Now, AER capa version is fixed to v2, if assigned device isn't v2,
then this value will be inconsistent between guest and host
Signed-off-by: NDou Liyang <douly.fnst@cn.fujitsu.com>
Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

When user specify invalid value for property aer_log_max, device should
fail to create, and report appropriate message.
Signed-off-by: NCao jin <caoj.fnst@cn.fujitsu.com>
Reviewed-by: NMarcel Apfelbaum <marcel@redhat.com>
Acked-by: NDmitry Fleytman <dmitry@daynix.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Current code that handles Tx buffer desciprtor ring scanning employs the
following algorithm:

	1. Restore current buffer descriptor pointer from TBPTRn

	2. Process current descriptor

	3. If current descriptor has BD_WRAP flag set set current
	   descriptor pointer to start of the descriptor ring

	4. If current descriptor points to start of the ring exit the
	   loop, otherwise increment current descriptor pointer and go
	   to #2

	5. Store current descriptor in TBPTRn

The way the code is implemented results in buffer descriptor ring being
scanned starting at offset/descriptor #0. While covering 99% of the
cases, this algorithm becomes problematic for a number of edge cases.

Consider the following scenario: guest OS driver initializes descriptor
ring to N individual descriptors and starts sending data out. Depending
on the volume of traffic and probably guest OS driver implementation it
is possible that an edge case where a packet, spread across 2
descriptors is placed in descriptors N - 1 and 0 in that order(it is
easy to imagine similar examples involving more than 2 descriptors).

What happens then is aforementioned algorithm starts at descriptor 0,
sees a descriptor marked as BD_LAST, which it happily sends out as a
separate packet(very much malformed at this point) then the iteration
continues and the first part of the original packet is tacked to the
next transmission which ends up being bogus as well.

This behvaiour can be pretty reliably observed when scp'ing data from a
guest OS via TAP interface for files larger than 160K (every time for
700K+).

This patch changes the scanning algorithm to do the following:

	1. Restore "current" buffer descriptor pointer from
	   TBPTRn

	2. If "current" descriptor does not have BD_TX_READY set, goto #6

	3. Process current descriptor

	4. If "current" descriptor has BD_WRAP flag set "current"
	   descriptor pointer to start of the descriptor ring otherwise
	   set increment "current" by the size of one descriptor

	5. Goto #1

	6. Save "current" buffer descriptor in TBPTRn

This way we preserve the information about which descriptor was
processed last and always start where we left off avoiding the original
problem. On top of that, judging by the following excerpt from
MPC8548ERM (p. 14-48):

"... When the end of the TxBD ring is reached, eTSEC initializes TBPTRn
to the value in the corresponding TBASEn. The TBPTR register is
internally written by the eTSEC’s DMA controller during
transmission. The pointer increments by eight (bytes) each time a
descriptor is closed successfully by the eTSEC..."

revised algorithm might also a more correct way of emulating this aspect
of eTSEC peripheral.

Cc: Alexander Graf <agraf@suse.de>
Cc: Scott Wood <scottwood@freescale.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: qemu-devel@nongnu.org
Signed-off-by: NAndrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

According to datasheet:
"[Bit 15 of Basic Mode Control Register] sets the status and control registers
of the PHY (register 0062-0074) in a default state. This bit is self-clearing.
1 = software reset; 0 = normal operation."

This fixes the netcard detection failure in Minoca OS.
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Fix various small problems in hexdump code, such as:
    - Reference to non-existing field etsec->nic->nc.name is replaced
    with nc->name

    - Type mismatch warnings
Signed-off-by: NAndrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Depending on QEMU network setup it is possible for us to receive a
complete Ethernet packet that is less 64 bytes long. One such example is
when QEMU is configured to use a standalone TAP device (not set to be a
part of any bridge) receives and ARP packet. In cases like that we need
to add more than just 4-bytes of CRC padding and ensure that our payload
is at least 60 bytes long, such that, when combined with CRC padding
bytes the resulting size is at least 802.3 minimum MTU bytes
long (64). Failing to do that results in code in etsec_walk_rx_ring()
setting BD_RX_SH which, in turn, makes corresponding Linux driver of
emulated host to reject buffer as a runt packet
Signed-off-by: NAndrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

ColdFire Fast Ethernet Controller uses a receive buffer size
register(EMRBR) to hold maximum size of all receive buffers.
It is set by a user before any operation. If it was set to be
zero, ColdFire emulator would go into an infinite loop while
receiving data in mcf_fec_receive. Add check to avoid it.
Reported-by: NWjjzhang <wjjzhang@tencent.com>
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: NJason Wang <jasowang@redhat.com>

virtio 1.0 spec says this is a legacy feature bit,
hide it from guests in modern mode.

Note: for cross-version migration compatibility,
we keep the bit set in host_features.
The result will be that a guest migrating cross-version
will see host features change under it.
As guests only seem to read it once, this should
not be an issue. Meanwhile, will work to fix guests to
ignore this bit in virtio1 mode, too.

Cc: qemu-stable@nongnu.org
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>

The function undoes the effect of virtqueue_pop and doesn't do anything
destructive or irreversible so virtqueue_unpop is a more fitting name.
Signed-off-by: NLadi Prosek <lprosek@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1373816
qemu core dump happens during repetitive unpug-plug
with multiple queues and Windows RSS-capable guest.
If back-end delete requested during virtio-net device
initialization, driver still can try configure the device
for multiple queues. The virtio-net device is expected
to be removed as soon as the initialization is done.
Signed-off-by: NYuri Benditovich <yuri.benditovich@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Prepare xen_be_send_notify to be shared with frontends:
 * xen_be_send_notify -> xen_pv_send_notify
Signed-off-by: NEmil Condrea <emilcondrea@gmail.com>
Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
Signed-off-by: NQuan Xu <xuquan8@huawei.com>
Acked-by: NAnthony PERARD <anthony.perard@citrix.com>

Prepare xen_be_unbind_evtchn to be shared with frontends:
 * xen_be_unbind_evtchn -> xen_pv_unbind_evtchn
Signed-off-by: NEmil Condrea <emilcondrea@gmail.com>
Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
Signed-off-by: NQuan Xu <xuquan8@huawei.com>
Acked-by: NAnthony PERARD <anthony.perard@citrix.com>

Prepare xen_be_printf to be used by both backend and frontends:
 * xen_be_printf -> xen_pv_printf
Signed-off-by: NEmil Condrea <emilcondrea@gmail.com>
Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
Signed-off-by: NQuan Xu <xuquan8@huawei.com>
Acked-by: NAnthony PERARD <anthony.perard@citrix.com>

Fixes:
 * WARNING: line over 80 characters
Signed-off-by: NEmil Condrea <emilcondrea@gmail.com>
Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
Signed-off-by: NQuan Xu <xuquan8@huawei.com>
Acked-by: NAnthony PERARD <anthony.perard@citrix.com>

Fixes the following errors:
 * ERROR: line over 90 characters
 * ERROR: code indent should never use tabs
 * ERROR: space prohibited after that open square bracket '['
 * ERROR: do not initialise statics to 0 or NULL
 * ERROR: "(foo*)" should be "(foo *)"
Signed-off-by: NEmil Condrea <emilcondrea@gmail.com>
Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
Signed-off-by: NQuan Xu <xuquan8@huawei.com>
Acked-by: NAnthony PERARD <anthony.perard@citrix.com>

RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.
Reported-by: NAndrew Henderson <hendersa@icculus.org>
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: NJason Wang <jasowang@redhat.com>

In Vmxnet3 device emulator while processing transmit(tx) queue,
when it reaches end of packet, it calls vmxnet3_complete_packet.
In that local 'txcq_descr' object is not initialised, which could
leak host memory bytes a guest.
Reported-by: NLi Qiang <liqiang6-s@360.cn>
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

The e1000e emulation zeroes out any used rx descriptor and then writes a
completely newly constructed value there. By doing this, it doesn't only
update the write-back area of the descriptors (as it's supposed to do),
but it also clears the buffer address, which real hardware doesn't do.

The spec explicitly mentions in chapter 7.1.8 that it is valid for a
driver to reuse a descriptor and only update the status field while
doing so, i.e. reusing the old buffer address:

    If software statically allocates buffers, and uses memory read to
    check for completed descriptors, it simply has to zero the status
    byte in the descriptor to make it ready for reuse by hardware.

This patch fixes the behaviour to leave the buffer address in
descriptors unchanged even after the descriptor has been used.
Signed-off-by: NKevin Wolf <mail@kevin-wolf.de>
Reviewed-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: NHuawei PSIRT <psirt@huawei.com>
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: NJiri Pirko <jiri@mellanox.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

The exit dispatch of eepro100 network card device doesn't free
the 's->vmstate' field which was allocated in device realize thus
leading a host memory leak. This patch avoid this.
Signed-off-by: NLi Qiang <liqiang6-s@360.cn>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Fix indentations and source format at few places. Add braces
around 'if' and 'while' statements.
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: NJason Wang <jasowang@redhat.com>

The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
Reported-by: NLi Qiang <liqiang6-s@360.cn>
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Now all the usages of the old version of VMSTATE_VIRTIO_DEVICE are gone,
so we can get rid of the conditionals, and the old macro.
Signed-off-by: NHalil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Use the new VMSTATE_VIRTIO_DEVICE macro.
Signed-off-by: NHalil Pasic <pasic@linux.vnet.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

All these errors are caused by a buggy guest: let's switch the device to
the broken state instead of terminating QEMU. Also we detach the element
from the virtqueue and free it.

If this happens, virtio_net_flush_tx() also returns -EINVAL, so that all
callers can stop processing the virtqueue immediatly.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

All these errors are caused by a buggy guest: let's switch the device to
the broken state instead of terminating QEMU. Also we detach the element
from the virtqueue and free it.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

This error is caused by a buggy guest: let's switch the device to the
broken state instead of terminating QEMU. Also we detach the element
from the virtqueue and free it.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

There was an error with some of the register implementation assuming
there are 16 priority queues supported when the IP only supports 8. This
patch corrects the registers to only support 8 queues.
Signed-off-by: NAlistair Francis <alistair.francis@xilinx.com>
Reported-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 33bf2d28326d22875602234b8b15cf56fb678333.1474911607.git.alistair.francis@xilinx.com
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This uses the wrong frame size for packets composed of multiple
descriptors.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

This uses the wrong frame size for packets composed of multiple
descriptors.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: NLi Qiang <liqiang6-s@360.cn>
Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

This patch fixes 2 issues:

1. Bits set in EIAC register should be cleared
   from IMS when EIAM is not used.
2. Only bit that corresonds to the interrupt being
   raised should be cleared.

See spec. 10.2.4.7 Interrupt Auto Clear
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Do not raise ACK interrupts when
RFCTL.ACKDIS bit is set (see spec. 10.2.5.16).
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Interrupt mask for legacy OTHER causes should
not apply to MSI-X OTHER cause.
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

This patch fixes incorrect check for
interrypt type being used.

PBSCLR register is valid for MSI-X only.

See spec. 10.2.3.13 MSI—X PBA Clear
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

CTRL_EXT.EIAME bit controls clearing of IAM bits,
but current code clears IMS bits instead.

See spec. 10.2.2.5 Extended Device Control Register.
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

Before this patch first netdev queue only was flushed.
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

hw/net/e1000e_core.c:56: warning: e1000e_set_interrupt_cause declared inline after being called
hw/net/e1000e_core.c:56: warning: previous declaration of e1000e_set_interrupt_cause was here
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>

This allows increasing the rx queue size up to 1024: unlike with tx,
guests don't put in huge S/G lists into RX so the risk of running into
the max 1024 limitation due to some off-by-one seems small.

It's helpful for users like OVS-DPDK which don't do any buffering on the
host - 1K roughly matches 500 entries in tun + 256 in the current rx
queue, which seems to work reasonably well. We could probably make do
with ~750 entries but virtio spec limits us to powers of two.
It might be a good idea to specify an s/g size limit in a future
version.

It also might be possible to make the queue size smaller down the road, 64
seems like the minimal value which will still work (as guests seem to
assume a queue full of 1.5K buffers is enough to process the largest
incoming packet, which is ~64K).  No one actually asked for this, and
with virtio 1 guests can reduce ring size without need for host
configuration, so don't bother with this for now.

Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: Jason Wang <jasowang@redhat.com>
Suggested-by: NPatrik Hermansson <phermansson@gmail.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NCornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>