Re: [PATCH v3 1/7] memory: associate DMA accesses with the initiator Device

2022-11-15 Thread Alexander Bulekov
On 221115 1119, Peter Xu wrote: > On Fri, Oct 28, 2022 at 03:16:42PM -0400, Alexander Bulekov wrote: > > +/* Do not allow more than one simultanous access to a device's IO > > Regions */ > > +if (mr->owner && > > +!mr->ram_dev

Re: [RFC 0/3] add snapshot/restore fuzzing device

2022-07-23 Thread Alexander Bulekov
On 220722 2210, Claudio Fontana wrote: > Hi Richard, > > On 7/22/22 21:20, Richard Liu wrote: > > This RFC adds a virtual device for snapshot/restores within QEMU. I am > > working > > on this as a part of QEMU Google Summer of Code 2022. Fast snapshot/restores > > within QEMU is helpful for code

Re: qemu fuzz crash in virtio_net_queue_reset()

2024-03-21 Thread Alexander Bulekov
On 240320 0024, Vladimir Sementsov-Ogievskiy wrote: > Hi all! > > From fuzzing I've got a fuzz-data, which produces the following crash: > > qemu-fuzz-x86_64: ../hw/net/virtio-net.c:134: void > flush_or_purge_queued_packets(NetClientState *): Assertion > `!virtio_net_get_subqueue(nc)->async_tx.

Re: qemu fuzz crash in virtio_net_queue_reset()

2024-03-21 Thread Alexander Bulekov
On 240321 2208, Vladimir Sementsov-Ogievskiy wrote: > On 21.03.24 18:01, Alexander Bulekov wrote: > > On 240320 0024, Vladimir Sementsov-Ogievskiy wrote: > > > Hi all! > > > > > > From fuzzing I've got a fuzz-data, which produces the following crash:

[PATCH v10 00/22] Add virtual device fuzzing support

2020-02-19 Thread Alexander Bulekov
check-patch Alexander Bulekov (22): softmmu: move vl.c to softmmu/ softmmu: split off vl.c:main() into main.c module: check module wasn't already initialized fuzz: add FUZZ_TARGET module type qtest: add qtest_server_send abstraction libqtest: add a layer of abstraction to send

[PATCH v10 03/22] module: check module wasn't already initialized

2020-02-19 Thread Alexander Bulekov
module. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny Reviewed-by: Philippe Mathieu-Daudé --- util/module.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/util/module.c b/util/module.c index 8c5315a7a3..236a7bb52a 100644 --- a/util/module.c

[PATCH v10 01/22] softmmu: move vl.c to softmmu/

2020-02-19 Thread Alexander Bulekov
Move vl.c to a separate directory, similar to linux-user/ Update the checkpatch and get_maintainer scripts, since they relied on /vl.c for top_of_tree checks. Signed-off-by: Alexander Bulekov --- MAINTAINERS | 2 +- Makefile.objs | 2 -- Makefile.target | 1

[PATCH v10 02/22] softmmu: split off vl.c:main() into main.c

2020-02-19 Thread Alexander Bulekov
perform some initialization before running the softmmu initialization. Now, main simply calls three vl.c functions which handle the guest initialization, main loop and cleanup. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- MAINTAINERS | 1

[PATCH v10 04/22] fuzz: add FUZZ_TARGET module type

2020-02-19 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- include/qemu/module.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/qemu/module.h b/include/qemu/module.h index 65ba596e46..684753d808 100644 --- a/include/qemu/module.h

[PATCH v10 05/22] qtest: add qtest_server_send abstraction

2020-02-19 Thread Alexander Bulekov
same process (inproc) Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny Acked-by: Thomas Huth --- include/sysemu/qtest.h | 3 +++ qtest.c| 18 -- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/include

[PATCH v10 14/22] main: keep rcu_atfork callback enabled for qtest

2020-02-19 Thread Alexander Bulekov
The qtest-based fuzzer makes use of forking to reset-state between tests. Keep the callback enabled, so the call_rcu thread gets created within the child process. Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny Acked-by: Stefan Hajnoczi --- softmmu/vl.c | 12 +++- 1 file

[PATCH v10 10/22] libqos: split qos-test and libqos makefile vars

2020-02-19 Thread Alexander Bulekov
and ones that are qos-test specific into different variables. Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny Reviewed-by: Stefan Hajnoczi Reviewed-by: Philippe Mathieu-Daudé --- tests/qtest/Makefile.include | 71 ++-- 1 file changed, 36 insertions

[PATCH v10 16/22] fuzz: add support for qos-assisted fuzz targets

2020-02-19 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/qtest/fuzz/Makefile.include | 2 + tests/qtest/fuzz/qos_fuzz.c | 234 ++ tests/qtest/fuzz/qos_fuzz.h | 33 + 3 files changed, 269 insertions(+) create mode 100644 tests/qtest

[PATCH v10 13/22] exec: keep ram block across fork when using qtest

2020-02-19 Thread Alexander Bulekov
Ram blocks were marked MADV_DONTFORK breaking fuzzing-tests which execute each test-input in a forked process. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- exec.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a

[PATCH v10 06/22] libqtest: add a layer of abstraction to send/recv

2020-02-19 Thread Alexander Bulekov
: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/libqtest.c | 48 ++ 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c index 76c9f8eade..e5056a1d0f 100644

[PATCH v10 19/22] fuzz: add i440fx fuzz targets

2020-02-19 Thread Alexander Bulekov
: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/fuzz/Makefile.include | 3 + tests/qtest/fuzz/i440fx_fuzz.c| 193 ++ 2 files changed, 196 insertions(+) create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c diff --git a/tests

[PATCH v10 07/22] libqtest: make bufwrite rely on the TransportOps

2020-02-19 Thread Alexander Bulekov
e benefits of the direct socket_send call, while adding support for in-process qtest calls. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/libqtest.c | 71 -- tests/qtest/libqtest.h | 4 +++ 2 file

[PATCH v10 21/22] fuzz: add virtio-scsi fuzz target

2020-02-19 Thread Alexander Bulekov
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi queues. After an element is placed on a queue, the fuzzer can select whether to perform a kick, or continue adding elements. Signed-off-by: Alexander Bulekov --- tests/qtest/fuzz/Makefile.include | 1 + tests/qtest

[PATCH v10 15/22] fuzz: support for fork-based fuzzing.

2020-02-19 Thread Alexander Bulekov
y the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/

[PATCH v10 08/22] qtest: add in-process incoming command handler

2020-02-19 Thread Alexander Bulekov
The handler allows a qtest client to send commands to the server by directly calling a function, rather than using a file/CharBackend Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- include/sysemu/qtest.h | 1 + qtest.c| 13

[PATCH v10 18/22] fuzz: add configure flag --enable-fuzzing

2020-02-19 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Darren Kenny --- configure | 39 +++ 1 file changed, 39 insertions(+) diff --git a/configure b/configure index 115dc38085..bd873177ad 100755

[PATCH v10 22/22] fuzz: add documentation to docs/devel/

2020-02-19 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- docs/devel/fuzzing.txt | 116 + 1 file changed, 116 insertions(+) create mode 100644 docs/devel/fuzzing.txt diff --git a/docs/devel/fuzzing.txt b/docs/devel

[PATCH v10 09/22] libqos: rename i2c_send and i2c_recv

2020-02-19 Thread Alexander Bulekov
The names i2c_send and i2c_recv collide with functions defined in hw/i2c/core.c. This causes an error when linking against libqos and softmmu simultaneously (for example when using qtest inproc). Rename the libqos functions to avoid this. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan

[PATCH v10 12/22] fuzz: add fuzzer skeleton

2020-02-19 Thread Alexander Bulekov
ich should be used to define new fuzz targets. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- MAINTAINERS | 8 ++ tests/qtest/fuzz/Makefile.include | 6 + tests/qtest/fuzz/fuzz.c | 179 +++

[PATCH v10 11/22] libqos: move useful qos-test funcs to qos_external

2020-02-19 Thread Alexander Bulekov
The moved functions are not specific to qos-test and might be useful elsewhere. For example the virtual-device fuzzer makes use of them for qos-assisted fuzz-targets. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Darren Kenny

[PATCH v10 17/22] fuzz: add target/fuzz makefile rules

2020-02-19 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny Reviewed-by: Stefan Hajnoczi --- Makefile| 15 ++- Makefile.target | 16 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f0e1a2fc1d..36ca26f0f5 100644 --- a

[PATCH v10 20/22] fuzz: add virtio-net fuzz target

2020-02-19 Thread Alexander Bulekov
The virtio-net fuzz target feeds inputs to all three virtio-net virtqueues, and uses forking to avoid leaking state between fuzz runs. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/qtest/fuzz/Makefile.include | 1 + tests/qtest/fuzz/virtio_net_fuzz.c | 198

Re: [Qemu-devel] [PATCH v2 1/2] net: assert that tx packets have nonzero size

2019-11-21 Thread Alexander Bulekov
On 191107 1221, Jason Wang wrote: > > On 2019/7/22 下午9:24, Oleinik, Alexander wrote: > > Virtual devices should not try to send zero-sized packets. The caller > > should check the size prior to calling qemu_sendv_packet_async. > > > > Signed-off-by: Alexander Oleinik > > --- > > v2: > >* Imp

Re: [PATCH v8 18/21] fuzz: add i440fx fuzz targets

2020-02-06 Thread Alexander Bulekov
e using qtest and qos for fuzzing, as well as using > > rebooting and forking to reset state, or not resetting it at all. > > > > Signed-off-by: Alexander Bulekov > > Reviewed-by: Stefan Hajnoczi > > Reviewed-by: Darren Kenny > > A couple of nit below w.r.

Re: [PATCH v8 19/21] fuzz: add virtio-net fuzz target

2020-02-06 Thread Alexander Bulekov
On 200205 1357, Darren Kenny wrote: > On Wed, Jan 29, 2020 at 05:34:27AM +, Bulekov, Alexander wrote: > > The virtio-net fuzz target feeds inputs to all three virtio-net > > virtqueues, and uses forking to avoid leaking state between fuzz runs. > > > > Signe

Re: [PATCH v8 15/21] fuzz: add support for qos-assisted fuzz targets

2020-02-11 Thread Alexander Bulekov
On 200205 1318, Darren Kenny wrote: > On Wed, Jan 29, 2020 at 05:34:24AM +, Bulekov, Alexander wrote: > > Signed-off-by: Alexander Bulekov > > Reviewed-by: Stefan Hajnoczi > > --- > > > > +return allocate_objects(qts, current_path + 1, p_alloc); &g

[PATCH v9 00/23] Add virtual device fuzzing support

2020-02-11 Thread Alexander Bulekov
* rewrite fork-based fuzzer pending patch to libfuzzer * pass check-patch Alexander Bulekov (23): checkpatch: replace vl.c in the top of repo check softmmu: move vl.c to softmmu/ softmmu: split off vl.c:main() into main.c module: check module wasn't already initialized fuzz: add FUZZ_T

[PATCH v9 02/23] softmmu: move vl.c to softmmu/

2020-02-11 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov --- Makefile.objs | 2 -- Makefile.target | 1 + softmmu/Makefile.objs | 2 ++ vl.c => softmmu/vl.c | 0 4 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 softmmu/Makefile.objs rename vl.c => softmmu/vl.c (100%) diff -

[PATCH v9 01/23] checkpatch: replace vl.c in the top of repo check

2020-02-11 Thread Alexander Bulekov
524b4c2c5c moves vl.c into softmmu/ , breaking the checkpatch top-of-kernel-tree check. Replace with checks for softmmu and linux-user Signed-off-by: Alexander Bulekov --- scripts/checkpatch.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/checkpatch.pl b/scripts

[PATCH v9 05/23] fuzz: add FUZZ_TARGET module type

2020-02-11 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- include/qemu/module.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/qemu/module.h b/include/qemu/module.h index 65ba596e46..684753d808 100644 --- a/include/qemu/module.h

[PATCH v9 03/23] softmmu: split off vl.c:main() into main.c

2020-02-11 Thread Alexander Bulekov
perform some initialization before running the softmmu initialization. Now, main simply calls three vl.c functions which handle the guest initialization, main loop and cleanup. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- Makefile.target | 2

[PATCH v9 11/23] libqos: split qos-test and libqos makefile vars

2020-02-11 Thread Alexander Bulekov
and ones that are qos-test specific into different variables. Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny Reviewed-by: Stefan Hajnoczi Reviewed-by: Philippe Mathieu-Daudé --- tests/qtest/Makefile.include | 71 ++-- 1 file changed, 36 insertions

[PATCH v9 15/23] main: keep rcu_atfork callback enabled for qtest

2020-02-11 Thread Alexander Bulekov
The qtest-based fuzzer makes use of forking to reset-state between tests. Keep the callback enabled, so the call_rcu thread gets created within the child process. Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny Acked-by: Stefan Hajnoczi --- softmmu/vl.c | 12 +++- 1 file

[PATCH v9 04/23] module: check module wasn't already initialized

2020-02-11 Thread Alexander Bulekov
module. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny Reviewed-by: Philippe Mathieu-Daudé --- util/module.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/util/module.c b/util/module.c index 8c5315a7a3..236a7bb52a 100644 --- a/util/module.c

[PATCH v9 06/23] qtest: add qtest_server_send abstraction

2020-02-11 Thread Alexander Bulekov
same process (inproc) Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny Acked-by: Thomas Huth --- include/sysemu/qtest.h | 3 +++ qtest.c| 18 -- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/include

[PATCH v9 12/23] libqos: move useful qos-test funcs to qos_external

2020-02-11 Thread Alexander Bulekov
The moved functions are not specific to qos-test and might be useful elsewhere. For example the virtual-device fuzzer makes use of them for qos-assisted fuzz-targets. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Darren Kenny

[PATCH v9 09/23] qtest: add in-process incoming command handler

2020-02-11 Thread Alexander Bulekov
The handler allows a qtest client to send commands to the server by directly calling a function, rather than using a file/CharBackend Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- include/sysemu/qtest.h | 1 + qtest.c| 13

[PATCH v9 13/23] fuzz: add fuzzer skeleton

2020-02-11 Thread Alexander Bulekov
ich should be used to define new fuzz targets. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/fuzz/Makefile.include | 6 + tests/qtest/fuzz/fuzz.c | 179 ++ tests/qtest/fuzz/fuzz.h

[PATCH v9 18/23] fuzz: add target/fuzz makefile rules

2020-02-11 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny Reviewed-by: Stefan Hajnoczi --- Makefile| 15 ++- Makefile.target | 16 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f0e1a2fc1d..36ca26f0f5 100644 --- a

[PATCH v9 07/23] libqtest: add a layer of abstraction to send/recv

2020-02-11 Thread Alexander Bulekov
: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/libqtest.c | 48 ++ 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c index 76c9f8eade..e5056a1d0f 100644

[PATCH v9 22/23] fuzz: add virtio-scsi fuzz target

2020-02-11 Thread Alexander Bulekov
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi queues. After an element is placed on a queue, the fuzzer can select whether to perform a kick, or continue adding elements. Signed-off-by: Alexander Bulekov --- tests/qtest/fuzz/Makefile.include | 1 + tests/qtest

[PATCH v9 23/23] fuzz: add documentation to docs/devel/

2020-02-11 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- docs/devel/fuzzing.txt | 116 + 1 file changed, 116 insertions(+) create mode 100644 docs/devel/fuzzing.txt diff --git a/docs/devel/fuzzing.txt b/docs/devel

[PATCH v9 08/23] libqtest: make bufwrite rely on the TransportOps

2020-02-11 Thread Alexander Bulekov
e benefits of the direct socket_send call, while adding support for in-process qtest calls. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/libqtest.c | 71 -- tests/qtest/libqtest.h | 4 +++ 2 file

[PATCH v9 20/23] fuzz: add i440fx fuzz targets

2020-02-11 Thread Alexander Bulekov
: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/fuzz/Makefile.include | 3 + tests/qtest/fuzz/i440fx_fuzz.c| 193 ++ 2 files changed, 196 insertions(+) create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c diff --git a/tests

[PATCH v9 21/23] fuzz: add virtio-net fuzz target

2020-02-11 Thread Alexander Bulekov
The virtio-net fuzz target feeds inputs to all three virtio-net virtqueues, and uses forking to avoid leaking state between fuzz runs. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/qtest/fuzz/Makefile.include | 1 + tests/qtest/fuzz/virtio_net_fuzz.c | 198

[PATCH v9 10/23] libqos: rename i2c_send and i2c_recv

2020-02-11 Thread Alexander Bulekov
The names i2c_send and i2c_recv collide with functions defined in hw/i2c/core.c. This causes an error when linking against libqos and softmmu simultaneously (for example when using qtest inproc). Rename the libqos functions to avoid this. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan

[PATCH v9 14/23] exec: keep ram block across fork when using qtest

2020-02-11 Thread Alexander Bulekov
Ram blocks were marked MADV_DONTFORK breaking fuzzing-tests which execute each test-input in a forked process. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- exec.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a
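
The entries "exec: keep ram block across fork when using qtest" (v9 above and v10 earlier on this page) describe why MADV_DONTFORK broke the fork-based fuzzer. The following constructed C example is added here and is not QEMU's code: it stands in a one-page anonymous mapping for a RAM block, runs one "fuzz input" in a forked child that touches it the way a device DMA would, and shows that with MADV_DONTFORK the child faults instead of seeing guest memory. alloc_ram_block and run_input_in_child are hypothetical helper names; MADV_DONTFORK, mmap, madvise and fork are the Linux APIs themselves, so this runs on Linux only.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a QEMU RAM block: one anonymous mapping, optionally
 * marked MADV_DONTFORK the way the pre-patch exec.c did for every RAM block. */
static void *alloc_ram_block(size_t size, bool dontfork)
{
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        return NULL;
    }
    memset(p, 0x41, size);                 /* constructed "guest memory" contents */
    if (dontfork && madvise(p, size, MADV_DONTFORK) != 0) {
        munmap(p, size);
        return NULL;
    }
    return p;
}

/* Run one fuzz input the fork-based way: the child touches guest RAM as a device
 * DMA would, then exits; the parent keeps pristine state for the next input.
 * Returns 0 if the child saw the expected byte, 1 if the child died on a signal
 * (the mapping was not inherited), -1 on a setup error. */
static int run_input_in_child(bool dontfork)
{
    const size_t size = 4096;
    unsigned char *ram = alloc_ram_block(size, dontfork);
    if (!ram) {
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        munmap(ram, size);
        return -1;
    }
    if (pid == 0) {
        /* child: with MADV_DONTFORK this access faults (SIGSEGV) */
        _exit(ram[100] == 0x41 ? 0 : 2);
    }
    int status = 0;
    int rc = -1;
    if (waitpid(pid, &status, 0) == pid) {
        rc = WIFSIGNALED(status) ? 1 : WEXITSTATUS(status);
    }
    munmap(ram, size);
    return rc;
}

int main(void)
{
    printf("inherited RAM block: child result %d\n", run_input_in_child(false));
    printf("MADV_DONTFORK RAM block: child result %d\n", run_input_in_child(true));
    return 0;
}
```

The patch's fix is the inverse of the dontfork branch above: skip the madvise when running under qtest so that the forked child inherits the RAM block and each test input can run against an intact guest memory image.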

[PATCH v9 16/23] fuzz: support for fork-based fuzzing.

2020-02-11 Thread Alexander Bulekov
y the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/

[PATCH v9 17/23] fuzz: add support for qos-assisted fuzz targets

2020-02-11 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/qtest/fuzz/Makefile.include | 2 + tests/qtest/fuzz/qos_fuzz.c | 234 ++ tests/qtest/fuzz/qos_fuzz.h | 33 + 3 files changed, 269 insertions(+) create mode 100644 tests/qtest

[PATCH v9 19/23] fuzz: add configure flag --enable-fuzzing

2020-02-11 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Darren Kenny --- configure | 39 +++ 1 file changed, 39 insertions(+) diff --git a/configure b/configure index 115dc38085..bd873177ad 100755

[PATCH v4 0/3] memory: prevent dma-reentracy issues

2023-01-18 Thread Alexander Bulekov
all of the DMA APIs, instead add an optional reentrancy guard to the BH API. v2 -> v3: Bite the bullet and modify the DMA APIs, rather than attempting to guess DeviceStates in BHs. Alexander Bulekov (3): memory: prevent dma-reentracy issues async: Add an optional reentrancy guard

[PATCH v4 2/3] async: Add an optional reentrancy guard to the BH API

2023-01-18 Thread Alexander Bulekov
Devices can pass their MemoryReentrancyGuard (from their DeviceState), when creating new BHes. Then, the async API will toggle the guard before/after calling the BH call-back. This prevents bh->mmio reentrancy issues. Signed-off-by: Alexander Bulekov --- docs/devel/multiple-iothreads.txt |

[PATCH v4 1/3] memory: prevent dma-reentracy issues

2023-01-18 Thread Alexander Bulekov
//gitlab.com/qemu-project/qemu/-/issues/827 Signed-off-by: Alexander Bulekov --- include/hw/qdev-core.h | 7 +++ softmmu/memory.c | 15 +++ softmmu/trace-events | 1 + 3 files changed, 23 insertions(+) diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h index 35fdd

[PATCH v4 3/3] hw: replace most qemu_bh_new calls with qemu_bh_new_guarded

2023-01-18 Thread Alexander Bulekov
This protects devices from bh->mmio reentrancy issues. Signed-off-by: Alexander Bulekov --- hw/9pfs/xen-9p-backend.c| 4 +++- hw/block/dataplane/virtio-blk.c | 3 ++- hw/block/dataplane/xen-block.c | 5 +++-- hw/block/virtio-blk.c | 5 +++-- hw/char/virtio-serial-bu

Re: [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330)

2023-03-24 Thread Alexander Bulekov
On 230324 1200, Mauro Matteo Cascella wrote: > On Fri, Mar 17, 2023 at 10:59 PM Philippe Mathieu-Daudé > wrote: > > > > On 17/3/23 19:18, Karl Heubaum wrote: > > > Did this CVE fix fall in the cracks during the QEMU 8.0 merge window? > > > > The patch isn't reviewed, and apparently almost no activ

Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()

2023-03-29 Thread Alexander Bulekov
On 230214 1148, Mauro Matteo Cascella wrote: > Hi Philippe, > > On Mon, Feb 13, 2023 at 7:26 PM Philippe Mathieu-Daudé > wrote: > > > > Hi Mauro, > > > > On 13/2/23 18:41, Mauro Matteo Cascella wrote: > > > The guest can control the size of buf; an OOB write occurs when buf is 1 > > > or 2 > > >

Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()

2023-03-29 Thread Alexander Bulekov
Cascella Tested-by: Alexander Bulekov Thanks > --- > hw/usb/dev-wacom.c | 20 +--- > 1 file changed, 13 insertions(+), 7 deletions(-) > > diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c > index 7177c17f03..ca9e6aa82f 100644 > --- a/hw/usb/dev-wacom.c > +

Re: [PATCH v3] hw/arm: do not free machine->fdt in arm_load_dtb()

2023-03-30 Thread Alexander Bulekov
On 230328 1859, Markus Armbruster wrote: > At this moment, arm_load_dtb() can free machine->fdt when > binfo->dtb_filename is NULL. If there's no 'dtb_filename', 'fdt' will be > retrieved by binfo->get_dtb(). If get_dtb() returns machine->fdt, as is > the case of machvirt_dtb() from hw/arm/virt.c,

Re: [PATCH v4 2/3] async: Add an optional reentrancy guard to the BH API

2023-01-25 Thread Alexander Bulekov
On 230125 1624, Stefan Hajnoczi wrote: > On Thu, Jan 19, 2023 at 02:03:07AM -0500, Alexander Bulekov wrote: > > Devices can pass their MemoryReentrancyGuard (from their DeviceState), > > when creating new BHes. Then, the async API will toggle the guard > > before/after cal

Re: [PATCH v4 1/3] memory: prevent dma-reentracy issues

2023-01-25 Thread Alexander Bulekov
On 230120 1447, Peter Maydell wrote: > On Fri, 20 Jan 2023 at 14:42, Darren Kenny wrote: > > Generally, this looks good, but I do have a comment below... > > > > On Thursday, 2023-01-19 at 02:00:02 -05, Alexander Bulekov wrote: > > > Add a flag to the DeviceState, w

[PATCH v5 1/4] memory: prevent dma-reentracy issues

2023-01-25 Thread Alexander Bulekov
//gitlab.com/qemu-project/qemu/-/issues/827 Reviewed-by: Stefan Hajnoczi Signed-off-by: Alexander Bulekov --- include/hw/qdev-core.h | 7 +++ softmmu/memory.c | 17 + softmmu/trace-events | 1 + 3 files changed, 25 insertions(+) diff --git a/include/hw/qdev-core.h

[PATCH v5 0/4] memory: prevent dma-reentracy issues

2023-01-25 Thread Alexander Bulekov
ad of changing all of the DMA APIs, instead add an optional reentrancy guard to the BH API. v2 -> v3: Bite the bullet and modify the DMA APIs, rather than attempting to guess DeviceStates in BHs. Alexander Bulekov (4): memory: prevent dma-reentracy issues async: Add an optional re

[PATCH v5 2/4] async: Add an optional reentrancy guard to the BH API

2023-01-25 Thread Alexander Bulekov
Devices can pass their MemoryReentrancyGuard (from their DeviceState), when creating new BHes. Then, the async API will toggle the guard before/after calling the BH call-back. This prevents bh->mmio reentrancy issues. Signed-off-by: Alexander Bulekov --- docs/devel/multiple-iothreads.txt |

[PATCH v5 4/4] hw: replace most qemu_bh_new calls with qemu_bh_new_guarded

2023-01-25 Thread Alexander Bulekov
This protects devices from bh->mmio reentrancy issues. Reviewed-by: Stefan Hajnoczi Signed-off-by: Alexander Bulekov --- hw/9pfs/xen-9p-backend.c| 4 +++- hw/block/dataplane/virtio-blk.c | 3 ++- hw/block/dataplane/xen-block.c | 5 +++-- hw/block/virtio-blk.c | 5 +++--

[PATCH v5 3/4] checkpatch: add qemu_bh_new/aio_bh_new checks

2023-01-25 Thread Alexander Bulekov
Advise authors to use the _guarded versions of the APIs, instead. Signed-off-by: Alexander Bulekov --- scripts/checkpatch.pl | 8 1 file changed, 8 insertions(+) diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index 6ecabfb2b5..61bb4b0a19 100755 --- a/scripts/checkpatch.pl

Re: [PATCH] softmmu: Use memmove in flatview_write_continue

2023-01-30 Thread Alexander Bulekov
On 230130 2251, Akihiko Odaki wrote: > We found a case where the source passed to flatview_write_continue() may > overlap with the destination when fuzzing igb, a new proposed network > device with sanitizers. > > igb uses pci_dma_map() to get Tx packet, and pci_dma_write() to write Rx > buffer. W

Re: [PATCH] softmmu: Use memmove in flatview_write_continue

2023-01-30 Thread Alexander Bulekov
On 230130 1528, Peter Xu wrote: > On Mon, Jan 30, 2023 at 03:03:00PM -0500, Alexander Bulekov wrote: > > On 230130 2251, Akihiko Odaki wrote: > > > We found a case where the source passed to flatview_write_continue() may > > > overlap with the destination when fuzzing

Re: [PATCH-for-6.2 2/2] tests/qtest/fdc-test: Add a regression test for CVE-2021-3507

2021-11-23 Thread Alexander Bulekov
> 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Heap left redzone: fa > Freed heap region: fd > ==4028352==ABORTING > > Repor

Re: [PATCH-for-6.2 v3 2/2] tests/qtest/fdc-test: Add a regression test for CVE-2021-20196

2021-11-23 Thread Alexander Bulekov
On 211123 1449, Philippe Mathieu-Daudé wrote: > On 11/23/21 14:42, Hanna Reitz wrote: > > On 18.11.21 13:06, Philippe Mathieu-Daudé wrote: > >> From: Alexander Bulekov > >> > >> Without the previous commit, when running 'make check-qtest-i386' >

[PATCH] loongarch: mark loongarch_ipi_iocsr re-entrnacy safe

2023-05-06 Thread Alexander Bulekov
loongarch_ipi_iocsr MRs rely on re-entrant IO through the ipi_send function. As such, mark these MRs re-entrancy-safe. Fixes: a2e1753b80 ("memory: prevent dma-reentracy issues") Signed-off-by: Alexander Bulekov --- hw/intc/loongarch_ipi.c | 4 1 file changed, 4 insertions(+) di

[PATCH] pnv_lpc: disable reentrancy detection for lpc-hc

2023-05-11 Thread Alexander Bulekov
As lpc-hc is designed for re-entrant calls from xscom, mark it re-entrancy safe. Reported-by: Thomas Huth Signed-off-by: Alexander Bulekov --- hw/ppc/pnv_lpc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c index 01f44c19eb..67fd049a7f 100644 --- a/hw

Re: [PATCH] pnv_lpc: disable reentrancy detection for lpc-hc

2023-05-11 Thread Alexander Bulekov
On 230511 1104, Cédric Le Goater wrote: > Hello Alexander > > On 5/11/23 10:53, Alexander Bulekov wrote: > > As lpc-hc is designed for re-entrant calls from xscom, mark it > > re-entrancy safe. > > > > Reported-by: Thomas Huth > > Signed-off-by: Alexander

[PATCH] memory: stricter checks prior to unsetting engaged_in_io

2023-05-16 Thread Alexander Bulekov
engaged_in_io could be unset by an MR with re-entrancy checks disabled. Ensure that only MRs that can set the engaged_in_io flag can unset it. Closes: https://gitlab.com/qemu-project/qemu/-/issues/1563 Reported-by: Thomas Huth Signed-off-by: Alexander Bulekov --- softmmu/memory.c | 4 +++- 1

Re: [PATCH] lsi53c895a: disable reentrancy detection for MMIO region, too

2023-05-16 Thread Alexander Bulekov
On 230516 1105, Thomas Huth wrote: > While trying to use a SCSI disk on the LSI controller with an > older version of Fedora (25), I'm getting: > > qemu: warning: Blocked re-entrant IO on MemoryRegion: lsi-mmio at addr: 0x34 Do you have a gdb backtrace for this one or is there some easy way to r

Re: [PATCH v2] memory: prevent dma-reentracy issues

2022-06-21 Thread Alexander Bulekov
On 220621 1034, David Hildenbrand wrote: > On 09.06.22 15:58, Alexander Bulekov wrote: > > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. > > This flag is set/checked prior to calling a device's MemoryRegion > > handlers, and set when devic

Re: [PATCH v2] memory: prevent dma-reentracy issues

2022-06-21 Thread Alexander Bulekov
On 220621 1630, Peter Maydell wrote: > On Thu, 9 Jun 2022 at 14:59, Alexander Bulekov wrote: > > > > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. > > This flag is set/checked prior to calling a device's MemoryRegion > > handlers, and se
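
Several entries on this page describe the same mechanism: the engaged_in_io flag on the DeviceState that is set and checked before a MemoryRegion handler runs (the v2 replies above), the optional MemoryReentrancyGuard that the BH API toggles around a callback ("async: Add an optional reentrancy guard to the BH API"), the per-MR opt-out used for lpc-hc and loongarch_ipi_iocsr, and the later rule that only an MR allowed to set the flag may unset it ("memory: stricter checks prior to unsetting engaged_in_io"). The C model below is added here and is not QEMU's code; the type and field names mirror the patches for readability, but mr_write, bh_call, the toy device and the three scenario functions are hypothetical, and the DMA is simulated by a direct call back into the device's own MMIO region rather than through an address space.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified model of the guard (names mirror the patches; not QEMU's code). */
typedef struct { bool engaged_in_io; } MemoryReentrancyGuard;
typedef struct { const char *name; MemoryReentrancyGuard mem_reentrancy_guard; } DeviceState;

typedef struct MemoryRegion MemoryRegion;
typedef void (*MRWriteFn)(MemoryRegion *mr, unsigned addr, unsigned val);
struct MemoryRegion {
    const char *name;
    DeviceState *owner;
    bool disable_reentrancy_guard;  /* opt-out for MRs designed for re-entrant IO */
    MRWriteFn write;
};

static int blocked_count;

/* Guest-visible write dispatch: set the owner's flag before the handler, block if it
 * is already set, and afterwards unset it only if this call was the one that set it. */
static bool mr_write(MemoryRegion *mr, unsigned addr, unsigned val)
{
    DeviceState *dev = mr->owner;
    bool applied = false;
    if (dev && !mr->disable_reentrancy_guard) {
        if (dev->mem_reentrancy_guard.engaged_in_io) {
            blocked_count++;
            fprintf(stderr, "warning: Blocked re-entrant IO on MemoryRegion: %s at addr: 0x%x\n",
                    mr->name, addr);
            return false;
        }
        dev->mem_reentrancy_guard.engaged_in_io = true;
        applied = true;
    }
    mr->write(mr, addr, val);
    if (applied) {
        dev->mem_reentrancy_guard.engaged_in_io = false;
    }
    return true;
}

/* Bottom half with an optional guard that is raised around the callback. */
typedef struct { void (*cb)(void *); void *opaque; MemoryReentrancyGuard *guard; } QEMUBH;

static void bh_call(QEMUBH *bh)
{
    bool last = false;
    if (bh->guard) { last = bh->guard->engaged_in_io; bh->guard->engaged_in_io = true; }
    bh->cb(bh->opaque);
    if (bh->guard) { bh->guard->engaged_in_io = last; }
}

/* Constructed toy device: a write to register 0x0 performs a "DMA" whose target the
 * guest has pointed back at the device's own MMIO region. */
static DeviceState dev = { .name = "toy-nic" };
static MemoryRegion dev_mmio, inner_mr;
static bool dma_landed, nested_ok;

static void toy_write(MemoryRegion *mr, unsigned addr, unsigned val)
{
    (void)mr;
    if (addr == 0x0) {
        dma_landed = mr_write(&dev_mmio, 0x4, val);
    }
}

/* Scenario 1: DMA from the handler back into the same device is blocked, and the
 * flag is clear again once the outer handler has returned. Returns the block count (1). */
static int scenario_dma_reentry(void)
{
    dev_mmio = (MemoryRegion){ "toy-mmio", &dev, false, toy_write };
    blocked_count = 0;
    dma_landed = true;
    mr_write(&dev_mmio, 0x0, 0xdead);
    if (dev.mem_reentrancy_guard.engaged_in_io || dma_landed) return -1;
    return blocked_count;
}

/* Scenario 2: a BH created with the device's guard cannot re-enter its MMIO;
 * an unguarded BH (plain qemu_bh_new in the patches' terms) can. */
static void bh_cb(void *opaque) { dma_landed = mr_write((MemoryRegion *)opaque, 0x4, 1); }

static int scenario_bh(bool guarded)
{
    dev_mmio = (MemoryRegion){ "toy-mmio", &dev, false, toy_write };
    blocked_count = 0;
    QEMUBH bh = { bh_cb, &dev_mmio, guarded ? &dev.mem_reentrancy_guard : NULL };
    bh_call(&bh);
    return blocked_count;
}

/* Scenario 3: an MR with checks disabled, reached from a guarded handler, must not
 * clear the outer flag (the "stricter checks prior to unsetting engaged_in_io" case). */
static void inner_write(MemoryRegion *mr, unsigned addr, unsigned val)
{
    (void)mr; (void)addr; (void)val;
    nested_ok = true;
}

static void outer_write(MemoryRegion *mr, unsigned addr, unsigned val)
{
    (void)addr; (void)val;
    mr_write(&inner_mr, 0, 0);
    nested_ok = nested_ok && mr->owner->mem_reentrancy_guard.engaged_in_io;
}

static int scenario_disabled_inner(void)
{
    inner_mr = (MemoryRegion){ "lpc-like", &dev, true, inner_write };
    dev_mmio = (MemoryRegion){ "outer", &dev, false, outer_write };
    blocked_count = 0;
    nested_ok = false;
    mr_write(&dev_mmio, 0, 0);
    return (nested_ok && !dev.mem_reentrancy_guard.engaged_in_io && blocked_count == 0) ? 1 : 0;
}

int main(void)
{
    printf("dma re-entry blocked: %d\n", scenario_dma_reentry());
    printf("guarded bh blocked: %d, unguarded: %d\n", scenario_bh(true), scenario_bh(false));
    printf("disabled inner MR keeps outer flag: %d\n", scenario_disabled_inner());
    return 0;
}
```

Scenario 3 is the one worth checking when adding a disable_reentrancy_guard opt-out to a real device: if the inner, unguarded MR were allowed to clear the flag on its way out, the outer handler would finish with the guard already dropped and a second re-entry from the same handler would go unblocked.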

[PATCH] build: improve -fsanitize-coverage-allowlist check

2022-06-21 Thread Alexander Bulekov
The sancov filter check still fails when unused arguments are treated as errors. To work around that, add a SanitizerCoverage flag to the build-check. Fixes: aa4f3a3b88 ("build: fix check for -fsanitize-coverage-allowlist") Signed-off-by: Alexander Bulekov --- meson.build | 3 +

[PATCH] fuzz: only use generic-fuzz targets on oss-fuzz

2022-06-22 Thread Alexander Bulekov
The non-generic-fuzz targets often time-out, or run out of memory. Additionally, they create unreproducible bug-reports. It is possible that this is resulting in failing coverage-reports on OSS-Fuzz. In the future, these test-cases should be fixed, or removed. Signed-off-by: Alexander Bulekov

Re: [PATCH] fuzz: only use generic-fuzz targets on oss-fuzz

2022-06-22 Thread Alexander Bulekov
t might read better - but it seems the default is that we don't > assume that, or am I wrong? (This is probably a question for others on > the CC-list) That sounds good to me. Should we change the script to #!/bin/bash, to be safe? -Alex > > Thanks, > > Darren. > >

[PATCH v2] fuzz: only use generic-fuzz targets on oss-fuzz

2022-06-23 Thread Alexander Bulekov
-off-by: Alexander Bulekov --- scripts/oss-fuzz/build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/oss-fuzz/build.sh b/scripts/oss-fuzz/build.sh index 98b56e0521..aaf485cb55 100755 --- a/scripts/oss-fuzz/build.sh +++ b/scripts/oss-fuzz/build.sh @@ -1,4 +1,4

Re: [PATCH] rtl8139: fix large_send_mss divide-by-zero

2023-04-14 Thread Alexander Bulekov
rite 0xb800a646028c000e 0x1 0x47 > write 0xb800a646028c0010 0x1 0x02 > write 0xb800a646028c0017 0x1 0x06 > write 0xb800a646028c0036 0x1 0x80 > write 0xe0d9 0x1 0x40 > EOF > > Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582 Maybe instead: Closes:

[PATCH v8 1/8] memory: prevent dma-reentracy issues

2023-04-21 Thread Alexander Bulekov
//gitlab.com/qemu-project/qemu/-/issues/827 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 Resolves: CVE-2023-0330 Signed-off-by: Alexander Bulekov --- include/exec/memory.h | 2 ++ include/hw/qdev-core.h | 7 +++ softmmu/memory.c | 14 ++ softmmu/trace-events

[PATCH v8 3/8] checkpatch: add qemu_bh_new/aio_bh_new checks

2023-04-21 Thread Alexander Bulekov
Advise authors to use the _guarded versions of the APIs, instead. Reviewed-by: Darren Kenny Signed-off-by: Alexander Bulekov --- scripts/checkpatch.pl | 8 1 file changed, 8 insertions(+) diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index d768171dcf..eeaec436eb 100755

[PATCH v8 6/8] lsi53c895a: disable reentrancy detection for script RAM

2023-04-21 Thread Alexander Bulekov
As the code is designed to use the memory APIs to access the script ram, disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion. In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion. Reported-by: Fiona Ebner Signed-off-by: Alexander Bulekov Reviewed-by

[PATCH v8 5/8] memory: Allow disabling re-entrancy checking per-MR

2023-04-21 Thread Alexander Bulekov
Signed-off-by: Alexander Bulekov Reviewed-by: Thomas Huth Reviewed-by: Darren Kenny --- include/exec/memory.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/exec/memory.h b/include/exec/memory.h index 6c0a5e68d3..4e9531bd8a 100644 --- a/include/exec/memory.h +++ b/include/exec

[PATCH v8 4/8] hw: replace most qemu_bh_new calls with qemu_bh_new_guarded

2023-04-21 Thread Alexander Bulekov
This protects devices from bh->mmio reentrancy issues. Thanks: Thomas Huth for diagnosing OS X test failure. Reviewed-by: Darren Kenny Reviewed-by: Stefan Hajnoczi Reviewed-by: Michael S. Tsirkin Reviewed-by: Paul Durrant Signed-off-by: Alexander Bulekov Reviewed-by: Thomas Huth ---

[PATCH v8 0/8] memory: prevent dma-reentracy issues

2023-04-21 Thread Alexander Bulekov
st of the qemu_bh_new invocations with the guarded analog, except for the ones where the DeviceState was not trivially accessible. Alexander Bulekov (8): memory: prevent dma-reentracy issues async: Add an optional reentrancy guard to the BH API checkpatch: add qemu_bh_new/aio_bh_ne

[PATCH v8 2/8] async: Add an optional reentrancy guard to the BH API

2023-04-21 Thread Alexander Bulekov
Devices can pass their MemoryReentrancyGuard (from their DeviceState), when creating new BHes. Then, the async API will toggle the guard before/after calling the BH call-back. This prevents bh->mmio reentrancy issues. Reviewed-by: Darren Kenny Signed-off-by: Alexander Bulekov --- docs/de

[PATCH v8 7/8] bcm2835_property: disable reentrancy detection for iomem

2023-04-21 Thread Alexander Bulekov
As the code is designed for re-entrant calls from bcm2835_property to bcm2835_mbox and back into bcm2835_property, mark iomem as reentrancy-safe. Signed-off-by: Alexander Bulekov --- hw/misc/bcm2835_property.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/hw/misc/bcm2835_property.c

[PATCH v8 8/8] memory: abort on re-entrancy in debug builds

2023-04-21 Thread Alexander Bulekov
This is useful for using unit-tests/fuzzing to detect bugs introduced by the re-entrancy guard mechanism into devices that are intentionally re-entrant. Signed-off-by: Alexander Bulekov --- softmmu/memory.c | 3 +++ util/async.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a
