path: root/net
Age | Commit message | Author

2021-09-04 | vhost-vdpa: remove the unnecessary queue_index assignment | Jason Wang
    The queue_index of NetClientState should be assigned in set_netdev() afterwards, so trying to do so in net_vhost_vdpa_init() is meaningless. This patch removes this.

    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-12-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost-vdpa: fix the wrong assertion in vhost_vdpa_init() | Jason Wang
    vhost_vdpa_add() can fail for various reasons, so asserting that it succeeded is wrong. Instead, we should free the NetClientState and propagate the error to the caller.

    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-11-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost-vdpa: tweak the error label in vhost_vdpa_add() | Jason Wang
    Introduce a new error label to avoid the unnecessary checking of the net pointer.

    Fixes: 1e0a84ea49b68 ("vhost-vdpa: introduce vhost-vdpa net client")
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-10-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost-vdpa: fix leaking of vhost_net in vhost_vdpa_add() | Jason Wang
    Fixes: 1e0a84ea49b68 ("vhost-vdpa: introduce vhost-vdpa net client")
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-9-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost-vdpa: don't cleanup twice in vhost_vdpa_add() | Jason Wang
    The previous vhost_net_cleanup is sufficient for freeing; calling vhost_vdpa_del() in this case will lead to an extra round of freeing. Note that this kind of "double free" is safe since vhost_dev_cleanup() zeroes the whole structure.

    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-8-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost-vdpa: remove the unnecessary check in vhost_vdpa_add() | Jason Wang
    The VhostVDPAState is just allocated by qemu_new_net_client() via g_malloc0() in net_vhost_vdpa_init(). So s->vhost_net is NULL for sure; let's remove this unnecessary check in vhost_vdpa_add().

    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-7-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost_net: do not assume nvqs is always 2 | Jason Wang
    This patch switches to initialize dev.nvqs from the VhostNetOptions instead of assuming it was 2. This is useful for implementing control virtqueue support which will be a single vhost_net structure with a single cvq.

    Note that nvqs is still set to 2 for all users and this patch does not change functionality.

    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Eli Cohen <elic@nvidia.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-6-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-09-04 | vhost-vdpa: remove unused variable "acked_features" | Jason Wang
    "acked_features" is unused, let's remove that.

    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Message-Id: <20210903091031.47303-2-jasowang@redhat.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

2021-08-26 | net: Zero sockaddr_in in parse_host_port() | Peter Maydell
    We don't currently zero-initialize the 'struct sockaddr_in' that parse_host_port() fills in, so any fields we don't explicitly initialize might be left as random garbage. POSIX states that implementations may define extensions in sockaddr_in, and that those extensions must not trigger if zero-initialized. So not zero-initializing might result in inadvertently triggering an impdef extension.

    memset() the sockaddr_in before we start to fill it in.

    Fixes: Coverity CID 1005338
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Message-id: 20210813150506.7768-2-peter.maydell@linaro.org

2021-08-05 | chardev: mark explicitly first argument as poisoned | Marc-André Lureau
    Since commit 9894dc0cdcc397ee5b26370bc53da6d360a363c2 "char: convert from GIOChannel to QIOChannel", the first argument to the watch callback can actually be a QIOChannel, which is not a GIOChannel (but a QEMU Object).

    Even though we never used that pointer, change the callback type to warn the users.

    Possibly a better fix later, we may want to store the callback and call it from intermediary functions.

    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

2021-07-26 | net/checksum: Remove unused variable in net_checksum_add_iov | Richard Henderson
    From clang-13:

      ../qemu/net/checksum.c:189:23: error: variable 'buf_off' set but not used \
        [-Werror,-Wunused-but-set-variable]

    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2021-06-11 | Fixed calculation error of pkt->header_size in fill_pkt_tcp_info() | Rao, Lei
    The data pointer has skipped vnet_hdr_len in the function parse_packet_early(). So, we can not subtract vnet_hdr_len again when calculating pkt->header_size in fill_pkt_tcp_info(). Otherwise, it will cause network packet comparison errors and greatly increase the frequency of checkpoints.

    Signed-off-by: Lei Rao <lei.rao@intel.com>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Lukas Straub <lukasstraub2@web.de>
    Tested-by: Lukas Straub <lukasstraub2@web.de>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-11 | Add the function of colo_compare_cleanup | Rao, Lei
    This patch fixes the following:

      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x00007f6ae4559859 in __GI_abort () at abort.c:79
      #2  0x0000559aaa386720 in error_exit (err=16, msg=0x559aaa5973d0 <__func__.16227> "qemu_mutex_destroy") at util/qemu-thread-posix.c:36
      #3  0x0000559aaa3868c5 in qemu_mutex_destroy (mutex=0x559aabffe828) at util/qemu-thread-posix.c:69
      #4  0x0000559aaa2f93a8 in char_finalize (obj=0x559aabffe800) at chardev/char.c:285
      #5  0x0000559aaa23318a in object_deinit (obj=0x559aabffe800, type=0x559aabfd7d20) at qom/object.c:606
      #6  0x0000559aaa2331b8 in object_deinit (obj=0x559aabffe800, type=0x559aabfd9060) at qom/object.c:610
      #7  0x0000559aaa233200 in object_finalize (data=0x559aabffe800) at qom/object.c:620
      #8  0x0000559aaa234202 in object_unref (obj=0x559aabffe800) at qom/object.c:1074
      #9  0x0000559aaa2356b6 in object_finalize_child_property (obj=0x559aac0dac10, name=0x559aac778760 "compare0-0", opaque=0x559aabffe800) at qom/object.c:1584
      #10 0x0000559aaa232f70 in object_property_del_all (obj=0x559aac0dac10) at qom/object.c:557
      #11 0x0000559aaa2331ed in object_finalize (data=0x559aac0dac10) at qom/object.c:619
      #12 0x0000559aaa234202 in object_unref (obj=0x559aac0dac10) at qom/object.c:1074
      #13 0x0000559aaa2356b6 in object_finalize_child_property (obj=0x559aac0c75c0, name=0x559aac0dadc0 "chardevs", opaque=0x559aac0dac10) at qom/object.c:1584
      #14 0x0000559aaa233071 in object_property_del_child (obj=0x559aac0c75c0, child=0x559aac0dac10, errp=0x0) at qom/object.c:580
      #15 0x0000559aaa233155 in object_unparent (obj=0x559aac0dac10) at qom/object.c:599
      #16 0x0000559aaa2fb721 in qemu_chr_cleanup () at chardev/char.c:1159
      #17 0x0000559aa9f9b110 in main (argc=54, argv=0x7ffeb62fa998, envp=0x7ffeb62fab50) at vl.c:4539

    When chardev is cleaned up, chr_write_lock needs to be destroyed. But the colo-compare module is not cleaned up normally before it when the guest powers off. It is holding chr_write_lock at this time. This will cause a qemu crash. So we add the function colo_compare_cleanup() before qemu_chr_cleanup() to fix the bug.

    Signed-off-by: Lei Rao <lei.rao@intel.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Lukas Straub <lukasstraub2@web.de>
    Tested-by: Lukas Straub <lukasstraub2@web.de>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-11 | Add a function named packet_new_nocopy for COLO. | Rao, Lei
    Use packet_new_nocopy instead of packet_new in the filter-rewriter module. There will be one less memory copy in the processing of each network packet.

    Signed-off-by: Lei Rao <lei.rao@intel.com>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-11 | Optimize the function of filter_send | Rao, Lei
    The iov_size has been calculated in filter_send(). We can directly return the size. In this way, there is no need to repeat calculations in filter_redirector_receive_iov().

    Signed-off-by: Lei Rao <lei.rao@intel.com>
    Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Lukas Straub <lukasstraub2@web.de>
    Tested-by: Lukas Straub <lukasstraub2@web.de>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-11 | Remove some duplicate trace code. | Rao, Lei
    There is the same trace code in colo_compare_packet_payload.

    Signed-off-by: Lei Rao <lei.rao@intel.com>
    Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Lukas Straub <lukasstraub2@web.de>
    Tested-by: Lukas Straub <lukasstraub2@web.de>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-11 | vhost-vdpa: remove the unused vhost_vdpa_get_acked_features() | Jason Wang
    No user for this helper, let's remove it.

    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-04 | Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging | Peter Maydell
    # gpg: Signature made Fri 04 Jun 2021 08:26:16 BST
    # gpg:                using RSA key EF04965B398D6211
    # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
    # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
    # gpg:          It is not certain that the signature belongs to the owner.
    # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211

    * remotes/jasowang/tags/net-pull-request:
      MAINTAINERS: Added eBPF maintainers information.
      docs: Added eBPF documentation.
      virtio-net: Added eBPF RSS to virtio-net.
      ebpf: Added eBPF RSS loader.
      ebpf: Added eBPF RSS program.
      net: Added SetSteeringEBPF method for NetClientState.
      net/tap: Added TUNSETSTEERINGEBPF code.

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2021-06-04 | virtio-net: Added eBPF RSS to virtio-net. | Andrew Melnychenko
    When RSS is enabled the device tries to load the eBPF program to select the RX virtqueue in the TUN. If eBPF can be loaded, RSS will also function with vhost (works with kernel 5.8 and later). Software RSS is used as a fallback with vhost=off when eBPF can't be loaded or when hash population is requested by the guest.

    Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
    Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-04 | net: Added SetSteeringEBPF method for NetClientState. | Andrew Melnychenko
    For now, that method is supported only by Linux TAP. Linux TAP uses the TUNSETSTEERINGEBPF ioctl.

    Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-04 | net/tap: Added TUNSETSTEERINGEBPF code. | Andrew Melnychenko
    Additional code that will be used for the eBPF steering setting routine.

    Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-06-02 | docs: fix references to docs/devel/tracing.rst | Stefano Garzarella
    Commit e50caf4a5c ("tracing: convert documentation to rST") converted docs/devel/tracing.txt to docs/devel/tracing.rst.

    We still have several references to the old file, so let's fix them with the following command:

      sed -i s/tracing.txt/tracing.rst/ $(git grep -l docs/devel/tracing.txt)

    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Message-Id: <20210517151702.109066-2-sgarzare@redhat.com>
    Signed-off-by: Thomas Huth <thuth@redhat.com>

2021-05-28 | Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging | Peter Maydell
    # gpg: Signature made Thu 27 May 2021 04:06:17 BST
    # gpg:                using RSA key EF04965B398D6211
    # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
    # gpg: WARNING: This key is not certified with sufficiently trusted signatures!
    # gpg:          It is not certain that the signature belongs to the owner.
    # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211

    * remotes/jasowang/tags/net-pull-request:
      tap-bsd: Remove special casing for older OpenBSD releases
      virtio-net: failover: add missing remove_migration_state_change_notifier()
      hw/net/imx_fec: return 0xffff when accessing non-existing PHY

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2021-05-27 | tap-bsd: Remove special casing for older OpenBSD releases | Brad Smith
    OpenBSD added support for tap(4) 10 releases ago. Remove the special casing for older releases.

    Signed-off-by: Brad Smith <brad@comstyle.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-05-06 | Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging | Peter Maydell
    * NetBSD NVMM support
    * RateLimit mutex
    * Prepare for Meson 0.57 upgrade

    # gpg: Signature made Tue 04 May 2021 13:15:37 BST
    # gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
    # gpg:                issuer "pbonzini@redhat.com"
    # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
    # gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
    # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
    #      Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83

    * remotes/bonzini-gitlab/tags/for-upstream:
      glib-compat: accept G_TEST_SLOW environment variable
      gitlab-ci: use --meson=internal for CFI jobs
      configure: handle meson options that have changed type
      configure: reindent meson invocation
      slirp: add configure option to disable smbd
      ratelimit: protect with a mutex
      Add NVMM Accelerator: add maintainers for NetBSD/NVMM
      Add NVMM accelerator: acceleration enlightenments
      Add NVMM accelerator: x86 CPU support
      Add NVMM accelerator: configure and build logic
      oslib-win32: do not rely on macro to get redefined function name

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2021-05-04 | slirp: add configure option to disable smbd | Joelle van Dyne
    Replace the Windows-specific macro with a more generic feature detection macro. This allows the slirp smb feature to be disabled manually as well.

    Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Joelle van Dyne <j@getutm.app>
    Message-Id: <20210315180341.31638-5-j@getutm.app>
    [Use $default_feature as the default. - Paolo]
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2021-05-02 | Do not include sysemu/sysemu.h if it's not really necessary | Thomas Huth
    Stop including sysemu/sysemu.h in files that don't need it.

    Signed-off-by: Thomas Huth <thuth@redhat.com>
    Message-Id: <20210416171314.2074665-2-thuth@redhat.com>
    Signed-off-by: Laurent Vivier <laurent@vivier.eu>

2021-05-02 | hw: Do not include qemu/log.h if it is not necessary | Thomas Huth
    Many files include qemu/log.h without needing it. Remove the superfluous include statements.

    Signed-off-by: Thomas Huth <thuth@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Message-Id: <20210328054833.2351597-1-thuth@redhat.com>
    Signed-off-by: Laurent Vivier <laurent@vivier.eu>

2021-04-23 | net: check the existence of peer before trying to pad | Jason Wang
    There could be a case where peer is NULL. This can happen during network device hot-add, where the net device needs to be added first. So the patch checks the existence of peer before trying to do the pad.

    Fixes: 969e50b61a285 ("net: Pad short frames to minimum size before sending from SLiRP/TAP")
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
    Reviewed-by: Stefan Weil <sw@weilnetz.de>
    Message-id: 20210423031803.1479-1-jasowang@redhat.com
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2021-04-08 | tap-win32: correctly recycle buffers | Jason Wang
    Commit 969e50b61a28 ("net: Pad short frames to minimum size before sending from SLiRP/TAP") tries to pad frames but tries to recycle the local array that is used for padding to the tap thread. This patch fixes this by recycling the original buffer.

    Fixes: 969e50b61a28 ("net: Pad short frames to minimum size before sending from SLiRP/TAP")
    Tested-by: Howard Spoelstra <hsp.cat7@gmail.com>
    Tested-by: Bin Meng <bmeng.cn@gmail.com>
    Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-04-08 | Revert "qapi: net: Add query-netdev command" | Jason Wang
    Several issues have been reported for the query-netdev series. Considering it's late in the rc, this reverts commit d32ad10a14d46dfe9304e3ed5858a11dcd5c71a0.

    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-04-08 | Revert "net: Move NetClientState.info_str to dynamic allocations" | Jason Wang
    Several issues have been reported for the query-netdev info series. Considering it's late in the rc, this reverts commit 59b5437eb732d6b103a9bc279c3482c834d1eff9.

    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-04-08 | Revert "hmp: Use QAPI NetdevInfo in hmp_info_network" | Jason Wang
    Several issues have been reported for the query-netdev info series. Considering it's late in the rc, this reverts commit a0724776c5a98a08fc946bb5a4ad16410ca64c0e.

    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-04-08 | Revert "net: Do not fill legacy info_str for backends" | Jason Wang
    Several issues have been reported for the query-netdev info series. Considering it's late in the rc, this reverts commit f2e8319d456724c3d8514d943dc4607e2f08e88a.

    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Add an assert() and invert if() statement to simplify code | Philippe Mathieu-Daudé
    To simplify the function body, invert the if() statement, returning earlier. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable.

    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Read ip6_ext_hdr_routing buffer before accessing it | Philippe Mathieu-Daudé
    We can't know the caller read enough data in the memory pointed to by ext_hdr to cast it as an ip6_ext_hdr_routing. Declare rt_hdr on the stack and fill it again from the iovec. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable.

    This fixes a 2-byte buffer overrun in eth_parse_ipv6_hdr() reported by the QEMU fuzzer:

      $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
          -accel qtest -monitor none \
          -serial none -nographic -qtest stdio
      outl 0xcf8 0x80001010
      outl 0xcfc 0xe1020000
      outl 0xcf8 0x80001004
      outw 0xcfc 0x7
      write 0x25 0x1 0x86
      write 0x26 0x1 0xdd
      write 0x4f 0x1 0x2b
      write 0xe1020030 0x4 0x190002e1
      write 0xe102003a 0x2 0x0807
      write 0xe1020048 0x4 0x12077cdd
      write 0xe1020400 0x4 0xba077cdd
      write 0xe1020420 0x4 0x190002e1
      write 0xe1020428 0x4 0x3509d807
      write 0xe1020438 0x1 0xe2
      EOF
      =================================================================
      ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
      READ of size 1 at 0x7ffdef904902 thread T0
          #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
          #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
          #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
          #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
          #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
          #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
          #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
          #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
          #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

      Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
          #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

        This frame has 1 object(s):
          [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
      ==2859770==ABORTING

    Add the corresponding qtest case with the fuzzer reproducer.

    FWIW GCC 11 similarly reported:

      net/eth.c: In function 'eth_parse_ipv6_hdr':
      net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
        410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
            |          ~~~~~^~~~~~~
      net/eth.c:485:24: note: while referencing 'ext_hdr'
        485 |     struct ip6_ext_hdr ext_hdr;
            |                        ^~~~~~~
      net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
        410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
            |                                 ~~~~~^~~~~~~~~
      net/eth.c:485:24: note: while referencing 'ext_hdr'
        485 |     struct ip6_ext_hdr ext_hdr;
            |                        ^~~~~~~

    Cc: qemu-stable@nongnu.org
    Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
    Reported-by: Alexander Bulekov <alxndr@bu.edu>
    Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Check iovec has enough data earlier | Philippe Mathieu-Daudé
    We want to check fields from ip6_ext_hdr_routing structure and if correct read the full in6_address. Let's directly check if our iovec contains enough data for everything, else return early.

    Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Check size earlier in _eth_get_rss_ex_dst_addr() | Philippe Mathieu-Daudé
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument | Philippe Mathieu-Daudé
    The 'offset' argument represents the offset to the ip6_ext_hdr header, rename it as 'ext_hdr_offset'.

    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Simplify _eth_get_rss_ex_dst_addr() | Philippe Mathieu-Daudé
    The length field is already contained in the ip6_ext_hdr structure. Check it directly in eth_parse_ipv6_hdr() before calling _eth_get_rss_ex_dst_addr(), which gets a bit simplified.

    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr() | Philippe Mathieu-Daudé
    The in6_address comes after the ip6_ext_hdr_routing header, not after the ip6_ext_hdr one. Fix the offset.

    Cc: qemu-stable@nongnu.org
    Reported-by: Stefano Garzarella <sgarzare@redhat.com>
    Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
    Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/colo-compare.c: Optimize removal of secondary packet | Lukas Straub
    g_queue_remove needs to look up the list entry first, but we already have it as result and can remove it directly with g_queue_delete_link.

    Signed-off-by: Lukas Straub <lukasstraub2@web.de>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net/colo-compare.c: Fix memory leak for non-tcp packet | Lukas Straub
    In addition to removing the packet from the secondary queue, we also need to free it.

    Signed-off-by: Lukas Straub <lukasstraub2@web.de>
    Signed-off-by: Zhang Chen <chen.zhang@intel.com>
    Reviewed-by: Zhang Chen <chen.zhang@intel.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net: Pad short frames to minimum size before sending from SLiRP/TAP | Bin Meng
    The minimum Ethernet frame length is 60 bytes. For short frames with smaller length like ARP packets (only 42 bytes), on a real world NIC it can choose either padding its length to the minimum required 60 bytes, or sending it out directly to the wire. Such behavior can be hardcoded or controlled by a register bit. Similarly on the receive path, NICs can choose either dropping such short frames directly or handing them over to software to handle.

    On the other hand, for the network backends like SLiRP/TAP, they don't expose a way to control the short frame behavior. As of today they just send/receive data from/to the other end connected to them, which means any sized packet is acceptable. So they can send and receive short frames without any problem. It is observed that ARP packets sent from SLiRP/TAP are 42 bytes, and SLiRP/TAP just send these ARP packets to the other end which might be a NIC model that does not allow short frames to pass through.

    To provide better compatibility, for packets sent from QEMU network backends like SLiRP/TAP, we change to pad short frames before sending it out to the other end, if the other end does not forbid it via the nc->do_not_pad flag. This ensures a backend as an Ethernet sender does not violate the spec. But with this change, the behavior of dropping short frames from SLiRP/TAP interfaces in the NIC model cannot be emulated because it always receives a packet that is spec compliant. The capability of sending short frames from NIC models is still supported and short frames can still pass through SLiRP/TAP.

    This commit should be able to fix the issue as reported with some NIC models before, that ARP requests get dropped, preventing the guest from becoming visible on the network. It was worked around in these NIC models on the receive path, that when a short frame is received, it is padded up to 60 bytes. The following 2 commits seem to be the ones that worked around this issue in e1000 and vmxnet3 before, and should probably be reverted.

      commit 78aeb23eded2 ("e1000: Pad short frames to minimum size (60 bytes)")
      commit 40a87c6c9b11 ("vmxnet3: Pad short frames to minimum size (60 bytes)")

    Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-22 | net: eth: Add a helper to pad a short Ethernet frame | Bin Meng
    Add a helper to pad a short Ethernet frame to the minimum required length, which can be used by backends' code.

    Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-15 | net: Do not fill legacy info_str for backends | Alexey Kirillov
    As we use QAPI NetClientState->stored_config to store and get information about backend network devices, we can drop fill of legacy field info_str for them.

    We still use info_str field for NIC and hubports, so we can not completely remove it.

    Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-15 | hmp: Use QAPI NetdevInfo in hmp_info_network | Alexey Kirillov
    Replace usage of the legacy field info_str of NetClientState for backend network devices with the QAPI NetdevInfo stored_config that is already used in QMP query-netdev.

    This change increases the detail of the "info network" output and takes a more general approach to composing the output.

    NIC and hubports still use the legacy info_str field.

    Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-15 | net: Move NetClientState.info_str to dynamic allocations | Alexey Kirillov
    The info_str field of the NetClientState structure is static and has a size of 256 bytes. This amount is often unclaimed, and the field itself is used exclusively for HMP "info network".

    The patch translates info_str to dynamic memory allocation. This also allows us to painlessly discard usage of this field for backend devices.

    Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-15 | qapi: net: Add query-netdev command | Alexey Kirillov
    The query-netdev command is used to get the configuration of the current network device backends (netdevs). This is the QMP analog of the HMP command "info network" but only for netdevs (i.e. excluding NIC and hubports).

    The query-netdev command returns an array of objects of the NetdevInfo type, which are an extension of the Netdev type. It means that the response can be used for netdev-add after small modification. This can be useful for recreating the same netdev configuration.

    Information about the network device is filled in when it is created or modified and is available through the NetClientState->stored_config.

    Signed-off-by: Alexey Kirillov <lekiravi@yandex-team.ru>
    Acked-by: Markus Armbruster <armbru@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>

2021-03-15 | net: introduce qemu_receive_packet() | Jason Wang
    Some NICs support loopback mode and this is done by calling nc->info->receive() directly, which in fact suppresses the effort of the reentrancy check that is done in qemu_net_queue_send().

    Unfortunately we can't use qemu_net_queue_send() here since for loopback there's no sender as peer, so this patch introduces a qemu_receive_packet() which is used for implementing loopback mode for a NIC with this check.

    NICs that support loopback mode will be converted to this helper.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Jason Wang <jasowang@redhat.com>