- 18 6月, 2020 5 次提交
-
-
由 Yuri Benditovich 提交于
Removal of duplicated RSC definitions. Changing names of the fields to ones defined in the Linux header. Signed-off-by: NYuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Yuri Benditovich 提交于
Save and restore RSS/hash report configuration. Signed-off-by: NYuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Yuri Benditovich 提交于
Suggest VIRTIO_NET_F_HASH_REPORT if specified in device parameters. If the VIRTIO_NET_F_HASH_REPORT is set, the device extends configuration space. If the feature is negotiated, the packet layout is extended to accomodate the hash information. In this case deliver packet's hash value and report type in virtio header extension. Use for configuration the same procedure as already used for RSS. We add two fields in rss_data that controls what the device does with the calculated hash if rss_data.enabled is set. If field 'populate' is set the hash is set in the packet, if field 'redirect' is set the hash is used to decide the queue to place the packet to. Signed-off-by: NYuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Yuri Benditovich 提交于
If VIRTIO_NET_F_RSS negotiated and RSS is enabled, process incoming packets, calculate packet's hash and place the packet into respective RX virtqueue. Signed-off-by: NYuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Yuri Benditovich 提交于
Optionally report RSS feature. Handle RSS configuration command and keep RSS parameters in virtio-net device context. Signed-off-by: NYuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
- 16 6月, 2020 5 次提交
-
-
由 Jean-Christophe Dubois 提交于
Signed-off-by: NJean-Christophe Dubois <jcd@tribudubois.net> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> [PMD: Fixed 32-bit format string using PRIx32/PRIx64] Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Erik Smit 提交于
The hardware supports configurable descriptor sizes, configured in the DBLAC register. Most drivers use the default 4 word descriptor, which is currently hardcoded, but Aspeed SDK configures 8 words to store extra data. Signed-off-by: NErik Smit <erik.lucas.smit@gmail.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> [PMM: removed unnecessary parens] Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Markus Armbruster 提交于
Convert from qdev_realize(), qdev_realize_and_unref() with null @bus argument to sysbus_realize(), sysbus_realize_and_unref(). Coccinelle script: @@ expression dev, errp; @@ - qdev_realize(DEVICE(dev), NULL, errp); + sysbus_realize(SYS_BUS_DEVICE(dev), errp); @@ expression sysbus_dev, dev, errp; @@ + sysbus_dev = SYS_BUS_DEVICE(dev); - qdev_realize_and_unref(dev, NULL, errp); + sysbus_realize_and_unref(sysbus_dev, errp); - sysbus_dev = SYS_BUS_DEVICE(dev); @@ expression sysbus_dev, dev, errp; expression expr; @@ sysbus_dev = SYS_BUS_DEVICE(dev); ... when != dev = expr; - qdev_realize_and_unref(dev, NULL, errp); + sysbus_realize_and_unref(sysbus_dev, errp); @@ expression dev, errp; @@ - qdev_realize_and_unref(DEVICE(dev), NULL, errp); + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), errp); @@ expression dev, errp; @@ - qdev_realize_and_unref(dev, NULL, errp); + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), errp); Whitespace changes minimized manually. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Acked-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200610053247.1583243-46-armbru@redhat.com> [Conflicts in hw/misc/empty_slot.c and hw/sparc/leon3.c resolved]
-
由 Markus Armbruster 提交于
All users of object_initialize_child() pass the obvious child size argument. Almost all pass &error_abort and no properties. Tiresome. Rename object_initialize_child() to object_initialize_child_with_props() to free the name. New convenience wrapper object_initialize_child() automates the size argument, and passes &error_abort and no properties. Rename object_initialize_childv() to object_initialize_child_with_propsv() for consistency. Convert callers with this Coccinelle script: @@ expression parent, propname, type; expression child, size; symbol error_abort; @@ - object_initialize_child(parent, propname, OBJECT(child), size, type, &error_abort, NULL) + object_initialize_child(parent, propname, child, size, type, &error_abort, NULL) @@ expression parent, propname, type; expression child; symbol error_abort; @@ - object_initialize_child(parent, propname, child, sizeof(*child), type, &error_abort, NULL) + object_initialize_child(parent, propname, child, type) @@ expression parent, propname, type; expression child; symbol error_abort; @@ - object_initialize_child(parent, propname, &child, sizeof(child), type, &error_abort, NULL) + object_initialize_child(parent, propname, &child, type) @@ expression parent, propname, type; expression child, size, err; expression list props; @@ - object_initialize_child(parent, propname, child, size, type, err, props) + object_initialize_child_with_props(parent, propname, child, size, type, err, props) Note that Coccinelle chokes on ARMSSE typedef vs. macro in hw/arm/armsse.c. Worked around by temporarily renaming the macro for the spatch run. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Acked-by: NAlistair Francis <alistair.francis@wdc.com> [Rebased: machine opentitan is new (commit fe0fe473)] Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200610053247.1583243-37-armbru@redhat.com>
-
由 Markus Armbruster 提交于
This is the transformation explained in the commit before previous. Takes care of just one pattern that needs conversion. More to come in this series. Coccinelle script: @ depends on !(file in "hw/arm/highbank.c")@ expression bus, type_name, dev, expr; @@ - dev = qdev_create(bus, type_name); + dev = qdev_new(type_name); ... when != dev = expr - qdev_init_nofail(dev); + qdev_realize_and_unref(dev, bus, &error_fatal); @@ expression bus, type_name, dev, expr; identifier DOWN; @@ - dev = DOWN(qdev_create(bus, type_name)); + dev = DOWN(qdev_new(type_name)); ... when != dev = expr - qdev_init_nofail(DEVICE(dev)); + qdev_realize_and_unref(DEVICE(dev), bus, &error_fatal); @@ expression bus, type_name, expr; identifier dev; @@ - DeviceState *dev = qdev_create(bus, type_name); + DeviceState *dev = qdev_new(type_name); ... when != dev = expr - qdev_init_nofail(dev); + qdev_realize_and_unref(dev, bus, &error_fatal); @@ expression bus, type_name, dev, expr, errp; symbol true; @@ - dev = qdev_create(bus, type_name); + dev = qdev_new(type_name); ... when != dev = expr - object_property_set_bool(OBJECT(dev), true, "realized", errp); + qdev_realize_and_unref(dev, bus, errp); @@ expression bus, type_name, expr, errp; identifier dev; symbol true; @@ - DeviceState *dev = qdev_create(bus, type_name); + DeviceState *dev = qdev_new(type_name); ... when != dev = expr - object_property_set_bool(OBJECT(dev), true, "realized", errp); + qdev_realize_and_unref(dev, bus, errp); The first rule exempts hw/arm/highbank.c, because it matches along two control flow paths there, with different @type_name. Covered by the next commit's manual conversions. Missing #include "qapi/error.h" added manually. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200610053247.1583243-10-armbru@redhat.com> [Conflicts in hw/misc/empty_slot.c and hw/sparc/leon3.c resolved]
-
- 30 5月, 2020 1 次提交
-
-
由 Philippe Mathieu-Daudé 提交于
hw_error() calls exit(). This a bit overkill when we can log the accesses as unimplemented or guest error. When fuzzing the devices, we don't want the whole process to exit. Replace some hw_error() calls by qemu_log_mask(). Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200526094052.1723-3-f4bug@amsat.org> Reviewed-by: NThomas Huth <huth@tuxfamily.org> Signed-off-by: NThomas Huth <huth@tuxfamily.org>
-
- 15 5月, 2020 6 次提交
-
-
由 Philippe Mathieu-Daudé 提交于
The DEVICE() macro is defined as: #define DEVICE(obj) OBJECT_CHECK(DeviceState, (obj), TYPE_DEVICE) which expands to: ((DeviceState *)object_dynamic_cast_assert((Object *)(obj), (name), __FILE__, __LINE__, __func__)) This assertion can only fail when @obj points to something other than its stated type, i.e. when we're in undefined behavior country. Remove the unnecessary DEVICE() casts when we already know the pointer is of DeviceState type. Patch created mechanically using spatch with this script: @@ typedef DeviceState; DeviceState *s; @@ - DEVICE(s) + s Acked-by: NDavid Gibson <david@gibson.dropbear.id.au> Acked-by: NPaul Durrant <paul@xen.org> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Acked-by: NJohn Snow <jsnow@redhat.com> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200512070020.22782-4-f4bug@amsat.org>
-
由 Markus Armbruster 提交于
Devices may have component devices and buses. Device realization may fail. Realization is recursive: a device's realize() method realizes its components, and device_set_realized() realizes its buses (which should in turn realize the devices on that bus, except bus_set_realized() doesn't implement that, yet). When realization of a component or bus fails, we need to roll back: unrealize everything we realized so far. If any of these unrealizes failed, the device would be left in an inconsistent state. Must not happen. device_set_realized() lets it happen: it ignores errors in the roll back code starting at label child_realize_fail. Since realization is recursive, unrealization must be recursive, too. But how could a partly failed unrealize be rolled back? We'd have to re-realize, which can fail. This design is fundamentally broken. device_set_realized() does not roll back at all. Instead, it keeps unrealizing, ignoring further errors. It can screw up even for a device with no buses: if the lone dc->unrealize() fails, it still unregisters vmstate, and calls listeners' unrealize() callback. bus_set_realized() does not roll back either. Instead, it stops unrealizing. Fortunately, no unrealize method can fail, as we'll see below. To fix the design error, drop parameter @errp from all the unrealize methods. Any unrealize method that uses @errp now needs an update. This leads us to unrealize() methods that can fail. Merely passing it to another unrealize method cannot cause failure, though. Here are the ones that do other things with @errp: * virtio_serial_device_unrealize() Fails when qbus_set_hotplug_handler() fails, but still does all the other work. On failure, the device would stay realized with its resources completely gone. Oops. Can't happen, because qbus_set_hotplug_handler() can't actually fail here. Pass &error_abort to qbus_set_hotplug_handler() instead. * hw/ppc/spapr_drc.c's unrealize() Fails when object_property_del() fails, but all the other work is already done. On failure, the device would stay realized with its vmstate registration gone. Oops. Can't happen, because object_property_del() can't actually fail here. Pass &error_abort to object_property_del() instead. * spapr_phb_unrealize() Fails and bails out when remove_drcs() fails, but other work is already done. On failure, the device would stay realized with some of its resources gone. Oops. remove_drcs() fails only when chassis_from_bus()'s object_property_get_uint() fails, and it can't here. Pass &error_abort to remove_drcs() instead. Therefore, no unrealize method can fail before this patch. device_set_realized()'s recursive unrealization via bus uses object_property_set_bool(). Can't drop @errp there, so pass &error_abort. We similarly unrealize with object_property_set_bool() elsewhere, always ignoring errors. Pass &error_abort instead. Several unrealize methods no longer handle errors from other unrealize methods: virtio_9p_device_unrealize(), virtio_input_device_unrealize(), scsi_qdev_unrealize(), ... Much of the deleted error handling looks wrong anyway. One unrealize methods no longer ignore such errors: usb_ehci_pci_exit(). Several realize methods no longer ignore errors when rolling back: v9fs_device_realize_common(), pci_qdev_unrealize(), spapr_phb_realize(), usb_qdev_realize(), vfio_ccw_realize(), virtio_device_realize(). Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200505152926.18877-17-armbru@redhat.com>
-
由 Markus Armbruster 提交于
Several functions can't fail anymore: ich9_pm_add_properties(), device_add_bootindex_property(), ppc_compat_add_property(), spapr_caps_add_properties(), PropertyInfo.create(). Drop their @errp parameter. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200505152926.18877-16-armbru@redhat.com>
-
由 Markus Armbruster 提交于
The only way object_property_add() can fail is when a property with the same name already exists. Since our property names are all hardcoded, failure is a programming error, and the appropriate way to handle it is passing &error_abort. Same for its variants, except for object_property_add_child(), which additionally fails when the child already has a parent. Parentage is also under program control, so this is a programming error, too. We have a bit over 500 callers. Almost half of them pass &error_abort, slightly fewer ignore errors, one test case handles errors, and the remaining few callers pass them to their own callers. The previous few commits demonstrated once again that ignoring programming errors is a bad idea. Of the few ones that pass on errors, several violate the Error API. The Error ** argument must be NULL, &error_abort, &error_fatal, or a pointer to a variable containing NULL. Passing an argument of the latter kind twice without clearing it in between is wrong: if the first call sets an error, it no longer points to NULL for the second call. ich9_pm_add_properties(), sparc32_ledma_realize(), sparc32_dma_realize(), xilinx_axidma_realize(), xilinx_enet_realize() are wrong that way. When the one appropriate choice of argument is &error_abort, letting users pick the argument is a bad idea. Drop parameter @errp and assert the preconditions instead. There's one exception to "duplicate property name is a programming error": the way object_property_add() implements the magic (and undocumented) "automatic arrayification". Don't drop @errp there. Instead, rename object_property_add() to object_property_try_add(), and add the obvious wrapper object_property_add(). Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200505152926.18877-15-armbru@redhat.com> [Two semantic rebase conflicts resolved]
-
由 Markus Armbruster 提交于
QOM object initialization runs .instance_init() for the type and all its supertypes; see object_init_with_type(). Both TYPE_E1000_BASE and its concrete subtypes set .instance_init() to e1000_instance_init(). For the concrete subtypes, it duly gets run twice. The second run fails, but the error gets ignored (a later commit will change that). Remove it from the subtypes. Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200505152926.18877-12-armbru@redhat.com>
-
由 Markus Armbruster 提交于
Uses of gchar * in qom/object.h: * ObjectProperty member @name Functions that take a property name argument all use char *. Change the member to match. * ObjectProperty member @type Functions that take a property type argument or return it all use char *. Change the member to match. * ObjectProperty member @description Functions that take a property description argument all use char *. Change the member to match. * object_resolve_path_component() parameter @part Path components are property names. Most callers pass char * arguments. Change the parameter to match. Adjust the few callers that pass gchar * to pass char *. * Return value of object_get_canonical_path_component(), object_get_canonical_path() Most callers convert their return values right back to char *. Change the return value to match. Adjust the few callers where that would add a conversion to gchar * to use char * instead. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Message-Id: <20200505152926.18877-3-armbru@redhat.com>
-
- 14 5月, 2020 5 次提交
-
-
由 Edgar E. Iglesias 提交于
Add support for fragmented packets from the DMA. Reviewed-by: NFrancisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Message-Id: <20200506082513.18751-7-edgar.iglesias@gmail.com>
-
由 Edgar E. Iglesias 提交于
Some stream clients stream an endless stream of data while other clients stream data in packets. Stream interfaces usually have a way to signal the end of a packet or the last beat of a transfer. This adds an end-of-packet flag to the push interface. Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NFrancisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Message-Id: <20200506082513.18751-6-edgar.iglesias@gmail.com>
-
由 Edgar E. Iglesias 提交于
Remove unncessary cast, buf is already uint8_t *. No functional change. Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NFrancisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200506082513.18751-4-edgar.iglesias@gmail.com>
-
由 Edgar E. Iglesias 提交于
Split the shared stream_class_init function to assign stream->push with better type-safety. Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NFrancisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200506082513.18751-3-edgar.iglesias@gmail.com>
-
由 Edgar E. Iglesias 提交于
Auto-clear PHY CR Autoneg bits. This makes this model work with recent Linux kernels. Reviewed-by: NFrancisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Message-Id: <20200506082513.18751-2-edgar.iglesias@gmail.com>
-
- 30 4月, 2020 3 次提交
-
-
由 Ramon Fried 提交于
The RX ring descriptors control field is used for setting SOF and EOF (start of frame and end of frame). The SOF and EOF weren't cleared from the previous descriptors, causing inconsistencies in ring buffer. Fix that by clearing the control field of every descriptors we're processing. Signed-off-by: NRamon Fried <rfried.dev@gmail.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20200418085145.489726-1-rfried.dev@gmail.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Ramon Fried 提交于
Wraparound of TX descriptor cyclic buffer only updated the low 32 bits of the descriptor. Fix that by checking if we're working with 64bit descriptors. Signed-off-by: NRamon Fried <rfried.dev@gmail.com> Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20200417171736.441607-1-rfried.dev@gmail.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Subbaraya Sundeep 提交于
Modelled Ethernet MAC of Smartfusion2 SoC. Micrel KSZ8051 PHY is present on Emcraft's SOM kit hence same PHY is emulated. Signed-off-by: NSubbaraya Sundeep <sundeep.lkml@gmail.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1587048891-30493-2-git-send-email-sundeep.lkml@gmail.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 29 4月, 2020 2 次提交
-
-
由 Markus Armbruster 提交于
virtio_net_device_realize() rejects invalid duplex and speed values. The error handling is broken: $ ../qemu/bld-sani/x86_64-softmmu/qemu-system-x86_64 -S -display none -monitor stdio QEMU 4.2.93 monitor - type 'help' for more information (qemu) device_add virtio-net,duplex=x Error: 'duplex' must be 'half' or 'full' (qemu) c ================================================================= ==15654==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000014590 at pc 0x560b75c8dc13 bp 0x7fffdf1a6950 sp 0x7fffdf1a6940 READ of size 8 at 0x62e000014590 thread T0 #0 0x560b75c8dc12 in object_dynamic_cast_assert /work/armbru/qemu/qom/object.c:826 #1 0x560b74c38ac0 in virtio_vmstate_change /work/armbru/qemu/hw/virtio/virtio.c:3210 #2 0x560b74d9765e in vm_state_notify /work/armbru/qemu/softmmu/vl.c:1271 #3 0x560b7494ba72 in vm_prepare_start /work/armbru/qemu/cpus.c:2156 #4 0x560b7494bacd in vm_start /work/armbru/qemu/cpus.c:2162 #5 0x560b75a7d890 in qmp_cont /work/armbru/qemu/monitor/qmp-cmds.c:160 #6 0x560b75a8d70a in hmp_cont /work/armbru/qemu/monitor/hmp-cmds.c:1043 #7 0x560b75a799f2 in handle_hmp_command /work/armbru/qemu/monitor/hmp.c:1082 [...] 0x62e000014590 is located 33168 bytes inside of 42288-byte region [0x62e00000c400,0x62e000016930) freed by thread T1 here: #0 0x7feadd39491f in __interceptor_free (/lib64/libasan.so.5+0x10d91f) #1 0x7feadcebcd7c in g_free (/lib64/libglib-2.0.so.0+0x55d7c) #2 0x560b75c8fd40 in object_unref /work/armbru/qemu/qom/object.c:1128 #3 0x560b7498a625 in memory_region_unref /work/armbru/qemu/memory.c:1762 #4 0x560b74999fa4 in do_address_space_destroy /work/armbru/qemu/memory.c:2788 #5 0x560b762362fc in call_rcu_thread /work/armbru/qemu/util/rcu.c:283 #6 0x560b761c8884 in qemu_thread_start /work/armbru/qemu/util/qemu-thread-posix.c:519 #7 0x7fead9be34bf in start_thread (/lib64/libpthread.so.0+0x84bf) previously allocated by thread T0 here: #0 0x7feadd394d18 in __interceptor_malloc (/lib64/libasan.so.5+0x10dd18) #1 0x7feadcebcc88 in g_malloc (/lib64/libglib-2.0.so.0+0x55c88) #2 0x560b75c8cf8a in object_new /work/armbru/qemu/qom/object.c:699 #3 0x560b75010ad9 in qdev_device_add /work/armbru/qemu/qdev-monitor.c:654 #4 0x560b750120c2 in qmp_device_add /work/armbru/qemu/qdev-monitor.c:805 #5 0x560b75012c1b in hmp_device_add /work/armbru/qemu/qdev-monitor.c:905 [...] ==15654==ABORTING Cause: virtio_net_device_realize() neglects to bail out after setting the error. Fix that. Fixes: 9473939e Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200422130719.28225-9-armbru@redhat.com> Acked-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
Fixes the following coccinelle warnings: $ spatch --sp-file --verbose-parsing ... \ scripts/coccinelle/remove_local_err.cocci ... SUSPICIOUS: a \ character appears outside of a #define at ./target/ppc/translate_init.inc.c:5213 SUSPICIOUS: a \ character appears outside of a #define at ./target/ppc/translate_init.inc.c:5261 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:166 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:167 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:169 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:170 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:171 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:172 SUSPICIOUS: a \ character appears outside of a #define at ./target/microblaze/cpu.c:173 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5787 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5789 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5800 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5801 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5802 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5804 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5805 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:5806 SUSPICIOUS: a \ character appears outside of a #define at ./target/i386/cpu.c:6329 SUSPICIOUS: a \ character appears outside of a #define at ./hw/sd/sdhci.c:1133 SUSPICIOUS: a \ character appears outside of a #define at ./hw/scsi/scsi-disk.c:3081 SUSPICIOUS: a \ character appears outside of a #define at ./hw/net/virtio-net.c:1529 SUSPICIOUS: a \ character appears outside of a #define at ./hw/riscv/sifive_u.c:468 SUSPICIOUS: a \ character appears outside of a #define at ./dump/dump.c:1895 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2209 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2215 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2221 SUSPICIOUS: a \ character appears outside of a #define at ./block/vhdx.c:2222 SUSPICIOUS: a \ character appears outside of a #define at ./block/replication.c:172 SUSPICIOUS: a \ character appears outside of a #define at ./block/replication.c:173 Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200412223619.11284-2-f4bug@amsat.org> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Acked-by: NDavid Gibson <david@gibson.dropbear.id.au> Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
-
- 28 4月, 2020 1 次提交
-
-
由 Cornelia Huck 提交于
virtio_net_rsc_ext_num_{packets,dupacks} needs to be available independently of the presence of VIRTIO_NET_HDR_F_RSC_INFO. Fixes: 2974e916 ("virtio-net: support RSC v4/v6 tcp traffic for Windows HCK") Signed-off-by: NCornelia Huck <cohuck@redhat.com> Message-Id: <20200427102415.10915-2-cohuck@redhat.com>
-
- 31 3月, 2020 11 次提交
-
-
由 Peter Maydell 提交于
Coverity points out (CID 1421926) that the read code for REG_ADDR_HIGH reads off the end of the buffer, because it does a 32-bit read from byte 4 of a 6-byte buffer. The code also has an endianness issue for both REG_ADDR_HIGH and REG_ADDR_LOW, because it will do the wrong thing on a big-endian host. Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this; the write code is not incorrect, but for consistency we make it use stl_le_p() and stw_le_p(). Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Tested-by: NNiek Linnenbank <nieklinnenbank@gmail.com> Reviewed-by: NNiek Linnenbank <nieklinnenbank@gmail.com> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Prasad J Pandit 提交于
Tulip network driver while copying tx/rx buffers does not check frame size against r/w data length. This may lead to OOB buffer access. Add check to avoid it. Limit iterations over descriptors to avoid potential infinite loop issue in tulip_xmit_list_update. Reported-by: NLi Qiang <pangpei.lq@antfin.com> Reported-by: NZiming Zhang <ezrakiez@gmail.com> Reported-by: NJason Wang <jasowang@redhat.com> Tested-by: NLi Qiang <liq3ea@gmail.com> Reviewed-by: NLi Qiang <liq3ea@gmail.com> Signed-off-by: NPrasad J Pandit <pjp@fedoraproject.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
The CanBusClientInfo::can_receive handler return whether the device can or can not receive new frames. Make it obvious by returning a boolean type. Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
The NetCanReceive handler return whether the device can or can not receive new packets. Make it obvious by returning a boolean type. Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Acked-by: NDavid Gibson <david@gibson.dropbear.id.au> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
We will modify this code in the next commit. Clean it up first to avoid checkpatch.pl errors. Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
Rewrite: if (E) { return A; } else { return B; } /* EOF */ } as: if (E) { return A; } return B; } Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
The smc91c111_can_receive() function simply returns a boolean value. Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NCédric Le Goater <clg@kaod.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
The e1000e_can_receive() function simply returns a boolean value. Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NAlistair Francis <alistair.francis@wdc.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Andrew Melnychenko 提交于
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1737400 Fixed setting max_queue_num if there are no peers in NICConf. qemu_new_nic() creates NICState with 1 NetClientState(index 0) without peers, set max_queue_num to 0 - It prevents undefined behavior and possible crashes, especially during pcie hotplug. Fixes: 6f3fbe4e ("net: Introduce e1000e device emulation") Signed-off-by: NAndrew Melnychenko <andrew@daynix.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NDmitry Fleytman <dmitry.fleytman@gmail.com> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Peter Maydell 提交于
The i82596_receive() function attempts to pass the guest a buffer which is effectively the concatenation of the data it is passed and a 4 byte CRC value. However, rather than implementing this as "write the data; then write the CRC" it instead bumps the length value of the data by 4, and writes 4 extra bytes from beyond the end of the buffer, which it then overwrites with the CRC. It also assumed that we could always fit all four bytes of the CRC into the final receive buffer, which might not be true if the CRC needs to be split over two receive buffers. Calculate separately how many bytes we need to transfer into the guest's receive buffer from the source buffer, and how many we need to transfer from the CRC work. We add a count 'bufsz' of the number of bytes left in the source buffer, which we use purely to assert() that we don't overrun. Spotted by Coverity (CID 1419396) for the specific case when we end up using a local array as the source buffer. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
The command is 32-bit, but we are loading the 16 upper bits with the 'get_uint16(s->scb + 2)' call. Once shifted by 16, the command bits match the status bits: - Command Bit 31 ACK-CX Acknowledges that the CU completed an Action Command. Bit 30 ACK-FR Acknowledges that the RU received a frame. Bit 29 ACK-CNA Acknowledges that the Command Unit became not active. Bit 28 ACK-RNR Acknowledges that the Receive Unit became not ready. - Status Bit 15 CX The CU finished executing a command with its I(interrupt) bit set. Bit 14 FR The RU finished receiving a frame. Bit 13 CNA The Command Unit left the Active state. Bit 12 RNR The Receive Unit left the Ready state. Add the SCB_COMMAND_ACK_MASK definition to simplify the code. This fixes Coverity 1419392 (CONSTANT_EXPRESSION_RESULT): /hw/net/i82596.c: 352 in examine_scb() 346 cuc = (command >> 8) & 0x7; 347 ruc = (command >> 4) & 0x7; 348 DBG(printf("MAIN COMMAND %04x cuc %02x ruc %02x\n", command, cuc, ruc)); 349 /* and clear the scb command word */ 350 set_uint16(s->scb + 2, 0); 351 >>> CID 1419392: (CONSTANT_EXPRESSION_RESULT) >>> "command & (2147483648UL /* 1UL << 31 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if". 352 if (command & BIT(31)) /* ACK-CX */ 353 s->scb_status &= ~SCB_STATUS_CX; >>> CID 1419392: (CONSTANT_EXPRESSION_RESULT) >>> "command & (1073741824UL /* 1UL << 30 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if". 354 if (command & BIT(30)) /*ACK-FR */ 355 s->scb_status &= ~SCB_STATUS_FR; >>> CID 1419392: (CONSTANT_EXPRESSION_RESULT) >>> "command & (536870912UL /* 1UL << 29 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if". 356 if (command & BIT(29)) /*ACK-CNA */ 357 s->scb_status &= ~SCB_STATUS_CNA; >>> CID 1419392: (CONSTANT_EXPRESSION_RESULT) >>> "command & (268435456UL /* 1UL << 28 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if". 358 if (command & BIT(28)) /*ACK-RNR */ 359 s->scb_status &= ~SCB_STATUS_RNR; Fixes: Covertiy CID 1419392 (commit 376b8519) Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NJason Wang <jasowang@redhat.com>
-
- 17 3月, 2020 1 次提交
-
-
由 Philippe Mathieu-Daudé 提交于
This commit was produced with the Coccinelle script scripts/coccinelle/memory-region-housekeeping.cocci. Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com>
-