aboutsummaryrefslogtreecommitdiff
path: root/hw/net/virtio-net.c
AgeCommit message (Collapse)Author
2014-04-11virtio-net: fix guest-triggerable buffer overrunMichael S. Tsirkin
When VM guest programs multicast addresses for a virtio net card, it supplies a 32 bit entries counter for the number of addresses. These addresses are read into tail portion of a fixed macs array which has size MAC_TABLE_ENTRIES, at offset equal to in_use. To avoid overflow of this array by guest, qemu attempts to test the size as follows: - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) { however, as mac_data.entries is uint32_t, this sum can overflow, e.g. if in_use is 1 and mac_data.entries is 0xffffffff then in_use + mac_data.entries will be 0. Qemu will then read guest supplied buffer into this memory, overflowing buffer on heap. CVE-2014-0150 Cc: qemu-stable@nongnu.org Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-03-26virtio-net: add vlan receive state to RxFilterInfoAmos Kong
Stefan Fritsch just fixed a virtio-net driver bug [1], virtio-net won't filter out VLAN-tagged packets if VIRTIO_NET_F_CTRL_VLAN isn't negotiated. This patch added a new field to @RxFilterInfo to indicate vlan receive state ('normal', 'none', 'all'). If VIRTIO_NET_F_CTRL_VLAN isn't negotiated, vlan receive state will be 'all', then all VLAN-tagged packets will be received by guest. This patch also fixed a boundary issue in visiting vlan table. [1] http://lists.nongnu.org/archive/html/qemu-devel/2014-02/msg02604.html Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2014-03-26virtio-net: Do not filter VLANs without F_CTRL_VLANStefan Fritsch
If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all VLAN-tagged packets but send them to the guest. This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because the OpenBSD driver started as a port from NetBSD). Signed-off-by: Stefan Fritsch <sf@sfritsch.de> Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-03-09virtio-net: remove function calls from assertJoel Stanley
peer_{de,at}tach were called from inside assert(). We don't support building without NDEBUG but it's not tidy. Rearrange to attach peer outside assert calls. Signed-off-by: Joel Stanley <joel@jms.id.au> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-02-25virtio-net: use qemu_get_queue() where possibleStefan Hajnoczi
qemu_get_queue() is a shorthand for qemu_get_subqueue(n->nic, 0). Use the shorthand where possible. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-02-25net: remove implicit peer from offload APIStefan Hajnoczi
The virtio_net offload APIs are used on the NIC's peer (i.e. the tap device). The API was defined to implicitly use nc->peer, saving the caller the trouble. This wasn't ideal because: 1. There are callers who have the peer but not the NIC. Currently they are forced to bypass the API and access peer->info->... directly. 2. The rest of the net.h API uses nc, not nc->peer, so it is inconsistent. This patch pushes nc->peer back up to callers. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-02-25net: virtio-net and vmxnet3 use offloading APIVincenzo Maffione
With this patch, virtio-net and vmxnet3 frontends make use of the qemu_peer_* API for backend offloadings manipulations, instead of calling TAP-specific functions directly. We also remove the existing checks which prevent those frontends from using offloadings with backends different from TAP (e.g. netmap). Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-12-13Merge remote-tracking branch 'bonzini/virtio' into stagingAnthony Liguori
# By Andreas Färber (18) and Paolo Bonzini (12) # Via Paolo Bonzini * bonzini/virtio: (30 commits) virtio: Convert exit to unrealize virtio: Complete converting VirtioDevice to QOM realize virtio-scsi: Convert to QOM realize virtio-rng: Convert to QOM realize virtio-balloon: Convert to QOM realize virtio-net: Convert to QOM realize virtio-serial: Convert to QOM realize virtio-blk: Convert to QOM realize virtio-9p: Convert to QOM realize virtio: Start converting VirtioDevice to QOM realize virtio-scsi: QOM realize preparations virtio-rng: QOM realize preparations virtio-balloon: QOM realize preparations virtio-net: QOM realize preparations virtio-serial: QOM realize preparations virtio-blk: QOM realize preparations virtio-9p: QOM realize preparations virtio-blk-dataplane: Improve error reporting virtio-pci: add device_unplugged callback virtio-rng: switch exit callback to VirtioDeviceClass ...
2013-12-09virtio: Convert exit to unrealizeAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-09virtio-net: Convert to QOM realizeAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-09virtio-net: QOM realize preparationsAndreas Färber
Rename variable qdev -> dev since that's what realize's argument is called by convention. Avoid duplicate VIRTIO_DEVICE() cast. Signed-off-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-09virtio-net: switch exit callback to VirtioDeviceClassPaolo Bonzini
This ensures hot-unplug is handled properly by the proxy, and avoids leaking bus_name which is freed by virtio_device_exit. Cc: qemu-stable@nongnu.org Acked-by: Andreas Faerber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-09virtio-net: don't update mac_table in error stateAmos Kong
mac_table was always cleaned up first in handling VIRTIO_NET_CTRL_MAC_TABLE_SET command, and we din't recover mac_table content in error state, it's not correct. This patch makes all the changes in temporal variables, only update the real mac_table if everything is ok. We won't change mac_table in error state, so rxfilter notification isn't needed. This patch also fixed same problame in http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg01188.html (not merge) I will send patch for virtio spec to clarifying this change. Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Vlad Yasevich <vyasevic@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-12-02virtio-net: fix the indentZhi Yong Wu
Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-11-19virtio-net: fix the memory leak in rxfilter_notify()Amos Kong
object_get_canonical_path() returns a gchar*, it should be freed by the caller. Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Vlad Yasevich <vyasevic@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-11-08virtio-net: broken RX filtering logic fixedDmitry Fleytman
Upon processing of VIRTIO_NET_CTRL_MAC_TABLE_SET command multicast list overwrites unicast list in mac_table. This leads to broken logic for both unicast and multicast RX filtering. Signed-off-by: Dmitry Fleytman <dfleytma@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-11-06virtio-net: only delete bh that existedJason Wang
We delete without check whether it existed during exit. This will lead NULL pointer deference since it was created conditionally depends on guest driver status and features. So add a check of existence before trying to delete it. Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1383728288-28469-1-git-send-email-jasowang@redhat.com Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-09-22virtio-net: fix up HMP NIC info string on resetMichael S. Tsirkin
When mac is updated on reset, info string has stale data. Fix it up. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-08-22aio / timers: Switch entire codebase to the new timer APIAlex Bligh
This is an autogenerated patch using scripts/switch-timer-api. Switch the entire code base to using the new timer API. Note this patch may introduce some line length issues. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-07-29devices: Associate devices to their logical categoryMarcel Apfelbaum
The category will be used to sort the devices displayed in the command line help. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-07-15net: add support of mac-programming over macvtap in QEMU sideAmos Kong
Currently macvtap based macvlan device is working in promiscuous mode, we want to implement mac-programming over macvtap through Libvirt for better performance. Design: QEMU notifies Libvirt when rx-filter config is changed in guest, then Libvirt query the rx-filter information by a monitor command, and sync the change to macvtap device. Related rx-filter config of the nic contains main mac, rx-mode items and vlan table. This patch adds a QMP event to notify management of rx-filter change, and adds a monitor command for management to query rx-filter information. Test: If we repeatedly add/remove vlan, and change macaddr of vlan interfaces in guest by a loop script. Result: The events will flood the QMP client(management), management takes too much resource to process the events. Event_throttle API (set rate to 1 ms) can avoid the events to flood QMP client, but it could cause an unexpected delay (~1ms), guests guests normally expect rx-filter updates immediately. So we use a flag for each nic to avoid events flooding, the event is emitted once until the query command is executed. The flag implementation could not introduce unexpected delay. There maybe exist an uncontrollable delay if we let Libvirt do the real change, guests normally expect rx-filter updates immediately. But it's another separate issue, we can investigate it when the work in Libvirt side is done. Michael S. Tsirkin: tweaked to enable events on start Michael S. Tsirkin: fixed not to crash when no id Michael S. Tsirkin: fold in patch: "additional fixes for mac-programming feature" Amos Kong: always notify QMP client if mactable is changed Amos Kong: return NULL list if no net client supports rx-filter query Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Amos Kong <akong@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-05-22virtio-net: dynamic network offloads configurationDmitry Fleytman
Virtio-net driver currently negotiates network offloads on startup via features mechanism and have no ability to disable and re-enable offloads later. This patch introduced a new control command that allows to configure device network offloads state dynamically. The patch also introduces a new feature flag VIRTIO_NET_F_CTRL_GUEST_OFFLOADS. Signed-off-by: Dmitry Fleytman <dfleytma@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 20130520081814.GA8162@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-05-15virtio-net: add virtio_net_set_netclient_name.KONRAD Frederic
This adds virtio_net_set_netclient_name, which is used to set the name and type shown in "info network" command. Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> Message-id: 1368619970-23892-2-git-send-email-fred.konrad@greensocs.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-05-07virtio-net: properly check the vhost status during status setJason Wang
Commit 32993698 (vhost: disable on tap link down) tries to disable the vhost also when the peer's link is down. But the check was not done properly, the vhost were only started when: 1) peer's link is not down 2) virtio-net has already been started. Since == have a higher precedence than &&, place a brace to make sure both the conditions were met then does the check. This fixes the crash when doing a savem after set the link off which let qemu crash and complains: virtio_net_save: Assertion `!n->vhost_started' failed. Cc: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Message-id: 1366972060-21606-1-git-send-email-jasowang@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-30virtio-net: count VIRTIO_NET_F_MAC when calculating config_lenJason Wang
Commit 14f9b664 (hw/virtio-net.c: set config size using host features) tries to calculate config size based on the host features. But it forgets the VIRTIO_NET_F_MAC were always set for qemu later. This will lead a zero config len for virtio-net device when both VIRTIO_NET_F_STATUS and VIRTIO_NET_F_MQ were disabled form command line. Then qemu will crash when user tries to read the config of virtio-net. Fix this by counting VIRTIO_NET_F_MAC and make sure the config at least contains the mac address. Cc: Jesse Larrew <jlarrew@linux.vnet.ibm.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1366874814-2658-1-git-send-email-jasowang@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-29virtio-net: unbreak the minix guestJason Wang
Multiqueue patchset conditionally add control vq only when guest negotiate the feature. Though the spec is not clear on this but it breaks the minix guest since it will identify the ctrl vq even if it does not support it. Though this behavior seems a violation on the spec "If the VIRTIO_NET_F_CTRL_VQ feature bit is negotiated, identify the control virtqueue.", to keep the backward compatibility, always add the ctrl vq at end of the queues. Reported-by: Aurelien Jarno <aurelien@aurel32.net> Acked-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Jason Wang <jasowang@redhat.com> Message-id: 1366874663-2566-1-git-send-email-jasowang@redhat.com Cc: Aurelien Jarno <aurelien@aurel32.net> Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-24virtio: cleanup: init and exit function.KONRAD Frederic
This clean the init and the exit functions and rename virtio_common_cleanup to virtio_cleanup. Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> Message-id: 1366791683-5350-7-git-send-email-fred.konrad@greensocs.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-24virtio: remove the function pointer.KONRAD Frederic
This remove the function pointer in VirtIODevice, and use only VirtioDeviceClass function pointer. Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> Message-id: 1366791683-5350-5-git-send-email-fred.konrad@greensocs.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-17virtio-net: cleanup: init and exit function.KONRAD Frederic
This remove old init and exit function as they are no longer needed. Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com> Message-id: 1365690602-22729-8-git-send-email-fred.konrad@greensocs.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-17virtio-net: cleanup: use QOM cast.KONRAD Frederic
As the virtio-net-pci and virtio-net-s390 are switched to the new API, we can use QOM casts. Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com> Message-id: 1365690602-22729-7-git-send-email-fred.konrad@greensocs.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-17virtio-net: add the virtio-net device.KONRAD Frederic
Create virtio-net-device which extends virtio-device, so it can be connected on virtio-bus. Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com> Tested-by: Cornelia Huck <cornelia.huck@de.ibm.com> Message-id: 1365690602-22729-3-git-send-email-fred.konrad@greensocs.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-04-08hw: move virtio devices to hw/ subdirectoriesPaolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>