machine.c                                  |   1 +
  hw/net/cadence_gem.c                               |   4 +-
  hw/net/dp8393x.c                                   |   2 +-
  hw/net/e1000.c                                     |   6 +-
  hw/net/lan9118.c                                   |   2 +-
  hw/net/msf2-emac.c                                 |   2 +-
  hw/net/net_tx_pkt.c                                |   2 +-
  hw/net/pcnet.c                                     |   2 +-
  hw/net/rtl8139.c                                   |   2 +-
  hw/net/sungem.c                                    |   2 +-
  hw/rdma/vmw/pvrdma.h                               |   5 +-
  hw/rdma/vmw/pvrdma_cmd.c                           |   6 +-
  hw/rdma/vmw/pvrdma_dev_ring.c                      |  41 ++++----
  hw/rdma/vmw/pvrdma_dev_ring.h                      |   9 +-
  hw/rdma/vmw/pvrdma_main.c                          |   4 +-
  hw/virtio/virtio-net-pci.c                         |  10 +-
  include/net/net.h                                  |   5 +
  include/net/queue.h                                |   8 ++
  .../drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h | 114 ---------------------
  net/net.c                                          |  53 ++++++++--
  net/queue.c                                        |  22 ++++
  scripts/update-linux-headers.sh                    |   3 +-
 files changed, 142 insertions(+), 163 deletions(-)
  delete mode 100644 include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h

-[PULL 01/16] virtio-net: calculating proper msix vectors on init
+Deleted patch
-Currently, the default msix vectors for virtio-net-pci is 3 which is
-obvious not suitable for multiqueue guest, so we depends on the user
-or management tools to pass a correct vectors parameter. In fact, we
-can simplifying this by calculating the number of vectors on realize.
-Consider we have N queues, the number of vectors needed is 2*N + 2
-(#queue pairs + plus one config interrupt and control vq). We didn't
-check whether or not host support control vq because it was added
-unconditionally by qemu to avoid breaking legacy guests such as Minix.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/core/machine.c          |  1 +
- hw/virtio/virtio-net-pci.c | 10 +++++++++-
-files changed, 10 insertions(+), 1 deletion(-)
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -XXX,XX +XXX,XX @@
- GlobalProperty hw_compat_5_2[] = {
-     { "ICH9-LPC", "smm-compat", "on"},
-     { "PIIX4_PM", "smm-compat", "on"},
-+    { "virtio-net-pci", "vectors", "3"},
- };
- const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2);
-diff --git a/hw/virtio/virtio-net-pci.c b/hw/virtio/virtio-net-pci.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/virtio/virtio-net-pci.c
-+++ b/hw/virtio/virtio-net-pci.c
-@@ -XXX,XX +XXX,XX @@ struct VirtIONetPCI {
- static Property virtio_net_properties[] = {
-     DEFINE_PROP_BIT("ioeventfd", VirtIOPCIProxy, flags,
-                     VIRTIO_PCI_FLAG_USE_IOEVENTFD_BIT, true),
--    DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors, 3),
-+    DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors,
-+                       DEV_NVECTORS_UNSPECIFIED),
-     DEFINE_PROP_END_OF_LIST(),
- };
-@@ -XXX,XX +XXX,XX @@ static void virtio_net_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
-     DeviceState *qdev = DEVICE(vpci_dev);
-     VirtIONetPCI *dev = VIRTIO_NET_PCI(vpci_dev);
-     DeviceState *vdev = DEVICE(&dev->vdev);
-+    VirtIONet *net = VIRTIO_NET(vdev);
-+
-+    if (vpci_dev->nvectors == DEV_NVECTORS_UNSPECIFIED) {
-+        vpci_dev->nvectors = 2 * MAX(net->nic_conf.peers.queues, 1)
-+            + 1 /* Config interrupt */
-+            + 1 /* Control vq */;
-+    }
-     virtio_net_set_netclient_name(&dev->vdev, qdev->id,
-                                   object_get_typename(OBJECT(qdev)));
---
-.7.4

-[PULL 02/16] net: Fix build error when DEBUG_NET is on
+Deleted patch
-From: Bin Meng <bin.meng@windriver.com>
-"qemu-common.h" should be included to provide the forward declaration
-of qemu_hexdump() when DEBUG_NET is on.
-Signed-off-by: Bin Meng <bin.meng@windriver.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- net/net.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/net/net.c b/net/net.c
-index XXXXXXX..XXXXXXX 100644
---- a/net/net.c
-+++ b/net/net.c
-@@ -XXX,XX +XXX,XX @@
-  */
- #include "qemu/osdep.h"
-+#include "qemu-common.h"
- #include "net/net.h"
- #include "clients.h"
---
-.7.4

-[PULL 06/16] net: introduce qemu_receive_packet()
+[PULL 1/5] net: parameterize the removing client from nc list
-Some NIC supports loopback mode and this is done by calling
+From: Eugenio Pérez <eperezma@redhat.com>
 nc->info->receive() directly which in fact suppresses the effort of
 reentrancy check that is done in qemu_net_queue_send().
-Unfortunately we can't use qemu_net_queue_send() here since for
+This change is used in later commits so we can avoid the removal of the
-loopback there's no sender as peer, so this patch introduce a
+netclient if it is delayed.
 qemu_receive_packet() which is used for implementing loopback mode
 for a NIC with this check.
-NIC that supports loopback mode will be converted to this helper.
+No functional change intended.
-This is intended to address CVE-2021-3416.
+Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
-Cc: Prasad J Pandit <ppandit@redhat.com>
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- include/net/net.h   |  5 +++++
+ net/net.c | 13 ++++++++-----
- include/net/queue.h |  8 ++++++++
+file changed, 8 insertions(+), 5 deletions(-)
  net/net.c           | 38 +++++++++++++++++++++++++++++++-------
  net/queue.c         | 22 ++++++++++++++++++++++
 files changed, 66 insertions(+), 7 deletions(-)
-diff --git a/include/net/net.h b/include/net/net.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/net/net.h
-+++ b/include/net/net.h
-@@ -XXX,XX +XXX,XX @@ void *qemu_get_nic_opaque(NetClientState *nc);
- void qemu_del_net_client(NetClientState *nc);
- typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
- void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
-+int qemu_can_receive_packet(NetClientState *nc);
- int qemu_can_send_packet(NetClientState *nc);
- ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
-                           int iovcnt);
- ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
-                                 int iovcnt, NetPacketSent *sent_cb);
- ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
-+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
-+ssize_t qemu_receive_packet_iov(NetClientState *nc,
-+                                const struct iovec *iov,
-+                                int iovcnt);
- ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
- ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
-                                int size, NetPacketSent *sent_cb);
-diff --git a/include/net/queue.h b/include/net/queue.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/net/queue.h
-+++ b/include/net/queue.h
-@@ -XXX,XX +XXX,XX @@ void qemu_net_queue_append_iov(NetQueue *queue,
- void qemu_del_net_queue(NetQueue *queue);
-+ssize_t qemu_net_queue_receive(NetQueue *queue,
-+                               const uint8_t *data,
-+                               size_t size);
-+
-+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
-+                                   const struct iovec *iov,
-+                                   int iovcnt);
-+
- ssize_t qemu_net_queue_send(NetQueue *queue,
-                             NetClientState *sender,
-                             unsigned flags,
 diff --git a/net/net.c b/net/net.c
 index XXXXXXX..XXXXXXX 100644
 --- a/net/net.c
 +++ b/net/net.c
-@@ -XXX,XX +XXX,XX @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+@@ -XXX,XX +XXX,XX @@ NetClientState *qemu_get_peer(NetClientState *nc, int queue_index)
- #endif
+     return ncs->peer;
  }
-+int qemu_can_receive_packet(NetClientState *nc)
+-static void qemu_cleanup_net_client(NetClientState *nc)
-+{
++static void qemu_cleanup_net_client(NetClientState *nc,
-+    if (nc->receive_disabled) {
++                                    bool remove_from_net_clients)
-+        return 0;
+ {
-+    } else if (nc->info->can_receive &&
+-    QTAILQ_REMOVE(&net_clients, nc, next);
-+               !nc->info->can_receive(nc)) {
++    if (remove_from_net_clients) {
-+        return 0;
++        QTAILQ_REMOVE(&net_clients, nc, next);
 +    }
-+    return 1;
-+}
+     if (nc->info->cleanup) {
-+
+         nc->info->cleanup(nc);
- int qemu_can_send_packet(NetClientState *sender)
+@@ -XXX,XX +XXX,XX @@ void qemu_del_net_client(NetClientState *nc)
- {
+         }
-     int vm_running = runstate_is_running();
-@@ -XXX,XX +XXX,XX @@ int qemu_can_send_packet(NetClientState *sender)
+         for (i = 0; i < queues; i++) {
-         return 1;
+-            qemu_cleanup_net_client(ncs[i]);
 +            qemu_cleanup_net_client(ncs[i], true);
          }
          return;
      }
--    if (sender->peer->receive_disabled) {
+     for (i = 0; i < queues; i++) {
--        return 0;
+-        qemu_cleanup_net_client(ncs[i]);
--    } else if (sender->peer->info->can_receive &&
++        qemu_cleanup_net_client(ncs[i], true);
--               !sender->peer->info->can_receive(sender->peer)) {
+         qemu_free_net_client(ncs[i]);
--        return 0;
+     }
 -    }
 -    return 1;
 +    return qemu_can_receive_packet(sender->peer);
  }
+@@ -XXX,XX +XXX,XX @@ void qemu_del_nic(NICState *nic)
- static ssize_t filter_receive_iov(NetClientState *nc,
+     for (i = queues - 1; i >= 0; i--) {
-@@ -XXX,XX +XXX,XX @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+         NetClientState *nc = qemu_get_subqueue(nic, i);
-     return qemu_send_packet_async(nc, buf, size, NULL);
- }
+-        qemu_cleanup_net_client(nc);
++        qemu_cleanup_net_client(nc, true);
-+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+         qemu_free_net_client(nc);
-+{
+     }
-+    if (!qemu_can_receive_packet(nc)) {
 +        return 0;
 +    }
 +
 +    return qemu_net_queue_receive(nc->incoming_queue, buf, size);
 +}
 +
 +ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
 +                                int iovcnt)
 +{
 +    if (!qemu_can_receive_packet(nc)) {
 +        return 0;
 +    }
 +
 +    return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
 +}
 +
  ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
  {
      return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
 diff --git a/net/queue.c b/net/queue.c
 index XXXXXXX..XXXXXXX 100644
 --- a/net/queue.c
 +++ b/net/queue.c
@@ -XXX,XX +XXX,XX @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
      return ret;
  }
 +ssize_t qemu_net_queue_receive(NetQueue *queue,
 +                               const uint8_t *data,
 +                               size_t size)
 +{
 +    if (queue->delivering) {
 +        return 0;
 +    }
 +
 +    return qemu_net_queue_deliver(queue, NULL, 0, data, size);
 +}
 +
 +ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
 +                                   const struct iovec *iov,
 +                                   int iovcnt)
 +{
 +    if (queue->delivering) {
 +        return 0;
 +    }
 +
 +    return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
 +}
 +
  ssize_t qemu_net_queue_send(NetQueue *queue,
                              NetClientState *sender,
                              unsigned flags,
 --
-.7.4
+.42.0

-[PULL 04/16] net: unbreak well-form id check for "-nic"
+[PULL 2/5] net: move backend cleanup to NIC cleanup
-The auto genreated id for "-nic" has "_" prefix which can't satisfy
+From: Eugenio Pérez <eperezma@redhat.com>
 the well-formed id check that is introduced by
 b9834aca517dc2d4941691a1d2082db6f2 ("net: validate that ids are
 well formed"). Fix this by simply removing the "__" prefix.
+Commit a0d7215e33 ("vhost-vdpa: do not cleanup the vdpa/vhost-net
+structures if peer nic is present") effectively delayed the backend
+cleanup, allowing the frontend or the guest to access it resources as
+long as the frontend is still visible to the guest.
+However it does not clean up the resources until the qemu process is
+over.  This causes an effective leak if the device is deleted with
+device_del, as there is no way to close the vdpa device.  This makes
+impossible to re-add that device to this or other QEMU instances until
+the first instance of QEMU is finished.
+Move the cleanup from qemu_cleanup to the NIC deletion and to
+net_cleanup.
+Fixes: a0d7215e33 ("vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present")
+Reported-by: Lei Yang <leiyang@redhat.com>
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Signed-off-by: Jonah Palmer <jonah.palmer@oracle.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- net/net.c | 2 +-
+ net/net.c        | 33 +++++++++++++++++++++++++++------
-file changed, 1 insertion(+), 1 deletion(-)
+ net/vhost-vdpa.c |  8 --------
 files changed, 27 insertions(+), 14 deletions(-)
 diff --git a/net/net.c b/net/net.c
 index XXXXXXX..XXXXXXX 100644
 --- a/net/net.c
 +++ b/net/net.c
-@@ -XXX,XX +XXX,XX @@ static int net_param_nic(void *dummy, QemuOpts *opts, Error **errp)
+@@ -XXX,XX +XXX,XX @@ void qemu_del_net_client(NetClientState *nc)
-     /* Create an ID if the user did not specify one */
+         object_unparent(OBJECT(nf));
      nd_id = g_strdup(qemu_opts_id(opts));
      if (!nd_id) {
 -        nd_id = g_strdup_printf("__org.qemu.nic%i", idx);
 +        nd_id = g_strdup_printf("org.qemu.nic%i", idx);
          qemu_opts_set_id(opts, nd_id);
      }
+-    /* If there is a peer NIC, delete and cleanup client, but do not free. */
++    /*
++     * If there is a peer NIC, transfer ownership to it.  Delete the client
++     * from net_client list but do not cleanup nor free.  This way NIC can
++     * still access to members of the backend.
++     *
++     * The cleanup and free will be done when the NIC is free.
++     */
+     if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
+         NICState *nic = qemu_get_nic(nc->peer);
+         if (nic->peer_deleted) {
+@@ -XXX,XX +XXX,XX @@ void qemu_del_net_client(NetClientState *nc)
+         for (i = 0; i < queues; i++) {
+             ncs[i]->peer->link_down = true;
++            QTAILQ_REMOVE(&net_clients, ncs[i], next);
+         }
+         if (nc->peer->info->link_status_changed) {
+             nc->peer->info->link_status_changed(nc->peer);
+         }
+-        for (i = 0; i < queues; i++) {
+-            qemu_cleanup_net_client(ncs[i], true);
+-        }
+-
+         return;
+     }
+@@ -XXX,XX +XXX,XX @@ void qemu_del_nic(NICState *nic)
+     for (i = 0; i < queues; i++) {
+         NetClientState *nc = qemu_get_subqueue(nic, i);
+-        /* If this is a peer NIC and peer has already been deleted, free it now. */
++        /*
++         * If this is a peer NIC and peer has already been deleted, clean it up
++         * and free it now.
++         */
+         if (nic->peer_deleted) {
++            qemu_cleanup_net_client(nc->peer, false);
+             qemu_free_net_client(nc->peer);
+         } else if (nc->peer) {
+             /* if there are RX packets pending, complete them */
+@@ -XXX,XX +XXX,XX @@ void net_cleanup(void)
+      * of the latest NET_CLIENT_DRIVER_NIC, and operate on *p as we walk
+      * the list.
+      *
++     * However, the NIC may have peers that trust to be clean beyond this
++     * point.  For example, if they have been removed with device_del.
++     *
+      * The 'nc' variable isn't part of the list traversal; it's purely
+      * for convenience as too much '(*p)->' has a tendency to make the
+      * readers' eyes bleed.
+@@ -XXX,XX +XXX,XX @@ void net_cleanup(void)
+     while (*p) {
+         nc = *p;
+         if (nc->info->type == NET_CLIENT_DRIVER_NIC) {
++            NICState *nic = qemu_get_nic(nc);
++
++            if (nic->peer_deleted) {
++                int queues = MAX(nic->conf->peers.queues, 1);
++
++                for (int i = 0; i < queues; i++) {
++                    nc = qemu_get_subqueue(nic, i);
++                    qemu_cleanup_net_client(nc->peer, false);
++                }
++            }
++
+             /* Skip NET_CLIENT_DRIVER_NIC entries */
+             p = &QTAILQ_NEXT(nc, next);
+         } else {
+diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
+index XXXXXXX..XXXXXXX 100644
+--- a/net/vhost-vdpa.c
++++ b/net/vhost-vdpa.c
+@@ -XXX,XX +XXX,XX @@ static void vhost_vdpa_cleanup(NetClientState *nc)
+ {
+     VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
+-    /*
+-     * If a peer NIC is attached, do not cleanup anything.
+-     * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
+-     * when the guest is shutting down.
+-     */
+-    if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
+-        return;
+-    }
+     munmap(s->cvq_cmd_out_buffer, vhost_vdpa_net_cvq_cmd_page_len());
+     munmap(s->status, vhost_vdpa_net_cvq_cmd_page_len());
+     if (s->vhost_net) {
 --
-.7.4
+.42.0

-[PULL 16/16] pvrdma: wean code off pvrdma_ring.h kernel header
+[PULL 3/5] util/iov: Do not assert offset is in iov
-From: Cornelia Huck <cohuck@redhat.com>
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
-The pvrdma code relies on the pvrdma_ring.h kernel header for some
+iov_from_buf(), iov_to_buf(), iov_memset(), and iov_copy() asserts
-basic ring buffer handling. The content of that header isn't very
+that the given offset fits in the iov while tolerating the specified
-exciting, but contains some (q)atomic_*() invocations that (a)
+number of bytes to operate with to be greater than the size of iov.
-cause manual massaging when doing a headers update, and (b) are
+This is inconsistent so remove the assertions.
 an indication that we probably should not be importing that header
 at all.
-Let's reimplement the ring buffer handling directly in the pvrdma
+Asserting the offset fits in the iov makes sense if it is expected that
-code instead. This arguably also improves readability of the code.
+there are other operations that process the content before the offset
 and the content is processed in order. Under this expectation, the
 offset should point to the end of bytes that are previously processed
 and fit in the iov. However, this expectation depends on the details of
 the caller, and did not hold true at least one case and required code to
 check iov_size(), which is added with commit 83ddb3dbba2e
 ("hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()").
-Importing the header can now be dropped.
+Adding such a check is inefficient and error-prone. These functions
 already tolerate the specified number of bytes to operate with to be
 greater than the size of iov to avoid such checks so remove the
 assertions to tolerate invalid offset as well. They return the number of
 bytes they operated with so their callers can still check the returned
 value to ensure there are sufficient space at the given offset.
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
 Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- hw/rdma/vmw/pvrdma.h                               |   5 +-
+ include/qemu/iov.h | 5 +++--
- hw/rdma/vmw/pvrdma_cmd.c                           |   6 +-
+ util/iov.c         | 5 -----
- hw/rdma/vmw/pvrdma_dev_ring.c                      |  41 ++++----
+files changed, 3 insertions(+), 7 deletions(-)
  hw/rdma/vmw/pvrdma_dev_ring.h                      |   9 +-
  hw/rdma/vmw/pvrdma_main.c                          |   4 +-
  .../drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h | 114 ---------------------
  scripts/update-linux-headers.sh                    |   3 +-
 files changed, 38 insertions(+), 144 deletions(-)
  delete mode 100644 include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h
-diff --git a/hw/rdma/vmw/pvrdma.h b/hw/rdma/vmw/pvrdma.h
+diff --git a/include/qemu/iov.h b/include/qemu/iov.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/rdma/vmw/pvrdma.h
+--- a/include/qemu/iov.h
-+++ b/hw/rdma/vmw/pvrdma.h
++++ b/include/qemu/iov.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ size_t iov_size(const struct iovec *iov, const unsigned int iov_cnt);
- #include "../rdma_backend_defs.h"
+  * only part of data will be copied, up to the end of the iovec.
- #include "../rdma_rm_defs.h"
+  * Number of bytes actually copied will be returned, which is
+  *  min(bytes, iov_size(iov)-offset)
--#include "standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h"
+- * `Offset' must point to the inside of iovec.
- #include "standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h"
++ * Returns 0 when `offset' points to the outside of iovec.
- #include "pvrdma_dev_ring.h"
+  */
- #include "qom/object.h"
+ size_t iov_from_buf_full(const struct iovec *iov, unsigned int iov_cnt,
-@@ -XXX,XX +XXX,XX @@ typedef struct DSRInfo {
+                          size_t offset, const void *buf, size_t bytes);
-     union pvrdma_cmd_req *req;
+@@ -XXX,XX +XXX,XX @@ iov_to_buf(const struct iovec *iov, const unsigned int iov_cnt,
-     union pvrdma_cmd_resp *rsp;
+ /**
+  * Set data bytes pointed out by iovec `iov' of size `iov_cnt' elements,
--    struct pvrdma_ring *async_ring_state;
+  * starting at byte offset `start', to value `fillc', repeating it
-+    PvrdmaRingState *async_ring_state;
+- * `bytes' number of times.  `Offset' must point to the inside of iovec.
-     PvrdmaRing async;
++ * `bytes' number of times.
+  * If `bytes' is large enough, only last bytes portion of iovec,
--    struct pvrdma_ring *cq_ring_state;
+  * up to the end of it, will be filled with the specified value.
-+    PvrdmaRingState *cq_ring_state;
+  * Function return actual number of bytes processed, which is
-     PvrdmaRing cq;
+  * min(size, iov_size(iov) - offset).
- } DSRInfo;
++ * Returns 0 when `offset' points to the outside of iovec.
+  */
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+ size_t iov_memset(const struct iovec *iov, const unsigned int iov_cnt,
                    size_t offset, int fillc, size_t bytes);
 diff --git a/util/iov.c b/util/iov.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
+--- a/util/iov.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
++++ b/util/iov.c
-@@ -XXX,XX +XXX,XX @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
+@@ -XXX,XX +XXX,XX @@ size_t iov_from_buf_full(const struct iovec *iov, unsigned int iov_cnt,
-     r = g_malloc(sizeof(*r));
+             offset -= iov[i].iov_len;
-     *ring = r;
+         }
 -    r->ring_state = (struct pvrdma_ring *)
 +    r->ring_state = (PvrdmaRingState *)
          rdma_pci_dma_map(pci_dev, tbl[0], TARGET_PAGE_SIZE);
      if (!r->ring_state) {
@@ -XXX,XX +XXX,XX @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
      *rings = sr;
      /* Create send ring */
 -    sr->ring_state = (struct pvrdma_ring *)
 +    sr->ring_state = (PvrdmaRingState *)
          rdma_pci_dma_map(pci_dev, tbl[0], TARGET_PAGE_SIZE);
      if (!sr->ring_state) {
          rdma_error_report("Failed to map to QP ring state");
@@ -XXX,XX +XXX,XX @@ static int create_srq_ring(PCIDevice *pci_dev, PvrdmaRing **ring,
      r = g_malloc(sizeof(*r));
      *ring = r;
 -    r->ring_state = (struct pvrdma_ring *)
 +    r->ring_state = (PvrdmaRingState *)
              rdma_pci_dma_map(pci_dev, tbl[0], TARGET_PAGE_SIZE);
      if (!r->ring_state) {
          rdma_error_report("Failed to map tp SRQ ring state");
 diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/rdma/vmw/pvrdma_dev_ring.c
 +++ b/hw/rdma/vmw/pvrdma_dev_ring.c
@@ -XXX,XX +XXX,XX @@
  #include "trace.h"
  #include "../rdma_utils.h"
 -#include "standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h"
  #include "pvrdma_dev_ring.h"
  int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
 -                     struct pvrdma_ring *ring_state, uint32_t max_elems,
 +                     PvrdmaRingState *ring_state, uint32_t max_elems,
                       size_t elem_sz, dma_addr_t *tbl, uint32_t npages)
  {
      int i;
@@ -XXX,XX +XXX,XX @@ out:
  void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
  {
 -    int e;
 -    unsigned int idx = 0, offset;
 +    unsigned int idx, offset;
 +    const uint32_t tail = qatomic_read(&ring->ring_state->prod_tail);
 +    const uint32_t head = qatomic_read(&ring->ring_state->cons_head);
 -    e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
 -    if (e <= 0) {
 +    if (tail & ~((ring->max_elems << 1) - 1) ||
 +        head & ~((ring->max_elems << 1) - 1) ||
 +        tail == head) {
          trace_pvrdma_ring_next_elem_read_no_data(ring->name);
          return NULL;
      }
+-    assert(offset == 0);
-+    idx = head & (ring->max_elems - 1);
+     return done;
      offset = idx * ring->elem_sz;
      return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
  }
- void pvrdma_ring_read_inc(PvrdmaRing *ring)
+@@ -XXX,XX +XXX,XX @@ size_t iov_to_buf_full(const struct iovec *iov, const unsigned int iov_cnt,
- {
+             offset -= iov[i].iov_len;
--    pvrdma_idx_ring_inc(&ring->ring_state->cons_head, ring->max_elems);
+         }
-+    uint32_t idx = qatomic_read(&ring->ring_state->cons_head);
+     }
-+
+-    assert(offset == 0);
-+    idx = (idx + 1) & ((ring->max_elems << 1) - 1);
+     return done;
 +    qatomic_set(&ring->ring_state->cons_head, idx);
  }
- void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
+@@ -XXX,XX +XXX,XX @@ size_t iov_memset(const struct iovec *iov, const unsigned int iov_cnt,
- {
+             offset -= iov[i].iov_len;
--    int idx;
+         }
 -    unsigned int offset, tail;
 +    unsigned int idx, offset;
 +    const uint32_t tail = qatomic_read(&ring->ring_state->prod_tail);
 +    const uint32_t head = qatomic_read(&ring->ring_state->cons_head);
 -    idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
 -    if (idx <= 0) {
 +    if (tail & ~((ring->max_elems << 1) - 1) ||
 +        head & ~((ring->max_elems << 1) - 1) ||
 +        tail == (head ^ ring->max_elems)) {
          rdma_error_report("CQ is full");
          return NULL;
      }
+-    assert(offset == 0);
--    idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
+     return done;
 -    if (idx < 0 || tail != idx) {
 -        rdma_error_report("Invalid idx %d", idx);
 -        return NULL;
 -    }
 -
 +    idx = tail & (ring->max_elems - 1);
      offset = idx * ring->elem_sz;
      return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
  }
- void pvrdma_ring_write_inc(PvrdmaRing *ring)
+@@ -XXX,XX +XXX,XX @@ unsigned iov_copy(struct iovec *dst_iov, unsigned int dst_iov_cnt,
- {
+         bytes -= len;
--    pvrdma_idx_ring_inc(&ring->ring_state->prod_tail, ring->max_elems);
+         offset = 0;
-+    uint32_t idx = qatomic_read(&ring->ring_state->prod_tail);
+     }
-+
+-    assert(offset == 0);
-+    idx = (idx + 1) & ((ring->max_elems << 1) - 1);
+     return j;
 +    qatomic_set(&ring->ring_state->prod_tail, idx);
  }
- void pvrdma_ring_free(PvrdmaRing *ring)
+@@ -XXX,XX +XXX,XX @@ size_t qemu_iovec_concat_iov(QEMUIOVector *dst,
-diff --git a/hw/rdma/vmw/pvrdma_dev_ring.h b/hw/rdma/vmw/pvrdma_dev_ring.h
+             soffset -= src_iov[i].iov_len;
-index XXXXXXX..XXXXXXX 100644
+         }
---- a/hw/rdma/vmw/pvrdma_dev_ring.h
+     }
-+++ b/hw/rdma/vmw/pvrdma_dev_ring.h
+-    assert(soffset == 0); /* offset beyond end of src */
-@@ -XXX,XX +XXX,XX @@
+     return done;
  #define MAX_RING_NAME_SZ 32
 +typedef struct PvrdmaRingState {
 +    int prod_tail; /* producer tail */
 +    int cons_head; /* consumer head */
 +} PvrdmaRingState;
 +
  typedef struct PvrdmaRing {
      char name[MAX_RING_NAME_SZ];
      PCIDevice *dev;
      uint32_t max_elems;
      size_t elem_sz;
 -    struct pvrdma_ring *ring_state; /* used only for unmap */
 +    PvrdmaRingState *ring_state; /* used only for unmap */
      int npages;
      void **pages;
  } PvrdmaRing;
  int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
 -                     struct pvrdma_ring *ring_state, uint32_t max_elems,
 +                     PvrdmaRingState *ring_state, uint32_t max_elems,
                       size_t elem_sz, dma_addr_t *tbl, uint32_t npages);
  void *pvrdma_ring_next_elem_read(PvrdmaRing *ring);
  void pvrdma_ring_read_inc(PvrdmaRing *ring);
 diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/rdma/vmw/pvrdma_main.c
 +++ b/hw/rdma/vmw/pvrdma_main.c
@@ -XXX,XX +XXX,XX @@ static void free_dev_ring(PCIDevice *pci_dev, PvrdmaRing *ring,
      rdma_pci_dma_unmap(pci_dev, ring_state, TARGET_PAGE_SIZE);
  }
--static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state,
-+static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
-                          const char *name, PCIDevice *pci_dev,
-                          dma_addr_t dir_addr, uint32_t num_pages)
- {
-@@ -XXX,XX +XXX,XX @@ static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state,
-     /* RX ring is the second */
-     (*ring_state)++;
-     rc = pvrdma_ring_init(ring, name, pci_dev,
--                          (struct pvrdma_ring *)*ring_state,
-+                          (PvrdmaRingState *)*ring_state,
-                           (num_pages - 1) * TARGET_PAGE_SIZE /
-                           sizeof(struct pvrdma_cqne),
-                           sizeof(struct pvrdma_cqne),
-diff --git a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h
-deleted file mode 100644
-index XXXXXXX..XXXXXXX
---- a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h
-+++ /dev/null
-@@ -XXX,XX +XXX,XX @@
--/*
-- * Copyright (c) 2012-2016 VMware, Inc.  All rights reserved.
-- *
-- * This program is free software; you can redistribute it and/or
-- * modify it under the terms of EITHER the GNU General Public License
-- * version 2 as published by the Free Software Foundation or the BSD
-- * 2-Clause License. This program is distributed in the hope that it
-- * will be useful, but WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED
-- * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-- * See the GNU General Public License version 2 for more details at
-- * http://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program available in the file COPYING in the main
-- * directory of this source tree.
-- *
-- * The BSD 2-Clause License
-- *
-- *     Redistribution and use in source and binary forms, with or
-- *     without modification, are permitted provided that the following
-- *     conditions are met:
-- *
-- *      - Redistributions of source code must retain the above
-- *        copyright notice, this list of conditions and the following
-- *        disclaimer.
-- *
-- *      - Redistributions in binary form must reproduce the above
-- *        copyright notice, this list of conditions and the following
-- *        disclaimer in the documentation and/or other materials
-- *        provided with the distribution.
-- *
-- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-- * OF THE POSSIBILITY OF SUCH DAMAGE.
-- */
--
--#ifndef __PVRDMA_RING_H__
--#define __PVRDMA_RING_H__
--
--#include "standard-headers/linux/types.h"
--
--#define PVRDMA_INVALID_IDX    -1    /* Invalid index. */
--
--struct pvrdma_ring {
--    int prod_tail;    /* Producer tail. */
--    int cons_head;    /* Consumer head. */
--};
--
--struct pvrdma_ring_state {
--    struct pvrdma_ring tx;    /* Tx ring. */
--    struct pvrdma_ring rx;    /* Rx ring. */
--};
--
--static inline int pvrdma_idx_valid(uint32_t idx, uint32_t max_elems)
--{
--    /* Generates fewer instructions than a less-than. */
--    return (idx & ~((max_elems << 1) - 1)) == 0;
--}
--
--static inline int32_t pvrdma_idx(int *var, uint32_t max_elems)
--{
--    const unsigned int idx = qatomic_read(var);
--
--    if (pvrdma_idx_valid(idx, max_elems))
--        return idx & (max_elems - 1);
--    return PVRDMA_INVALID_IDX;
--}
--
--static inline void pvrdma_idx_ring_inc(int *var, uint32_t max_elems)
--{
--    uint32_t idx = qatomic_read(var) + 1;    /* Increment. */
--
--    idx &= (max_elems << 1) - 1;        /* Modulo size, flip gen. */
--    qatomic_set(var, idx);
--}
--
--static inline int32_t pvrdma_idx_ring_has_space(const struct pvrdma_ring *r,
--                          uint32_t max_elems, uint32_t *out_tail)
--{
--    const uint32_t tail = qatomic_read(&r->prod_tail);
--    const uint32_t head = qatomic_read(&r->cons_head);
--
--    if (pvrdma_idx_valid(tail, max_elems) &&
--        pvrdma_idx_valid(head, max_elems)) {
--        *out_tail = tail & (max_elems - 1);
--        return tail != (head ^ max_elems);
--    }
--    return PVRDMA_INVALID_IDX;
--}
--
--static inline int32_t pvrdma_idx_ring_has_data(const struct pvrdma_ring *r,
--                         uint32_t max_elems, uint32_t *out_head)
--{
--    const uint32_t tail = qatomic_read(&r->prod_tail);
--    const uint32_t head = qatomic_read(&r->cons_head);
--
--    if (pvrdma_idx_valid(tail, max_elems) &&
--        pvrdma_idx_valid(head, max_elems)) {
--        *out_head = head & (max_elems - 1);
--        return tail != head;
--    }
--    return PVRDMA_INVALID_IDX;
--}
--
--#endif /* __PVRDMA_RING_H__ */
-diff --git a/scripts/update-linux-headers.sh b/scripts/update-linux-headers.sh
-index XXXXXXX..XXXXXXX 100755
---- a/scripts/update-linux-headers.sh
-+++ b/scripts/update-linux-headers.sh
-@@ -XXX,XX +XXX,XX @@ sed  -e '1h;2,$H;$!d;g'  -e 's/[^};]*pvrdma[^(| ]*([^)]*);//g' \
-     "$linux/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h" > \
-     "$tmp_pvrdma_verbs";
--for i in "$linux/drivers/infiniband/hw/vmw_pvrdma/pvrdma_ring.h" \
--         "$linux/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h" \
-+for i in "$linux/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h" \
-          "$tmp_pvrdma_verbs"; do \
-     cp_portable "$i" \
-          "$output/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/"
 --
-.7.4
+.42.0

-[PULL 11/16] tx_pkt: switch to use qemu_receive_packet_iov() for loopback
+[PULL 4/5] Revert "hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()"
-This patch switches to use qemu_receive_receive_iov() which can detect
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
 reentrancy and return early.
-This is intended to address CVE-2021-3416.
+This reverts commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093.
-Cc: Prasad J Pandit <ppandit@redhat.com>
+The added check is no longer necessary due to a change of
-Cc: qemu-stable@nongnu.org
+iov_from_buf().
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- hw/net/net_tx_pkt.c | 2 +-
+ hw/net/net_tx_pkt.c | 4 ----
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 4 deletions(-)
 diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/net/net_tx_pkt.c
 +++ b/hw/net/net_tx_pkt.c
-@@ -XXX,XX +XXX,XX @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+@@ -XXX,XX +XXX,XX @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
-     NetClientState *nc, const struct iovec *iov, int iov_cnt)
+     uint32_t csum = 0;
- {
+     struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
-     if (pkt->is_loopback) {
--        nc->info->receive_iov(nc, iov, iov_cnt);
+-    if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
-+        qemu_receive_packet_iov(nc, iov, iov_cnt);
+-        return false;
-     } else {
+-    }
-         qemu_sendv_packet(nc, iov, iov_cnt);
+-
      if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
          return false;
      }
 --
-.7.4
+.42.0

-[PULL 03/16] net: validate that ids are well formed
+[PULL 5/5] tap-linux: Open ipvtap and macvtap
-From: Paolo Bonzini <pbonzini@redhat.com>
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
-When a network or network device is created from the command line or HMP,
+ipvtap and macvtap create a file for each interface unlike tuntap, which
-QemuOpts ensures that the id passes the id_wellformed check.  However,
+creates one file shared by all interfaces. Try to open a file dedicated
-QMP skips this:
+to the interface first for ipvtap and macvtap.
-   $ qemu-system-x86_64 -qmp stdio -S -nic user,id=123/456
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
    qemu-system-x86_64: -nic user,id=123/456: Parameter id expects an identifier
    Identifiers consist of letters, digits, -, ., _, starting with a letter.
    $ qemu-system-x86_64 -qmp stdio -S
    {"execute":"qmp_capabilities"}
    {"return": {}}
    {"execute":"netdev_add", "arguments": {"type": "user", "id": "123/456"}}
    {"return": {}}
 After:
    $ qemu-system-x86_64 -qmp stdio -S
    {"execute":"qmp_capabilities"}
    {"return": {}}
    {"execute":"netdev_add", "arguments": {"type": "user", "id": "123/456"}}
    {"error": {"class": "GenericError", "desc": "Parameter "id" expects an identifier"}}
 Validity checks should be performed always at the bottom of the call chain,
 because QMP skips all the steps above.  Do this for the network subsystem.
 Cc: Jason Wang <jasowang@redhat.com>
 Reviewed-by: Eric Blake <eblake@redhat.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Signed-off-by: Jason Wang <jasowang@redhat.com>
 ---
- net/net.c | 12 ++++++++++++
+ net/tap-linux.c | 17 ++++++++++++++---
-file changed, 12 insertions(+)
+file changed, 14 insertions(+), 3 deletions(-)
-diff --git a/net/net.c b/net/net.c
+diff --git a/net/tap-linux.c b/net/tap-linux.c
 index XXXXXXX..XXXXXXX 100644
---- a/net/net.c
+--- a/net/tap-linux.c
-+++ b/net/net.c
++++ b/net/tap-linux.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr,
- #include "qemu/cutils.h"
+     int len = sizeof(struct virtio_net_hdr);
- #include "qemu/config-file.h"
+     unsigned int features;
- #include "qemu/ctype.h"
-+#include "qemu/id.h"
+-    fd = RETRY_ON_EINTR(open(PATH_NET_TUN, O_RDWR));
- #include "qemu/iov.h"
++
- #include "qemu/qemu-print.h"
++    ret = if_nametoindex(ifname);
- #include "qemu/main-loop.h"
++    if (ret) {
-@@ -XXX,XX +XXX,XX @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
++        g_autofree char *file = g_strdup_printf("/dev/tap%d", ret);
-         }
++        fd = open(file, O_RDWR);
-     }
++    } else {
++        fd = -1;
 +    /*
 +     * The id for -net has already been checked by QemuOpts and
 +     * could be automatically generated, in which case it is not
 +     * well-formed by design.  HMP and QMP only call us with
 +     * is_netdev == true.
 +     */
 +    if (is_netdev && !id_wellformed(netdev->id)) {
 +        error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "id", "an identifier");
 +        return -1;
 +    }
 +
-     nc = qemu_find_netdev(netdev->id);
+     if (fd < 0) {
-     if (nc) {
+-        error_setg_errno(errp, errno, "could not open %s", PATH_NET_TUN);
-         error_setg(errp, "Duplicate ID '%s'", netdev->id);
+-        return -1;
 +        fd = RETRY_ON_EINTR(open(PATH_NET_TUN, O_RDWR));
 +        if (fd < 0) {
 +            error_setg_errno(errp, errno, "could not open %s", PATH_NET_TUN);
 +            return -1;
 +        }
      }
      memset(&ifr, 0, sizeof(ifr));
      ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
 --
-.7.4
+.42.0

-[PULL 05/16] e1000: fail early for evil descriptor
+Deleted patch
-During procss_tx_desc(), driver can try to chain data descriptor with
-legacy descriptor, when will lead underflow for the following
-calculation in process_tx_desc() for bytes:
-            if (tp->size + bytes > msh)
-                bytes = msh - tp->size;
-This will lead a infinite loop. So check and fail early if tp->size if
-greater or equal to msh.
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/e1000.c | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -XXX,XX +XXX,XX @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
-         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
-         do {
-             bytes = split_size;
-+            if (tp->size >= msh) {
-+                goto eop;
-+            }
-             if (tp->size + bytes > msh)
-                 bytes = msh - tp->size;
-@@ -XXX,XX +XXX,XX @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
-         tp->size += split_size;
-     }
-+eop:
-     if (!(txd_lower & E1000_TXD_CMD_EOP))
-         return;
-     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
---
-.7.4

-[PULL 07/16] e1000: switch to use qemu_receive_packet() for loopback
+Deleted patch
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/e1000.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -XXX,XX +XXX,XX @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
-     NetClientState *nc = qemu_get_queue(s->nic);
-     if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
--        nc->info->receive(nc, buf, size);
-+        qemu_receive_packet(nc, buf, size);
-     } else {
-         qemu_send_packet(nc, buf, size);
-     }
---
-.7.4

-[PULL 08/16] dp8393x: switch to use qemu_receive_packet() for loopback packet
+Deleted patch
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/dp8393x.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/dp8393x.c
-+++ b/hw/net/dp8393x.c
-@@ -XXX,XX +XXX,XX @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
-             s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
-             if (nc->info->can_receive(nc)) {
-                 s->loopback_packet = 1;
--                nc->info->receive(nc, s->tx_buffer, tx_len);
-+                qemu_receive_packet(nc, s->tx_buffer, tx_len);
-             }
-         } else {
-             /* Transmit packet */
---
-.7.4

-[PULL 09/16] msf2-mac: switch to use qemu_receive_packet() for loopback
+Deleted patch
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/msf2-emac.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/msf2-emac.c
-+++ b/hw/net/msf2-emac.c
-@@ -XXX,XX +XXX,XX @@ static void msf2_dma_tx(MSF2EmacState *s)
-          * R_CFG1 bit 0 is set.
-          */
-         if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
--            nc->info->receive(nc, buf, size);
-+            qemu_receive_packet(nc, buf, size);
-         } else {
-             qemu_send_packet(nc, buf, size);
-         }
---
-.7.4

-[PULL 10/16] sungem: switch to use qemu_receive_packet() for loopback
+Deleted patch
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/sungem.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/sungem.c b/hw/net/sungem.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/sungem.c
-+++ b/hw/net/sungem.c
-@@ -XXX,XX +XXX,XX @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
-     NetClientState *nc = qemu_get_queue(s->nic);
-     if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
--        nc->info->receive(nc, buf, size);
-+        qemu_receive_packet(nc, buf, size);
-     } else {
-         qemu_send_packet(nc, buf, size);
-     }
---
-.7.4

-[PULL 12/16] rtl8139: switch to use qemu_receive_packet() for loopback
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/rtl8139.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -XXX,XX +XXX,XX @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
-         }
-         DPRINTF("+++ transmit loopback mode\n");
--        rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
-+        qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
-         if (iov) {
-             g_free(buf2);
---
-.7.4

-[PULL 13/16] pcnet: switch to use qemu_receive_packet() for loopback
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/pcnet.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -XXX,XX +XXX,XX @@ txagain:
-             if (BCR_SWSTYLE(s) == 1)
-                 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
-             s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
--            pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
-+            qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
-             s->looptest = 0;
-         } else {
-             if (s->nic) {
---
-.7.4

-[PULL 14/16] cadence_gem: switch to use qemu_receive_packet() for loopback
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/cadence_gem.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/cadence_gem.c
-+++ b/hw/net/cadence_gem.c
-@@ -XXX,XX +XXX,XX @@ static void gem_transmit(CadenceGEMState *s)
-                 /* Send the packet somewhere */
-                 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
-                                     GEM_NWCTRL_LOCALLOOP)) {
--                    gem_receive(qemu_get_queue(s->nic), s->tx_packet,
--                                total_bytes);
-+                    qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
-+                                        total_bytes);
-                 } else {
-                     qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
-                                      total_bytes);
---
-.7.4

-[PULL 15/16] lan9118: switch to use qemu_receive_packet() for loopback
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-This is intended to address CVE-2021-3416.
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/lan9118.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/lan9118.c
-+++ b/hw/net/lan9118.c
-@@ -XXX,XX +XXX,XX @@ static void do_tx_packet(lan9118_state *s)
-     /* FIXME: Honor TX disable, and allow queueing of packets.  */
-     if (s->phy_control & 0x4000)  {
-         /* This assumes the receive routine doesn't touch the VLANClient.  */
--        lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
-+        qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
-     } else {
-         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
-     }
---
-.7.4

The following changes since commit f4abdf32714d1845b7c01ec136dd2b04c2f7db47:

Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-docs-xen-updates-100321-2' into staging (2021-03-11 16:20:58 +0000)

are available in the git repository at:

https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 9bdb56367679e68e5e71a1c29a1087bda6414b25:

pvrdma: wean code off pvrdma_ring.h kernel header (2021-03-12 14:08:31 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Alexander Bulekov (4):
      rtl8139: switch to use qemu_receive_packet() for loopback
      pcnet: switch to use qemu_receive_packet() for loopback
      cadence_gem: switch to use qemu_receive_packet() for loopback
      lan9118: switch to use qemu_receive_packet() for loopback

Bin Meng (1):
      net: Fix build error when DEBUG_NET is on

Cornelia Huck (1):
      pvrdma: wean code off pvrdma_ring.h kernel header

Jason Wang (9):
      virtio-net: calculating proper msix vectors on init
      net: unbreak well-form id check for "-nic"
      e1000: fail early for evil descriptor
      net: introduce qemu_receive_packet()
      e1000: switch to use qemu_receive_packet() for loopback
      dp8393x: switch to use qemu_receive_packet() for loopback packet
      msf2-mac: switch to use qemu_receive_packet() for loopback
      sungem: switch to use qemu_receive_packet() for loopback
      tx_pkt: switch to use qemu_receive_packet_iov() for loopback

Paolo Bonzini (1):
      net: validate that ids are well formed

Currently, the default msix vectors for virtio-net-pci is 3 which is
obvious not suitable for multiqueue guest, so we depends on the user
or management tools to pass a correct vectors parameter. In fact, we
can simplifying this by calculating the number of vectors on realize.

Consider we have N queues, the number of vectors needed is 2*N + 2
(#queue pairs + plus one config interrupt and control vq). We didn't
check whether or not host support control vq because it was added
unconditionally by qemu to avoid breaking legacy guests such as Minix.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/core/machine.c          |  1 +
 hw/virtio/virtio-net-pci.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@
 GlobalProperty hw_compat_5_2[] = {
     { "ICH9-LPC", "smm-compat", "on"},
     { "PIIX4_PM", "smm-compat", "on"},
+    { "virtio-net-pci", "vectors", "3"},
 };
 const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2);
 
diff --git a/hw/virtio/virtio-net-pci.c b/hw/virtio/virtio-net-pci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-net-pci.c
+++ b/hw/virtio/virtio-net-pci.c
@@ -XXX,XX +XXX,XX @@ struct VirtIONetPCI {
 static Property virtio_net_properties[] = {
     DEFINE_PROP_BIT("ioeventfd", VirtIOPCIProxy, flags,
                     VIRTIO_PCI_FLAG_USE_IOEVENTFD_BIT, true),
-    DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors, 3),
+    DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors,
+                       DEV_NVECTORS_UNSPECIFIED),
     DEFINE_PROP_END_OF_LIST(),
 };
 
@@ -XXX,XX +XXX,XX @@ static void virtio_net_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
     DeviceState *qdev = DEVICE(vpci_dev);
     VirtIONetPCI *dev = VIRTIO_NET_PCI(vpci_dev);
     DeviceState *vdev = DEVICE(&dev->vdev);
+    VirtIONet *net = VIRTIO_NET(vdev);
+
+    if (vpci_dev->nvectors == DEV_NVECTORS_UNSPECIFIED) {
+        vpci_dev->nvectors = 2 * MAX(net->nic_conf.peers.queues, 1)
+            + 1 /* Config interrupt */
+            + 1 /* Control vq */;
+    }
 
     virtio_net_set_netclient_name(&dev->vdev, qdev->id,
                                   object_get_typename(OBJECT(qdev)));
-- 
2.7.4

From: Paolo Bonzini <pbonzini@redhat.com>

When a network or network device is created from the command line or HMP,
QemuOpts ensures that the id passes the id_wellformed check.  However,
QMP skips this:

$ qemu-system-x86_64 -qmp stdio -S -nic user,id=123/456
   qemu-system-x86_64: -nic user,id=123/456: Parameter id expects an identifier
   Identifiers consist of letters, digits, -, ., _, starting with a letter.

$ qemu-system-x86_64 -qmp stdio -S
   {"execute":"qmp_capabilities"}
   {"return": {}}
   {"execute":"netdev_add", "arguments": {"type": "user", "id": "123/456"}}
   {"return": {}}

After:

$ qemu-system-x86_64 -qmp stdio -S
   {"execute":"qmp_capabilities"}
   {"return": {}}
   {"execute":"netdev_add", "arguments": {"type": "user", "id": "123/456"}}
   {"error": {"class": "GenericError", "desc": "Parameter "id" expects an identifier"}}

Validity checks should be performed always at the bottom of the call chain,
because QMP skips all the steps above.  Do this for the network subsystem.

Cc: Jason Wang <jasowang@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/net.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net/net.c b/net/net.c
index XXXXXXX..XXXXXXX 100644
--- a/net/net.c
+++ b/net/net.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/cutils.h"
 #include "qemu/config-file.h"
 #include "qemu/ctype.h"
+#include "qemu/id.h"
 #include "qemu/iov.h"
 #include "qemu/qemu-print.h"
 #include "qemu/main-loop.h"
@@ -XXX,XX +XXX,XX @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
         }
     }
 
+    /*
+     * The id for -net has already been checked by QemuOpts and
+     * could be automatically generated, in which case it is not
+     * well-formed by design.  HMP and QMP only call us with
+     * is_netdev == true.
+     */
+    if (is_netdev && !id_wellformed(netdev->id)) {
+        error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "id", "an identifier");
+        return -1;
+    }
+
     nc = qemu_find_netdev(netdev->id);
     if (nc) {
         error_setg(errp, "Duplicate ID '%s'", netdev->id);
-- 
2.7.4

During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:

if (tp->size + bytes > msh)
                bytes = msh - tp->size;

This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -XXX,XX +XXX,XX @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
         do {
             bytes = split_size;
+            if (tp->size >= msh) {
+                goto eop;
+            }
             if (tp->size + bytes > msh)
                 bytes = msh - tp->size;
 
@@ -XXX,XX +XXX,XX @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
         tp->size += split_size;
     }
 
+eop:
     if (!(txd_lower & E1000_TXD_CMD_EOP))
         return;
     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
-- 
2.7.4

Some NIC supports loopback mode and this is done by calling
nc->info->receive() directly which in fact suppresses the effort of
reentrancy check that is done in qemu_net_queue_send().

Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduce a
qemu_receive_packet() which is used for implementing loopback mode
for a NIC with this check.

NIC that supports loopback mode will be converted to this helper.