* add --enable/--disable-libgio to configure (Denis)
* small fixes (Pavel, myself) * fuzzing update (Alexander) -----BEGIN PGP SIGNATURE----- iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmBQ+U4UHHBib256aW5p QHJlZGhhdC5jb20ACgkQv/vSX3jHroNAuAf8DO6soVd8Mtr+a/acTzkoquNfoZPZ Xyfi8kvkSfhcPnUObuTfqalzOiP2Gqlddqvtzkh86CGNriaGFc2Wutd708/84GDe fh4NmA9aYieo4sn/3PpZOjoqwO4FtV7yAHijRkgA9aYJnG6ijDByup6FCHqTX42z jKrHa0ldk41Klj9Z03/yJmIcXTACg1/2fRn2h4W6MVRpbWw4CCwdftA5Id+x0lmh JrKsRrdokt4kZG2nIXLJF/eI9QRQMVh1fB5kY9YiG8kHEjMC85IN+YFuDbD8nonp PN1DMsTz3Kl/BgnDMeio945TeaqhW3o8jRwd4Ys9K0hRGNrKdPGaiTS6lw== =RPSp -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging * add --enable/--disable-libgio to configure (Denis) * small fixes (Pavel, myself) * fuzzing update (Alexander) # gpg: Signature made Tue 16 Mar 2021 18:30:38 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini-gitlab/tags/for-upstream: qemu-timer: allow freeing a NULL timer hw/i8254: fix vmstate load scsi: fix sense code for EREMOTEIO Revert "accel: kvm: Add aligment assert for kvm_log_clear_one_slot" configure: add option to explicitly enable/disable libgio fuzz: move some DMA hooks fuzz: configure a sparse-mem device, by default memory: add a sparse memory device for fuzzing fuzz: add a am53c974 generic-fuzzer config fuzz: add instructions for building reproducers fuzz: add a script to build reproducers fuzz: don't leave orphan llvm-symbolizers around fuzz: fix the pro100 generic-fuzzer config MAINTAINERS: Cover fuzzer reproducer tests within 'Device Fuzzing' tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available tests/qtest: Only run fuzz-megasas-test if megasas device is available Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
		
						commit
						56b89f4558
					
				| @ -1773,6 +1773,7 @@ S: Supported | ||||
| F: include/hw/scsi/* | ||||
| F: hw/scsi/* | ||||
| F: tests/qtest/virtio-scsi-test.c | ||||
| F: tests/qtest/fuzz-virtio-scsi-test.c | ||||
| T: git https://github.com/bonzini/qemu.git scsi-next | ||||
| 
 | ||||
| SSI | ||||
| @ -1984,6 +1985,7 @@ S: Supported | ||||
| F: hw/scsi/megasas.c | ||||
| F: hw/scsi/mfi.h | ||||
| F: tests/qtest/megasas-test.c | ||||
| F: tests/qtest/fuzz-megasas-test.c | ||||
| 
 | ||||
| Network packet abstractions | ||||
| M: Dmitry Fleytman <dmitry.fleytman@gmail.com> | ||||
| @ -2647,7 +2649,9 @@ R: Stefan Hajnoczi <stefanha@redhat.com> | ||||
| R: Thomas Huth <thuth@redhat.com> | ||||
| S: Maintained | ||||
| F: tests/qtest/fuzz/ | ||||
| F: tests/qtest/fuzz-*test.c | ||||
| F: scripts/oss-fuzz/ | ||||
| F: hw/mem/sparse-mem.c | ||||
| F: docs/devel/fuzzing.rst | ||||
| 
 | ||||
| Register API | ||||
|  | ||||
| @ -673,10 +673,6 @@ out: | ||||
| #define KVM_CLEAR_LOG_ALIGN  (qemu_real_host_page_size << KVM_CLEAR_LOG_SHIFT) | ||||
| #define KVM_CLEAR_LOG_MASK   (-KVM_CLEAR_LOG_ALIGN) | ||||
| 
 | ||||
| /*
 | ||||
|  * As the granule of kvm dirty log is qemu_real_host_page_size, | ||||
|  * @start and @size are expected and restricted to align to it. | ||||
|  */ | ||||
| static int kvm_log_clear_one_slot(KVMSlot *mem, int as_id, uint64_t start, | ||||
|                                   uint64_t size) | ||||
| { | ||||
| @ -686,9 +682,6 @@ static int kvm_log_clear_one_slot(KVMSlot *mem, int as_id, uint64_t start, | ||||
|     unsigned long *bmap_clear = NULL, psize = qemu_real_host_page_size; | ||||
|     int ret; | ||||
| 
 | ||||
|     /* Make sure start and size are qemu_real_host_page_size aligned */ | ||||
|     assert(QEMU_IS_ALIGNED(start | size, psize)); | ||||
| 
 | ||||
|     /*
 | ||||
|      * We need to extend either the start or the size or both to | ||||
|      * satisfy the KVM interface requirement.  Firstly, do the start | ||||
|  | ||||
							
								
								
									
										36
									
								
								configure
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										36
									
								
								configure
									
									
									
									
										vendored
									
									
								
							| @ -465,6 +465,7 @@ fuse_lseek="auto" | ||||
| multiprocess="auto" | ||||
| 
 | ||||
| malloc_trim="auto" | ||||
| gio="$default_feature" | ||||
| 
 | ||||
| # parse CC options second | ||||
| for opt do | ||||
| @ -1560,6 +1561,10 @@ for opt do | ||||
|   ;; | ||||
|   --disable-multiprocess) multiprocess="disabled" | ||||
|   ;; | ||||
|   --enable-gio) gio=yes | ||||
|   ;; | ||||
|   --disable-gio) gio=no | ||||
|   ;; | ||||
|   *) | ||||
|       echo "ERROR: unknown option $opt" | ||||
|       echo "Try '$0 --help' for more information" | ||||
| @ -1913,6 +1918,7 @@ disabled with --disable-FEATURE, default is enabled if available | ||||
|   fuse            FUSE block device export | ||||
|   fuse-lseek      SEEK_HOLE/SEEK_DATA support for FUSE exports | ||||
|   multiprocess    Out of process device emulation support | ||||
|   gio             libgio support | ||||
| 
 | ||||
| NOTE: The object files are built at the place where configure is launched | ||||
| EOF | ||||
| @ -3319,7 +3325,9 @@ if test "$static" = yes && test "$mingw32" = yes; then | ||||
|     glib_cflags="-DGLIB_STATIC_COMPILATION $glib_cflags" | ||||
| fi | ||||
| 
 | ||||
| if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then | ||||
| if ! test "$gio" = "no"; then | ||||
|     pass=no | ||||
|     if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then | ||||
|         gio_cflags=$($pkg_config --cflags gio-2.0) | ||||
|         gio_libs=$($pkg_config --libs gio-2.0) | ||||
|         gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) | ||||
| @ -3338,17 +3346,27 @@ int main(void) | ||||
| } | ||||
| EOF | ||||
|         if compile_prog "$gio_cflags" "$gio_libs" ; then | ||||
|         gio=yes | ||||
|             pass=yes | ||||
|         else | ||||
|             pass=no | ||||
|         fi | ||||
| 
 | ||||
|         if test "$pass" = "yes" && | ||||
|             $pkg_config --atleast-version=$glib_req_ver gio-unix-2.0; then | ||||
|             gio_cflags="$gio_cflags $($pkg_config --cflags gio-unix-2.0)" | ||||
|             gio_libs="$gio_libs $($pkg_config --libs gio-unix-2.0)" | ||||
|         fi | ||||
|     fi | ||||
| 
 | ||||
|     if test "$pass" = "no"; then | ||||
|         if test "$gio" = "yes"; then | ||||
|             feature_not_found "gio" "Install libgio >= 2.0" | ||||
|         else | ||||
|             gio=no | ||||
|         fi | ||||
| else | ||||
|     gio=no | ||||
| fi | ||||
| 
 | ||||
| if $pkg_config --atleast-version=$glib_req_ver gio-unix-2.0; then | ||||
|     gio_cflags="$gio_cflags $($pkg_config --cflags gio-unix-2.0)" | ||||
|     gio_libs="$gio_libs $($pkg_config --libs gio-unix-2.0)" | ||||
|     else | ||||
|         gio=yes | ||||
|     fi | ||||
| fi | ||||
| 
 | ||||
| # Sanity check that the current size_t matches the | ||||
|  | ||||
| @ -210,6 +210,62 @@ Build details: | ||||
| - The script responsible for building the fuzzers can be found in the | ||||
|   QEMU source tree at ``scripts/oss-fuzz/build.sh`` | ||||
| 
 | ||||
| Building Crash Reproducers | ||||
| ----------------------------------------- | ||||
| When we find a crash, we should try to create an independent reproducer, that | ||||
| can be used on a non-fuzzer build of QEMU. This filters out any potential | ||||
| false-positives, and improves the debugging experience for developers. | ||||
| Here are the steps for building a reproducer for a crash found by the | ||||
| generic-fuzz target. | ||||
| 
 | ||||
| - Ensure the crash reproduces:: | ||||
| 
 | ||||
|     qemu-fuzz-i386 --fuzz-target... ./crash-... | ||||
| 
 | ||||
| - Gather the QTest output for the crash:: | ||||
| 
 | ||||
|     QEMU_FUZZ_TIMEOUT=0 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \ | ||||
|     qemu-fuzz-i386 --fuzz-target... ./crash-... &> /tmp/trace | ||||
| 
 | ||||
| - Reorder and clean-up the resulting trace:: | ||||
| 
 | ||||
|     scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py /tmp/trace > /tmp/reproducer | ||||
| 
 | ||||
| - Get the arguments needed to start qemu, and provide a path to qemu:: | ||||
| 
 | ||||
|     less /tmp/trace # The args should be logged at the top of this file | ||||
|     export QEMU_ARGS="-machine ..." | ||||
|     export QEMU_PATH="path/to/qemu-system" | ||||
| 
 | ||||
| - Ensure the crash reproduces in qemu-system:: | ||||
| 
 | ||||
|     $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer | ||||
| 
 | ||||
| - From the crash output, obtain some string that identifies the crash. This | ||||
|   can be a line in the stack-trace, for example:: | ||||
| 
 | ||||
|     export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865" | ||||
| 
 | ||||
| - Minimize the reproducer:: | ||||
| 
 | ||||
|     scripts/oss-fuzz/minimize_qtest_trace.py -M1 -M2 \ | ||||
|       /tmp/reproducer /tmp/reproducer-minimized | ||||
| 
 | ||||
| - Confirm that the minimized reproducer still crashes:: | ||||
| 
 | ||||
|     $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer-minimized | ||||
| 
 | ||||
| - Create a one-liner reproducer that can be sent over email:: | ||||
| 
 | ||||
|     ./scripts/oss-fuzz/output_reproducer.py -bash /tmp/reproducer-minimized | ||||
| 
 | ||||
| - Output the C source code for a test case that will reproduce the bug:: | ||||
| 
 | ||||
|     ./scripts/oss-fuzz/output_reproducer.py -owner "John Smith <john@smith.com>"\ | ||||
|       -name "test_function_name" /tmp/reproducer-minimized | ||||
| 
 | ||||
| - Report the bug and send a patch with the C reproducer upstream | ||||
| 
 | ||||
| Implementation Details / Fuzzer Lifecycle | ||||
| ----------------------------------------- | ||||
| 
 | ||||
|  | ||||
| @ -1,5 +1,6 @@ | ||||
| mem_ss = ss.source_set() | ||||
| mem_ss.add(files('memory-device.c')) | ||||
| mem_ss.add(when: 'CONFIG_FUZZ', if_true: files('sparse-mem.c')) | ||||
| mem_ss.add(when: 'CONFIG_DIMM', if_true: files('pc-dimm.c')) | ||||
| mem_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_mc.c')) | ||||
| mem_ss.add(when: 'CONFIG_NVDIMM', if_true: files('nvdimm.c')) | ||||
|  | ||||
							
								
								
									
										151
									
								
								hw/mem/sparse-mem.c
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										151
									
								
								hw/mem/sparse-mem.c
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,151 @@ | ||||
| /*
 | ||||
|  * A sparse memory device. Useful for fuzzing | ||||
|  * | ||||
|  * Copyright Red Hat Inc., 2021 | ||||
|  * | ||||
|  * Authors: | ||||
|  *  Alexander Bulekov   <alxndr@bu.edu> | ||||
|  * | ||||
|  * This work is licensed under the terms of the GNU GPL, version 2 or later. | ||||
|  * See the COPYING file in the top-level directory. | ||||
|  */ | ||||
| 
 | ||||
| #include "qemu/osdep.h" | ||||
| 
 | ||||
| #include "exec/address-spaces.h" | ||||
| #include "hw/qdev-properties.h" | ||||
| #include "hw/sysbus.h" | ||||
| #include "qapi/error.h" | ||||
| #include "qemu/units.h" | ||||
| #include "sysemu/qtest.h" | ||||
| #include "hw/mem/sparse-mem.h" | ||||
| 
 | ||||
| #define SPARSE_MEM(obj) OBJECT_CHECK(SparseMemState, (obj), TYPE_SPARSE_MEM) | ||||
| #define SPARSE_BLOCK_SIZE 0x1000 | ||||
| 
 | ||||
| typedef struct SparseMemState { | ||||
|     SysBusDevice parent_obj; | ||||
|     MemoryRegion mmio; | ||||
|     uint64_t baseaddr; | ||||
|     uint64_t length; | ||||
|     uint64_t size_used; | ||||
|     uint64_t maxsize; | ||||
|     GHashTable *mapped; | ||||
| } SparseMemState; | ||||
| 
 | ||||
| typedef struct sparse_mem_block { | ||||
|     uint8_t data[SPARSE_BLOCK_SIZE]; | ||||
| } sparse_mem_block; | ||||
| 
 | ||||
| static uint64_t sparse_mem_read(void *opaque, hwaddr addr, unsigned int size) | ||||
| { | ||||
|     SparseMemState *s = opaque; | ||||
|     uint64_t ret = 0; | ||||
|     size_t pfn = addr / SPARSE_BLOCK_SIZE; | ||||
|     size_t offset = addr % SPARSE_BLOCK_SIZE; | ||||
|     sparse_mem_block *block; | ||||
| 
 | ||||
|     block = g_hash_table_lookup(s->mapped, (void *)pfn); | ||||
|     if (block) { | ||||
|         assert(offset + size <= sizeof(block->data)); | ||||
|         memcpy(&ret, block->data + offset, size); | ||||
|     } | ||||
|     return ret; | ||||
| } | ||||
| 
 | ||||
| static void sparse_mem_write(void *opaque, hwaddr addr, uint64_t v, | ||||
|                              unsigned int size) | ||||
| { | ||||
|     SparseMemState *s = opaque; | ||||
|     size_t pfn = addr / SPARSE_BLOCK_SIZE; | ||||
|     size_t offset = addr % SPARSE_BLOCK_SIZE; | ||||
|     sparse_mem_block *block; | ||||
| 
 | ||||
|     if (!g_hash_table_lookup(s->mapped, (void *)pfn) && | ||||
|         s->size_used + SPARSE_BLOCK_SIZE < s->maxsize && v) { | ||||
|         g_hash_table_insert(s->mapped, (void *)pfn, | ||||
|                             g_new0(sparse_mem_block, 1)); | ||||
|         s->size_used += sizeof(block->data); | ||||
|     } | ||||
|     block = g_hash_table_lookup(s->mapped, (void *)pfn); | ||||
|     if (!block) { | ||||
|         return; | ||||
|     } | ||||
| 
 | ||||
|     assert(offset + size <= sizeof(block->data)); | ||||
| 
 | ||||
|     memcpy(block->data + offset, &v, size); | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| static const MemoryRegionOps sparse_mem_ops = { | ||||
|     .read = sparse_mem_read, | ||||
|     .write = sparse_mem_write, | ||||
|     .endianness = DEVICE_LITTLE_ENDIAN, | ||||
|     .valid = { | ||||
|             .min_access_size = 1, | ||||
|             .max_access_size = 8, | ||||
|             .unaligned = false, | ||||
|         }, | ||||
| }; | ||||
| 
 | ||||
| static Property sparse_mem_properties[] = { | ||||
|     /* The base address of the memory */ | ||||
|     DEFINE_PROP_UINT64("baseaddr", SparseMemState, baseaddr, 0x0), | ||||
|     /* The length of the sparse memory region */ | ||||
|     DEFINE_PROP_UINT64("length", SparseMemState, length, UINT64_MAX), | ||||
|     /* Max amount of actual memory that can be used to back the sparse memory */ | ||||
|     DEFINE_PROP_UINT64("maxsize", SparseMemState, maxsize, 10 * MiB), | ||||
|     DEFINE_PROP_END_OF_LIST(), | ||||
| }; | ||||
| 
 | ||||
| MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length) | ||||
| { | ||||
|     DeviceState *dev; | ||||
| 
 | ||||
|     dev = qdev_new(TYPE_SPARSE_MEM); | ||||
|     qdev_prop_set_uint64(dev, "baseaddr", addr); | ||||
|     qdev_prop_set_uint64(dev, "length", length); | ||||
|     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); | ||||
|     sysbus_mmio_map_overlap(SYS_BUS_DEVICE(dev), 0, addr, -10000); | ||||
|     return &SPARSE_MEM(dev)->mmio; | ||||
| } | ||||
| 
 | ||||
| static void sparse_mem_realize(DeviceState *dev, Error **errp) | ||||
| { | ||||
|     SparseMemState *s = SPARSE_MEM(dev); | ||||
|     SysBusDevice *sbd = SYS_BUS_DEVICE(dev); | ||||
| 
 | ||||
|     if (!qtest_enabled()) { | ||||
|         error_setg(errp, "sparse_mem device should only be used " | ||||
|                          "for testing with QTest"); | ||||
|         return; | ||||
|     } | ||||
| 
 | ||||
|     assert(s->baseaddr + s->length > s->baseaddr); | ||||
| 
 | ||||
|     s->mapped = g_hash_table_new(NULL, NULL); | ||||
|     memory_region_init_io(&s->mmio, OBJECT(s), &sparse_mem_ops, s, | ||||
|                           "sparse-mem", s->length); | ||||
|     sysbus_init_mmio(sbd, &s->mmio); | ||||
| } | ||||
| 
 | ||||
| static void sparse_mem_class_init(ObjectClass *klass, void *data) | ||||
| { | ||||
|     DeviceClass *dc = DEVICE_CLASS(klass); | ||||
| 
 | ||||
|     device_class_set_props(dc, sparse_mem_properties); | ||||
| 
 | ||||
|     dc->desc = "Sparse Memory Device"; | ||||
|     dc->realize = sparse_mem_realize; | ||||
| } | ||||
| 
 | ||||
| static const TypeInfo sparse_mem_types[] = { | ||||
|     { | ||||
|         .name = TYPE_SPARSE_MEM, | ||||
|         .parent = TYPE_SYS_BUS_DEVICE, | ||||
|         .instance_size = sizeof(SparseMemState), | ||||
|         .class_init = sparse_mem_class_init, | ||||
|     }, | ||||
| }; | ||||
| DEFINE_TYPES(sparse_mem_types); | ||||
| @ -324,7 +324,7 @@ static void pit_post_load(PITCommonState *s) | ||||
| { | ||||
|     PITChannelState *sc = &s->channels[0]; | ||||
| 
 | ||||
|     if (sc->next_transition_time != -1) { | ||||
|     if (sc->next_transition_time != -1 && !sc->irq_disabled) { | ||||
|         timer_mod(sc->irq_timer, sc->next_transition_time); | ||||
|     } else { | ||||
|         timer_del(sc->irq_timer); | ||||
|  | ||||
							
								
								
									
										19
									
								
								include/hw/mem/sparse-mem.h
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								include/hw/mem/sparse-mem.h
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,19 @@ | ||||
| /*
 | ||||
|  * A sparse memory device. Useful for fuzzing | ||||
|  * | ||||
|  * Copyright Red Hat Inc., 2021 | ||||
|  * | ||||
|  * Authors: | ||||
|  *  Alexander Bulekov   <alxndr@bu.edu> | ||||
|  * | ||||
|  * This work is licensed under the terms of the GNU GPL, version 2 or later. | ||||
|  * See the COPYING file in the top-level directory. | ||||
|  */ | ||||
| 
 | ||||
| #ifndef SPARSE_MEM_H | ||||
| #define SPARSE_MEM_H | ||||
| #define TYPE_SPARSE_MEM "sparse-mem" | ||||
| 
 | ||||
| MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length); | ||||
| 
 | ||||
| #endif | ||||
| @ -629,8 +629,10 @@ void timer_del(QEMUTimer *ts); | ||||
|  */ | ||||
| static inline void timer_free(QEMUTimer *ts) | ||||
| { | ||||
|     if (ts) { | ||||
|         timer_del(ts); | ||||
|         g_free(ts); | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| /**
 | ||||
|  | ||||
							
								
								
									
										160
									
								
								scripts/oss-fuzz/output_reproducer.py
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										160
									
								
								scripts/oss-fuzz/output_reproducer.py
									
									
									
									
									
										Executable file
									
								
							| @ -0,0 +1,160 @@ | ||||
| #!/usr/bin/env python3 | ||||
| # -*- coding: utf-8 -*- | ||||
| 
 | ||||
| """ | ||||
| Convert plain qtest traces to C or Bash reproducers | ||||
| 
 | ||||
| Use this to help build bug-reports or create in-tree reproducers for bugs. | ||||
| Note: This will not format C code for you. Pipe the output through | ||||
| clang-format -style="{BasedOnStyle: llvm, IndentWidth: 4, ColumnLimit: 90}" | ||||
| or similar | ||||
| """ | ||||
| 
 | ||||
| import sys | ||||
| import os | ||||
| import argparse | ||||
| import textwrap | ||||
| from datetime import date | ||||
| 
 | ||||
| __author__     = "Alexander Bulekov <alxndr@bu.edu>" | ||||
| __copyright__  = "Copyright (C) 2021, Red Hat, Inc." | ||||
| __license__    = "GPL version 2 or (at your option) any later version" | ||||
| 
 | ||||
| __maintainer__ = "Alexander Bulekov" | ||||
| __email__      = "alxndr@bu.edu" | ||||
| 
 | ||||
| 
 | ||||
| def c_header(owner): | ||||
|     return """/* | ||||
|  * Autogenerated Fuzzer Test Case | ||||
|  * | ||||
|  * Copyright (c) {date} {owner} | ||||
|  * | ||||
|  * This work is licensed under the terms of the GNU GPL, version 2 or later. | ||||
|  * See the COPYING file in the top-level directory. | ||||
|  */ | ||||
| 
 | ||||
| #include "qemu/osdep.h" | ||||
| 
 | ||||
| #include "libqos/libqtest.h" | ||||
| 
 | ||||
|     """.format(date=date.today().year, owner=owner) | ||||
| 
 | ||||
| def c_comment(s): | ||||
|     """ Return a multi-line C comment. Assume the text is already wrapped """ | ||||
|     return "/*\n * " + "\n * ".join(s.splitlines()) + "\n*/" | ||||
| 
 | ||||
| def print_c_function(s): | ||||
|     print("/* ") | ||||
|     for l in s.splitlines(): | ||||
|         print(" * {}".format(l)) | ||||
| 
 | ||||
| def bash_reproducer(path, args, trace): | ||||
|     result = '\\\n'.join(textwrap.wrap("cat << EOF | {} {}".format(path, args), | ||||
|                                        72, break_on_hyphens=False, | ||||
|                                        drop_whitespace=False)) | ||||
|     for l in trace.splitlines(): | ||||
|         result += "\n" + '\\\n'.join(textwrap.wrap(l,72,drop_whitespace=False)) | ||||
|     result += "\nEOF" | ||||
|     return result | ||||
| 
 | ||||
| def c_reproducer(name, args, trace): | ||||
|     result = [] | ||||
|     result.append("""static void {}(void)\n{{""".format(name)) | ||||
| 
 | ||||
|     # libqtest will add its own qtest args, so get rid of them | ||||
|     args = args.replace("-accel qtest","") | ||||
|     args = args.replace(",accel=qtest","") | ||||
|     args = args.replace("-machine accel=qtest","") | ||||
|     args = args.replace("-qtest stdio","") | ||||
|     result.append("""QTestState *s = qtest_init("{}");""".format(args)) | ||||
|     for l in trace.splitlines(): | ||||
|         param = l.split() | ||||
|         cmd = param[0] | ||||
|         if cmd == "write": | ||||
|             buf = param[3][2:] #Get the 0x... buffer and trim the "0x" | ||||
|             assert len(buf)%2 == 0 | ||||
|             bufbytes = [buf[i:i+2] for i in range(0, len(buf), 2)] | ||||
|             bufstring = '\\x'+'\\x'.join(bufbytes) | ||||
|             addr = param[1] | ||||
|             size = param[2] | ||||
|             result.append("""qtest_bufwrite(s, {}, "{}", {});""".format( | ||||
|                           addr, bufstring, size)) | ||||
|         elif cmd.startswith("in") or cmd.startswith("read"): | ||||
|             result.append("qtest_{}(s, {});".format( | ||||
|                           cmd, param[1])) | ||||
|         elif cmd.startswith("out") or cmd.startswith("write"): | ||||
|             result.append("qtest_{}(s, {}, {});".format( | ||||
|                           cmd, param[1], param[2])) | ||||
|         elif cmd == "clock_step": | ||||
|             if len(param) ==1: | ||||
|                 result.append("qtest_clock_step_next(s);") | ||||
|             else: | ||||
|                 result.append("qtest_clock_step(s, {});".format(param[1])) | ||||
|     result.append("qtest_quit(s);\n}") | ||||
|     return "\n".join(result) | ||||
| 
 | ||||
| def c_main(name, arch): | ||||
|     return """int main(int argc, char **argv) | ||||
| {{ | ||||
|     const char *arch = qtest_get_arch(); | ||||
| 
 | ||||
|     g_test_init(&argc, &argv, NULL); | ||||
| 
 | ||||
|    if (strcmp(arch, "{arch}") == 0) {{ | ||||
|         qtest_add_func("fuzz/{name}",{name}); | ||||
|    }} | ||||
| 
 | ||||
|    return g_test_run(); | ||||
| }}""".format(name=name, arch=arch) | ||||
| 
 | ||||
| def main(): | ||||
|     parser = argparse.ArgumentParser() | ||||
|     group = parser.add_mutually_exclusive_group() | ||||
|     group.add_argument("-bash", help="Only output a copy-pastable bash command", | ||||
|                         action="store_true") | ||||
|     group.add_argument("-c", help="Only output a c function", | ||||
|                         action="store_true") | ||||
|     parser.add_argument('-owner', help="If generating complete C source code, \ | ||||
|                         this specifies the Copyright owner", | ||||
|                         nargs='?', default="<name of author>") | ||||
|     parser.add_argument("-no_comment", help="Don't include a bash reproducer \ | ||||
|                         as a comment in the C reproducers", | ||||
|                         action="store_true") | ||||
|     parser.add_argument('-name', help="The name of the c function", | ||||
|                         nargs='?', default="test_fuzz") | ||||
|     parser.add_argument('input_trace', help="input QTest command sequence \ | ||||
|                         (stdin by default)", | ||||
|                         nargs='?', type=argparse.FileType('r'), | ||||
|                         default=sys.stdin) | ||||
|     args = parser.parse_args() | ||||
| 
 | ||||
|     qemu_path = os.getenv("QEMU_PATH") | ||||
|     qemu_args = os.getenv("QEMU_ARGS") | ||||
|     if not qemu_args or not qemu_path: | ||||
|         print("Please set QEMU_PATH and QEMU_ARGS environment variables") | ||||
|         sys.exit(1) | ||||
| 
 | ||||
|     bash_args = qemu_args | ||||
|     if " -qtest stdio" not in  qemu_args: | ||||
|         bash_args += " -qtest stdio" | ||||
| 
 | ||||
|     arch = qemu_path.split("-")[-1] | ||||
|     trace = args.input_trace.read().strip() | ||||
| 
 | ||||
|     if args.bash : | ||||
|         print(bash_reproducer(qemu_path, bash_args, trace)) | ||||
|     else: | ||||
|         output = "" | ||||
|         if not args.c: | ||||
|             output += c_header(args.owner) + "\n" | ||||
|         if not args.no_comment: | ||||
|             output += c_comment(bash_reproducer(qemu_path, bash_args, trace)) | ||||
|         output += c_reproducer(args.name, qemu_args, trace) | ||||
|         if not args.c: | ||||
|             output += c_main(args.name, arch) | ||||
|         print(output) | ||||
| 
 | ||||
| 
 | ||||
| if __name__ == '__main__': | ||||
|     main() | ||||
| @ -589,7 +589,7 @@ int scsi_sense_from_errno(int errno_value, SCSISense *sense) | ||||
|         return TASK_SET_FULL; | ||||
| #ifdef CONFIG_LINUX | ||||
|         /* These errno mapping are specific to Linux.  For more information:
 | ||||
|          * - scsi_decide_disposition in drivers/scsi/scsi_error.c | ||||
|          * - scsi_check_sense and scsi_decide_disposition in drivers/scsi/scsi_error.c | ||||
|          * - scsi_result_to_blk_status in drivers/scsi/scsi_lib.c | ||||
|          * - blk_errors[] in block/blk-core.c | ||||
|          */ | ||||
| @ -599,7 +599,7 @@ int scsi_sense_from_errno(int errno_value, SCSISense *sense) | ||||
|         *sense = SENSE_CODE(READ_ERROR); | ||||
|         return CHECK_CONDITION; | ||||
|     case EREMOTEIO: | ||||
|         *sense = SENSE_CODE(LUN_COMM_FAILURE); | ||||
|         *sense = SENSE_CODE(TARGET_FAILURE); | ||||
|         return CHECK_CONDITION; | ||||
| #endif | ||||
|     case ENOMEDIUM: | ||||
|  | ||||
| @ -1440,7 +1440,6 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr, | ||||
|     unsigned size = memop_size(op); | ||||
|     MemTxResult r; | ||||
| 
 | ||||
|     fuzz_dma_read_cb(addr, size, mr); | ||||
|     if (!memory_region_access_valid(mr, addr, size, false, attrs)) { | ||||
|         *pval = unassigned_mem_read(mr, addr, size); | ||||
|         return MEMTX_DECODE_ERROR; | ||||
|  | ||||
| @ -2801,6 +2801,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, | ||||
|     bool release_lock = false; | ||||
|     uint8_t *buf = ptr; | ||||
| 
 | ||||
|     fuzz_dma_read_cb(addr, len, mr); | ||||
|     for (;;) { | ||||
|         if (!memory_access_is_direct(mr, false)) { | ||||
|             /* I/O case */ | ||||
| @ -2811,7 +2812,6 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, | ||||
|             stn_he_p(buf, l, val); | ||||
|         } else { | ||||
|             /* RAM case */ | ||||
|             fuzz_dma_read_cb(addr, len, mr); | ||||
|             ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); | ||||
|             memcpy(buf, ram_ptr, l); | ||||
|         } | ||||
|  | ||||
							
								
								
									
										49
									
								
								tests/qtest/fuzz-megasas-test.c
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										49
									
								
								tests/qtest/fuzz-megasas-test.c
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,49 @@ | ||||
| /*
 | ||||
|  * QTest fuzzer-generated testcase for megasas device | ||||
|  * | ||||
|  * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com> | ||||
|  * | ||||
|  * This work is licensed under the terms of the GNU GPL, version 2 or later. | ||||
|  * See the COPYING file in the top-level directory. | ||||
|  */ | ||||
| 
 | ||||
| #include "qemu/osdep.h" | ||||
| 
 | ||||
| #include "libqos/libqtest.h" | ||||
| 
 | ||||
| /*
 | ||||
|  * This used to trigger the assert in scsi_dma_complete | ||||
|  * https://bugs.launchpad.net/qemu/+bug/1878263
 | ||||
|  */ | ||||
| static void test_lp1878263_megasas_zero_iov_cnt(void) | ||||
| { | ||||
|     QTestState *s; | ||||
| 
 | ||||
|     s = qtest_init("-nographic -monitor none -serial none " | ||||
|                    "-M q35 -device megasas -device scsi-cd,drive=null0 " | ||||
|                    "-blockdev driver=null-co,read-zeroes=on,node-name=null0"); | ||||
|     qtest_outl(s, 0xcf8, 0x80001818); | ||||
|     qtest_outl(s, 0xcfc, 0xc101); | ||||
|     qtest_outl(s, 0xcf8, 0x8000181c); | ||||
|     qtest_outl(s, 0xcf8, 0x80001804); | ||||
|     qtest_outw(s, 0xcfc, 0x7); | ||||
|     qtest_outl(s, 0xcf8, 0x8000186a); | ||||
|     qtest_writeb(s, 0x14, 0xfe); | ||||
|     qtest_writeb(s, 0x0, 0x02); | ||||
|     qtest_outb(s, 0xc1c0, 0x17); | ||||
|     qtest_quit(s); | ||||
| } | ||||
| 
 | ||||
| int main(int argc, char **argv) | ||||
| { | ||||
|     const char *arch = qtest_get_arch(); | ||||
| 
 | ||||
|     g_test_init(&argc, &argv, NULL); | ||||
| 
 | ||||
|     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { | ||||
|         qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt", | ||||
|                        test_lp1878263_megasas_zero_iov_cnt); | ||||
|     } | ||||
| 
 | ||||
|     return g_test_run(); | ||||
| } | ||||
| @ -11,29 +11,6 @@ | ||||
| 
 | ||||
| #include "libqos/libqtest.h" | ||||
| 
 | ||||
| /*
 | ||||
|  * This used to trigger the assert in scsi_dma_complete | ||||
|  * https://bugs.launchpad.net/qemu/+bug/1878263
 | ||||
|  */ | ||||
| static void test_lp1878263_megasas_zero_iov_cnt(void) | ||||
| { | ||||
|     QTestState *s; | ||||
| 
 | ||||
|     s = qtest_init("-nographic -monitor none -serial none " | ||||
|                    "-M q35 -device megasas -device scsi-cd,drive=null0 " | ||||
|                    "-blockdev driver=null-co,read-zeroes=on,node-name=null0"); | ||||
|     qtest_outl(s, 0xcf8, 0x80001818); | ||||
|     qtest_outl(s, 0xcfc, 0xc101); | ||||
|     qtest_outl(s, 0xcf8, 0x8000181c); | ||||
|     qtest_outl(s, 0xcf8, 0x80001804); | ||||
|     qtest_outw(s, 0xcfc, 0x7); | ||||
|     qtest_outl(s, 0xcf8, 0x8000186a); | ||||
|     qtest_writeb(s, 0x14, 0xfe); | ||||
|     qtest_writeb(s, 0x0, 0x02); | ||||
|     qtest_outb(s, 0xc1c0, 0x17); | ||||
|     qtest_quit(s); | ||||
| } | ||||
| 
 | ||||
| static void test_lp1878642_pci_bus_get_irq_level_assert(void) | ||||
| { | ||||
|     QTestState *s; | ||||
| @ -47,55 +24,6 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void) | ||||
|     qtest_quit(s); | ||||
| } | ||||
| 
 | ||||
| /*
 | ||||
|  * Here a MemoryRegionCache pointed to an MMIO region but had a | ||||
|  * larger size than the underlying region. | ||||
|  */ | ||||
| static void test_mmio_oob_from_memory_region_cache(void) | ||||
| { | ||||
|     QTestState *s; | ||||
| 
 | ||||
|     s = qtest_init("-M pc-q35-5.2 -display none -m 512M " | ||||
| 		   "-device virtio-scsi,num_queues=8,addr=03.0 "); | ||||
| 
 | ||||
|     qtest_outl(s, 0xcf8, 0x80001811); | ||||
|     qtest_outb(s, 0xcfc, 0x6e); | ||||
|     qtest_outl(s, 0xcf8, 0x80001824); | ||||
|     qtest_outl(s, 0xcf8, 0x80001813); | ||||
|     qtest_outl(s, 0xcfc, 0xa080000); | ||||
|     qtest_outl(s, 0xcf8, 0x80001802); | ||||
|     qtest_outl(s, 0xcfc, 0x5a175a63); | ||||
|     qtest_outb(s, 0x6e08, 0x9e); | ||||
|     qtest_writeb(s, 0x9f003, 0xff); | ||||
|     qtest_writeb(s, 0x9f004, 0x01); | ||||
|     qtest_writeb(s, 0x9e012, 0x0e); | ||||
|     qtest_writeb(s, 0x9e01b, 0x0e); | ||||
|     qtest_writeb(s, 0x9f006, 0x01); | ||||
|     qtest_writeb(s, 0x9f008, 0x01); | ||||
|     qtest_writeb(s, 0x9f00a, 0x01); | ||||
|     qtest_writeb(s, 0x9f00c, 0x01); | ||||
|     qtest_writeb(s, 0x9f00e, 0x01); | ||||
|     qtest_writeb(s, 0x9f010, 0x01); | ||||
|     qtest_writeb(s, 0x9f012, 0x01); | ||||
|     qtest_writeb(s, 0x9f014, 0x01); | ||||
|     qtest_writeb(s, 0x9f016, 0x01); | ||||
|     qtest_writeb(s, 0x9f018, 0x01); | ||||
|     qtest_writeb(s, 0x9f01a, 0x01); | ||||
|     qtest_writeb(s, 0x9f01c, 0x01); | ||||
|     qtest_writeb(s, 0x9f01e, 0x01); | ||||
|     qtest_writeb(s, 0x9f020, 0x01); | ||||
|     qtest_writeb(s, 0x9f022, 0x01); | ||||
|     qtest_writeb(s, 0x9f024, 0x01); | ||||
|     qtest_writeb(s, 0x9f026, 0x01); | ||||
|     qtest_writeb(s, 0x9f028, 0x01); | ||||
|     qtest_writeb(s, 0x9f02a, 0x01); | ||||
|     qtest_writeb(s, 0x9f02c, 0x01); | ||||
|     qtest_writeb(s, 0x9f02e, 0x01); | ||||
|     qtest_writeb(s, 0x9f030, 0x01); | ||||
|     qtest_outb(s, 0x6e10, 0x00); | ||||
|     qtest_quit(s); | ||||
| } | ||||
| 
 | ||||
| int main(int argc, char **argv) | ||||
| { | ||||
|     const char *arch = qtest_get_arch(); | ||||
| @ -103,12 +31,8 @@ int main(int argc, char **argv) | ||||
|     g_test_init(&argc, &argv, NULL); | ||||
| 
 | ||||
|     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { | ||||
|         qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt", | ||||
|                        test_lp1878263_megasas_zero_iov_cnt); | ||||
|         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert", | ||||
|                        test_lp1878642_pci_bus_get_irq_level_assert); | ||||
|         qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache", | ||||
|                        test_mmio_oob_from_memory_region_cache); | ||||
|     } | ||||
| 
 | ||||
|     return g_test_run(); | ||||
|  | ||||
							
								
								
									
										75
									
								
								tests/qtest/fuzz-virtio-scsi-test.c
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										75
									
								
								tests/qtest/fuzz-virtio-scsi-test.c
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,75 @@ | ||||
| /*
 | ||||
|  * QTest fuzzer-generated testcase for virtio-scsi device | ||||
|  * | ||||
|  * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com> | ||||
|  * | ||||
|  * This work is licensed under the terms of the GNU GPL, version 2 or later. | ||||
|  * See the COPYING file in the top-level directory. | ||||
|  */ | ||||
| 
 | ||||
| #include "qemu/osdep.h" | ||||
| 
 | ||||
| #include "libqos/libqtest.h" | ||||
| 
 | ||||
| /*
 | ||||
|  * Here a MemoryRegionCache pointed to an MMIO region but had a | ||||
|  * larger size than the underlying region. | ||||
|  */ | ||||
| static void test_mmio_oob_from_memory_region_cache(void) | ||||
| { | ||||
|     QTestState *s; | ||||
| 
 | ||||
|     s = qtest_init("-M pc-q35-5.2 -display none -m 512M " | ||||
|                    "-device virtio-scsi,num_queues=8,addr=03.0 "); | ||||
| 
 | ||||
|     qtest_outl(s, 0xcf8, 0x80001811); | ||||
|     qtest_outb(s, 0xcfc, 0x6e); | ||||
|     qtest_outl(s, 0xcf8, 0x80001824); | ||||
|     qtest_outl(s, 0xcf8, 0x80001813); | ||||
|     qtest_outl(s, 0xcfc, 0xa080000); | ||||
|     qtest_outl(s, 0xcf8, 0x80001802); | ||||
|     qtest_outl(s, 0xcfc, 0x5a175a63); | ||||
|     qtest_outb(s, 0x6e08, 0x9e); | ||||
|     qtest_writeb(s, 0x9f003, 0xff); | ||||
|     qtest_writeb(s, 0x9f004, 0x01); | ||||
|     qtest_writeb(s, 0x9e012, 0x0e); | ||||
|     qtest_writeb(s, 0x9e01b, 0x0e); | ||||
|     qtest_writeb(s, 0x9f006, 0x01); | ||||
|     qtest_writeb(s, 0x9f008, 0x01); | ||||
|     qtest_writeb(s, 0x9f00a, 0x01); | ||||
|     qtest_writeb(s, 0x9f00c, 0x01); | ||||
|     qtest_writeb(s, 0x9f00e, 0x01); | ||||
|     qtest_writeb(s, 0x9f010, 0x01); | ||||
|     qtest_writeb(s, 0x9f012, 0x01); | ||||
|     qtest_writeb(s, 0x9f014, 0x01); | ||||
|     qtest_writeb(s, 0x9f016, 0x01); | ||||
|     qtest_writeb(s, 0x9f018, 0x01); | ||||
|     qtest_writeb(s, 0x9f01a, 0x01); | ||||
|     qtest_writeb(s, 0x9f01c, 0x01); | ||||
|     qtest_writeb(s, 0x9f01e, 0x01); | ||||
|     qtest_writeb(s, 0x9f020, 0x01); | ||||
|     qtest_writeb(s, 0x9f022, 0x01); | ||||
|     qtest_writeb(s, 0x9f024, 0x01); | ||||
|     qtest_writeb(s, 0x9f026, 0x01); | ||||
|     qtest_writeb(s, 0x9f028, 0x01); | ||||
|     qtest_writeb(s, 0x9f02a, 0x01); | ||||
|     qtest_writeb(s, 0x9f02c, 0x01); | ||||
|     qtest_writeb(s, 0x9f02e, 0x01); | ||||
|     qtest_writeb(s, 0x9f030, 0x01); | ||||
|     qtest_outb(s, 0x6e10, 0x00); | ||||
|     qtest_quit(s); | ||||
| } | ||||
| 
 | ||||
| int main(int argc, char **argv) | ||||
| { | ||||
|     const char *arch = qtest_get_arch(); | ||||
| 
 | ||||
|     g_test_init(&argc, &argv, NULL); | ||||
| 
 | ||||
|     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { | ||||
|         qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache", | ||||
|                        test_mmio_oob_from_memory_region_cache); | ||||
|     } | ||||
| 
 | ||||
|     return g_test_run(); | ||||
| } | ||||
| @ -28,6 +28,7 @@ | ||||
| #include "hw/pci/pci.h" | ||||
| #include "hw/boards.h" | ||||
| #include "generic_fuzz_configs.h" | ||||
| #include "hw/mem/sparse-mem.h" | ||||
| 
 | ||||
| /*
 | ||||
|  * SEPARATOR is used to separate "operations" in the fuzz input | ||||
| @ -64,6 +65,8 @@ static useconds_t timeout = DEFAULT_TIMEOUT_US; | ||||
| 
 | ||||
| static bool qtest_log_enabled; | ||||
| 
 | ||||
| MemoryRegion *sparse_mem_mr; | ||||
| 
 | ||||
| /*
 | ||||
|  * A pattern used to populate a DMA region or perform a memwrite. This is | ||||
|  * useful for e.g. populating tables of unique addresses. | ||||
| @ -191,8 +194,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr) | ||||
|      */ | ||||
|     if (dma_patterns->len == 0 | ||||
|         || len == 0 | ||||
|         || mr != current_machine->ram | ||||
|         || addr > current_machine->ram_size) { | ||||
|         || (mr != current_machine->ram && mr != sparse_mem_mr)) { | ||||
|         return; | ||||
|     } | ||||
| 
 | ||||
| @ -238,7 +240,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr) | ||||
|                                       MEMTXATTRS_UNSPECIFIED); | ||||
| 
 | ||||
|         if (!(memory_region_is_ram(mr1) || | ||||
|               memory_region_is_romd(mr1))) { | ||||
|               memory_region_is_romd(mr1)) && mr1 != sparse_mem_mr) { | ||||
|             l = memory_access_size(mr1, l, addr1); | ||||
|         } else { | ||||
|             /* ROM/RAM case */ | ||||
| @ -583,6 +585,21 @@ static void handle_timeout(int sig) | ||||
|         fprintf(stderr, "[Timeout]\n"); | ||||
|         fflush(stderr); | ||||
|     } | ||||
| 
 | ||||
|     /*
 | ||||
|      * If there is a crash, libfuzzer/ASAN forks a child to run an | ||||
|      * "llvm-symbolizer" process for printing out a pretty stacktrace. It | ||||
|      * communicates with this child using a pipe.  If we timeout+Exit, while | ||||
|      * libfuzzer is still communicating with the llvm-symbolizer child, we will | ||||
|      * be left with an orphan llvm-symbolizer process. Sometimes, this appears | ||||
|      * to lead to a deadlock in the forkserver. Use waitpid to check if there | ||||
|      * are any waitable children. If so, exit out of the signal-handler, and | ||||
|      * let libfuzzer finish communicating with the child, and exit, on its own. | ||||
|      */ | ||||
|     if (waitpid(-1, NULL, WNOHANG) == 0) { | ||||
|         return; | ||||
|     } | ||||
| 
 | ||||
|     _Exit(0); | ||||
| } | ||||
| 
 | ||||
| @ -799,6 +816,12 @@ static void generic_pre_fuzz(QTestState *s) | ||||
|     } | ||||
|     qts_global = s; | ||||
| 
 | ||||
|     /*
 | ||||
|      * Create a special device that we can use to back DMA buffers at very | ||||
|      * high memory addresses | ||||
|      */ | ||||
|     sparse_mem_mr = sparse_mem_init(0, UINT64_MAX); | ||||
| 
 | ||||
|     dma_regions = g_array_new(false, false, sizeof(address_range)); | ||||
|     dma_patterns = g_array_new(false, false, sizeof(pattern)); | ||||
| 
 | ||||
|  | ||||
| @ -177,7 +177,7 @@ const generic_fuzz_config predefined_configs[] = { | ||||
|         .name = "i82550", | ||||
|         .args = "-machine q35 -nodefaults " | ||||
|         "-device i82550,netdev=net0 -netdev user,id=net0", | ||||
|         .objects = "eepro*" | ||||
|         .objects = "i8255*" | ||||
|     },{ | ||||
|         .name = "sdhci-v3", | ||||
|         .args = "-nodefaults -device sdhci-pci,sd-spec-version=3 " | ||||
| @ -208,6 +208,12 @@ const generic_fuzz_config predefined_configs[] = { | ||||
|         .args = "-machine q35 -nodefaults -device megasas -device scsi-cd,drive=null0 " | ||||
|         "-blockdev driver=null-co,read-zeroes=on,node-name=null0", | ||||
|         .objects = "megasas*", | ||||
|     },{ | ||||
|         .name = "am53c974", | ||||
|         .args = "-device am53c974,id=scsi -device scsi-hd,drive=disk0 " | ||||
|                  "-drive id=disk0,if=none,file=null-co://,format=raw " | ||||
|                  "-nodefaults", | ||||
|         .objects = "*esp* *scsi* *am53c974*", | ||||
|     },{ | ||||
|         .name = "ac97", | ||||
|         .args = "-machine q35 -nodefaults " | ||||
|  | ||||
| @ -17,7 +17,10 @@ slow_qtests = { | ||||
|   'test-hmp' : 120, | ||||
| } | ||||
| 
 | ||||
| qtests_generic = [ | ||||
| qtests_generic = \ | ||||
|   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ | ||||
|   (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ | ||||
|   [ | ||||
|   'cdrom-test', | ||||
|   'device-introspect-test', | ||||
|   'machine-none-test', | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user
	 Peter Maydell
						Peter Maydell