Commit Graph

412 Commits

Author SHA1 Message Date
Markus Armbruster
f8ed85ac99 Fix bad error handling after memory_region_init_ram()
Symptom:

    $ qemu-system-x86_64 -m 10000000
    Unexpected error in ram_block_add() at /work/armbru/qemu/exec.c:1456:
    upstream-qemu: cannot set up guest memory 'pc.ram': Cannot allocate memory
    Aborted (core dumped)

Root cause: commit ef701d7 screwed up handling of out-of-memory
conditions.  Before the commit, we report the error and exit(1), in
one place, ram_block_add().  The commit lifts the error handling up
the call chain some, to three places.  Fine.  Except it uses
&error_abort in these places, changing the behavior from exit(1) to
abort(), and thus undoing the work of commit 3922825 "exec: Don't
abort when we can't allocate guest memory".

The three places are:

* memory_region_init_ram()

  Commit 4994653 (right after commit ef701d7) lifted the error
  handling further, through memory_region_init_ram(), multiplying the
  incorrect use of &error_abort.  Later on, imitation of existing
  (bad) code may have created more.

* memory_region_init_ram_ptr()

  The &error_abort is still there.

* memory_region_init_rom_device()

  Doesn't need fixing, because commit 33e0eb5 (soon after commit
  ef701d7) lifted the error handling further, and in the process
  changed it from &error_abort to passing it up the call chain.
  Correct, because the callers are realize() methods.

Fix the error handling after memory_region_init_ram() with a
Coccinelle semantic patch:

    @r@
    expression mr, owner, name, size, err;
    position p;
    @@
            memory_region_init_ram(mr, owner, name, size,
    (
    -                              &error_abort
    +                              &error_fatal
    |
                                   err@p
    )
                                  );
    @script:python@
        p << r.p;
    @@
    print "%s:%s:%s" % (p[0].file, p[0].line, p[0].column)

When the last argument is &error_abort, it gets replaced by
&error_fatal.  This is the fix.

If the last argument is anything else, its position is reported.  This
lets us check the fix is complete.  Four positions get reported:

* ram_backend_memory_alloc()

  Error is passed up the call chain, ultimately through
  user_creatable_complete().  As far as I can tell, it's callers all
  handle the error sanely.

* fsl_imx25_realize(), fsl_imx31_realize(), dp8393x_realize()

  DeviceClass.realize() methods, errors handled sanely further up the
  call chain.

We're good.  Test case again behaves:

    $ qemu-system-x86_64 -m 10000000
    qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory
    [Exit 1 ]

The next commits will repair the rest of commit ef701d7's damage.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1441983105-26376-3-git-send-email-armbru@redhat.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
2015-09-18 14:39:29 +02:00
Peter Crosthwaite
271a234a23 net: smc91c111: flush packets on RCR register changes
The SOFT_RST or RXEN in the control register can be used as a condition
to unblock the net layer via can_receive(). So check for possible
flushes on RCR changes. This will drop all pending packets on soft
reset or disable which is the functional intent of the can_receive()
logic.

Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Message-id: b114d4c96f4afbdaa15f1361d9c07e3021755915.1441873621.git.crosthwaite.peter@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-17 12:36:03 +01:00
Peter Crosthwaite
e62cb54cd5 net: smc91c111: gate can_receive() on rx FIFO having a slot
Return false from can_receive() when the FIFO doesn't have a free RX
slot. This fixes a bug in the current code where the allocated buffer
is freed before the fifo pop, triggering a premature flush of queued RX
packets. It also will handle a corner case, where the guest manually
frees the allocated buffer before popping the rx FIFO (hence it is not
enough to just delay the flush_queued_packets()).

Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Message-id: 97bfdfc5cbce0bd5e0cbbbff35ce7a1bf6f8603d.1441873621.git.crosthwaite.peter@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-17 12:36:03 +01:00
Peter Crosthwaite
8d06b14927 net: smc91c111: guard flush_queued_packets() on can_rx()
Check that the core can once again receive packets before asking the
net layer to do a flush. This will make it more convenient to flush
packets when adding new conditions to can_receive.

Add missing if braces while moving the can_receive() core code.

Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Tested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Message-id: 92e15e12a6964274f4bc0eb71b61a7d94326f6c6.1441873621.git.crosthwaite.peter@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-17 12:36:03 +01:00
P J P
737d2b3c41 net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-15 12:51:14 +01:00
P J P
9bbdbc66e5 net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-15 12:51:14 +01:00
P J P
b947ac2bf2 e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
2015-09-15 12:51:02 +01:00
Veres Lajos
67cc32ebfd typofixes - v4
Signed-off-by: Veres Lajos <vlajos@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:45:43 +03:00
Markus Armbruster
012aef0734 maint: avoid useless "if (foo) free(foo)" pattern
My Coccinelle semantic patch finds a few more, because it also fixes up
the equally pointless conditional

    if (foo) {
        free(foo);
        foo = NULL;
    }

Result (feel free to squash it into your patch):

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Daniel P. Berrange
ef1e1e0782 maint: avoid useless "if (foo) free(foo)" pattern
The free() and g_free() functions both happily accept
NULL on any platform QEMU builds on. As such putting a
conditional 'if (foo)' check before calls to 'free(foo)'
merely serves to bloat the lines of code.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Daniel P. Berrange
1618d2ae7f maint: remove unused include for signal.h
A number of files were including signal.h but not using any
of the functions it provides

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Daniel P. Berrange
b6af097528 maint: remove / fix many doubled words
Many source files have doubled words (eg "the the", "to to",
and so on). Most of these can simply be removed, but a couple
were actual mis-spellings (eg "to to" instead of "to do").
There was even one triple word score "to to to" :-)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11 10:21:38 +03:00
Cornelia Huck
95129d6fc9 virtio: avoid leading underscores for helpers
Commit ef546f1275 ("virtio: add
feature checking helpers") introduced a helper __virtio_has_feature.
We don't want to use reserved identifiers, though, so let's
rename __virtio_has_feature to virtio_has_feature and virtio_has_feature
to virtio_vdev_has_feature.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-09-10 11:06:05 +03:00
Alistair Francis
7777b7a0ba cadence_gem: Correct Marvell PHY SPCFC reset value
Bit 15 of the PHY Specific Status Register is reserved and
should remain 0. Fix the reset value to ensure that the 15th
bit is not set.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: c795069e49040ff770fe2ece19dfe1791b729e22.1441316450.git.alistair.francis@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-09-08 17:38:45 +01:00
Jean-Christophe Dubois
fcbd8018e6 i.MX: Add FEC Ethernet Emulator
This is based on mcf_fec.c FEC implementation for Coldfire

  * A generic PHY was added (borrowwed from LAN9118)
  * The buffer management is also modified as buffers are
    slightly different between Coldfire and i.MX

Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: fb314f8a120aa49f8f6ad886f312c649b484fb5a.1441057361.git.jcd@tribudubois.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-09-07 10:39:30 +01:00
Fam Zheng
c5a9378045 ne2000: Drop ne2000_can_receive
ne2000_receive already checks the same conditions and drops the packet
if it's not ready, removing the .can_receive callback avoids the
necessity to add explicit flushes when the conditions turn true (which
is required by the new semantics of .can_receive since 6e99c63
"net/socket: Drop net_socket_can_send").

Plus the "return 1" if E8390_STOP is also suspicious.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 14:51:07 +01:00
Fam Zheng
2734a20b81 vmxnet3: Drop net_vmxnet3_info.can_receive
Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
semantics around .can_receive for sockets to now require the device to
flush queued pkts when transitioning to a .can_receive=true state. But
it's OK to drop incoming packets when the link is not active.

Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 14:50:25 +01:00
Vladislav Yasevich
26c4e7ca72 rtl8139: Do not consume the packet during overflow in standard mode.
When operation in standard mode, we currently return the size
of packet during buffer overflow.  This consumes the overflow
packet.  Return 0 instead so we can re-process the overflow packet
when we have room.

This fixes issues with lost/dropped fragments of large messages.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1441121206-6997-3-git-send-email-vyasevic@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 13:42:31 +01:00
Vladislav Yasevich
fabdcd3392 rtl8139: Fix receive buffer overflow check
rtl8139_do_receive() tries to check for the overflow condition
by making sure that packet_size + 8 does not exceed the
available buffer space.  The issue here is that RxBuffAddr,
used to calculate available buffer space, is aligned to a
a 4 byte boundry after every update.  So it is possible that
every packet ends up being slightly padded when written
to the receive buffer.  This padding is not taken into
account when checking for overflow and we may end up missing
the overflow condition can causing buffer overwrite.

This patch takes alignment into consideration when
checking for overflow condition.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1441121206-6997-2-git-send-email-vyasevic@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-09-02 13:42:31 +01:00
Stefan Hajnoczi
26c0114d3f rtl8139: use ldl/stl wrapper for unaligned 32-bit access
The tx offload feature accesses a 16-bit aligned TCP header struct.  The
32-bit fields must be accessed using ldl/stl wrappers since some host
architectures fault on unaligned access.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1438604157-29664-4-git-send-email-stefanha@redhat.com
2015-09-02 13:24:13 +01:00
Stefan Hajnoczi
1bf11332c4 rtl8139: use net/eth.h macros instead of custom macros
Eliminate the following "custom" macros since they are just duplicates
of net/eth.h macros under a different name:

  ETHER_ADDR_LEN -> ETH_ALEN
  ETH_P_8021Q -> ETH_P_VLAN
  IP_HEADER_LENGTH -> IP_HDR_GET_LEN
  TCP_FLAG_FIN -> TH_FIN
  TCP_FLAG_PUSH -> TH_PUSH

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1438604157-29664-3-git-send-email-stefanha@redhat.com
2015-09-02 13:24:13 +01:00
Stefan Hajnoczi
5d61721a62 rtl8139: remove duplicate net/eth.h definitions
The transmit offload features inspect Ethernet, IP, TCP, and UDP
headers.  Avoid redefining these net/eth.h structs.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1438604157-29664-2-git-send-email-stefanha@redhat.com
2015-09-02 13:24:13 +01:00
Peter Maydell
6b324b3e59 -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
 
 iQEcBAABAgAGBQJVzgK/AAoJEJykq7OBq3PIx7gH/RU2ifJuspllRLBRBfw9K9yg
 78eE4RmGVI7Tx5s1rvpgRF8fe2drG3Hy57kUbvJAhkLQKFqynkvfetOruWmeMV+u
 9Q2Xz4Xxo6XRj27xaPAoUwak7HA7YPniRu3RbHAjGv1P4PUobPELmtDEzqB+ZsTp
 FSmftcZWipILpHorJR1Glqq2LY66WUljwAxPzBYqyCRMjTK1RnwOTChRVLo/0lGr
 DHR6oHS7kmHuJcJ63EkZFWX+Xxi/WKk3p+xoiF0/L3q9dtnFcVrCq/SuFPwlCyqI
 I5jnvZ8ojC2lmJULJcV12V8nbuj6nIxfa6+tySdpjW5Jxd/QL+k0X/4I0bYsoeQ=
 =M3sM
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

# gpg: Signature made Fri 14 Aug 2015 16:01:19 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  tests: test rx recovery from cont
  tests: introduce basic pci test for virtio-net
  net/vmxnet3: Fix incorrect debug message

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-08-14 18:06:44 +01:00
Jason Wang
bd89dd98b2 virtio-net: remove useless codes
After commit 40bad8f3deba15e2074ff34cfe923c12916b1cc5("virtio-net: fix
used len for tx"), async_tx.len was no longer used afterwards. So
remove useless codes with it.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2015-08-13 14:08:29 +03:00
Dana Rubin
b9f7c377df net/vmxnet3: Fix incorrect debug message
From: Dana Rubin <dana.rubin@ravellosystems.com>

In commit 80da311d81,
   "net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets"
a debug message was introduced in vmxnet3_rx_need_csum_calculate() for
an unlikely input condition.

The message accidentally printed 'len' variable instead of 'pkt_len'.
Fix, providing the correct argument.

Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Message-id: 1438109090-18957-1-git-send-email-shmulik.ladkani@ravellosystems.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-04 09:41:22 +01:00
Stefan Hajnoczi
8357946b15 rtl8139: check TCP Data Offset field (CVE-2015-5165)
The TCP Data Offset field contains the length of the header.  Make sure
it is valid and does not exceed the IP data length.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:10 +01:00
Stefan Hajnoczi
4240be4563 rtl8139: skip offload on short TCP header (CVE-2015-5165)
TCP Large Segment Offload accesses the TCP header in the packet.  If the
packet is too short we must not attempt to access header fields:

  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:07 +01:00
Stefan Hajnoczi
c6296ea88d rtl8139: check IP Total Length field (CVE-2015-5165)
The IP Total Length field includes the IP header and data.  Make sure it
is valid and does not exceed the Ethernet payload size.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:06 +01:00
Stefan Hajnoczi
03247d43c5 rtl8139: check IP Header Length field (CVE-2015-5165)
The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:03 +01:00
Stefan Hajnoczi
e1c120a9c5 rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
Transmit offload features access Ethernet and IP headers the packet.  If
the packet is too short we must not attempt to access header fields:

  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:08:00 +01:00
Stefan Hajnoczi
d6812d60e7 rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
The previous patch stopped using the ip pointer as an indicator that the
IP header is present.  When we reach the if (ip) {...} statement we know
ip is always non-NULL.

Remove the if statement to reduce nesting.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:07:54 +01:00
Stefan Hajnoczi
39b8e7dcaf rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
Transmit offload needs to parse packet headers.  If header fields have
unexpected values the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation.  The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-08-03 13:06:59 +01:00
Peter Maydell
b83d017d88 Pull request
These two .can_receive() are now reviewed.  The net subsystem queue for 2.4 is now empty.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJVt3TbAAoJEJykq7OBq3PIxcQH/2LEY8q3zetJdNe9Zu1bQMhQ
 J/Ah+szCNCCHOpNfQEBI6zRT4wUMZZTlIUM1el2ykYnYqRYd585GK/+RZ0/yWQUG
 yYNWAFfj/b586+aazk2+BnosSywVjCZ1f32OtaAsh14c+3aoXkQyahljA4onIuVp
 kLi1psmnBZgRf6AeICnuUTTOYq8BBX6CTg0sxPpIbZe57epwGkK+6gtZV6aSW/Ra
 lbkhXNrmyyvycGuOLDpyjE3yUvHuwn+H+JFeRklTEA2pKyMg1AYVMrIKvBeQej8u
 g4+sYYME0rMuFL9iISwVYnkTBjYZnE8+6on2ELkElGvWf28kqb1rYWYciyRhf1Y=
 =K3Fg
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' into staging

Pull request

These two .can_receive() are now reviewed.  The net subsystem queue for 2.4 is now empty.

# gpg: Signature made Tue Jul 28 13:26:03 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  xen: Drop net_rx_ok
  hw/net: handle flow control in mcf_fec driver receiver

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28 19:02:04 +01:00
Peter Maydell
170f209d78 virtio fixes for 2.4
Mostly virtio 1 spec compliance fixes.
 We are unlikely to make it perfectly compliant in
 the first release, but it seems worth it to try.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJVtprUAAoJECgfDbjSjVRpgu4H/AljqEXBYIS/+7aZBGO4UnK/
 LSyxiOfw/sQPwYr8xqhYtoITVPQqkBnCajBFuDw3IaGrTDQ1pHfG8z5qt3Fri+yC
 RtiqiFg1LVR/AI8W/dUDuLAf8xq1GukZr1o59mi3hAA0pcPxUtVjPkZcaq63d0P+
 uzCgRw0qlg8nbT7SN2O9HZz7AT2emaUkaJBF2eRBb7r1kg3ZzM0FOtmCWaRhtS5s
 8AuHS+038BWA0J/S7yd5YooQh7NfvmWFpRNukMttJrtOmi7f5LCJJF9rxcXAnzOn
 Soc0afauCtUTfxJ4gkLqxQ586eKpREQ+7lzkJDQ62g1oD/+VatOMcbu3jdnJEtQ=
 =AoJS
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

virtio fixes for 2.4

Mostly virtio 1 spec compliance fixes.
We are unlikely to make it perfectly compliant in
the first release, but it seems worth it to try.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  virtio: minor cleanup
  acpi: fix pvpanic device is not shown in ui
  virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device
  virtio-blk: fail get_features when both scsi and 1.0 were set
  virtio: get_features() can fail
  virtio-pci: fix memory MR cleanup for modern
  virtio: set any_layout in virtio core
  virtio-9p: fix any_layout
  virtio-serial: fix ANY_LAYOUT
  virtio: hide legacy features from modern guests

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-28 17:09:56 +01:00
Fam Zheng
7bba83bf80 xen: Drop net_rx_ok
Let net_rx_packet() (which checks the same conditions) drops the packet
if the device is not ready. Drop net_xen_info.can_receive and update the
return value for the buffer full case.

We rely on the qemu_flush_queued_packets() in net_event() to wake up
the peer when the buffer becomes available again.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1438077176-378-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28 11:35:54 +01:00
Greg Ungerer
ff1d2ac949 hw/net: handle flow control in mcf_fec driver receiver
The network mcf_fec driver emulated receive side method is not dealing
with network queue flow control properly.

Modify the receive side to check if we have enough space in the
descriptors to store the current packet. If not we process none of it
and return 0. When the guest frees up some buffers through its descriptors
we signal the qemu net layer to send more packets.

[Fixed coding style: 4-space indent and curly braces on if statement.
--Stefan]

Signed-off-by: Greg Ungerer <gerg@uclinux.org>
Message-id: 1438045374-10358-1-git-send-email-gerg@uclinux.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-28 11:27:53 +01:00
Hervé Poussineau
52579c681c net/dp8393x: do not use memory_region_init_rom_device with NULL
Replace memory_region_init_rom_device() with memory_region_init_ram() and
memory_region_set_readonly().
This fixes a guest-triggerable QEMU crash when guest tries to write to PROM.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
[leon.alrae@imgtec.com: shorten subject length]
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28 09:30:10 +01:00
Hervé Poussineau
30dfa9a46c net/dp8393x: remove check of runt packets
Ethernet requires that messages are at least 64 bytes on the wire. This
limitation does not exist on emulation (no wire message), so remove the
check. Netcard is now able to receive small network packets.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28 09:30:09 +01:00
Hervé Poussineau
f6351288b6 net/dp8393x: disable user creation
Netcard needs an address space to write data to, which can't be specified
on command line.
This fixes a crash when user starts QEMU with "-device dp8393x"

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
2015-07-28 09:29:25 +01:00
Jason Wang
9d5b731dd2 virtio: get_features() can fail
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-27 18:11:53 +03:00
Fam Zheng
f9f7492ea4 axienet: Flush queued packets when rx is done
eth_can_rx checks s->rxsize and returns false if it is non-zero. Because
of the .can_receive semantics change, this will make the incoming queue
disabled by peer, until it is explicitly flushed. So we should flush it
when s->rxsize is becoming zero.

Squash eth_can_rx semantics into etx_rx and drop .can_receive()
callback, also add flush when rx buffer becomes available again after a
packet gets queued.

The other conditions, "!axienet_rx_resetting(s) &&
axienet_rx_enabled(s)" are OK because enet_write already calls
qemu_flush_queued_packets when the register bits are changed.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1436955553-22791-13-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
4594f93a73 dp8393x: Flush packets when link comes up
.can_receive callback changes semantics that once return 0, backend will
try sending again until explicitly flushed, change the device to meet
that.

dp8393x_can_receive checks SONIC_CR_RXEN bit in SONIC_CR register and
SONIC_ISR_RBE bit in SONIC_ISR register, try flushing the queue when
either bit is being updated.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-12-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
1ef4a6069f stellaris_enet: Flush queued packets when read done
If s->np reaches 31, the queue will be disabled by peer when it sees
stellaris_enet_can_receive() returns false, until we explicitly flushes
it which notifies the peer. Do this when guest is done reading all
existing data.

Move the semantics to stellaris_enet_receive, by returning 0 when the
buffer is full, so that new packets will be queued.  In
stellaris_enet_read, flush and restart the queue when guest has done
reading.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-11-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
1dd58ae058 mipsnet: Flush queued packets when receiving is enabled
Drop .can_receive and move the semantics to mipsnet_receive, by
returning 0.

After 0 is returned, we must flush the queue explicitly to restart it:
Call qemu_flush_queued_packets when s->busy or s->rx_count is being
updated.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-10-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
3b7031e960 milkymist-minimac2: Flush queued packets when link comes up
Drop .can_receive and move the semantics into minimac2_rx, by returning
0.

That is once minimac2_rx returns 0, incoming packets will be queued
until the queue is explicitly flushed. We do this when s->regs[R_STATE0]
or s->regs[R_STATE1] is changed in minimac2_write.

Also drop the unused trace point.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1436955553-22791-9-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
e813f0d881 mcf_fec: Drop mcf_fec_can_receive
The semantics of .can_receive requires us to flush the queue explicitly
when s->rx_enabled becomes true after it returns 0, but the packet being
queued is not meaningful since the guest hasn't activated the card.
Let's just drop the packet in this case.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-8-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
575bafd1f3 etsec: Flush queue when rx buffer is consumed
The BH will be scheduled when etsec->rx_buffer_len is becoming 0, which
is the condition of queuing.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1436955553-22791-7-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
b6cb6610c2 etsec: Move etsec_can_receive into etsec_receive
When etsec_reset returns 0, peer would queue the packet as if
.can_receive returns false. Drop etsec_can_receive and let etsec_receive
carry the semantics.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-6-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
363db4b249 eepro100: Drop nic_can_receive
nic_receive already checks the conditions and drop packets if false.
Due to the new semantics since 6e99c63 ("net/socket: Drop
net_socket_can_send"), having .can_receive returning 0 requires us to
explicitly flush the queued packets when the conditions are becoming
true, but queuing the packets when guest driver is not ready doesn't
make much sense.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-4-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00
Fam Zheng
b0ba0b9b6b pcnet: Drop pcnet_can_receive
pcnet_receive already checks the conditions and drop packets if false.
Due to the new semantics since 6e99c63 ("net/socket: Drop
net_socket_can_send"), having .can_receive returning 0 requires us to
explicitly flush the queued packets when the conditions are becoming
true, but queuing the packets when guest driver is not ready doesn't
make much sense.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Message-id: 1436955553-22791-3-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-07-27 14:12:18 +01:00