aboutsummaryrefslogtreecommitdiff
path: root/hw/net/rtl8139.c
AgeCommit message (Collapse)Author
2015-09-11maint: avoid useless "if (foo) free(foo)" patternMarkus Armbruster
My Coccinelle semantic patch finds a few more, because it also fixes up the equally pointless conditional if (foo) { free(foo); foo = NULL; } Result (feel free to squash it into your patch): Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11maint: remove / fix many doubled wordsDaniel P. Berrange
Many source files have doubled words (eg "the the", "to to", and so on). Most of these can simply be removed, but a couple were actual mis-spellings (eg "to to" instead of "to do"). There was even one triple word score "to to to" :-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-02rtl8139: Do not consume the packet during overflow in standard mode.Vladislav Yasevich
When operation in standard mode, we currently return the size of packet during buffer overflow. This consumes the overflow packet. Return 0 instead so we can re-process the overflow packet when we have room. This fixes issues with lost/dropped fragments of large messages. Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1441121206-6997-3-git-send-email-vyasevic@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02rtl8139: Fix receive buffer overflow checkVladislav Yasevich
rtl8139_do_receive() tries to check for the overflow condition by making sure that packet_size + 8 does not exceed the available buffer space. The issue here is that RxBuffAddr, used to calculate available buffer space, is aligned to a a 4 byte boundry after every update. So it is possible that every packet ends up being slightly padded when written to the receive buffer. This padding is not taken into account when checking for overflow and we may end up missing the overflow condition can causing buffer overwrite. This patch takes alignment into consideration when checking for overflow condition. Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1441121206-6997-2-git-send-email-vyasevic@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02rtl8139: use ldl/stl wrapper for unaligned 32-bit accessStefan Hajnoczi
The tx offload feature accesses a 16-bit aligned TCP header struct. The 32-bit fields must be accessed using ldl/stl wrappers since some host architectures fault on unaligned access. Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1438604157-29664-4-git-send-email-stefanha@redhat.com
2015-09-02rtl8139: use net/eth.h macros instead of custom macrosStefan Hajnoczi
Eliminate the following "custom" macros since they are just duplicates of net/eth.h macros under a different name: ETHER_ADDR_LEN -> ETH_ALEN ETH_P_8021Q -> ETH_P_VLAN IP_HEADER_LENGTH -> IP_HDR_GET_LEN TCP_FLAG_FIN -> TH_FIN TCP_FLAG_PUSH -> TH_PUSH Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1438604157-29664-3-git-send-email-stefanha@redhat.com
2015-09-02rtl8139: remove duplicate net/eth.h definitionsStefan Hajnoczi
The transmit offload features inspect Ethernet, IP, TCP, and UDP headers. Avoid redefining these net/eth.h structs. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1438604157-29664-2-git-send-email-stefanha@redhat.com
2015-08-03rtl8139: check TCP Data Offset field (CVE-2015-5165)Stefan Hajnoczi
The TCP Data Offset field contains the length of the header. Make sure it is valid and does not exceed the IP data length. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03rtl8139: skip offload on short TCP header (CVE-2015-5165)Stefan Hajnoczi
TCP Large Segment Offload accesses the TCP header in the packet. If the packet is too short we must not attempt to access header fields: tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03rtl8139: check IP Total Length field (CVE-2015-5165)Stefan Hajnoczi
The IP Total Length field includes the IP header and data. Make sure it is valid and does not exceed the Ethernet payload size. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03rtl8139: check IP Header Length field (CVE-2015-5165)Stefan Hajnoczi
The IP Header Length field was only checked in the IP checksum case, but is used in other cases too. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)Stefan Hajnoczi
Transmit offload features access Ethernet and IP headers the packet. If the packet is too short we must not attempt to access header fields: int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); ... eth_payload_data = saved_buffer + ETH_HLEN; ... ip = (ip_header*)eth_payload_data; if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)Stefan Hajnoczi
The previous patch stopped using the ip pointer as an indicator that the IP header is present. When we reach the if (ip) {...} statement we know ip is always non-NULL. Remove the if statement to reduce nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)Stefan Hajnoczi
Transmit offload needs to parse packet headers. If header fields have unexpected values the offload processing is skipped. The code currently uses nested ifs because there is relatively little input validation. The next patches will add missing input validation and a goto label is more appropriate to avoid deep if statement nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-06-12migration: Use normal VMStateDescriptions for SubsectionsJuan Quintela
We create optional sections with this patch. But we already have optional subsections. Instead of having two mechanism that do the same, we can just generalize it. For subsections we just change: - Add a needed function to VMStateDescription - Remove VMStateSubsection (after removal of the needed function it is just a VMStateDescription) - Adjust the whole tree, moving the needed function to the corresponding VMStateDescription Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-02-26pci: Trivial device model conversions to realizeMarkus Armbruster
Convert the device models where initialization obviously can't fail. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-02-10rtl8139: g_malloc() can't fail, bury dead error handlingMarkus Armbruster
Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-02-06rtl8139: simplify timer logicPaolo Bonzini
Pavel Dovgalyuk reports that TimerExpire and the timer are not restored correctly on the receiving end of migration. It is not clear to me whether this is really the case, but we can take the occasion to get rid of the complicated code that computes PCSTimeout on the fly upon changes to IntrStatus/IntrMask. Just always keep a timer running, it will fire every ~130 seconds at most if the interrupt is masked with TimerInt != 0. This makes rtl8139_set_next_tctr_time idempotent (when the virtual clock is stopped between two calls, as is the case during migration). Tested with Frediano's qtest. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1421765099-26190-1-git-send-email-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-01-12net: remove all cleanup methods from NIC NetClientInfosPaolo Bonzini
All NICs have a cleanup function that, in most cases, zeroes the pointer to the NICState. In some cases, it frees data belonging to the NIC. However, this function is never called except when exiting from QEMU. It is not necessary to NULL pointers and free data here; the right place to do that would be in the device's unrealize function, after calling qemu_del_nic. Zeroing the NIC multiple times is also wrong for multiqueue devices. This cleanup function gets in the way of making the NetClientStates for the NIC hold an object_ref reference to the object, so get rid of it. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21rtl8139: fix Pointer to local outside scopeGonglei
Coverity spot: Assigning: iov = struct iovec [3]({{buf, 12UL}, {(void *)dot1q_buf, 4UL}, {buf + 12, size - 12}}) (address of temporary variable of type struct iovec [3]). out_of_scope: Temporary variable of type struct iovec [3] goes out of scope. Pointer to local outside scope (RETURN_LOCAL) use_invalid: Using iov, which points to an out-of-scope temporary variable of type struct iovec [3]. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-10-15bootindex: move calling add_boot_device_patch to bootindex setter functionGonglei
On this way, we can assure the new bootindex take effect during vm rebooting. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-15rtl8139: add bootindex to qom propertyGonglei
Add a qom property with the same name 'bootindex', when we remove it form qdev property, things will continue to work just fine, and we can use qom features which are not supported by qdev property. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-08-18memory: remove memory_region_destroyPaolo Bonzini
The function is empty after the previous patch, so remove it. Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-06-16savevm: Remove all the unneeded version_minimum_id_old (x86)Juan Quintela
After previous Peter patch, they are redundant. This way we don't assign them except when needed. Once there, there were lots of case where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (appart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2013-11-21Revert "e1000/rtl8139: update HMP NIC when every bit is written"Michael S. Tsirkin
This reverts commit cd5be5829c1ce87aa6b3a7806524fac07ac9a757. Digging into hardware specs shows this does not actually make QEMU behave more like hardware: There are valid arguments backed by the spec to indicate why the version of e1000 prior to cd5be582 was more correct: the high byte actually includes a valid bit, this is why all guests write it last. For rtl8139 there's actually a separate undocumented valid bit, but we don't implement it yet. To summarize all the drivers we know about behave in one way that allows us to make an assumption about write order and avoid spurious, incorrect mac address updates to the monitor. Let's stick to the tried heuristic for 1.7 and possibly revisit for 1.8. Reported-by: Vlad Yasevich <vyasevic@redhat.com> Reviewed-by: Vlad Yasevich <vyasevic@redhat.com> Cc: Amos Kong <akong@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-11-06e1000/rtl8139: update HMP NIC when every bit is writtenAmos Kong
We currently just update the HMP NIC info when the last bit of macaddr is written. This assumes that guest driver will write all the macaddr from bit 0 to bit 5 when it changes the macaddr, this is the current behavior of linux driver (e1000/rtl8139cp), but we can't do this assumption. The macaddr that is used for rx-filter will be updated when every bit is changed. This patch updates the e1000/rtl8139 nic to update HMP NIC info when every bit is changed. It will be same as virtio-net. Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Message-id: 1383650238-16015-1-git-send-email-akong@redhat.com Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-10-31Merge remote-tracking branch 'mst/tags/for_anthony' into stagingAnthony Liguori
pci, pc, acpi fixes, enhancements This includes some pretty big changes: - pci master abort support by Marcel - pci IRQ API rework by Marcel - acpi generation support by myself Everything has gone through several revisions, latest versions have been on list for a while without any more comments, tested by several people. Please pull for 1.7. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Tue 15 Oct 2013 07:33:48 AM CEST using RSA key ID D28D5469 # gpg: Can't check signature: public key not found * mst/tags/for_anthony: (39 commits) ssdt-proc: update generated file ssdt: fix PBLK length i386: ACPI table generation code from seabios pc: use new api to add builtin tables acpi: add interface to access user-installed tables hpet: add API to find it pvpanic: add API to access io port ich9: APIs for pc guest info piix: APIs for pc guest info acpi/piix: add macros for acpi property names i386: define pc guest info loader: allow adding ROMs in done callbacks i386: add bios linker/loader loader: use file path size from fw_cfg.h acpi: ssdt pcihp: updat generated file acpi: pre-compiled ASL files acpi: add rules to compile ASL source i386: add ACPI table files from seabios q35: expose mmcfg size as a property q35: use macro for MCFG property name ... Message-id: 1381818560-18367-1-git-send-email-mst@redhat.com Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-10-18net/rtl8139: update network information when macaddr is changed in guestAmos Kong
rtl8139 has same problem as e1000, nic info isn't updated when macaddr is changed in guest. This patch updates the nic info when the last bit of macaddr is written. Signed-off-by: Amos Kong <akong@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-18net: update nic info during device resetAmos Kong
macaddr is reset during device reset, but nic info isn't updated, this problem exists in e1000 & rtl8139 Signed-off-by: Amos Kong <akong@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-14hw: set interrupts using pci irq wrappersMarcel Apfelbaum
pci_set_irq and the other pci irq wrappers use PCI_INTERRUPT_PIN config register to compute device INTx pin to assert/deassert. An irq is allocated using pci_allocate_irq wrapper only if is needed by non pci devices. Removed irq related fields from state if not used anymore. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-08-22aio / timers: Switch entire codebase to the new timer APIAlex Bligh
This is an autogenerated patch using scripts/switch-timer-api. Switch the entire code base to using the new timer API. Note this patch may introduce some line length issues. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-07-29devices: Associate devices to their logical categoryMarcel Apfelbaum
The category will be used to sort the devices displayed in the command line help. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-07-23net/rtl8139: QOM parent field cleanupAndreas Färber
Replace direct uses of RTL8139State::dev with QOM casts and rename it to parent_obj. Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-23net/rtl8139: QOM Upcast SweepPeter Crosthwaite
Define and use standard QOM cast macro. Remove usages of DO_UPCAST() and direct -> style upcasting. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-04hw/n*: pass owner to memory_region_init* functionsPaolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04memory: add owner argument to initialization functionsPaolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-05-24rtl8139: flush queued packets when RxBufPtr is writtenStefan Hajnoczi
Net queues support efficient "receive disable". For example, tap's file descriptor will not be polled while its peer has receive disabled. This saves CPU cycles for needlessly copying and then dropping packets which the peer cannot receive. rtl8139 is missing the qemu_flush_queued_packets() call that wakes the queue up when receive becomes possible again. As a result, the Windows 7 guest driver reaches a state where the rtl8139 cannot receive packets. The driver has actually refilled the receive buffer but we never resume reception. The bug can be reproduced by running a large FTP 'get' inside a Windows 7 guest: $ qemu -netdev tap,id=tap0,... -device rtl8139,netdev=tap0 The Linux guest driver does not trigger the bug, probably due to a different buffer management strategy. Reported-by: Oliver Francke <oliver.francke@filoo.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-04-08hw: move target-independent files to subdirectoriesPaolo Bonzini
This patch tackles all files that are compiled once, moving them to subdirectories of hw/. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>