Merge branch 'next'

16 files changed, 215 insertions, 50 deletions

diff --git a/arch/sandbox/Kconfig b/arch/sandbox/Kconfig
index 5f55c7f..852a7c8 100644
--- a/arch/sandbox/Kconfig
+++ b/arch/sandbox/Kconfig
@@ -17,11 +17,11 @@ config SANDBOX64
 
 config SANDBOX_RAM_SIZE_MB
 	int "RAM size in MiB"
-	default 128
+	default 256
 	range 64 4095 if !SANDBOX64
 	range 64 268435456 if SANDBOX64
 	help
-	  Memory size of the sandbox in MiB. The default value is 128 MiB.
+	  Memory size of the sandbox in MiB. The default value is 256 MiB.
 	  The minimum value is 64 MiB. The maximum value is 4095 MiB for the
 	  32bit sandbox.
 
diff --git a/arch/sandbox/config.mk b/arch/sandbox/config.mk
index 02a3ba0..3e2c7f9 100644
--- a/arch/sandbox/config.mk
+++ b/arch/sandbox/config.mk
@@ -15,8 +15,19 @@ PLATFORM_LIBS += $(shell $(SDL_CONFIG) --libs)
 PLATFORM_CPPFLAGS += $(shell $(SDL_CONFIG) --cflags)
 endif
 
+SANITIZERS :=
+ifdef CONFIG_ASAN
+SANITIZERS	+= -fsanitize=address
+endif
+ifdef CONFIG_FUZZ
+SANITIZERS	+= -fsanitize=fuzzer
+endif
+KBUILD_CFLAGS	+= $(SANITIZERS)
+
 cmd_u-boot__ = $(CC) -o $@ -Wl,-T u-boot.lds $(u-boot-init) \
-	$(KBUILD_LDFLAGS:%=-Wl,%)$(LTO_FINAL_LDFLAGS) \
+	$(KBUILD_LDFLAGS:%=-Wl,%) \
+	$(SANITIZERS) \
+	$(LTO_FINAL_LDFLAGS) \
 	-Wl,--whole-archive \
 		$(u-boot-main) \
 		$(u-boot-keep-syms-lto) \
@@ -24,7 +35,9 @@ cmd_u-boot__ = $(CC) -o $@ -Wl,-T u-boot.lds $(u-boot-init) \
 	$(PLATFORM_LIBS) -Wl,-Map -Wl,u-boot.map
 
 cmd_u-boot-spl = (cd $(obj) && $(CC) -o $(SPL_BIN) -Wl,-T u-boot-spl.lds \
-	$(KBUILD_LDFLAGS:%=-Wl,%) $(LTO_FINAL_LDFLAGS) \
+	$(KBUILD_LDFLAGS:%=-Wl,%) \
+	$(SANITIZERS) \
+	$(LTO_FINAL_LDFLAGS) \
 	$(patsubst $(obj)/%,%,$(u-boot-spl-init)) \
 	-Wl,--whole-archive \
 		$(patsubst $(obj)/%,%,$(u-boot-spl-main)) \
@@ -44,13 +57,13 @@ EFI_TARGET := --target=efi-app-ia32
 else ifeq ($(HOST_ARCH),$(HOST_ARCH_AARCH64))
 EFI_LDS := ${SRCDIR}/../../../arch/arm/lib/elf_aarch64_efi.lds
 OBJCOPYFLAGS += -j .text -j .secure_text -j .secure_data -j .rodata -j .data \
-		-j .u_boot_list -j .rela.dyn -j .got -j .got.plt \
+		-j __u_boot_list -j .rela.dyn -j .got -j .got.plt \
 		-j .binman_sym_table -j .text_rest \
 		-j .efi_runtime -j .efi_runtime_rel
 else ifeq ($(HOST_ARCH),$(HOST_ARCH_ARM))
 EFI_LDS := ${SRCDIR}/../../../arch/arm/lib/elf_arm_efi.lds
 OBJCOPYFLAGS += -j .text -j .secure_text -j .secure_data -j .rodata -j .hash \
-		-j .data -j .got -j .got.plt -j .u_boot_list -j .rel.dyn \
+		-j .data -j .got -j .got.plt -j __u_boot_list -j .rel.dyn \
 		-j .binman_sym_table -j .text_rest \
 		-j .efi_runtime -j .efi_runtime_rel
 else ifeq ($(HOST_ARCH),$(HOST_ARCH_RISCV32))
diff --git a/arch/sandbox/cpu/cpu.c b/arch/sandbox/cpu/cpu.c
index 7a82798..d077948 100644
--- a/arch/sandbox/cpu/cpu.c
+++ b/arch/sandbox/cpu/cpu.c
@@ -331,27 +331,27 @@ void *board_fdt_blob_setup(int *ret)
 		err = setup_auto_tree(blob);
 		if (!err)
 			goto done;
-		printf("Unable to create empty FDT: %s\n", fdt_strerror(err));
+		os_printf("Unable to create empty FDT: %s\n", fdt_strerror(err));
 		*ret = -EINVAL;
 		goto fail;
 	}
 
 	err = os_get_filesize(fname, &size);
 	if (err < 0) {
-		printf("Failed to find FDT file '%s'\n", fname);
+		os_printf("Failed to find FDT file '%s'\n", fname);
 		*ret = err;
 		goto fail;
 	}
 	fd = os_open(fname, OS_O_RDONLY);
 	if (fd < 0) {
-		printf("Failed to open FDT file '%s'\n", fname);
+		os_printf("Failed to open FDT file '%s'\n", fname);
 		*ret = -EACCES;
 		goto fail;
 	}
 
 	if (os_read(fd, blob, size) != size) {
 		os_close(fd);
-		printf("Failed to read FDT file '%s'\n", fname);
+		os_printf("Failed to read FDT file '%s'\n", fname);
 		*ret =  -EIO;
 		goto fail;
 	}
diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c
index 5ea5417..f937991 100644
--- a/arch/sandbox/cpu/os.c
+++ b/arch/sandbox/cpu/os.c
@@ -8,9 +8,11 @@
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <pthread.h>
 #include <getopt.h>
 #include <setjmp.h>
 #include <signal.h>
+#include <stdarg.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
@@ -26,7 +28,9 @@
 #include <linux/compiler_attributes.h>
 #include <linux/types.h>
 
+#include <asm/fuzzing_engine.h>
 #include <asm/getopt.h>
+#include <asm/main.h>
 #include <asm/sections.h>
 #include <asm/state.h>
 #include <os.h>
@@ -51,6 +55,18 @@ ssize_t os_write(int fd, const void *buf, size_t count)
 	return write(fd, buf, count);
 }
 
+int os_printf(const char *fmt, ...)
+{
+	va_list args;
+	int i;
+
+	va_start(args, fmt);
+	i = vfprintf(stdout, fmt, args);
+	va_end(args);
+
+	return i;
+}
+
 off_t os_lseek(int fd, off_t offset, int whence)
 {
 	if (whence == OS_SEEK_SET)
@@ -1001,3 +1017,76 @@ void os_relaunch(char *argv[])
 	execv(argv[0], argv);
 	os_exit(1);
 }
+
+
+#ifdef CONFIG_FUZZ
+static void *fuzzer_thread(void * ptr)
+{
+	char cmd[64];
+	char *argv[5] = {"./u-boot", "-T", "-c", cmd, NULL};
+	const char *fuzz_test;
+
+	/* Find which test to run from an environment variable. */
+	fuzz_test = getenv("UBOOT_SB_FUZZ_TEST");
+	if (!fuzz_test)
+		os_abort();
+
+	snprintf(cmd, sizeof(cmd), "fuzz %s", fuzz_test);
+
+	sandbox_main(4, argv);
+	os_abort();
+	return NULL;
+}
+
+static bool fuzzer_initialized = false;
+static pthread_mutex_t fuzzer_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t fuzzer_cond = PTHREAD_COND_INITIALIZER;
+static const uint8_t *fuzzer_data;
+static size_t fuzzer_size;
+
+int sandbox_fuzzing_engine_get_input(const uint8_t **data, size_t *size)
+{
+	if (!fuzzer_initialized)
+		return -ENOSYS;
+
+	/* Tell the main thread we need new inputs then wait for them. */
+	pthread_mutex_lock(&fuzzer_mutex);
+	pthread_cond_signal(&fuzzer_cond);
+	pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);
+	*data = fuzzer_data;
+	*size = fuzzer_size;
+	pthread_mutex_unlock(&fuzzer_mutex);
+	return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	static pthread_t tid;
+
+	pthread_mutex_lock(&fuzzer_mutex);
+
+	/* Initialize the sandbox on another thread. */
+	if (!fuzzer_initialized) {
+		fuzzer_initialized = true;
+		if (pthread_create(&tid, NULL, fuzzer_thread, NULL))
+			os_abort();
+		pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);
+	}
+
+	/* Hand over the input. */
+	fuzzer_data = data;
+	fuzzer_size = size;
+	pthread_cond_signal(&fuzzer_cond);
+
+	/* Wait for the inputs to be finished with. */
+	pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);
+	pthread_mutex_unlock(&fuzzer_mutex);
+
+	return 0;
+}
+#else
+int main(int argc, char *argv[])
+{
+	return sandbox_main(argc, argv);
+}
+#endif
diff --git a/arch/sandbox/cpu/start.c b/arch/sandbox/cpu/start.c
index 0f5a873..90a84e9 100644
--- a/arch/sandbox/cpu/start.c
+++ b/arch/sandbox/cpu/start.c
@@ -453,7 +453,7 @@ void sandbox_reset(void)
 	os_relaunch(os_argv);
 }
 
-int main(int argc, char *argv[])
+int sandbox_main(int argc, char *argv[])
 {
 	struct sandbox_state *state;
 	void * text_base;
diff --git a/arch/sandbox/cpu/u-boot-spl.lds b/arch/sandbox/cpu/u-boot-spl.lds
index 206e265..ef885fd 100644
--- a/arch/sandbox/cpu/u-boot-spl.lds
+++ b/arch/sandbox/cpu/u-boot-spl.lds
@@ -9,8 +9,8 @@ SECTIONS
 {
 
 	. = ALIGN(32);
-	.u_boot_list : {
-		KEEP(*(SORT(.u_boot_list*)));
+	__u_boot_list : {
+		KEEP(*(SORT(__u_boot_list*)));
 	}
 
 	/* Private data for devices with OF_PLATDATA_RT */
@@ -22,9 +22,9 @@ SECTIONS
 	}
 
 	_u_boot_sandbox_getopt : {
-		*(.u_boot_sandbox_getopt_start)
-		KEEP(*(.u_boot_sandbox_getopt))
-		*(.u_boot_sandbox_getopt_end)
+		*(_u_boot_sandbox_getopt_start)
+		KEEP(*(_u_boot_sandbox_getopt))
+		*(_u_boot_sandbox_getopt_end)
 	}
 }
 
diff --git a/arch/sandbox/cpu/u-boot.lds b/arch/sandbox/cpu/u-boot.lds
index 92e834a..ba8dee5 100644
--- a/arch/sandbox/cpu/u-boot.lds
+++ b/arch/sandbox/cpu/u-boot.lds
@@ -9,42 +9,40 @@ SECTIONS
 {
 
 	. = ALIGN(32);
-	.u_boot_list : {
-		KEEP(*(SORT(.u_boot_list*)));
+	__u_boot_list : {
+		KEEP(*(SORT(__u_boot_list*)));
 	}
 
 	_u_boot_sandbox_getopt : {
-		*(.u_boot_sandbox_getopt_start)
-		*(.u_boot_sandbox_getopt)
-		*(.u_boot_sandbox_getopt_end)
+		*(_u_boot_sandbox_getopt_start)
+		*(_u_boot_sandbox_getopt)
+		*(_u_boot_sandbox_getopt_end)
 	}
 
-	.__efi_runtime_start : {
-		*(.__efi_runtime_start)
+	efi_runtime_start : {
+		*(___efi_runtime_start)
 	}
 
-	.efi_runtime : {
+	efi_runtime : {
 		*(efi_runtime_text)
 		*(efi_runtime_data)
 	}
 
-	.__efi_runtime_stop : {
-		*(.__efi_runtime_stop)
+	efi_runtime_stop : {
+		*(___efi_runtime_stop)
 	}
 
-	.efi_runtime_rel_start :
-	{
-		*(.__efi_runtime_rel_start)
+	efi_runtime_rel_start : {
+		*(___efi_runtime_rel_start)
 	}
 
-	.efi_runtime_rel : {
+	efi_runtime_rel : {
 		*(.relefi_runtime_text)
 		*(.relefi_runtime_data)
 	}
 
-	.efi_runtime_rel_stop :
-	{
-		*(.__efi_runtime_rel_stop)
+	efi_runtime_rel_stop : {
+		*(___efi_runtime_rel_stop)
 	}
 
 	.dynsym :
diff --git a/arch/sandbox/dts/sandbox.dts b/arch/sandbox/dts/sandbox.dts
index 18fde1c..21f00fc 100644
--- a/arch/sandbox/dts/sandbox.dts
+++ b/arch/sandbox/dts/sandbox.dts
@@ -63,7 +63,6 @@
 	eth@10002000 {
 		compatible = "sandbox,eth";
 		reg = <0x10002000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 00];
 	};
 
 	host-fs {
diff --git a/arch/sandbox/dts/sandbox64.dts b/arch/sandbox/dts/sandbox64.dts
index ec53106..3eb0457 100644
--- a/arch/sandbox/dts/sandbox64.dts
+++ b/arch/sandbox/dts/sandbox64.dts
@@ -58,7 +58,6 @@
 	eth@10002000 {
 		compatible = "sandbox,eth";
 		reg = <0x0 0x10002000 0x0 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 00];
 	};
 
 	i2c_0: i2c@0 {
diff --git a/arch/sandbox/dts/test.dts b/arch/sandbox/dts/test.dts
index 8f93775..0194b9b 100644
--- a/arch/sandbox/dts/test.dts
+++ b/arch/sandbox/dts/test.dts
@@ -28,6 +28,9 @@
 		ethernet3 = &eth_3;
 		ethernet4 = &dsa_eth0;
 		ethernet5 = &eth_5;
+		ethernet6 = "/eth@10004000";
+		ethernet7 = &swp_1;
+		ethernet8 = &phy_eth0;
 		gpio1 = &gpio_a;
 		gpio2 = &gpio_b;
 		gpio3 = &gpio_c;
@@ -89,6 +92,10 @@
 		};
 	};
 
+	fuzzing-engine {
+		compatible = "sandbox,fuzzing-engine";
+	};
+
 	reboot-mode0 {
 		compatible = "reboot-mode-gpio";
 		gpios = <&gpio_c 0 GPIO_ACTIVE_HIGH>, <&gpio_c 1 GPIO_ACTIVE_HIGH>;
@@ -524,31 +531,31 @@
 	eth@10002000 {
 		compatible = "sandbox,eth";
 		reg = <0x10002000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 00];
 	};
 
 	eth_5: eth@10003000 {
 		compatible = "sandbox,eth";
 		reg = <0x10003000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 11];
+		nvmem-cells = <&eth5_addr>;
+		nvmem-cell-names = "mac-address";
 	};
 
 	eth_3: sbe5 {
 		compatible = "sandbox,eth";
 		reg = <0x10005000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 33];
+		nvmem-cells = <&eth3_addr>;
+		nvmem-cell-names = "mac-address";
 	};
 
 	eth@10004000 {
 		compatible = "sandbox,eth";
 		reg = <0x10004000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 22];
 	};
 
 	phy_eth0: phy-test-eth {
 		compatible = "sandbox,eth";
 		reg = <0x10007000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 77];
+		mac-address = [ 02 00 11 22 33 49 ];
 		phy-handle = <&ethphy1>;
 		phy-mode = "2500base-x";
 	};
@@ -556,7 +563,8 @@
 	dsa_eth0: dsa-test-eth {
 		compatible = "sandbox,eth";
 		reg = <0x10006000 0x1000>;
-		fake-host-hwaddr = [00 00 66 44 22 66];
+		nvmem-cells = <&eth4_addr>;
+		nvmem-cell-names = "mac-address";
 	};
 
 	dsa-test {
@@ -700,6 +708,8 @@
 		pinctrl-0 = <&pinmux_i2c0_pins>;
 
 		eeprom@2c {
+			#address-cells = <1>;
+			#size-cells = <1>;
 			reg = <0x2c>;
 			compatible = "i2c-eeprom";
 			sandbox,emul = <&emul_eeprom>;
@@ -711,12 +721,22 @@
 					reg = <10 2>;
 				};
 			};
+
+			eth3_addr: mac-address@24 {
+				reg = <24 6>;
+			};
 		};
 
 		rtc_0: rtc@43 {
+			#address-cells = <1>;
+			#size-cells = <1>;
 			reg = <0x43>;
 			compatible = "sandbox-rtc";
 			sandbox,emul = <&emul0>;
+
+			eth4_addr: mac-address@40 {
+				reg = <0x40 6>;
+			};
 		};
 
 		rtc_1: rtc@61 {
@@ -898,7 +918,13 @@
 	};
 
 	misc-test {
+		#address-cells = <1>;
+		#size-cells = <1>;
 		compatible = "sandbox,misc_sandbox";
+
+		eth5_addr: mac-address@10 {
+			reg = <0x10 6>;
+		};
 	};
 
 	mmc2 {
diff --git a/arch/sandbox/include/asm/fuzzing_engine.h b/arch/sandbox/include/asm/fuzzing_engine.h
new file mode 100644
index 0000000..cf63963
--- /dev/null
+++ b/arch/sandbox/include/asm/fuzzing_engine.h
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2022 Google, Inc.
+ * Written by Andrew Scull <ascull@google.com>
+ */
+
+#ifndef __ASM_FUZZING_ENGINE_H
+#define __ASM_FUZZING_ENGINE_H
+
+/** Function to get fuzzing engine input data. */
+/**
+ * sandbox_fuzzing_engine_get_input() - get an input from the sandbox fuzzing
+ * 					engine
+ *
+ * The function will return a pointer to the input data and the size of the
+ * data pointed to. The pointer will remain valid until the next invocation of
+ * this function.
+ *
+ * @data:	output pointer to input data
+ * @size	output size of input data
+ * Return:	0 if OK, -ve on error
+ */
+int sandbox_fuzzing_engine_get_input(const uint8_t **data, size_t *size);
+
+#endif /* __ASM_FUZZING_ENGINE_H */
diff --git a/arch/sandbox/include/asm/getopt.h b/arch/sandbox/include/asm/getopt.h
index d2145ad..df30572 100644
--- a/arch/sandbox/include/asm/getopt.h
+++ b/arch/sandbox/include/asm/getopt.h
@@ -44,7 +44,7 @@ struct sandbox_cmdline_option {
 		.callback = sandbox_cmdline_cb_##f, \
 	}; \
 	/* Ppointer to the struct in a special section for the linker script */ \
-	static __used __section(".u_boot_sandbox_getopt") \
+	static __used __section("_u_boot_sandbox_getopt") \
 		struct sandbox_cmdline_option \
 			*sandbox_cmdline_option_##f##_ptr = \
 			&sandbox_cmdline_option_##f
diff --git a/arch/sandbox/include/asm/main.h b/arch/sandbox/include/asm/main.h
new file mode 100644
index 0000000..7a2f0d3
--- /dev/null
+++ b/arch/sandbox/include/asm/main.h
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2022 Google, Inc.
+ * Written by Andrew Scull <ascull@google.com>
+ */
+
+#ifndef __ASM_SANDBOX_MAIN_H
+#define __ASM_SANDBOX_MAIN_H
+
+/**
+ * sandbox_main() - main entrypoint for sandbox
+ *
+ * @argc:	the number of arguments passed to the program
+ * @argv:	array of argc+1 pointers, of which the last one is null
+ */
+int sandbox_main(int argc, char *argv[]);
+
+#endif /* __ASM_SANDBOX_MAIN_H */
diff --git a/arch/sandbox/include/asm/sections.h b/arch/sandbox/include/asm/sections.h
index f4351ae..88837bb 100644
--- a/arch/sandbox/include/asm/sections.h
+++ b/arch/sandbox/include/asm/sections.h
@@ -17,7 +17,7 @@ static inline struct sandbox_cmdline_option **
 __u_boot_sandbox_option_start(void)
 {
 	static char start[0] __aligned(4) __attribute__((unused))
-		__section(".u_boot_sandbox_getopt_start");
+		__section("_u_boot_sandbox_getopt_start");
 
 	return (struct sandbox_cmdline_option **)&start;
 }
@@ -26,7 +26,7 @@ static inline struct sandbox_cmdline_option **
 __u_boot_sandbox_option_end(void)
 {
 	static char end[0] __aligned(4) __attribute__((unused))
-		__section(".u_boot_sandbox_getopt_end");
+		__section("_u_boot_sandbox_getopt_end");
 
 	return (struct sandbox_cmdline_option **)&end;
 }
diff --git a/arch/sandbox/include/asm/spl.h b/arch/sandbox/include/asm/spl.h
index d25dc7c..bf5a585 100644
--- a/arch/sandbox/include/asm/spl.h
+++ b/arch/sandbox/include/asm/spl.h
@@ -6,8 +6,6 @@
 #ifndef __asm_spl_h
 #define __asm_spl_h
 
-#define CONFIG_SPL_BOARD_LOAD_IMAGE
-
 enum {
 	BOOT_DEVICE_BOARD,
 };
diff --git a/arch/sandbox/lib/sections.c b/arch/sandbox/lib/sections.c
index 2559eee..2f2f3fb 100644
--- a/arch/sandbox/lib/sections.c
+++ b/arch/sandbox/lib/sections.c
@@ -5,9 +5,9 @@
  */
 #include <linux/compiler.h>
 
-char __efi_runtime_start[0] __section(".__efi_runtime_start");
-char __efi_runtime_stop[0] __section(".__efi_runtime_stop");
+char __efi_runtime_start[0] __section("___efi_runtime_start");
+char __efi_runtime_stop[0] __section("___efi_runtime_stop");
 char __efi_runtime_rel_start[0]
-		__section(".__efi_runtime_rel_start");
+		__section("___efi_runtime_rel_start");
 char __efi_runtime_rel_stop[0]
-		__section(".__efi_runtime_rel_stop");
+		__section("___efi_runtime_rel_stop");