[PULL 0/5] Net patches

[PULL 0/5] Net patches

[Jason Wang]

The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:

  Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' into staging (2020-11-23 18:51:13 +0000)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 9925990d01a92564af55f6f69d0f5f59b47609b1:

  net: Use correct default-path macro for downscript (2020-11-24 10:40:17 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Keqian Zhu (1):
      net: Use correct default-path macro for downscript

Paolo Bonzini (1):
      net: do not exit on "netdev_add help" monitor command

Prasad J Pandit (1):
      hw/net/e1000e: advance desc_offset in case of null descriptor

Yuri Benditovich (1):
      net: purge queued rx packets on queue deletion

yuanjungong (1):
      tap: fix a memory leak

 hw/net/e1000e_core.c |  8 +++---
 include/net/net.h    |  1 +
 monitor/hmp-cmds.c   |  6 ++++
 net/net.c            | 80 +++++++++++++++++++++++++++-------------------------
 net/tap.c            |  5 +++-
 5 files changed, 57 insertions(+), 43 deletions(-)

Re: [PULL 0/5] Net patches

[Peter Maydell]

On Tue, 24 Nov 2020 at 02:44, Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:
>
>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' into staging (2020-11-23 18:51:13 +0000)
>
> are available in the git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to 9925990d01a92564af55f6f69d0f5f59b47609b1:
>
>   net: Use correct default-path macro for downscript (2020-11-24 10:40:17 +0800)
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.2
for any user-visible changes.

-- PMM

[PULL 0/5] Net patches

[Jason Wang]

The following changes since commit 0c633cf0c221922a0a9f9d0b8866cbb111f5e192:

  Merge remote-tracking branch 'remotes/rth-gitlab/tags/pull-tcg-20210730' into staging (2021-07-31 21:29:57 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to cfe6d6841ff46b43ec38792422f690813f4ce3bf:

  hw/net: e1000e: Don't zero out the VLAN tag in the legacy RX descriptor (2021-08-02 12:19:18 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Christina Wang (3):
      hw/net: e1000: Correct the initial value of VET register
      hw/net: e1000e: Correct the initial value of VET register
      hw/net: e1000e: Don't zero out the VLAN tag in the legacy RX descriptor

Pavel Pisa (1):
      hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes

Thomas Huth (1):
      hw/net/vmxnet3: Do not abort QEMU if guest specified bad queue numbers

 hw/core/machine.c        |  2 ++
 hw/net/can/can_sja1000.c |  8 ++++++++
 hw/net/e1000.c           | 17 +++++++++++++++++
 hw/net/e1000e.c          |  8 +++++++-
 hw/net/e1000e_core.c     | 10 ++++------
 hw/net/vmxnet3.c         | 34 ++++++++++++++++++++++------------
 6 files changed, 60 insertions(+), 19 deletions(-)

Re: [PULL 0/5] Net patches

[Peter Maydell]

On Mon, 2 Aug 2021 at 05:33, Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit 0c633cf0c221922a0a9f9d0b8866cbb111f5e192:
>
>   Merge remote-tracking branch 'remotes/rth-gitlab/tags/pull-tcg-20210730' into staging (2021-07-31 21:29:57 +0100)
>
> are available in the git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to cfe6d6841ff46b43ec38792422f690813f4ce3bf:
>
>   hw/net: e1000e: Don't zero out the VLAN tag in the legacy RX descriptor (2021-08-02 12:19:18 +0800)
>
> ----------------------------------------------------------------
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM

[PULL 0/5] Net patches

[Jason Wang]

The following changes since commit 5012e522aca161be5c141596c66e5cc6082538a9:

  Update version for v9.0.0-rc1 release (2024-03-26 19:46:55 +0000)

are available in the Git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to d9b33018a0da51eddceb48c42345cfb351065f3e:

  Revert "tap: setting error appropriately when calling net_init_tap_one()" (2024-03-29 14:59:07 +0800)

----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmYGZ7EACgkQ7wSWWzmN
YhHvxgf/SDEYYMlxU7PA1SfwlIYtUG8K1zQnwLXNY6ySCJuCn1IdVoITaUt3BtE5
OtrhKI8cW5WwL4qzkElWlL431vyqomGdmJQedF8agwoR2aIo24i/Ue09MHxJxXUB
ONEOv3bizDCYWUjz+PMHRdIbo0AiSNaUDnB8iY59yD6HZqSLVMDx8Ia2KVrzUKwc
nMuqkDsVIc3gwqFNPbTl3yqVt6k1x+vBCGQUg9BiKE3pkUcONhsJpBYYj4hlY9mn
/BPlQBcRUoLHQD7KGSUKVFSODHPYzDg7BsSz2+EpuZucRRI3VEyHlcB5A6LIVhrK
fpqd+80Fb7VE9CAxA2gFj7gh5uPJ1A==
=shO6
-----END PGP SIGNATURE-----

----------------------------------------------------------------
Akihiko Odaki (5):
      virtio-net: Fix vhost virtqueue notifiers for RSS
      ebpf: Fix indirections table setting
      hw/net/net_tx_pkt: Fix virtio header without checksum offloading
      tap-win32: Remove unnecessary stubs
      Revert "tap: setting error appropriately when calling net_init_tap_one()"

 ebpf/ebpf_rss.c         |  9 +++++++--
 hw/net/net_tx_pkt.c     |  1 +
 hw/net/virtio-net.c     |  4 ++--
 include/net/vhost_net.h |  3 ---
 net/tap-win32.c         | 54 -------------------------------------------------
 net/tap.c               | 22 +++++---------------
 6 files changed, 15 insertions(+), 78 deletions(-)

Re: [PULL 0/5] Net patches

[Peter Maydell]

On Fri, 29 Mar 2024 at 07:11, Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit 5012e522aca161be5c141596c66e5cc6082538a9:
>
>   Update version for v9.0.0-rc1 release (2024-03-26 19:46:55 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to d9b33018a0da51eddceb48c42345cfb351065f3e:
>
>   Revert "tap: setting error appropriately when calling net_init_tap_one()" (2024-03-29 14:59:07 +0800)
>

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/9.0
for any user-visible changes.

-- PMM

Re: [PULL 0/5] Net patches

[Michael Tokarev]

29.03.2024 10:10, Jason Wang:

> Akihiko Odaki (5):
>        virtio-net: Fix vhost virtqueue notifiers for RSS
>        ebpf: Fix indirections table setting
>        hw/net/net_tx_pkt: Fix virtio header without checksum offloading
>        tap-win32: Remove unnecessary stubs
>        Revert "tap: setting error appropriately when calling net_init_tap_one()"

 From the above, I'm picking up

   virtio-net: Fix vhost virtqueue notifiers for RSS
   hw/net/net_tx_pkt: Fix virtio header without checksum offloading

for stable.  Not yet sure about

   Revert "tap: setting error appropriately when calling net_init_tap_one()"

as it's been with us for a long time.

Please Cc: qemu-stable@ for changes which should be picked for stable
series.

Thanks,

/mjt

Re: [PULL 0/5] Net patches

[Jason Wang]

On Mon, Apr 1, 2024 at 3:21 AM Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 29.03.2024 10:10, Jason Wang:
>
> > Akihiko Odaki (5):
> >        virtio-net: Fix vhost virtqueue notifiers for RSS
> >        ebpf: Fix indirections table setting
> >        hw/net/net_tx_pkt: Fix virtio header without checksum offloading
> >        tap-win32: Remove unnecessary stubs
> >        Revert "tap: setting error appropriately when calling net_init_tap_one()"
>
>  From the above, I'm picking up
>
>    virtio-net: Fix vhost virtqueue notifiers for RSS
>    hw/net/net_tx_pkt: Fix virtio header without checksum offloading

Yes.

>
> for stable.  Not yet sure about
>
>    Revert "tap: setting error appropriately when calling net_init_tap_one()"
>
> as it's been with us for a long time.

It probably isn't worth bothering.

>
> Please Cc: qemu-stable@ for changes which should be picked for stable
> series.
>

Right.

Thanks

> Thanks,
>
> /mjt
>

[PULL 0/5] Net patches

[Jason Wang]

The following changes since commit d9a4282c4b690e45d25c2b933f318bb41eeb271d:

  Merge tag 'pull-tcg-20250308' of https://gitlab.com/rth7680/qemu into staging (2025-03-09 11:45:00 +0800)

are available in the Git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to ac2ff9b840ce82cc7d5fd9ce4fd3019a434d7dc9:

  tap-linux: Open ipvtap and macvtap (2025-03-10 17:07:16 +0800)

----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmfO1zkACgkQ7wSWWzmN
YhET+wf+PkaGeFTNUrOtWpl35fSMKlmOVbb1fkPfuhVBmeY2Vh1EIN3OjqnzdV0F
wxpuk+wwmFiuV1n6RNuMHQ0nz1mhgsSlZh93N5rArC/PUr3iViaT0cb82RjwxhaI
RODBhhy7V9WxEhT9hR8sCP2ky2mrKgcYbjiIEw+IvFZOVQa58rMr2h/cbAb/iH4l
7T9Wba03JBqOS6qgzSFZOMxvqnYdVjhqXN8M6W9ngRJOjPEAkTB6Evwep6anRjcM
mCUOgkf2sgQwKve8pYAeTMkzXFctvTc/qCU4ZbN8XcoKVVxe2jllGQqdOpMskPEf
slOuINeW5M0K5gyjsb/huqcOTfDI2A==
=/Y0+
-----END PGP SIGNATURE-----

----------------------------------------------------------------
Akihiko Odaki (3):
      util/iov: Do not assert offset is in iov
      Revert "hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()"
      tap-linux: Open ipvtap and macvtap

Eugenio Pérez (2):
      net: parameterize the removing client from nc list
      net: move backend cleanup to NIC cleanup

 hw/net/net_tx_pkt.c |  4 ----
 include/qemu/iov.h  |  5 +++--
 net/net.c           | 44 ++++++++++++++++++++++++++++++++++----------
 net/tap-linux.c     | 17 ++++++++++++++---
 net/vhost-vdpa.c    |  8 --------
 util/iov.c          |  5 -----
 6 files changed, 51 insertions(+), 32 deletions(-)

Re: [PULL 0/5] Net patches

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 116 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/10.0 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 0/5] Net patches

[Jason Wang]

The following changes since commit 9febfa94b69b7146582c48a868bd2330ac45037f:

  Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging (2025-11-12 11:47:42 +0100)

are available in the Git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to a01344d9d78089e9e585faaeb19afccff2050abf:

  net: pad packets to minimum length in qemu_receive_packet() (2025-11-14 09:59:55 +0800)

----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmkWo9EACgkQ7wSWWzmN
YhHargf/Uf801PmKskryVENF9sVe6u5NxJZlT3BUJVsSTGitucBIHWZ5J7MMR1lw
If4tfMho3BX5Wrtl5GuCEzolk9pCz3wmSN6nyOU25C5tKaoJ/uR135K25D0CwVmD
eTOyg+gKktVfogXxJ/zwZpRHMq4XXrk/C2ZP41r/CdcLyaeuDS9GIbd/q4N7f3vv
bEsVqECzjEwWr2JBY9SD0xlIRp3nWwEvRsgRZPzBiQzfjSTlImqGLUsxIpF5V2LV
1BU0V/FShWyrwckBXSqCWBUh6uBUGgEl6qKnK4vH7+ed4Kd9giyp1vWAFEjHgIg+
gZtPaT/MJQOtLyCuzfuSdUpAzz5Sfw==
=Is8a
-----END PGP SIGNATURE-----

----------------------------------------------------------------
Jonah Palmer (1):
      net/hub: make net_hub_port_cleanup idempotent

Peter Maydell (4):
      hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX descriptors
      hw/net/e1000e_core: Correct rx oversize packet checks
      hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers() assert
      net: pad packets to minimum length in qemu_receive_packet()

 hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++++++++----------------
 net/hub.c            |  8 ++++-
 net/net.c            | 10 +++++++
 3 files changed, 76 insertions(+), 27 deletions(-)

[PULL 1/5] net/hub: make net_hub_port_cleanup idempotent

[Jason Wang]

From: Jonah Palmer <jonah.palmer@oracle.com>

Makes the net_hub_port_cleanup function idempotent to avoid double
removals by guarding its QLIST_REMOVE with a flag.

When using a Xen networking device with hubport backends, e.g.:

-accel kvm,xen-version=0x40011
-netdev hubport,...
-device xen-net-device,...

the shutdown order starts with net_cleanup, which walks the list and
deletes netdevs (including hubports). Then Xen's xen_device_unrealize is
called, which eventually leads to a second net_hub_port_cleanup call,
resulting in a segfault.

Fixes: e7891c57 ("net: move backend cleanup to NIC cleanup")
Reported-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Jonah Palmer <jonah.palmer@oracle.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/hub.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/hub.c b/net/hub.c
index e3b58b1c4f..ee5881f6d5 100644
--- a/net/hub.c
+++ b/net/hub.c
@@ -34,6 +34,7 @@ typedef struct NetHubPort {
     QLIST_ENTRY(NetHubPort) next;
     NetHub *hub;
     int id;
+    bool listed;
 } NetHubPort;
 
 struct NetHub {
@@ -129,7 +130,10 @@ static void net_hub_port_cleanup(NetClientState *nc)
 {
     NetHubPort *port = DO_UPCAST(NetHubPort, nc, nc);
 
-    QLIST_REMOVE(port, next);
+    if (port->listed) {
+        QLIST_REMOVE(port, next);
+        port->listed = false;
+    }
 }
 
 static NetClientInfo net_hub_port_info = {
@@ -159,8 +163,10 @@ static NetHubPort *net_hub_port_new(NetHub *hub, const char *name,
     port = DO_UPCAST(NetHubPort, nc, nc);
     port->id = id;
     port->hub = hub;
+    port->listed = false;
 
     QLIST_INSERT_HEAD(&hub->ports, port, next);
+    port->listed = true;
 
     return port;
 }
-- 
2.42.0

[PULL 2/5] hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX descriptors

[Jason Wang]

From: Peter Maydell <peter.maydell@linaro.org>

In e1000e_write_packet_to_guest() we don't write data for RX descriptors
where the buffer address is NULL (as required by the i82574 datasheet
section 7.1.7.2). However, when we do this we still update desc_offset
by the amount of data we would have written to the RX descriptor if
it had a valid buffer pointer, resulting in our dropping that data
entirely. The data sheet is not 100% clear on the subject, but this
seems unlikely to be the correct behaviour.

Rearrange the null-descriptor logic so that we don't treat these
do-nothing descriptors as if we'd really written the data.

This both fixes a bug and also is a prerequisite to cleaning up
the size calculation logic in the next patch.

(Cc to stable largely because it will be needed for the next patch,
which fixes a more serious bug.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000e_core.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index 8fef598b49..ba77cb6011 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -1481,7 +1481,6 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
     PCIDevice *d = core->owner;
     dma_addr_t base;
     union e1000_rx_desc_union desc;
-    size_t desc_size;
     size_t desc_offset = 0;
     size_t iov_ofs = 0;
 
@@ -1500,12 +1499,6 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
         E1000EBAState bastate = { { 0 } };
         bool is_last = false;
 
-        desc_size = total_size - desc_offset;
-
-        if (desc_size > core->rx_desc_buf_size) {
-            desc_size = core->rx_desc_buf_size;
-        }
-
         if (e1000e_ring_empty(core, rxi)) {
             return;
         }
@@ -1519,6 +1512,12 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
         e1000e_read_rx_descr(core, &desc, ba);
 
         if (ba[0]) {
+            size_t desc_size = total_size - desc_offset;
+
+            if (desc_size > core->rx_desc_buf_size) {
+                desc_size = core->rx_desc_buf_size;
+            }
+
             if (desc_offset < size) {
                 static const uint32_t fcs_pad;
                 size_t iov_copy;
@@ -1582,13 +1581,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
                           (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
                 }
             }
+            desc_offset += desc_size;
+            if (desc_offset >= total_size) {
+                is_last = true;
+            }
         } else { /* as per intel docs; skip descriptors with null buf addr */
             trace_e1000e_rx_null_descriptor();
         }
-        desc_offset += desc_size;
-        if (desc_offset >= total_size) {
-            is_last = true;
-        }
 
         e1000e_write_rx_descr(core, &desc, is_last ? core->rx_pkt : NULL,
                            rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
-- 
2.42.0

[PULL 3/5] hw/net/e1000e_core: Correct rx oversize packet checks

[Jason Wang]

From: Peter Maydell <peter.maydell@linaro.org>

In e1000e_write_packet_to_guest() we attempt to ensure that we don't
write more of a packet to a descriptor than will fit in the guest
configured receive buffers.  However, this code does not allow for
the "packet split" feature.  When packet splitting is enabled, the
first of up to 4 buffers in the descriptor is used for the packet
header only, with the payload going into buffers 2, 3 and 4.  Our
length check only checks against the total sizes of all 4 buffers,
which meant that if an incoming packet was large enough to fit in (1
+ 2 + 3 + 4) but not into (2 + 3 + 4) and packet splitting was
enabled, we would run into the assertion in
e1000e_write_hdr_frag_to_rx_buffers() that we had enough buffers for
the data:

qemu-system-i386: ../../hw/net/e1000e_core.c:1418: void e1000e_write_payload_frag_to_rx_buffers(E1000ECore *, hwaddr *, E1000EBAState *, const char *, dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed.

A malicious guest could provoke this assertion by configuring the
device into loopback mode, and then sending itself a suitably sized
packet into a suitably arrange rx descriptor.

The code also fails to deal with the possibility that the descriptor
buffers are sized such that the trailing checksum word does not fit
into the last descriptor which has actual data, which might also
trigger this assertion.

Rework the length handling to use two variables:
 * desc_size is the total amount of data DMA'd to the guest
   for the descriptor being processed in this iteration of the loop
 * rx_desc_buf_size is the total amount of space left in it

As we copy data to the guest (packet header, payload, checksum),
update these two variables.  (Previously we attempted to calculate
desc_size once at the top of the loop, but this is too difficult to
do correctly.) Then we can use the variables to ensure that we clamp
the amount of copied payload data to the remaining space in the
descriptor's buffers, even if we've used one of the buffers up in the
packet-split code, and we can tell whether we have enough space for
the full checksum word in this descriptor or whether we're going to
need to split that to the following descriptor.

I have included comments that hopefully help to make the loop
logic a little clearer.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/537
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000e_core.c | 61 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 14 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index ba77cb6011..471c3ed20b 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -1495,6 +1495,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
     rxi = rxr->i;
 
     do {
+        /*
+         * Loop processing descriptors while we have packet data to
+         * DMA to the guest.  desc_offset tracks how much data we have
+         * sent to the guest in total over all descriptors, and goes
+         * from 0 up to total_size (the size of everything to send to
+         * the guest including possible trailing 4 bytes of CRC data).
+         */
         hwaddr ba[MAX_PS_BUFFERS];
         E1000EBAState bastate = { { 0 } };
         bool is_last = false;
@@ -1512,23 +1519,27 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
         e1000e_read_rx_descr(core, &desc, ba);
 
         if (ba[0]) {
-            size_t desc_size = total_size - desc_offset;
-
-            if (desc_size > core->rx_desc_buf_size) {
-                desc_size = core->rx_desc_buf_size;
-            }
+            /* Total amount of data DMA'd to the guest in this iteration */
+            size_t desc_size = 0;
+            /*
+             * Total space available in this descriptor (we will update
+             * this as we use it up)
+             */
+            size_t rx_desc_buf_size = core->rx_desc_buf_size;
 
             if (desc_offset < size) {
-                static const uint32_t fcs_pad;
                 size_t iov_copy;
+                /* Amount of data to copy from the incoming packet */
                 size_t copy_size = size - desc_offset;
-                if (copy_size > core->rx_desc_buf_size) {
-                    copy_size = core->rx_desc_buf_size;
-                }
 
                 /* For PS mode copy the packet header first */
                 if (do_ps) {
                     if (is_first) {
+                        /*
+                         * e1000e_do_ps() guarantees that buffer 0 has enough
+                         * space for the header; otherwise we will not split
+                         * the packet (i.e. do_ps is false).
+                         */
                         size_t ps_hdr_copied = 0;
                         do {
                             iov_copy = MIN(ps_hdr_len - ps_hdr_copied,
@@ -1550,14 +1561,26 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
                         } while (ps_hdr_copied < ps_hdr_len);
 
                         is_first = false;
+                        desc_size += ps_hdr_len;
                     } else {
                         /* Leave buffer 0 of each descriptor except first */
                         /* empty as per spec 7.1.5.1                      */
                         e1000e_write_hdr_frag_to_rx_buffers(core, ba, &bastate,
                                                             NULL, 0);
                     }
+                    rx_desc_buf_size -= core->rxbuf_sizes[0];
                 }
 
+                /*
+                 * Clamp the amount of packet data we copy into what will fit
+                 * into the remaining buffers in the descriptor.
+                 */
+                if (copy_size > rx_desc_buf_size) {
+                    copy_size = rx_desc_buf_size;
+                }
+                desc_size += copy_size;
+                rx_desc_buf_size -= copy_size;
+
                 /* Copy packet payload */
                 while (copy_size) {
                     iov_copy = MIN(copy_size, iov->iov_len - iov_ofs);
@@ -1574,12 +1597,22 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
                         iov_ofs = 0;
                     }
                 }
+            }
 
-                if (desc_offset + desc_size >= total_size) {
-                    /* Simulate FCS checksum presence in the last descriptor */
-                    e1000e_write_payload_frag_to_rx_buffers(core, ba, &bastate,
-                          (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
-                }
+            if (rx_desc_buf_size &&
+                desc_offset >= size && desc_offset < total_size) {
+                /*
+                 * We are in the last 4 bytes corresponding to the FCS checksum.
+                 * We only ever write zeroes here (unlike the hardware).
+                 */
+                static const uint32_t fcs_pad;
+                /* Amount of space for the trailing checksum */
+                size_t fcs_len = MIN(rx_desc_buf_size,
+                                     total_size - desc_offset);
+                e1000e_write_payload_frag_to_rx_buffers(core, ba, &bastate,
+                                                        (const char *)&fcs_pad,
+                                                        fcs_len);
+                desc_size += fcs_len;
             }
             desc_offset += desc_size;
             if (desc_offset >= total_size) {
-- 
2.42.0

[PULL 4/5] hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers() assert

[Jason Wang]

From: Peter Maydell <peter.maydell@linaro.org>

An assertion in e1000e_write_payload_frag_to_rx_buffers() attempts to
guard against the calling code accidentally trying to write too much
data to a single RX descriptor, such that the E1000EBAState::cur_idx
indexes off the end of the EB1000BAState::written[] array.

Unfortunately it is overzealous: it asserts that cur_idx is in
range after it has been incremented. This will fire incorrectly
for the case where the guest configures four buffers and exactly
enough bytes are written to fill all four of them.

The only places where we use cur_idx and index in to the written[]
array are the functions e1000e_write_hdr_frag_to_rx_buffers() and
e1000e_write_payload_frag_to_rx_buffers(), so we can rewrite this to
assert before doing the array dereference, rather than asserting
after updating cur_idx.

Cc: qemu-stable@nongnu.org
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000e_core.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index 471c3ed20b..46e156a5dd 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -1392,10 +1392,13 @@ e1000e_write_payload_frag_to_rx_buffers(E1000ECore *core,
                                         dma_addr_t data_len)
 {
     while (data_len > 0) {
-        uint32_t cur_buf_len = core->rxbuf_sizes[bastate->cur_idx];
-        uint32_t cur_buf_bytes_left = cur_buf_len -
-                                      bastate->written[bastate->cur_idx];
-        uint32_t bytes_to_write = MIN(data_len, cur_buf_bytes_left);
+        uint32_t cur_buf_len, cur_buf_bytes_left, bytes_to_write;
+
+        assert(bastate->cur_idx < MAX_PS_BUFFERS);
+
+        cur_buf_len = core->rxbuf_sizes[bastate->cur_idx];
+        cur_buf_bytes_left = cur_buf_len - bastate->written[bastate->cur_idx];
+        bytes_to_write = MIN(data_len, cur_buf_bytes_left);
 
         trace_e1000e_rx_desc_buff_write(bastate->cur_idx,
                                         ba[bastate->cur_idx],
@@ -1414,8 +1417,6 @@ e1000e_write_payload_frag_to_rx_buffers(E1000ECore *core,
         if (bastate->written[bastate->cur_idx] == cur_buf_len) {
             bastate->cur_idx++;
         }
-
-        assert(bastate->cur_idx < MAX_PS_BUFFERS);
     }
 }
 
-- 
2.42.0

[PULL 5/5] net: pad packets to minimum length in qemu_receive_packet()

[Jason Wang]

From: Peter Maydell <peter.maydell@linaro.org>

In commits like 969e50b61a28 ("net: Pad short frames to minimum size
before sending from SLiRP/TAP") we switched away from requiring
network devices to handle short frames to instead having the net core
code do the padding of short frames out to the ETH_ZLEN minimum size.
We then dropped the code for handling short frames from the network
devices in a series of commits like 140eae9c8f7 ("hw/net: e1000:
Remove the logic of padding short frames in the receive path").

This missed one route where the device's receive code can still see a
short frame: if the device is in loopback mode and it transmits a
short frame via the qemu_receive_packet() function, this will be fed
back into its own receive code without being padded.

Add the padding logic to qemu_receive_packet().

This fixes a buffer overrun which can be triggered in the
e1000_receive_iov() logic via the loopback code path.

Other devices that use qemu_receive_packet() to implement loopback
are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139
and sungem.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/net.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/net.c b/net/net.c
index 27e0d27807..8aefdb3424 100644
--- a/net/net.c
+++ b/net/net.c
@@ -775,10 +775,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
 
 ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
 {
+    uint8_t min_pkt[ETH_ZLEN];
+    size_t min_pktsz = sizeof(min_pkt);
+
     if (!qemu_can_receive_packet(nc)) {
         return 0;
     }
 
+    if (net_peer_needs_padding(nc)) {
+        if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) {
+            buf = min_pkt;
+            size = min_pktsz;
+        }
+    }
+
     return qemu_net_queue_receive(nc->incoming_queue, buf, size);
 }
 
-- 
2.42.0

Re: [PULL 0/5] Net patches

[Richard Henderson]

On 11/14/25 04:48, Jason Wang wrote:
> The following changes since commit 9febfa94b69b7146582c48a868bd2330ac45037f:
> 
>    Merge tag 'for-upstream' ofhttps://repo.or.cz/qemu/kevin into staging (2025-11-12 11:47:42 +0100)
> 
> are available in the Git repository at:
> 
>    https://github.com/jasowang/qemu.git tags/net-pull-request
> 
> for you to fetch changes up to a01344d9d78089e9e585faaeb19afccff2050abf:
> 
>    net: pad packets to minimum length in qemu_receive_packet() (2025-11-14 09:59:55 +0800)

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate.

r~

Re: [PULL 0/5] Net patches

[Jason Wang]

On Fri, Nov 14, 2025 at 11:48 AM Jason Wang <jasowang@redhat.com> wrote:
>
> The following changes since commit 9febfa94b69b7146582c48a868bd2330ac45037f:
>
>   Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging (2025-11-12 11:47:42 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to a01344d9d78089e9e585faaeb19afccff2050abf:
>
>   net: pad packets to minimum length in qemu_receive_packet() (2025-11-14 09:59:55 +0800)

Ping.

Thanks

>
> ----------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
>
> iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmkWo9EACgkQ7wSWWzmN
> YhHargf/Uf801PmKskryVENF9sVe6u5NxJZlT3BUJVsSTGitucBIHWZ5J7MMR1lw
> If4tfMho3BX5Wrtl5GuCEzolk9pCz3wmSN6nyOU25C5tKaoJ/uR135K25D0CwVmD
> eTOyg+gKktVfogXxJ/zwZpRHMq4XXrk/C2ZP41r/CdcLyaeuDS9GIbd/q4N7f3vv
> bEsVqECzjEwWr2JBY9SD0xlIRp3nWwEvRsgRZPzBiQzfjSTlImqGLUsxIpF5V2LV
> 1BU0V/FShWyrwckBXSqCWBUh6uBUGgEl6qKnK4vH7+ed4Kd9giyp1vWAFEjHgIg+
> gZtPaT/MJQOtLyCuzfuSdUpAzz5Sfw==
> =Is8a
> -----END PGP SIGNATURE-----
>
> ----------------------------------------------------------------
> Jonah Palmer (1):
>       net/hub: make net_hub_port_cleanup idempotent
>
> Peter Maydell (4):
>       hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX descriptors
>       hw/net/e1000e_core: Correct rx oversize packet checks
>       hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers() assert
>       net: pad packets to minimum length in qemu_receive_packet()
>
>  hw/net/e1000e_core.c | 85 ++++++++++++++++++++++++++++++++++++----------------
>  net/hub.c            |  8 ++++-
>  net/net.c            | 10 +++++++
>  3 files changed, 76 insertions(+), 27 deletions(-)
>
>

Re: [PULL 0/5] Net patches

[Peter Maydell]

On Fri, 21 Nov 2025 at 04:03, Jason Wang <jasowang@redhat.com> wrote:
>
> On Fri, Nov 14, 2025 at 11:48 AM Jason Wang <jasowang@redhat.com> wrote:
> >
> > The following changes since commit 9febfa94b69b7146582c48a868bd2330ac45037f:
> >
> >   Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging (2025-11-12 11:47:42 +0100)
> >
> > are available in the Git repository at:
> >
> >   https://github.com/jasowang/qemu.git tags/net-pull-request
> >
> > for you to fetch changes up to a01344d9d78089e9e585faaeb19afccff2050abf:
> >
> >   net: pad packets to minimum length in qemu_receive_packet() (2025-11-14 09:59:55 +0800)
>
> Ping.

This was merged as commit 409be85c2f5422 a week ago ?

(Richard replied with the usual "applied, thanks" message but it looks
like that went to the list and wasn't cc'd to you.)

-- PMM