When we are building for OSS-Fuzz, we want to ensure that the fuzzer
targets are actually created, regardless of leaks. Leaks will be
detected by the subsequent tests of the individual fuzz-targets.
Signed-off-by: Alexander Bulekov
---
scripts/oss-fuzz/build.sh | 1 +
1 file changed, 1
On 240527 1007, Alexander Bulekov wrote:
> On 240527 0734, Thomas Huth wrote:
> > On 27/05/2024 06.07, Alexander Bulekov wrote:
> > > Fixes test-failure on Fedora 40 CI.
> > >
> > > Reported-by: Thomas Huth
> > > Signed-off-by: Alexande
On 240527 0734, Thomas Huth wrote:
> On 27/05/2024 06.07, Alexander Bulekov wrote:
> > Fixes test-failure on Fedora 40 CI.
> >
> > Reported-by: Thomas Huth
> > Signed-off-by: Alexander Bulekov
> > ---
> > tests/qtest/fuzz/generic_fuzz_configs.h | 3 ++-
Fixes test-failure on Fedora 40 CI.
Reported-by: Thomas Huth
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/generic_fuzz_configs.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h
b/tests/qtest/fuzz/generic_fuzz_configs.h
On 240321 2208, Vladimir Sementsov-Ogievskiy wrote:
> On 21.03.24 18:01, Alexander Bulekov wrote:
> > On 240320 0024, Vladimir Sementsov-Ogievskiy wrote:
> > > Hi all!
> > >
> > > From fuzzing I've got a fuzz-data, which produces the following crash:
>
On 240320 0024, Vladimir Sementsov-Ogievskiy wrote:
> Hi all!
>
> From fuzzing I've got a fuzz-data, which produces the following crash:
>
> qemu-fuzz-x86_64: ../hw/net/virtio-net.c:134: void
> flush_or_purge_queued_packets(NetClientState *): Assertion
>
On 231115 1522, Brian Cain wrote:
> Alexander, Bandan, Paolo, Stefan, Manuel,
>
> Hi, I'm Brian and I maintain the Hexagon arch for QEMU. Elia, a security
> researcher at Qualcomm is exploring ways to fuzz some hexagon OS kernel with
> QEMU and in particular leveraging snapshotting, inspired
Reviewed-by: Alexander Bulekov
Thank you
On 231004 1106, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> tests/qtest/fuzz/fuzz.h | 4 ++--
> softmmu/memory.c | 2 +-
> tests/qtest/fuzz/fuzz.c | 2 +-
> 3 files changed, 4 insertio
> >> One consequence of the prior behavior was that setting zero sectors
> >> per track could lead to an FPE within ide_set_sector(). Thanks to
> >> Alexander Bulekov for reporting this issue.
> >>
> >> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1243
s://gitlab.com/qemu-project/qemu/-/issues/1744
> Signed-off-by: Marc-André Lureau
Reviewed-by: Alexander Bulekov
On 230627 1502, marcandre.lur...@redhat.com wrote:
> From: Marc-André Lureau
>
> Allocate pixman bits for scanouts with qemu_win32_map_alloc() so we can
> set a shareable handle on the associated display surface.
>
> Note: when bits are provided to pixman_image_create_bits(), you must also give
Reviewed-by: Alexander Bulekov
Thanks
> ---
> tests/docker/test-fuzz | 28
> 1 file changed, 28 insertions(+)
> create mode 100755 tests/docker/test-fuzz
>
> diff --git a/tests/docker/test-fuzz b/tests/docker/test-fuzz
> new file mode 100755
>
On 230626 2259, Alex Bennée wrote:
> An update to the clang tooling detects more issues with the code
> including a memory leak from the g_string_new() allocation. Clean up
> the code with g_autoptr and use ARRAY_SIZE while we are at it.
>
> Signed-off-by: Alex Bennée
Reviewe
On 230329 0542, Alexander Bulekov wrote:
> On 230213 1841, Mauro Matteo Cascella wrote:
> > The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
> > bytes long. Only fill in the buffer as long as there is enough space, throw away
ReentrancyGuard * as a
> parameter of qemu_new_nic().
>
> Signed-off-by: Akihiko Odaki
Reviewed-by: Alexander Bulekov
One minor comment below.
> ---
> include/net/net.h | 1 +
> hw/net/allwinner-sun8i-emac.c | 3 ++-
> hw/net/allwinner_emac.c | 3 ++-
> hw/n
023-3019
> Reported-by: Alexander Bulekov
> Signed-off-by: Akihiko Odaki
Acked-by: Alexander Bulekov
> ---
> include/net/net.h | 1 +
> net/net.c | 14 ++
> 2 files changed, 15 insertions(+)
>
> diff --git a/include/net/net.h b/include/net/net.h
ab.com/qemu-project/qemu/-/issues/1563
> Signed-off-by: Thomas Huth
Reviewed-by: Alexander Bulekov
On 230516 1105, Thomas Huth wrote:
> While trying to use a SCSI disk on the LSI controller with an
> older version of Fedora (25), I'm getting:
>
> qemu: warning: Blocked re-entrant IO on MemoryRegion: lsi-mmio at addr: 0x34
Do you have a gdb backtrace for this one or is there some easy way to
engaged_in_io could be unset by an MR with re-entrancy checks disabled.
Ensure that only MRs that can set the engaged_in_io flag can unset it.
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1563
Reported-by: Thomas Huth
Signed-off-by: Alexander Bulekov
---
softmmu/memory.c | 4 +++-
1
On 230511 1104, Cédric Le Goater wrote:
> Hello Alexander
>
> On 5/11/23 10:53, Alexander Bulekov wrote:
> > As lpc-hc is designed for re-entrant calls from xscom, mark it
> > re-entrancy safe.
> >
> > Reported-by: Thomas Huth
> > Signed-off-by: Alexander
As lpc-hc is designed for re-entrant calls from xscom, mark it
re-entrancy safe.
Reported-by: Thomas Huth
Signed-off-by: Alexander Bulekov
---
hw/ppc/pnv_lpc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
index 01f44c19eb..67fd049a7f 100644
--- a/hw
loongarch_ipi_iocsr MRs rely on re-entrant IO through the ipi_send
function. As such, mark these MRs re-entrancy-safe.
Fixes: a2e1753b80 ("memory: prevent dma-reentracy issues")
Signed-off-by: Alexander Bulekov
---
hw/intc/loongarch_ipi.c | 4
1 file changed, 4 insertions(+)
Signed-off-by: Alexander Bulekov
---
util/async.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/util/async.c b/util/async.c
index 9df7674b4e..055070ffbd 100644
--- a/util/async.c
+++ b/util/async.c
@@ -156,18 +156,20 @@ void aio_bh_call(QEMUBH *bh)
{
On 230428 1143, Thomas Huth wrote:
> From: Alexander Bulekov
>
> Devices can pass their MemoryReentrancyGuard (from their DeviceState),
> when creating new BHes. Then, the async API will toggle the guard
> before/after calling the BH call-back. This prevents bh->mmio r
On 230428 1015, Thomas Huth wrote:
> On 28/04/2023 10.12, Daniel P. Berrangé wrote:
> > On Thu, Apr 27, 2023 at 05:10:06PM -0400, Alexander Bulekov wrote:
> > > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > > This flag is set/checked
As the code is designed for re-entrant calls from raven_io_ops to
pci-conf, mark raven_io_ops as reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
hw/pci-host/raven.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index 072ffe3c5e
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
As the code is designed for re-entrant calls from bcm2835_property to
bcm2835_mbox and back into bcm2835_property, mark iomem as
reentrancy-safe.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
hw/misc/bcm2835_property.c | 7 +++
1 file changed, 7 insertions(+)
diff --git
call qemu_bh_new_guarded)
I replaced most of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially accessible.
Alexander Bulekov (8):
memory: prevent dma-reentracy issues
async: Add an optional reentrancy guard to the BH API
checkpa
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
Reviewed
As the code is designed for re-entrant calls to apic-msi, mark apic-msi
as reentrancy-safe.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
hw/intc/apic.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 20b5a94073..ac3d47d231
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
lab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Resolves: CVE-2023-0330
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
include/exec/memory.h | 5 +
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 16 +
On 230426 1219, Alexander Bulekov wrote:
> This is useful for using unit-tests/fuzzing to detect bugs introduced by
> the re-entrancy guard mechanism into devices that are intentionally
> re-entrant.
>
> Signed-off-by: Alexander Bulekov
> Reviewed-by: Thomas Huth
> ---
Thi
As the code is designed for re-entrant calls to apic-msi, mark apic-msi
as reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
Based-on: <20230426161951.2948996-1-alx...@bu.edu>
hw/intc/apic.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
On 230427 1504, Thomas Huth wrote:
> On 26/04/2023 18.19, Alexander Bulekov wrote:
> > v8 -> v9:
> > - Disable reentrancy checks for raven's iomem (Patch 8)
> > - Fix non-bisectable disable_reentrancy_guard patch by squashing it
> > into Patch 1.
>
This is useful for using unit-tests/fuzzing to detect bugs introduced by
the re-entrancy guard mechanism into devices that are intentionally
re-entrant.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
softmmu/memory.c | 3 +++
util/async.c | 3 +++
2 files changed, 6
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
As the code is designed for re-entrant calls from bcm2835_property to
bcm2835_mbox and back into bcm2835_property, mark iomem as
reentrancy-safe.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
hw/misc/bcm2835_property.c | 7 +++
1 file changed, 7 insertions(+)
diff --git
lab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Resolves: CVE-2023-0330
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
include/exec/memory.h | 5 +
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 14 +++
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
Reviewed
As the code is designed for re-entrant calls from raven_io_ops to
pci-conf, mark raven_io_ops as reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
hw/pci-host/raven.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index 072ffe3c5e
ceState. Thus, this version allows a
device to associate a reentrancy-guard with a bh, when creating it.
(Instead of calling qemu_bh_new, you call qemu_bh_new_guarded)
I replaced most of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially a
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
On 230425 1146, Thomas Huth wrote:
> On 21/04/2023 16.27, Alexander Bulekov wrote:
> > v7 -> v8:
> > - Disable reentrancy checks for bcm2835_property's iomem (Patch 7)
> > - Cache DeviceState* in the MemoryRegion to avoid dynamic cast for
> > each
On 230425 0941, Thomas Huth wrote:
> On 21/04/2023 16.27, Alexander Bulekov wrote:
> > Signed-off-by: Alexander Bulekov
> > Reviewed-by: Thomas Huth
> > Reviewed-by: Darren Kenny
> > ---
> > include/exec/memory.h | 3 +++
> > 1 file changed, 3 insertion
This is useful for using unit-tests/fuzzing to detect bugs introduced by
the re-entrancy guard mechanism into devices that are intentionally
re-entrant.
Signed-off-by: Alexander Bulekov
---
softmmu/memory.c | 3 +++
util/async.c | 3 +++
2 files changed, 6 insertions(+)
diff --git
As the code is designed for re-entrant calls from bcm2835_property to
bcm2835_mbox and back into bcm2835_property, mark iomem as
reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
hw/misc/bcm2835_property.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/misc/bcm2835_property.c
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially accessible.
Alexander Bulekov (8):
memory: prevent dma-reentracy issues
async: Add an optional reentrancy guard to the BH API
checkpatch: add qemu_bh_new/aio_bh_new che
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
Reviewed-by: Darren Kenny
---
include/exec/memory.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 6c0a5e68d3..4e9531bd8a 100644
--- a/include/exec/memory.h
+++ b/include/exec
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
Reviewed
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
lab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Resolves: CVE-2023-0330
Signed-off-by: Alexander Bulekov
---
include/exec/memory.h | 2 ++
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 14 ++
softmmu/trace-events |
> Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Maybe instead:
Closes: https://g
On 230328 1859, Markus Armbruster wrote:
> At this moment, arm_load_dtb() can free machine->fdt when
> binfo->dtb_filename is NULL. If there's no 'dtb_filename', 'fdt' will be
> retrieved by binfo->get_dtb(). If get_dtb() returns machine->fdt, as is
> the case of machvirt_dtb() from hw/arm/virt.c,
Tested-by: Alexander Bulekov
Thanks
> ---
> hw/usb/dev-wacom.c | 20 +---
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
> index 7177c17f03..ca9e6aa82f 100644
> --- a/hw/usb/dev-wacom.c
> +++ b/
On 230214 1148, Mauro Matteo Cascella wrote:
> Hi Philippe,
>
> On Mon, Feb 13, 2023 at 7:26 PM Philippe Mathieu-Daudé
> wrote:
> >
> > Hi Mauro,
> >
> > On 13/2/23 18:41, Mauro Matteo Cascella wrote:
> > > The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
> >
On 230324 1200, Mauro Matteo Cascella wrote:
> On Fri, Mar 17, 2023 at 10:59 PM Philippe Mathieu-Daudé
> wrote:
> >
> > On 17/3/23 19:18, Karl Heubaum wrote:
> > > Did this CVE fix fall in the cracks during the QEMU 8.0 merge window?
> >
> > The patch isn't reviewed, and apparently almost no
On 230316 2124, Akihiko Odaki wrote:
> A guest may ask a memory-mapped device to perform DMA. If the
> address specified for DMA is the device performing DMA, it will create
> recursion. It is very unlikely that device implementations are prepared
> for such an abnormal access, which can
On 230313 1608, Peter Maydell wrote:
> On Mon, 13 Mar 2023 at 15:41, Philippe Mathieu-Daudé
> wrote:
> > Now I wonder again if this is a good time to merge this change set.
>
> No, I don't think it is at this point in the release
> cycle. I would vote for merging it when we reopen for 8.1,
> so
On 230313 1502, Thomas Huth wrote:
> On 13/03/2023 09.24, Alexander Bulekov wrote:
> > v6 -> v7:
> > - Fix bad qemu_bh_new_guarded calls found by Thomas (Patch 4)
> > - Add an MR-specific flag to disable reentrancy (Patch 5)
> > - Disable reentrancy ch
On 230313 0515, Alexander Bulekov wrote:
> >
> > At this point I'm not sure anymore this is a device or MR property.
>
> It's designed to be an MR property. If it were MR specific, it wouldn't
Should be "It's designed to be a Device property."
On 230313 0945, Philippe Mathieu-Daudé wrote:
> Hi Alex,
>
> Sorry for the late review, *sigh*.
>
> On 13/3/23 09:24, Alexander Bulekov wrote:
> > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > This flag is set/checked prior to call
lab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Alexander Bulekov
Acked-by: Peter Xu
---
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 17 +
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
Signed-off-by: Alexander Bulekov
---
include/exec/memory.h | 3 +++
softmmu/memory.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 6fa0b071f0..5154b123d8 100644
--- a/include/exec/memory.h
+++ b/include/exec
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
---
hw/scsi
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
---
hw/9pfs/xen-9p-backen
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
_bh_new_guarded)
I replaced most of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially accessible.
Alexander Bulekov (6):
memory: prevent dma-reentracy issues
async: Add an optional reentrancy guard to the BH API
checkpatch: a
On 230302 1103, Carlos López wrote:
> In virtqueue_{split,packed}_get_avail_bytes() descriptors are read
> in a loop via MemoryRegionCache regions and calls to
> vring_{split,packed}_desc_read() - these take a region cache and the
> index of the descriptor to be read.
>
> For direct descriptors
On 230310 0802, Alexander Bulekov wrote:
> On 230310 1245, Peter Maydell wrote:
> > On Fri, 10 Mar 2023 at 12:32, Alexander Bulekov wrote:
> > > This MR seems to be "lsi-ram".
> > >
> > > From hw/scsi/lsi53c895a.c:
> > >
>
On 230310 1245, Peter Maydell wrote:
> On Fri, 10 Mar 2023 at 12:32, Alexander Bulekov wrote:
> > This MR seems to be "lsi-ram".
> >
> > From hw/scsi/lsi53c895a.c:
> >
> > memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
> > &quo
On 230310 0723, Alexander Bulekov wrote:
> On 230310 1214, Fiona Ebner wrote:
> > Am 05.02.23 um 05:07 schrieb Alexander Bulekov:
> > > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > > This flag is set/checked prior to calling a device's
On 230310 1214, Fiona Ebner wrote:
> Am 05.02.23 um 05:07 schrieb Alexander Bulekov:
> > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > This flag is set/checked prior to calling a device's MemoryRegion
> > handlers, and set when device code initia
[[ CCing qemu-devel in case someone can spot something wrong faster than me]]
On 230308 1042, Thomas Huth wrote:
[snip]
> > > I'd really love to see this series included in QEMU 8.0, so to help with
> > > testing a little bit, I've put it in my gitlab-CI for testing. However, it
> > > hit a
On 230302 1627, byzero wrote:
> Hi,
> The bug class of MMIO reentrancy is fixed by adding a member "memory" in
> the struct "MemTxAttrs", but the patch only exists in 7.x version, which is
As a side-note, that patch doesn't fix the entire class of
DMA-reentrancy bugs. There are still active DMA
On 230216 1214, Thomas Huth wrote:
> On 13/02/2023 03.11, Alexander Bulekov wrote:
> > ping
>
> I think it would be really good to finally get these dma-reentrancy issues
> fixed! Who's supposed to pick up these patches? Paolo? David? Peter?
Ping
>
> Thomas
> This can be fixed by ensuring we always call g_test_init first in the
> body of main.
>
> Thanks: Daniel Berrange, for diagnosing the problem
> Signed-off-by: Richard W.M. Jones
Reviewed-by: Alexander Bulekov
On 230217 1048, Darren Kenny wrote:
> I know this is a pull request, but if you prefer to have all the patches
> with an R-b, you can add mine here too, but I'll leave it up to you.
>
> Reviewed-by: Darren Kenny
>
Thank you Darren - I missed that this one wasn't reviewed.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
docs/devel/fuzzing.rst | 22 ++
1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
index 715330c856..3bfcb33fc4 100644
--- a/docs/devel/fuzzing.rst
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/virtio_blk_fuzz.c | 51 --
1 file changed, 7 insertions(+), 44 deletions(-)
diff --git a/tests/qtest/fuzz/virtio_blk_fuzz.c
b/tests/qtest/fuzz/virtio_blk_fuzz.c
index a9fb9ecf6c
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/generic_fuzz.c | 114 ++--
1 file changed, 22 insertions(+), 92 deletions(-)
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 7326f6840b..f4acfa45cc
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/i440fx_fuzz.c | 27 +--
1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
index b17fc725df..155fe018f8 100644
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/virtio_scsi_fuzz.c | 51 -
1 file changed, 7 insertions(+), 44 deletions(-)
diff --git a/tests/qtest/fuzz/virtio_scsi_fuzz.c
b/tests/qtest/fuzz/virtio_scsi_fuzz.c
index b3220ef6cb
is no longer in active development). Remove it in favor of other
methods of resetting state between inputs.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
meson.build | 4 ---
tests/qtest/fuzz/fork_fuzz.c | 41 -
tests/qtest/fuzz/fork_fuzz.h | 23
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/virtio_net_fuzz.c | 54 +++---
1 file changed, 5 insertions(+), 49 deletions(-)
diff --git a/tests/qtest/fuzz/virtio_net_fuzz.c
b/tests/qtest/fuzz/virtio_net_fuzz.c
index c2c15f07f0
As we are converting most fuzzers to rely on reboots to reset state,
introduce an API to make sure reboots are invoked in a consistent
manner.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/fuzz.c | 6 ++
tests/qtest/fuzz/fuzz.h | 2 +-
2 files changed, 7 insertions(+), 1 deletion
We use sparse-mem for fuzzing. For long-running fuzzing processes, we
eventually end up with many allocated sparse-mem pages. To avoid this,
clear the allocated pages on system-reset.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Reviewed-by: Philippe Mathieu-Daudé
---
hw/mem
found that slow inputs often attempt to fill overly large DMA
requests. Thus, we can mitigate most timeouts by setting a cap on the
total number of DMA bytes written by an input.
Signed-off-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz
will reboot the guest between inputs.
Alexander Bulekov (10):
hw/sparse-mem: clear memory on reset
fuzz: add fuzz_reset API
fuzz/generic-fuzz: use reboots instead of forks to reset state
fuzz/generic-fuzz: add a limit
On 230213 1426, Darren Kenny wrote:
> Hi Alex,
>
> On Saturday, 2023-02-04 at 23:29:44 -05, Alexander Bulekov wrote:
> > Signed-off-by: Alexander Bulekov
> > ---
> > tests/qtest/fuzz/generic_fuzz.c | 106 +++-
> > 1 file change
On 230213 1438, Darren Kenny wrote:
> Hi Alex,
>
> On Saturday, 2023-02-04 at 23:29:45 -05, Alexander Bulekov wrote:
> > As we have replaced fork-based fuzzing with reboots, we can no longer
> > use a timeout+exit() to avoid slow inputs. Libfuzzer has its own timer
>
On 230214 2009, Thomas Huth wrote:
> On 14/02/2023 17.08, Philippe Mathieu-Daudé wrote:
> > On 14/2/23 16:38, Stefan Hajnoczi wrote:
> > > On Sat, Feb 04, 2023 at 11:29:41PM -0500, Alexander Bulekov wrote:
> > > > Hello,
> > > > This series removes fork-
ping
On 230204 2307, Alexander Bulekov wrote:
> These patches aim to solve two types of DMA-reentrancy issues:
>
> 1.) mmio -> dma -> mmio case
> To solve this, we track whether the device is engaged in io by
> checking/setting a reentrancy-guard within APIs used for MMIO
ping
On 230204 2329, Alexander Bulekov wrote:
> Hello,
> This series removes fork-based fuzzing.
> How does fork-based fuzzing work?
> * A single parent process initializes QEMU
> * We identify the devices we wish to fuzz (fuzzer-dependent)
> * Use QTest to PCI enumerate the