Revision tags: v9.2.0, v9.1.2, v9.1.1, v9.1.0 |
|
#
5d7e601d |
| 02-Oct-2023 |
Stefan Hajnoczi <stefanha@redhat.com> |
Merge tag 'pull-shadow-2023-09-29' of https://repo.or.cz/qemu/armbru into staging
-Wshadow=local patches for 2023-09-29
# gpg: Signature made Fri 29 Sep 2023 04:10:35 EDT # gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653 # gpg: issuer "armbru@redhat.com" # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full] # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full] # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* tag 'pull-shadow-2023-09-29' of https://repo.or.cz/qemu/armbru: (56 commits) disas/m68k: clean up local variable shadowing hw/nvme: Clean up local variable shadowing in nvme_ns_init() softmmu/device_tree: Fixup local variables shadowing target/riscv: vector_helper: Fixup local variables shadowing target/riscv: cpu: Fixup local variables shadowing hw/riscv: opentitan: Fixup local variables shadowing qemu-nbd: changes towards enabling -Wshadow=local seccomp: avoid shadowing of 'action' variable crypto: remove shadowed 'ret' variable intel_iommu: Fix shadow local variables on "size" aspeed/timer: Clean up local variable shadowing aspeed/i3c: Rename variable shadowing a local aspeed: Clean up local variable shadowing aspeed/i2c: Clean up local variable shadowing hw/arm/smmuv3-internal.h: Don't use locals in statement macros hw/arm/smmuv3.c: Avoid shadowing variable hw/misc/arm_sysctl.c: Avoid shadowing local variable hw/intc/arm_gicv3_its: Avoid shadowing variable in do_process_its_cmd() hw/acpi: changes towards enabling -Wshadow=local test-throttle: don't shadow 'index' variable in do_test_accounting() ...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
#
1728593a |
| 04-Sep-2023 |
Philippe Mathieu-Daudé <philmd@linaro.org> |
net/eth: Clean up local variable shadowing
Fix:
net/eth.c:435:20: error: declaration shadows a local variable [-Werror,-Wshadow]
            size_t input_size = iov_size(pkt, pkt_frags);
                   ^
net/eth.c:413:16: note: previous declaration is here
        size_t input_size = iov_size(pkt, pkt_frags);
               ^
Suggested-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20230904161235.84651-16-philmd@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
#
00f76608 |
| 23-May-2023 |
Richard Henderson <richard.henderson@linaro.org> |
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
# gpg: Signature made Tue 23 May 2023 12:21:59 AM PDT # gpg: using RSA key EF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [undefined] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* tag 'net-pull-request' of https://github.com/jasowang/qemu: (50 commits) rtl8139: fix large_send_mss divide-by-zero docs/system/devices/igb: Note igb is tested for DPDK MAINTAINERS: Add a reviewer for network packet abstractions vmxnet3: Do not depend on PC igb: Clear-on-read ICR when ICR.INTA is set igb: Notify only new interrupts e1000e: Notify only new interrupts igb: Implement Tx timestamp igb: Implement Rx PTP2 timestamp igb: Implement igb-specific oversize check igb: Filter with the second VLAN tag for extended VLAN igb: Strip the second VLAN tag for extended VLAN igb: Implement Tx SCTP CSO igb: Implement Rx SCTP CSO igb: Use UDP for RSS hash igb: Implement MSI-X single vector mode tests/qtest/libqos/igb: Set GPIE.Multiple_MSIX hw/net/net_rx_pkt: Enforce alignment for eth_header net/eth: Always add VLAN tag net/eth: Use void pointers ...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
#
7e64a9ca |
| 22-May-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
igb: Strip the second VLAN tag for extended VLAN
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
907209e3 |
| 22-May-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
igb: Implement Rx SCTP CSO
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
aaa8a15c |
| 22-May-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
net/eth: Always add VLAN tag
It is possible to have another VLAN tag even if the packet is already tagged.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
85427bf3 |
| 22-May-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
net/eth: Use void pointers
The uses of uint8_t pointers were misleading as they are never accessed as an array of octets and it even requires more strict alignment to access as struct eth_header.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
0b117830 |
| 22-May-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
net/eth: Rename eth_setup_vlan_headers_ex
The old eth_setup_vlan_headers has no user so remove it and rename eth_setup_vlan_headers_ex.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
2f0fa232 |
| 22-May-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
net/net_rx_pkt: Use iovec for net_rx_pkt_set_protocols()
igb does not properly ensure the buffer passed to net_rx_pkt_set_protocols() is contiguous for the entire L2/L3/L4 header. Allow it to pass scattered data to net_rx_pkt_set_protocols().
Fixes: 3a977deebe ("Intrdocue igb device emulation") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
Revision tags: v8.0.0 |
|
#
7284d53f |
| 11-Mar-2023 |
Peter Maydell <peter.maydell@linaro.org> |
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
# gpg: Signature made Fri 10 Mar 2023 09:27:33 GMT # gpg: using RSA key EF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* tag 'net-pull-request' of https://github.com/jasowang/qemu: (44 commits) ebpf: fix compatibility with libbpf 1.0+ docs/system/devices/igb: Add igb documentation tests/avocado: Add igb test igb: Introduce qtest for igb device tests/qtest/libqos/e1000e: Export macreg functions tests/qtest/e1000e-test: Fabricate ethernet header Intrdocue igb device emulation e1000: Split header files pcie: Introduce pcie_sriov_num_vfs net/eth: Introduce EthL4HdrProto e1000e: Implement system clock net/eth: Report if headers are actually present e1000e: Count CRC in Tx statistics e1000: Count CRC in Tx statistics e1000e: Combine rx traces MAINTAINERS: Add e1000e test files MAINTAINERS: Add Akihiko Odaki as a e1000e reviewer e1000e: Do not assert when MSI-X is disabled later hw/net/net_tx_pkt: Check the payload length hw/net/net_tx_pkt: Implement TCP segmentation ...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
#
65f474bb |
| 23-Feb-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
net/eth: Introduce EthL4HdrProto
igb, a new network device emulation, will need SCTP checksum offloading. Currently eth_get_protocols() has a bool parameter for each protocol currently it supports, but there will be a bit too many parameters if we add yet another protocol.
Introduce an enum type, EthL4HdrProto to represent all L4 protocols eth_get_protocols() supports with one parameter.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
69ff5ef8 |
| 23-Feb-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
net/eth: Report if headers are actually present
The values returned by eth_get_protocols() are used to perform RSS, checksumming and segmentation. Even when a packet signals the use of the protocols which these operations can be applied to, the headers for them may not be present because of too short packet or fragmentation, for example. In such a case, the operations cannot be applied safely.
Report the presence of headers instead of whether the use of the protocols is indicated with eth_get_protocols(). This also makes corresponding changes to the callers of eth_get_protocols() to match with its new signature and to remove redundant checks for fragmentation.
Fixes: 75020a7021 ("Common definitions for VMWARE devices") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
02ef5fdc |
| 23-Feb-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
hw/net/net_tx_pkt: Implement TCP segmentation
There was no proper implementation of TCP segmentation before this change, and net_tx_pkt relied solely on IPv4 fragmentation. Not only is this not aligned with the specification, but it also resulted in corrupted IPv6 packets.
This is particularly problematic for the igb, a new proposed device implementation; igb provides loopback feature for VMDq and the feature relies on software segmentation.
Implement proper TCP segmentation in net_tx_pkt to fix such a scenario.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
Revision tags: v7.2.0, v7.0.0 |
|
#
e56d873f |
| 15-Feb-2022 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Mon 14 Feb 2022 03:51:14 GMT # gpg: using RSA key EF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request: net/eth: Don't consider ESP to be an IPv6 option header hw/net: e1000e: Clear ICR on read when using non MSI-X interrupts net/filter: Optimize filter_send to coroutine net/colo-compare.c: Update the default value comments net/colo-compare.c: Optimize compare order for performance net: Fix uninitialized data usage net/tap: Set return code on failure hw/net/vmxnet3: Log guest-triggerable errors using LOG_GUEST_ERROR
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
#
9d6267b2 |
| 12-Feb-2022 |
Thomas Jansen <mithi@mithi.net> |
net/eth: Don't consider ESP to be an IPv6 option header
The IPv6 option headers all have in common that they start with some common fields, in particular the type of the next header followed by the extension header length. This is used to traverse the list of the options. The ESP header does not follow that format, which can break the IPv6 option header traversal code in eth_parse_ipv6_hdr().

The effect of that is that network interfaces such as vmxnet3 that use the following call chain

  eth_is_ip6_extension_header_type
  eth_parse_ipv6_hdr
  net_tx_pkt_parse_headers
  net_tx_pkt_parse
  vmxnet3_process_tx_queue

to send packets from the VM out to the host will drop packets of the following structure:

  Ethernet-Header(IPv6-Header(ESP(encrypted data)))
Note that not all types of network interfaces use the net_tx_pkt_parse function though, leading to inconsistent behavior regarding sending those packets. The e1000 network interface for example does not suffer from this limitation.
By not considering ESP to be an IPv6 header we can allow sending those packets out to the host on all types of network interfaces.
Fixes: 75020a702151 ("Common definitions for VMWARE devices") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/149 Buglink: https://bugs.launchpad.net/qemu/+bug/1758091 Signed-off-by: Thomas Jansen <mithi@mithi.net> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
Revision tags: v6.2.0, v6.1.0 |
|
#
b1847509 |
| 22-Mar-2021 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Mon 22 Mar 2021 09:35:08 GMT # gpg: using RSA key EF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request: net/eth: Add an assert() and invert if() statement to simplify code net/eth: Read ip6_ext_hdr_routing buffer before accessing it net/eth: Check iovec has enough data earlier net/eth: Check size earlier in _eth_get_rss_ex_dst_addr() net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument net/eth: Simplify _eth_get_rss_ex_dst_addr() net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr() net/colo-compare.c: Optimize removal of secondary packet net/colo-compare.c: Fix memory leak for non-tcp packet hw/net: virtio-net: Initialize nc->do_not_pad to true net: Pad short frames to minimum size before sending from SLiRP/TAP net: Add a 'do_not_pad" to NetClientState net: eth: Add a helper to pad a short Ethernet frame
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
#
c7274b5e |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Add an assert() and invert if() statement to simplify code
To simplify the function body, invert the if() statement, returning earlier. Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
7d6a4f12 |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Read ip6_ext_hdr_routing buffer before accessing it
We can't know the caller read enough data in the memory pointed by ext_hdr to cast it as an ip6_ext_hdr_routing. Declare rt_hdr on the stack and fill it again from the iovec.
Since we already checked there is enough data in the iovec buffer, simply add an assert() call to consume the bytes_read variable.
This fixes a 2 bytes buffer overrun in eth_parse_ipv6_hdr() reported by QEMU fuzzer:
  $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
    -accel qtest -monitor none \
    -serial none -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  write 0x25 0x1 0x86
  write 0x26 0x1 0xdd
  write 0x4f 0x1 0x2b
  write 0xe1020030 0x4 0x190002e1
  write 0xe102003a 0x2 0x0807
  write 0xe1020048 0x4 0x12077cdd
  write 0xe1020400 0x4 0xba077cdd
  write 0xe1020420 0x4 0x190002e1
  write 0xe1020428 0x4 0x3509d807
  write 0xe1020438 0x1 0xe2
  EOF
  =================================================================
  ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
  READ of size 1 at 0x7ffdef904902 thread T0
      #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
      #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
      #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
      #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
      #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
      #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
      #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
      #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
      #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

  Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
      #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

    This frame has 1 object(s):
      [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
  ==2859770==ABORTING
Add the corresponding qtest case with the fuzzer reproducer.
FWIW GCC 11 similarly reported:
  net/eth.c: In function 'eth_parse_ipv6_hdr':
  net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |          ~~~~~^~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~
  net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |                                 ~~~~~^~~~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~
Cc: qemu-stable@nongnu.org Buglink: https://bugs.launchpad.net/qemu/+bug/1879531 Reported-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: Miroslav Rezanina <mrezanin@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality") Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
ef763586 |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Check iovec has enough data earlier
We want to check fields from ip6_ext_hdr_routing structure and if correct read the full in6_address. Let's directly check if our iovec contains enough data for everything, else return early.
Suggested-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
6f10f77d |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Check size earlier in _eth_get_rss_ex_dst_addr()
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
dbd8d3f9 |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Better describe _eth_get_rss_ex_dst_addr's offset argument
The 'offset' argument represents the offset to the ip6_ext_hdr header, rename it as 'ext_hdr_offset'.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
38462440 |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Simplify _eth_get_rss_ex_dst_addr()
The length field is already contained in the ip6_ext_hdr structure. Check it directly in eth_parse_ipv6_hdr() before calling _eth_get_rss_ex_dst_addr(), which gets a bit simplified.
Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
b565b44e |
| 10-Mar-2021 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
net/eth: Use correct in6_address offset in _eth_get_rss_ex_dst_addr()
The in6_address comes after the ip6_ext_hdr_routing header, not after the ip6_ext_hdr one. Fix the offset.
Cc: qemu-stable@nongnu.org Reported-by: Stefano Garzarella <sgarzare@redhat.com> Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality") Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
#
af774513 |
| 17-Mar-2021 |
Bin Meng <bmeng.cn@gmail.com> |
net: eth: Add a helper to pad a short Ethernet frame
Add a helper to pad a short Ethernet frame to the minimum required length, which can be used by backends' code.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|
Revision tags: v5.2.0 |
|
#
54cd1213 |
| 11-Nov-2020 |
Peter Maydell <peter.maydell@linaro.org> |
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Wed 11 Nov 2020 13:04:02 GMT # gpg: using RSA key EF04965B398D6211 # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request: hw/net/can/ctucan_core: Use stl_le_p to write to tx_buffers hw/net/can/ctucan_core: Handle big-endian hosts hw/net/can/ctucan: Avoid unused value in ctucan_send_ready_buffers() hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer net/l2tpv3: Remove redundant check in net_init_l2tpv3() net: remove an assert call in eth_get_gso_type net/colo-compare.c: Increase default queued packet scan frequency net/colo-compare.c: Add secondary old packet detection net/colo-compare.c: Change the timer clock type net/colo-compare.c: Fix compare_timeout format issue colo-compare: check mark in mutual exclusion colo-compare: fix missing compare_seq initialization Fix the qemu crash when guest shutdown in COLO mode Reduce the time of checkpoint for COLO Optimize seq_sorter function for colo-compare net/filter-rewriter: destroy g_hash_table in colo_rewriter_cleanup virtio-net: Set mac address to hardware if the peer is vdpa
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|