commit 783e7706
    virtio-net: stop/start bh when appropriate

is incomplete: BH might execute within the same main loop iteration but
after vmstop, so in theory, we might trigger an assertion.
I was unable to reproduce this in practice,
but it seems clear enough that the potential is there, so worth fixing.

Cc: qemu-stable@nongnu.org
Reported-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
[ pass VirtIODevice * to memory accessors,
  converted new tswap locations to virtio_tswap,
  Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

In order to migrate virtio subsections, they should be streamed after
the device itself. We need the device specific code to be called from
the common migration code to achieve this. This patch introduces load
and save methods for this purpose.
Suggested-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

TCP connectivity fails when the guest has a different endianness.
The packets are silently dropped on the host by the tap backend
when they are read from user space because the endianness of the
virtio-net header is in the wrong order. These lines may appear
in the guest console:

[  454.709327] skbuff: bad partial csum: csum=8704/4096 len=74
[  455.702554] skbuff: bad partial csum: csum=8704/4096 len=74

The issue that got first spotted with a ppc64le PowerKVM guest,
but it also exists for the less common case of a x86_64 guest run
by a big-endian ppc64 TCG hypervisor.
Signed-off-by: NCédric Le Goater <clg@fr.ibm.com>
[ Ported from PowerKVM,
  Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: NGreg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

It indicates the number of elements in ncs field and makes sense to have
int inside NICPeers. Also in parse_netdev we do not need to access
container and work with NICPeers only.
Signed-off-by: NJiri Pirko <jiri@resnulli.us>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Param name is declared as optional, since in code it is an optional
one.
Signed-off-by: NWenchao Xia <wenchaoqemu@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>

This decouples virtio-net from the TAP netdev backend and allows support
for other backends to be implemented.
Signed-off-by: NAntonios Motakis <a.motakis@virtualopensystems.com>
Signed-off-by: NNikolay Nikolaev <n.nikolaev@virtualopensystems.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

It's hard to track all mac addresses and their configurations (e.g
vlan or ipv6) in qemu. Without this information, it's impossible to
build proper garp packet after migration. The only possible solution
to this is let guest (who knows all configurations) to do this.

So, this patch introduces a new readonly config status bit of virtio-net,
VIRTIO_NET_S_ANNOUNCE which is used to notify guest to announce
presence of its link through config update interrupt.When guest has
done the announcement, it should ack the notification through
VIRTIO_NET_CTRL_ANNOUNCE_ACK cmd. This feature is negotiated by a new
feature bit VIRTIO_NET_F_ANNOUNCE (which has already been supported by
Linux guest).

During load, a counter of announcing rounds is set so that after the vm is
running it can trigger rounds of config interrupts to notify the guest to build
and send the correct garps.

Cc: Liuyongan <liuyongan@huawei.com>
Cc: Amos Kong <akong@redhat.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Acked-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: NMichael Tokarev <mjt@tls.msk.ru>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Stefan Fritsch just fixed a virtio-net driver bug [1], virtio-net won't
filter out VLAN-tagged packets if VIRTIO_NET_F_CTRL_VLAN isn't negotiated.

This patch added a new field to @RxFilterInfo to indicate vlan receive
state ('normal', 'none', 'all'). If VIRTIO_NET_F_CTRL_VLAN isn't
negotiated, vlan receive state will be 'all', then all VLAN-tagged packets
will be received by guest.

This patch also fixed a boundary issue in visiting vlan table.

[1] http://lists.nongnu.org/archive/html/qemu-devel/2014-02/msg02604.htmlSigned-off-by: NAmos Kong <akong@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>

If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
VLAN-tagged packets but send them to the guest.

This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
the OpenBSD driver started as a port from NetBSD).
Signed-off-by: NStefan Fritsch <sf@sfritsch.de>
Signed-off-by: NAmos Kong <akong@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

peer_{de,at}tach were called from inside assert().
We don't support building without NDEBUG but it's not tidy.
Rearrange to attach peer outside assert calls.
Signed-off-by: NJoel Stanley <joel@jms.id.au>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

qemu_get_queue() is a shorthand for qemu_get_subqueue(n->nic, 0).  Use
the shorthand where possible.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The virtio_net offload APIs are used on the NIC's peer (i.e. the tap
device).  The API was defined to implicitly use nc->peer, saving the
caller the trouble.

This wasn't ideal because:
1. There are callers who have the peer but not the NIC.  Currently they
   are forced to bypass the API and access peer->info->... directly.
2. The rest of the net.h API uses nc, not nc->peer, so it is
   inconsistent.

This patch pushes nc->peer back up to callers.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

With this patch, virtio-net and vmxnet3 frontends make
use of the qemu_peer_* API for backend offloadings manipulations,
instead of calling TAP-specific functions directly.
We also remove the existing checks which prevent those frontends
from using offloadings with backends different from TAP (e.g. netmap).
Signed-off-by: NVincenzo Maffione <v.maffione@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Rename variable qdev -> dev since that's what realize's argument is
called by convention.

Avoid duplicate VIRTIO_DEVICE() cast.
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This ensures hot-unplug is handled properly by the proxy, and avoids
leaking bus_name which is freed by virtio_device_exit.

Cc: qemu-stable@nongnu.org
Acked-by: NAndreas Faerber <afaerber@suse.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

mac_table was always cleaned up first in handling
VIRTIO_NET_CTRL_MAC_TABLE_SET command, and we din't recover
mac_table content in error state, it's not correct.

This patch makes all the changes in temporal variables,
only update the real mac_table if everything is ok.
We won't change mac_table in error state, so rxfilter
notification isn't needed.

This patch also fixed same problame in
 http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg01188.html
 (not merge)

I will send patch for virtio spec to clarifying this change.
Signed-off-by: NAmos Kong <akong@redhat.com>
Reviewed-by: NVlad Yasevich <vyasevic@redhat.com>
Acked-by: NJason Wang <jasowang@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

object_get_canonical_path() returns a gchar*, it should be freed by the
caller.
Signed-off-by: NAmos Kong <akong@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NVlad Yasevich <vyasevic@redhat.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

We delete without check whether it existed during exit. This will lead NULL
pointer deference since it was created conditionally depends on guest driver
status and features. So add a check of existence before trying to delete it.

Cc: qemu-stable@nongnu.org
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Upon processing of VIRTIO_NET_CTRL_MAC_TABLE_SET command
multicast list overwrites unicast list in mac_table.
This leads to broken logic for both unicast and multicast RX filtering.
Signed-off-by: NDmitry Fleytman <dfleytma@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

We delete without check whether it existed during exit. This will lead NULL
pointer deference since it was created conditionally depends on guest driver
status and features. So add a check of existence before trying to delete it.

Cc: qemu-stable@nongnu.org
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383728288-28469-1-git-send-email-jasowang@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

When mac is updated on reset, info string has stale data.
Fix it up.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

This is an autogenerated patch using scripts/switch-timer-api.

Switch the entire code base to using the new timer API.

Note this patch may introduce some line length issues.
Signed-off-by: NAlex Bligh <alex@alex.org.uk>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The category will be used to sort the devices displayed in
the command line help.
Signed-off-by: NMarcel Apfelbaum <marcel.a@redhat.com>
Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Currently macvtap based macvlan device is working in promiscuous
mode, we want to implement mac-programming over macvtap through
Libvirt for better performance.

Design:
 QEMU notifies Libvirt when rx-filter config is changed in guest,
 then Libvirt query the rx-filter information by a monitor command,
 and sync the change to macvtap device. Related rx-filter config
 of the nic contains main mac, rx-mode items and vlan table.

This patch adds a QMP event to notify management of rx-filter change,
and adds a monitor command for management to query rx-filter
information.

Test:
 If we repeatedly add/remove vlan, and change macaddr of vlan
 interfaces in guest by a loop script.

Result:
 The events will flood the QMP client(management), management takes
 too much resource to process the events.

 Event_throttle API (set rate to 1 ms) can avoid the events to flood
 QMP client, but it could cause an unexpected delay (~1ms), guests
 guests normally expect rx-filter updates immediately.

 So we use a flag for each nic to avoid events flooding, the event
 is emitted once until the query command is executed. The flag
 implementation could not introduce unexpected delay.

There maybe exist an uncontrollable delay if we let Libvirt do the
real change, guests normally expect rx-filter updates immediately.
But it's another separate issue, we can investigate it when the
work in Libvirt side is done.

Michael S. Tsirkin: tweaked to enable events on start
Michael S. Tsirkin: fixed not to crash when no id
Michael S. Tsirkin: fold in patch:
   "additional fixes for mac-programming feature"
Amos Kong: always notify QMP client if mactable is changed
Amos Kong: return NULL list if no net client supports rx-filter query
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Virtio-net driver currently negotiates network offloads
on startup via features mechanism and have no ability to
disable and re-enable offloads later.
This patch introduced a new control command that allows
to configure device network offloads state dynamically.
The patch also introduces a new feature flag
VIRTIO_NET_F_CTRL_GUEST_OFFLOADS.
Signed-off-by: NDmitry Fleytman <dfleytma@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 20130520081814.GA8162@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This adds virtio_net_set_netclient_name, which is used to set the
name and type shown in "info network" command.
Signed-off-by: NKONRAD Frederic <fred.konrad@greensocs.com>
Message-id: 1368619970-23892-2-git-send-email-fred.konrad@greensocs.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Commit 32993698 (vhost: disable on tap link down) tries to disable the vhost
also when the peer's link is down. But the check was not done properly, the
vhost were only started when:

1) peer's link is not down
2) virtio-net has already been started.

Since == have a higher precedence than &&, place a brace to make sure both the
conditions were met then does the check. This fixes the crash when doing a savem
after set the link off which let qemu crash and complains:

virtio_net_save: Assertion `!n->vhost_started' failed.

Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Message-id: 1366972060-21606-1-git-send-email-jasowang@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Commit 14f9b664 (hw/virtio-net.c: set config size using host features) tries to
calculate config size based on the host features. But it forgets the
VIRTIO_NET_F_MAC were always set for qemu later. This will lead a zero config
len for virtio-net device when both VIRTIO_NET_F_STATUS and VIRTIO_NET_F_MQ were
disabled form command line. Then qemu will crash when user tries to read the
config of virtio-net.

Fix this by counting VIRTIO_NET_F_MAC and make sure the config at least contains
the mac address.

Cc: Jesse Larrew <jlarrew@linux.vnet.ibm.com>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1366874814-2658-1-git-send-email-jasowang@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Multiqueue patchset conditionally add control vq only when guest negotiate the
feature. Though the spec is not clear on this but it breaks the minix guest
since it will identify the ctrl vq even if it does not support it. Though this
behavior seems a violation on the spec "If the VIRTIO_NET_F_CTRL_VQ feature bit
is negotiated, identify the control virtqueue.", to keep the backward
compatibility, always add the ctrl vq at end of the queues.
Reported-by: NAurelien Jarno <aurelien@aurel32.net>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Tested-by: NAurelien Jarno <aurelien@aurel32.net>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Message-id: 1366874663-2566-1-git-send-email-jasowang@redhat.com
Cc: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: NJason Wang <jasowang@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This clean the init and the exit functions and rename virtio_common_cleanup
to virtio_cleanup.
Signed-off-by: NKONRAD Frederic <fred.konrad@greensocs.com>
Message-id: 1366791683-5350-7-git-send-email-fred.konrad@greensocs.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>