4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.

Fix this by only allowing to queue maximum sizeof(buffer) bytes.

This is CVE-2015-3209.

[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]
Signed-off-by: NPetr Matousek <pmatouse@redhat.com>
Reported-by: NMatt Tait <matttait@google.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The next commit will exploit the fact it never fails.  This one makes
it obvious.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NGonglei <arei.gonglei@huawei.com>

Signed-off-by: NDon Koch <dkoch@verizon.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Old users of VMSTATE_TIMER* are mechanically changed to VMSTATE_TIMER_PTR
variants.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

All NICs have a cleanup function that, in most cases, zeroes the pointer
to the NICState.  In some cases, it frees data belonging to the NIC.

However, this function is never called except when exiting from QEMU.
It is not necessary to NULL pointers and free data here; the right place
to do that would be in the device's unrealize function, after calling
qemu_del_nic.  Zeroing the NIC multiple times is also wrong for multiqueue
devices.

This cleanup function gets in the way of making the NetClientStates for
the NIC hold an object_ref reference to the object, so get rid of it.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

s->xmit_pos maybe assigned to a negative value (-1),
but in this branch variable s->xmit_pos as an index to
array s->buffer. Let's add a check for s->xmit_pos.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NJason Wang <jasowang@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

On this way, we can assure the new bootindex take effect
during vm rebooting.
Signed-off-by: NGonglei <arei.gonglei@huawei.com>
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

After previous Peter patch, they are redundant.  This way we don't
assign them except when needed.  Once there, there were lots of case
where the ".fields" indentation was wrong:

     .fields = (VMStateField []) {
and
     .fields =      (VMStateField []) {

Change all the combinations to:

     .fields = (VMStateField[]){

The biggest problem (appart from aesthetics) was that checkpatch complained
when we copy&pasted the code from one place to another.
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Acked-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>

Signed-off-by: NPrasad Joshi <prasadjoshi.linux@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This is an autogenerated patch using scripts/switch-timer-api.

Switch the entire code base to using the new timer API.

Note this patch may introduce some line length issues.
Signed-off-by: NAlex Bligh <alex@alex.org.uk>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Analogously to other NICs, we have to inform the network layer when
the can_receive handler will no longer report 0. Without this, we may
get stuck waiting on queued incoming packets.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Many headers are used only in a single directory.  These can be
kept in hw/.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This patch tackles all files that are compiled once, moving
them to subdirectories of hw/.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Done with this script:

cd hw
for i in `find . -name '*.h' | sed 's/^..//'`; do
  echo '\,^#.*include.*["<]'$i'[">], s,'$i',hw/&,'
done | sed -i -f - `find . -type f`

This is so that paths remain valid as files are moved.

Instead, files in hw/dataplane are referenced with the relative path.
We know they are not going to move to include/, and they are the only
include files that are in subdirectories _and_ move.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

To support multiqueue, this patch introduces a helper qemu_get_nic() to get
NICState from a NetClientState. The following patches would refactor this helper
to support multiqueue.
Signed-off-by: NJason Wang <jasowang@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

To support multiqueue, the patch introduce a helper qemu_get_queue()
which is used to get the NetClientState of a device. The following patches would
refactor this helper to support multiqueue.
Signed-off-by: NJason Wang <jasowang@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Move public headers to include/net, and leave private headers in net/.
Put the virtio headers in include/net/tap.h, removing the multiple copies
that existed.  Leave include/net/tap.h as the interface for NICs, and
net/tap_int.h as the interface for OS-specific parts of the tap backend.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

target_phys_addr_t is unwieldly, violates the C standard (_t suffixes are
reserved) and its purpose doesn't match the name (most target_phys_addr_t
addresses are not target specific).  Replace it with a finger-friendly,
standards conformant hwaddr.

Outstanding patchsets can be fixed up with the command

  git rebase -i --exec 'find -name "*.[ch]"
                        | xargs s/target_phys_addr_t/hwaddr/g' origin
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The vlan feature is no longer part of net core.  Rename VLANClientState
to NetClientState because net clients are not explicitly associated with
a vlan at all, instead they have a peer net client to which they are
connected.

This patch is a mechanical search-and-replace except for a few
whitespace fixups where changing VLANClientState to NetClientState
misaligned whitespace.
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>

As long as we have no link and we aren't in internal loopback mode, no
packet must be sent. Instead, LCAR needs to be set in any active TX
descriptor and also CERR in CSR0.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>

pcnet_stop already clears any reason (BABL, CERR, MISS, MERR) why ERR
(bit 15) should be set in CRS0. So we have to clear that bit as well.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>

We already have a QOM interface for this so let's use it.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Right now, DeviceInfo acts as the class for qdev.  In order to switch to a
proper ObjectClass derivative, we need to ween all of the callers off of
interacting directly with the info pointer.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

A device reset does not affect the link state, only set_link does.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

These comments are used by static code analysis tools and in code reviews
to avoid false warnings because of missing break statements.

The case statements handled here were reported by coverity.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Update lnkst on link state changes so that guests can obtain this
information via reading back the LED output pin. Works for Linux but
not for guests that depend on the missing PHY.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This moves BCR defines to the common header and immediately makes use of
them to add BCR_APROMWE, replacing the open-coded write check in
pcnet_aprom_writeb.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The problem is with definitions in hw/pcnet.c such as:

  #define CSR_CRDA(S)      ((S)->csr[28] | ((S)->csr[29] << 16))

"(S)->csr[29]" is a uint16_t, but "(S)->csr[29] << 16" gets promoted to
int, so the overall CSR_CRDA(s) is a (signed) int rather than a uint32_t.

This then gets assigned to a uint64_t using

  target_phys_addr_t crda = CSR_CRDA(s);

so when (S)->csr[29] has the high bit set, we end up with
crda=0xffffffffxxxxxxxx.

From: Michael Brown <mcb30@ipxe.org>
Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

This was done with:

    sed -i 's/qemu_get_clock\>/qemu_get_clock_ns/' \
        $(git grep -l 'qemu_get_clock\>' )
    sed -i 's/qemu_new_timer\>/qemu_new_timer_ns/' \
        $(git grep -l 'qemu_new_timer\>' )

after checking that get_clock and new_timer never occur twice
on the same line.  There were no missed occurrences; however, even
if there had been, they would have been caught by the compiler.

There was exactly one false positive in qemu_run_timers:

     -    current_time = qemu_get_clock (clock);
     +    current_time = qemu_get_clock_ns (clock);

which is of course not in this patch.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The initialization should not be only on reset but also when initializing
the device.
It resolves a bug when hot plugging a pci network device: the mac address
was always null.
Signed-off-by: NWilliam Dauchy <wdauchy@gmail.com>
Signed-off-by: NWen Congyang <wency@cn.fujitsu.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

bugfix under DOS for AMD netware driver:
AMD PCNTNW Ethernet MLID v3.10 (960115), network card not found

bugfix works well under DOS with:
1.) AMD NDIS driver v2.0.1
2.) AMD PCNTNW Ethernet MLID v3.10 (960115)
3.) Knoppix 6.2
Signed-off-by: NGerhard Wiesinger <lists@wiesinger.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

If bootindex is specified on command line a string that describes device
in firmware readable way is added into sorted list. Later this list will
be passed into firmware to control boot order.
Signed-off-by: NGleb Natapov <gleb@redhat.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The core pcnet emulation code is used by both the PCI "pcnet" device
and the SPARC "lance" device.  Split the common code frm the PCI code so
that that can be configures independantly.
Signed-off-by: NPaul Brook <paul@codesourcery.com>

While not explicitly stated in the spec, it was observed on real systems
that enabling loopback testing on the pcnet controller disables
reception of external frames. And some legacy software relies on it, so
provide this behavior.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

pcnet enables memory/io on init, which
does not make sense as BAR values are wrong.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Tested-by: NJan Kiszka <jan.kiszka@siemens.com>

Don't overwrite pci header type.
Otherwise, multi function bit which pci_init_header_type() sets
appropriately is lost.
Anyway PCI_HEADER_TYPE_NORMAL is zero, so it is unnecessary to zero
which is already zero cleared.

how to test:
run qemu and issue info pci to see whether a device in question is
normal device, not pci-to-pci bridge.
This is handy because guest os isn't required.

tested changes:
The following files are covered by using following commands.
sparc64-softmmu
  apb_pci.c, vga-pci.c, cmd646.c, ne2k_pci.c, sun4u.c
ppc-softmmu
  grackle_pci.c, cmd646.c, ne2k_pci.c, vga-pci.c, macio.c
ppc-softmmu -M mac99
  unin_pci.c(uni-north, uni-north-agp)
ppc64-softmmu
  pci-ohci, ne2k_pci, vga-pci, unin_pci.c(u3-agp)
x86_64-softmmu
  acpi_piix4.c, ide/piix.c, piix_pci.c
  -vga vmware vmware_vga.c
  -watchdog i6300esb wdt_i6300esb.c
  -usb usb-uhci.c
  -sound ac97 ac97.c
  -nic model=rtl8139 rtl8139.c
  -nic model=pcnet pcnet.c
  -balloon virtio virtio-pci.c:

untested changes:
The following changes aren't tested.
prep_pci.c: ppc-softmmu -M prep should cover, but core dumped.
unin_pci.c(uni-north-pci): the caller is commented out.
openpic.c: the caller is commented out in ppc_prep.c
Signed-off-by: NIsaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Real pcnet device (AT2450) apparently has subsystem
device and vendor id set to 0, this is out of spec
(which requires that vendor id is obtained from PCI SIG)
but windows xp driver seems to need this in order
to associate.

qemu sets pci subsystem id to qumranet/qemu
since d350d97d,
debian does not yet have this patch.

https://bugzilla.redhat.com/show_bug.cgi?id=521247Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>

According to AMD document 21485D pp.141, APROMWE is bit 8 of BCR2.
Signed-off-by: NChristopher Kilgour <techie@whiterocker.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>