- 10 Mar, 2015 1 commit

Committed by Radim Krčmář

man gcc:

    Warn about logical not used on the left hand side operand of a comparison. This option does not warn if the RHS operand is of a boolean type.

By preferring bool over int where sensible, but without modifying any depending code, make GCC happy in cases like this,

    qemu-img.c: In function ‘compare_sectors’:
    qemu-img.c:992:39: error: logical not is only applied to the left hand side of comparison [-Werror=logical-not-parentheses]
    if (!!memcmp(buf1, buf2, 512) != res) {

hw/ide/core.c:1836 doesn't throw an error,

    assert(!!s->error == !!(s->status & ERR_STAT));

even though the second operand is int (and first hunk of this patch has a very similar case), maybe GCC developers still have a little faith in C programmers.

Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
- 26 Feb, 2015 2 commits

Committed by Cornelia Huck

Add a helper function for checking whether a bit is set in the guest features for a vdev as well as one that works on a feature bit set.

Convert code that open-coded this: It cleans up the code and makes it easier to extend the guest feature bits.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Cornelia Huck

Add virtio_{add,clear}_feature helper functions for manipulating a feature bits variable. This has some benefits over open coding:
- add check that the bit is in a sane range
- make it obvious at a glance what is going on
- have a central point to change when we want to extend feature bits

Convert existing code manipulating features to use the new helpers.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 12 Jan, 2015 1 commit

Committed by Paolo Bonzini

All NICs have a cleanup function that, in most cases, zeroes the pointer to the NICState. In some cases, it frees data belonging to the NIC. However, this function is never called except when exiting from QEMU.

It is not necessary to NULL pointers and free data here; the right place to do that would be in the device's unrealize function, after calling qemu_del_nic. Zeroing the NIC multiple times is also wrong for multiqueue devices.

This cleanup function gets in the way of making the NetClientStates for the NIC hold an object_ref reference to the object, so get rid of it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 28 Nov, 2014 1 commit

Committed by Jason Wang

virtio_net_handle_ctrl() and other functions that process control vq requests call iov_discard_front(), which will shorten the iov. This will lead the unmapping in virtqueue_push() to leak the mapping.

Fix this by keeping the original iov untouched and using a temp variable in those functions.

Cc: Wen Congyang <wency@cn.fujitsu.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1417082643-23907-1-git-send-email-jasowang@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-
- 15 Oct, 2014 2 commits

Committed by Gonglei

In this way, we can assure the new bootindex takes effect during vm rebooting.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
Committed by Gonglei

Add a qom property with the same name 'bootindex'. When we remove it from the qdev property, things will continue to work just fine, and we can use qom features which are not supported by qdev property.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
- 19 Sep, 2014 1 commit

Committed by Michael S. Tsirkin

On vm stop, vm_running state is set to stopped before the device is notified, so callbacks can get invoked with vm_running = false; and this is not an error.

Cc: qemu-stable@nongnu.org
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 05 Sep, 2014 2 commits

Committed by Michael S. Tsirkin

Whenever we start vhost, virtio could have outstanding packets queued; when they complete later we'll modify the ring while vhost is processing it.

To prevent this, purge outstanding packets on vhost start.

Cc: qemu-stable@nongnu.org
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
Committed by Michael S. Tsirkin

commit 783e7706
    virtio-net: stop/start bh when appropriate

is incomplete: BH might execute within the same main loop iteration but after vmstop, so in theory, we might trigger an assertion. I was unable to reproduce this in practice, but it seems clear enough that the potential is there, so worth fixing.

Cc: qemu-stable@nongnu.org
Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 02 Sep, 2014 1 commit

Committed by Michael S. Tsirkin

commit 783e7706
    virtio-net: stop/start bh when appropriate

is incomplete: BH might execute within the same main loop iteration but after vmstop, so in theory, we might trigger an assertion. I was unable to reproduce this in practice, but it seems clear enough that the potential is there, so worth fixing.

Cc: qemu-stable@nongnu.org
Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 30 Jun, 2014 4 commits

Committed by Rusty Russell

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Anthony Liguori <aliguori@us.ibm.com>
[ pass VirtIODevice * to memory accessors, converted new tswap locations to virtio_tswap, Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Greg Kurz

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Greg Kurz

In order to migrate virtio subsections, they should be streamed after the device itself. We need the device specific code to be called from the common migration code to achieve this. This patch introduces load and save methods for this purpose.

Suggested-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Cédric Le Goater

TCP connectivity fails when the guest has a different endianness. The packets are silently dropped on the host by the tap backend when they are read from user space because the endianness of the virtio-net header is in the wrong order. These lines may appear in the guest console:

    [ 454.709327] skbuff: bad partial csum: csum=8704/4096 len=74
    [ 455.702554] skbuff: bad partial csum: csum=8704/4096 len=74

The issue was first spotted with a ppc64le PowerKVM guest, but it also exists for the less common case of an x86_64 guest run by a big-endian ppc64 TCG hypervisor.

Signed-off-by: Cédric Le Goater <clg@fr.ibm.com>
[ Ported from PowerKVM, Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 27 Jun, 2014 1 commit

Committed by Jiri Pirko

It indicates the number of elements in ncs field and makes sense to have int inside NICPeers. Also in parse_netdev we do not need to access container and work with NICPeers only.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 23 Jun, 2014 1 commit

Committed by Wenchao Xia

Param name is declared as optional, since in code it is an optional one.

Signed-off-by: Wenchao Xia <wenchaoqemu@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
-
- 19 Jun, 2014 4 commits

Committed by Nikolay Nikolaev

This decouples virtio-net from the TAP netdev backend and allows support for other backends to be implemented.

Signed-off-by: Antonios Motakis <a.motakis@virtualopensystems.com>
Signed-off-by: Nikolay Nikolaev <n.nikolaev@virtualopensystems.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Jason Wang

It's hard to track all mac addresses and their configurations (e.g. vlan or ipv6) in qemu. Without this information, it's impossible to build proper garp packet after migration. The only possible solution to this is let guest (who knows all configurations) to do this.

So, this patch introduces a new readonly config status bit of virtio-net, VIRTIO_NET_S_ANNOUNCE which is used to notify guest to announce presence of its link through config update interrupt. When guest has done the announcement, it should ack the notification through VIRTIO_NET_CTRL_ANNOUNCE_ACK cmd. This feature is negotiated by a new feature bit VIRTIO_NET_F_ANNOUNCE (which has already been supported by Linux guest).

During load, a counter of announcing rounds is set so that after the vm is running it can trigger rounds of config interrupts to notify the guest to build and send the correct garps.

Cc: Liuyongan <liuyongan@huawei.com>
Cc: Amos Kong <akong@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
Committed by Markus Armbruster

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
-
Committed by Markus Armbruster

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
-
- 06 May, 2014 1 commit

Committed by Michael S. Tsirkin

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c

> } else if (n->mac_table.in_use) {
>     uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>     qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use * ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
-
- 05 May, 2014 1 commit

Committed by Michael S. Tsirkin

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here, for example if max_queues = 2, curr_queues = 3, we get write beyond end of the buffer, with data that comes from wire.

This might be used to corrupt qemu memory in hard to predict ways. Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
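Both virtio_net_load() commit messages above (CVE-2013-4149 and CVE-2013-4150) describe counts taken from the migration stream and used without a bound. The following is an added example, not QEMU's code or its fix: a loader over a hypothetical stream layout that bounds each count by its destination before use; `struct stream`, `struct net_state`, `net_load` and both constants are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
#define MAC_TABLE_ENTRIES 64 /* assumed table capacity */
#define MAX_QUEUES 2         /* assumed: device configured with two queues */

struct stream { const uint8_t *p; size_t left; }; /* constructed stand-in for the stream */

struct net_state {
    uint32_t mac_in_use, curr_queues;
    uint8_t macs[MAC_TABLE_ENTRIES * ETH_ALEN];
    uint32_t tx_waiting[MAX_QUEUES];
};

static int get_bytes(struct stream *s, uint8_t *dst, size_t n)
{
    if (s->left < n) return -1; /* truncated stream */
    memcpy(dst, s->p, n);
    s->p += n;
    s->left -= n;
    return 0;
}

static int get_be(struct stream *s, size_t width, uint32_t *v)
{
    uint8_t b[4];
    if (width > sizeof b || get_bytes(s, b, width)) return -1;
    *v = 0;
    for (size_t i = 0; i < width; i++) *v = (*v << 8) | b[i];
    return 0;
}

/* Hypothetical layout: be32 MAC count, count * ETH_ALEN bytes, be16
 * max_queues, be16 curr_queues, be32 tx_waiting for queues 1 and up. */
static int net_load(struct net_state *n, struct stream *s)
{
    uint32_t in_use, maxq, curq;
    if (get_be(s, 4, &in_use)) return -1;
    /* Bound the count by the destination, then derive the byte length from it. */
    if (in_use > MAC_TABLE_ENTRIES) return -1;
    if (get_bytes(s, n->macs, (size_t)in_use * ETH_ALEN)) return -1;
    n->mac_in_use = in_use;
    if (get_be(s, 2, &maxq) || maxq != MAX_QUEUES) return -1;
    /* curr_queues comes from the wire: check it before it bounds the loop. */
    if (get_be(s, 2, &curq) || curq > MAX_QUEUES) return -1;
    n->curr_queues = curq;
    for (uint32_t i = 1; i < curq; i++)
        if (get_be(s, 4, &n->tx_waiting[i])) return -1;
    return 0;
}

int main(void)
{
    static const uint8_t bad[] = { 0, 0, 0, 0, 0, 2, 0, 3 }; /* constructed: curr_queues = 3 */
    struct stream s = { bad, sizeof bad };
    struct net_state n = { 0 };
    return net_load(&n, &s) == -1 ? 0 : 1; /* the stream is rejected */
}
```

Rejecting an oversized MAC count outright is a choice made for this example; the point is that the length read and the size of the destination come from the same checked value.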
-
- 11 Apr, 2014 1 commit

Committed by Michael S. Tsirkin

When VM guest programs multicast addresses for a virtio net card, it supplies a 32 bit entries counter for the number of addresses. These addresses are read into tail portion of a fixed macs array which has size MAC_TABLE_ENTRIES, at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts to test the size as follows:

    - if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum can overflow, e.g. if in_use is 1 and mac_data.entries is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
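The wrapping bounds check quoted in this commit message, next to an overflow-safe form, as an added example (not QEMU's code or the fix that was merged). `struct mac_table`, the function names and the capacity of 64 are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define MAC_TABLE_ENTRIES 64 /* assumed capacity for this example */

struct mac_table {
    uint32_t in_use;
    uint8_t macs[MAC_TABLE_ENTRIES * ETH_ALEN];
};

/* The check as quoted: the sum is computed in 32-bit unsigned arithmetic,
 * so a large guest-supplied 'entries' wraps around and passes. */
static bool room_check_wrapping(uint32_t in_use, uint32_t entries)
{
    return in_use + entries <= MAC_TABLE_ENTRIES;
}

/* Overflow-safe form: never add to the untrusted value; compare it with
 * the room that is left, after confirming in_use itself is in range. */
static bool room_check_safe(uint32_t in_use, uint32_t entries)
{
    return in_use <= MAC_TABLE_ENTRIES &&
           entries <= MAC_TABLE_ENTRIES - in_use;
}

/* Append 'entries' addresses from a guest-supplied buffer.
 * Returns 0 on success, -1 if the request is rejected. */
int mac_table_append(struct mac_table *t, const uint8_t *guest_buf,
                     size_t guest_len, uint32_t entries)
{
    if (!room_check_safe(t->in_use, entries))
        return -1;
    /* entries <= MAC_TABLE_ENTRIES here, so this product cannot overflow. */
    size_t bytes = (size_t)entries * ETH_ALEN;
    if (guest_len < bytes)
        return -1; /* the guest claimed more than it supplied */
    memcpy(&t->macs[(size_t)t->in_use * ETH_ALEN], guest_buf, bytes);
    t->in_use += entries;
    return 0;
}

int main(void)
{
    /* in_use = 1, entries = 0xffffffff: the case from the commit message. */
    return (room_check_wrapping(1, 0xffffffffu) &&
            !room_check_safe(1, 0xffffffffu)) ? 0 : 1;
}
```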
-
- 26 Mar, 2014 2 commits

Committed by Amos Kong

Stefan Fritsch just fixed a virtio-net driver bug [1], virtio-net won't filter out VLAN-tagged packets if VIRTIO_NET_F_CTRL_VLAN isn't negotiated.

This patch added a new field to @RxFilterInfo to indicate vlan receive state ('normal', 'none', 'all'). If VIRTIO_NET_F_CTRL_VLAN isn't negotiated, vlan receive state will be 'all', then all VLAN-tagged packets will be received by guest.

This patch also fixed a boundary issue in visiting vlan table.

[1] http://lists.nongnu.org/archive/html/qemu-devel/2014-02/msg02604.html

Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
-
Committed by Stefan Fritsch

If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all VLAN-tagged packets but send them to the guest.

This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because the OpenBSD driver started as a port from NetBSD).

Signed-off-by: Stefan Fritsch <sf@sfritsch.de>
Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 10 Mar, 2014 1 commit

Committed by Joel Stanley

peer_{de,at}tach were called from inside assert(). We don't support building without NDEBUG but it's not tidy. Rearrange to attach peer outside assert calls.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 25 Feb, 2014 3 commits

Committed by Stefan Hajnoczi

qemu_get_queue() is a shorthand for qemu_get_subqueue(n->nic, 0). Use the shorthand where possible.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
Committed by Stefan Hajnoczi

The virtio_net offload APIs are used on the NIC's peer (i.e. the tap device). The API was defined to implicitly use nc->peer, saving the caller the trouble.

This wasn't ideal because:
1. There are callers who have the peer but not the NIC. Currently they are forced to bypass the API and access peer->info->... directly.
2. The rest of the net.h API uses nc, not nc->peer, so it is inconsistent.

This patch pushes nc->peer back up to callers.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
Committed by Vincenzo Maffione

With this patch, virtio-net and vmxnet3 frontends make use of the qemu_peer_* API for backend offloadings manipulations, instead of calling TAP-specific functions directly. We also remove the existing checks which prevent those frontends from using offloadings with backends different from TAP (e.g. netmap).

Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 10 Dec, 2013 4 commits

Committed by Andreas Färber

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Andreas Färber

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Andreas Färber

Rename variable qdev -> dev since that's what realize's argument is called by convention. Avoid duplicate VIRTIO_DEVICE() cast.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
Committed by Paolo Bonzini

This ensures hot-unplug is handled properly by the proxy, and avoids leaking bus_name which is freed by virtio_device_exit.

Cc: qemu-stable@nongnu.org
Acked-by: Andreas Faerber <afaerber@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
- 09 Dec, 2013 1 commit

Committed by Amos Kong

mac_table was always cleaned up first in handling VIRTIO_NET_CTRL_MAC_TABLE_SET command, and we didn't recover mac_table content in error state, it's not correct.

This patch makes all the changes in temporal variables, only update the real mac_table if everything is ok. We won't change mac_table in error state, so rxfilter notification isn't needed.

This patch also fixed same problem in http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg01188.html (not merged)

I will send patch for virtio spec to clarify this change.

Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Vlad Yasevich <vyasevic@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 03 Dec, 2013 1 commit

Committed by Zhi Yong Wu

Signed-off-by: Zhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-
- 19 Nov, 2013 1 commit

Committed by Amos Kong

object_get_canonical_path() returns a gchar*, it should be freed by the caller.

Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Vlad Yasevich <vyasevic@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 10 Nov, 2013 1 commit

Committed by Jason Wang

We delete without checking whether it existed during exit. This will lead to a NULL pointer dereference since it was created conditionally depending on guest driver status and features. So add a check of existence before trying to delete it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
- 09 Nov, 2013 1 commit

Committed by Dmitry Fleytman

Upon processing of VIRTIO_NET_CTRL_MAC_TABLE_SET command multicast list overwrites unicast list in mac_table. This leads to broken logic for both unicast and multicast RX filtering.

Signed-off-by: Dmitry Fleytman <dfleytma@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-
- 07 Nov, 2013 1 commit

Committed by Jason Wang

We delete without checking whether it existed during exit. This will lead to a NULL pointer dereference since it was created conditionally depending on guest driver status and features. So add a check of existence before trying to delete it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1383728288-28469-1-git-send-email-jasowang@redhat.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
-