aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.cirrus.yml2
-rw-r--r--.gitlab-ci.yml1
-rw-r--r--Makefile44
-rw-r--r--accel/dummy-cpus.c (renamed from accel/qtest/qtest-cpus.c)27
-rw-r--r--accel/meson.build8
-rw-r--r--accel/qtest/meson.build1
-rw-r--r--accel/qtest/qtest-cpus.h17
-rw-r--r--accel/qtest/qtest.c5
-rw-r--r--accel/xen/xen-all.c8
-rw-r--r--block/meson.build3
-rwxr-xr-xconfigure72
-rw-r--r--contrib/vhost-user-gpu/meson.build2
-rw-r--r--docs/devel/fuzzing.txt39
-rw-r--r--docs/devel/testing.rst4
-rw-r--r--docs/system/deprecated.rst23
-rw-r--r--docs/tools/virtiofsd.rst193
-rw-r--r--hw/core/machine.c36
-rw-r--r--hw/core/qdev-clock.c8
-rw-r--r--hw/misc/sifive_u_otp.c95
-rw-r--r--hw/riscv/boot.c56
-rw-r--r--hw/riscv/opentitan.c3
-rw-r--r--hw/riscv/sifive_e.c3
-rw-r--r--hw/riscv/sifive_u.c28
-rw-r--r--hw/riscv/spike.c11
-rw-r--r--hw/riscv/virt.c11
-rw-r--r--hw/s390x/s390-virtio-ccw.c1
-rw-r--r--hw/s390x/sclp.c5
-rw-r--r--hw/sd/sd.c27
-rw-r--r--hw/sd/trace-events2
-rw-r--r--include/exec/memory.h21
-rw-r--r--include/exec/memory_ldst_cached.h.inc3
-rw-r--r--include/hw/boards.h1
-rw-r--r--include/hw/intc/sifive_plic.h (renamed from hw/intc/sifive_plic.h)0
-rw-r--r--include/hw/misc/sifive_u_otp.h5
-rw-r--r--include/hw/riscv/boot.h13
-rw-r--r--include/hw/riscv/sifive_u.h1
-rw-r--r--include/migration/vmstate.h13
-rw-r--r--include/standard-headers/linux/fuse.h11
-rw-r--r--include/sysemu/cpus.h3
-rw-r--r--memory_ldst.c.inc4
-rw-r--r--meson.build179
-rw-r--r--meson_options.txt6
-rw-r--r--migration/block-dirty-bitmap.c26
-rw-r--r--migration/block.c40
-rw-r--r--migration/migration.c69
-rw-r--r--migration/migration.h24
-rw-r--r--migration/page_cache.c13
-rw-r--r--migration/postcopy-ram.c27
-rw-r--r--migration/ram.c14
-rw-r--r--migration/rdma.c7
-rw-r--r--migration/savevm.c61
-rw-r--r--migration/trace-events16
-rw-r--r--migration/vmstate-types.c26
-rw-r--r--migration/vmstate.c10
-rw-r--r--net/meson.build3
-rw-r--r--pc-bios/descriptors/meson.build4
-rw-r--r--pc-bios/meson.build15
-rw-r--r--qemu-options.hx11
-rw-r--r--replay/meson.build4
-rw-r--r--replay/stubs-system.c96
-rwxr-xr-xscripts/oss-fuzz/build.sh14
-rwxr-xr-xscripts/oss-fuzz/minimize_qtest_trace.py157
-rwxr-xr-xscripts/oss-fuzz/reorder_fuzzer_qtest_trace.py103
-rwxr-xr-x[-rw-r--r--]scripts/tracetool.py0
-rw-r--r--scripts/undefsym.py11
-rw-r--r--softmmu/memory.c27
-rw-r--r--softmmu/physmem.c2
-rw-r--r--softmmu/vl.c16
-rw-r--r--stubs/meson.build4
-rw-r--r--stubs/replay-tools.c83
-rw-r--r--stubs/replay-user.c9
-rw-r--r--stubs/replay.c78
-rw-r--r--target/riscv/cpu.h10
-rw-r--r--target/riscv/cpu_helper.c50
-rw-r--r--target/riscv/op_helper.c7
-rw-r--r--target/s390x/cpu_features.c5
-rw-r--r--target/s390x/cpu_features.h4
-rw-r--r--target/s390x/cpu_models.c4
-rw-r--r--target/s390x/kvm.c3
-rw-r--r--tests/acceptance/boot_linux.py30
-rw-r--r--tests/acceptance/boot_linux_console.py24
-rw-r--r--tests/acceptance/machine_m68k_nextcube.py7
-rw-r--r--tests/acceptance/ppc_prep_40p.py4
-rw-r--r--tests/acceptance/virtiofs_submounts.py289
-rw-r--r--tests/acceptance/virtiofs_submounts.py.data/cleanup.sh46
-rw-r--r--tests/acceptance/virtiofs_submounts.py.data/guest-cleanup.sh30
-rw-r--r--tests/acceptance/virtiofs_submounts.py.data/guest.sh138
-rw-r--r--tests/acceptance/virtiofs_submounts.py.data/host.sh127
-rw-r--r--tests/docker/dockerfiles/centos8.docker1
-rw-r--r--tests/docker/dockerfiles/debian-amd64.docker3
-rw-r--r--tests/docker/dockerfiles/fedora.docker1
-rw-r--r--tests/docker/dockerfiles/ubuntu2004.docker1
-rw-r--r--tests/fp/meson.build6
-rw-r--r--tests/ptimer-test-stubs.c5
-rw-r--r--tests/qtest/bios-tables-test.c10
-rw-r--r--tests/qtest/fuzz/fuzz.c13
-rw-r--r--tests/qtest/fuzz/fuzz.h28
-rw-r--r--tests/qtest/fuzz/generic_fuzz.c954
-rw-r--r--tests/qtest/fuzz/generic_fuzz_configs.h121
-rw-r--r--tests/qtest/fuzz/meson.build1
-rw-r--r--tests/qtest/libqtest.c22
-rw-r--r--tests/qtest/meson.build5
-rw-r--r--tests/qtest/migration-helpers.c16
-rw-r--r--tests/qtest/migration-test.c6
-rw-r--r--tests/qtest/qmp-cmd-test.c3
-rw-r--r--tools/meson.build17
-rw-r--r--tools/virtiofsd/fuse_common.h8
-rw-r--r--tools/virtiofsd/fuse_lowlevel.c34
-rw-r--r--tools/virtiofsd/fuse_lowlevel.h20
-rw-r--r--tools/virtiofsd/helper.c9
-rw-r--r--tools/virtiofsd/meson.build2
-rw-r--r--tools/virtiofsd/passthrough_ll.c622
-rw-r--r--trace/control.c6
-rw-r--r--ui/icons/meson.build6
-rw-r--r--ui/meson.build2
-rw-r--r--util/cutils.c2
-rw-r--r--version.texi.in2
117 files changed, 4035 insertions, 634 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 81a2960..900437d 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -40,7 +40,7 @@ macos_xcode_task:
script:
- mkdir build
- cd build
- - ../configure --extra-cflags='-Wno-error=deprecated-declarations'
+ - ../configure --extra-cflags='-Wno-error=deprecated-declarations' --enable-modules
--enable-werror --cc=clang || { cat config.log meson-logs/meson-log.txt; exit 1; }
- gmake -j$(sysctl -n hw.ncpu)
- gmake check V=1
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 66ad7aa..5d6773e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -66,6 +66,7 @@ include:
- if [ -d ${CI_PROJECT_DIR}/avocado-cache ]; then
du -chs ${CI_PROJECT_DIR}/avocado-cache ;
fi
+ - export AVOCADO_ALLOW_UNTRUSTED_CODE=1
after_script:
- cd build
- python3 -c 'import json; r = json.load(open("tests/results/latest/results.json")); [print(t["logfile"]) for t in r["tests"] if t["status"] not in ("PASS", "SKIP", "CANCEL")]' | xargs cat
diff --git a/Makefile b/Makefile
index 18f026e..4d1fa8b 100644
--- a/Makefile
+++ b/Makefile
@@ -92,39 +92,58 @@ endif
ifeq ($(NINJA),)
.PHONY: config-host.mak
x := $(shell rm -rf meson-private meson-info meson-logs)
+else
+export NINJA
endif
ifeq ($(wildcard build.ninja),)
.PHONY: config-host.mak
x := $(shell rm -rf meson-private meson-info meson-logs)
endif
+ifeq ($(origin prefix),file)
+.PHONY: config-host.mak
+x := $(shell rm -rf meson-private meson-info meson-logs)
+endif
# 1. ensure config-host.mak is up-to-date
config-host.mak: $(SRC_PATH)/configure $(SRC_PATH)/pc-bios $(SRC_PATH)/VERSION
- @echo $@ is out-of-date, running configure
+ @echo config-host.mak is out-of-date, running configure
@if test -f meson-private/coredata.dat; then \
./config.status --skip-meson; \
else \
- ./config.status; \
+ ./config.status && touch build.ninja.stamp; \
fi
-# 2. ensure generated build files are up-to-date
+# 2. meson.stamp exists if meson has run at least once (so ninja reconfigure
+# works), but otherwise never needs to be updated
+meson-private/coredata.dat: meson.stamp
+meson.stamp: config-host.mak
+ @touch meson.stamp
+
+# 3. ensure generated build files are up-to-date
ifneq ($(NINJA),)
-# A separate rule is needed for Makefile dependencies to avoid -n
-export NINJA
Makefile.ninja: build.ninja
- $(quiet-@){ echo 'ninja-targets = \'; $(NINJA) -t targets all | sed 's/:.*//; $$!s/$$/ \\/'; } > $@
+ $(quiet-@){ \
+ echo 'ninja-targets = \'; \
+ $(NINJA) -t targets all | sed 's/:.*//; $$!s/$$/ \\/'; \
+ echo 'build-files = \'; \
+ $(NINJA) -t query build.ninja | sed -n '1,/^ input:/d; /^ outputs:/q; s/$$/ \\/p'; \
+ } > $@.tmp && mv $@.tmp $@
-include Makefile.ninja
+
+# A separate rule is needed for Makefile dependencies to avoid -n
+build.ninja: build.ninja.stamp
+build.ninja.stamp: meson.stamp $(build-files)
+ $(NINJA) $(if $V,-v,) build.ninja && touch $@
endif
ifneq ($(MESON),)
-# The dependency on config-host.mak ensures that meson has run
-Makefile.mtest: build.ninja scripts/mtest2make.py config-host.mak
+Makefile.mtest: build.ninja scripts/mtest2make.py
$(MESON) introspect --targets --tests --benchmarks | $(PYTHON) scripts/mtest2make.py > $@
-include Makefile.mtest
endif
-# 3. Rules to bridge to other makefiles
+# 4. Rules to bridge to other makefiles
ifneq ($(NINJA),)
NINJAFLAGS = $(if $V,-v,) \
@@ -135,7 +154,10 @@ ninja-cmd-goals = $(or $(MAKECMDGOALS), all)
ninja-cmd-goals += $(foreach t, $(.tests), $(.test.deps.$t))
makefile-targets := build.ninja ctags TAGS cscope dist clean uninstall
-ninja-targets := $(filter-out $(makefile-targets), $(ninja-targets))
+# "ninja -t targets" also lists all prerequisites. If build system
+# files are marked as PHONY, however, Make will always try to execute
+# "ninja build.ninja".
+ninja-targets := $(filter-out $(build-files) $(makefile-targets), $(ninja-targets))
.PHONY: $(ninja-targets) run-ninja
$(ninja-targets): run-ninja
@@ -214,7 +236,7 @@ distclean: clean
rm -f qemu-plugins-ld.symbols qemu-plugins-ld64.symbols
rm -f *-config-target.h *-config-devices.mak *-config-devices.h
rm -rf meson-private meson-logs meson-info compile_commands.json
- rm -f Makefile.ninja Makefile.mtest
+ rm -f Makefile.ninja Makefile.mtest build.ninja.stamp meson.stamp
rm -f config.log
rm -f linux-headers/asm
rm -Rf .sdk
diff --git a/accel/qtest/qtest-cpus.c b/accel/dummy-cpus.c
index 7c5399e..10429fd 100644
--- a/accel/qtest/qtest-cpus.c
+++ b/accel/dummy-cpus.c
@@ -1,5 +1,5 @@
/*
- * QTest accelerator code
+ * Dummy cpu thread code
*
* Copyright IBM, Corp. 2011
*
@@ -13,26 +13,13 @@
#include "qemu/osdep.h"
#include "qemu/rcu.h"
-#include "qapi/error.h"
-#include "qemu/module.h"
-#include "qemu/option.h"
-#include "qemu/config-file.h"
-#include "sysemu/accel.h"
-#include "sysemu/qtest.h"
#include "sysemu/cpus.h"
-#include "sysemu/cpu-timers.h"
#include "qemu/guest-random.h"
#include "qemu/main-loop.h"
#include "hw/core/cpu.h"
-#include "qtest-cpus.h"
-
-static void *qtest_cpu_thread_fn(void *arg)
+static void *dummy_cpu_thread_fn(void *arg)
{
-#ifdef _WIN32
- error_report("qtest is not supported under Windows");
- exit(1);
-#else
CPUState *cpu = arg;
sigset_t waitset;
int r;
@@ -69,10 +56,9 @@ static void *qtest_cpu_thread_fn(void *arg)
qemu_mutex_unlock_iothread();
rcu_unregister_thread();
return NULL;
-#endif
}
-static void qtest_start_vcpu_thread(CPUState *cpu)
+void dummy_start_vcpu_thread(CPUState *cpu)
{
char thread_name[VCPU_THREAD_NAME_SIZE];
@@ -81,11 +67,6 @@ static void qtest_start_vcpu_thread(CPUState *cpu)
qemu_cond_init(cpu->halt_cond);
snprintf(thread_name, VCPU_THREAD_NAME_SIZE, "CPU %d/DUMMY",
cpu->cpu_index);
- qemu_thread_create(cpu->thread, thread_name, qtest_cpu_thread_fn, cpu,
+ qemu_thread_create(cpu->thread, thread_name, dummy_cpu_thread_fn, cpu,
QEMU_THREAD_JOINABLE);
}
-
-const CpusAccel qtest_cpus = {
- .create_vcpu_thread = qtest_start_vcpu_thread,
- .get_virtual_clock = qtest_get_virtual_clock,
-};
diff --git a/accel/meson.build b/accel/meson.build
index bb00d0f..b26cca2 100644
--- a/accel/meson.build
+++ b/accel/meson.build
@@ -5,3 +5,11 @@ subdir('kvm')
subdir('tcg')
subdir('xen')
subdir('stubs')
+
+dummy_ss = ss.source_set()
+dummy_ss.add(files(
+ 'dummy-cpus.c',
+))
+
+specific_ss.add_all(when: ['CONFIG_SOFTMMU', 'CONFIG_POSIX'], if_true: dummy_ss)
+specific_ss.add_all(when: ['CONFIG_XEN'], if_true: dummy_ss)
diff --git a/accel/qtest/meson.build b/accel/qtest/meson.build
index e477cb2..a2f3276 100644
--- a/accel/qtest/meson.build
+++ b/accel/qtest/meson.build
@@ -1,7 +1,6 @@
qtest_ss = ss.source_set()
qtest_ss.add(files(
'qtest.c',
- 'qtest-cpus.c',
))
specific_ss.add_all(when: ['CONFIG_SOFTMMU', 'CONFIG_POSIX'], if_true: qtest_ss)
diff --git a/accel/qtest/qtest-cpus.h b/accel/qtest/qtest-cpus.h
deleted file mode 100644
index 739519a..0000000
--- a/accel/qtest/qtest-cpus.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Accelerator CPUS Interface
- *
- * Copyright 2020 SUSE LLC
- *
- * This work is licensed under the terms of the GNU GPL, version 2 or later.
- * See the COPYING file in the top-level directory.
- */
-
-#ifndef QTEST_CPUS_H
-#define QTEST_CPUS_H
-
-#include "sysemu/cpus.h"
-
-extern const CpusAccel qtest_cpus;
-
-#endif /* QTEST_CPUS_H */
diff --git a/accel/qtest/qtest.c b/accel/qtest/qtest.c
index 537e8b4..b282cea 100644
--- a/accel/qtest/qtest.c
+++ b/accel/qtest/qtest.c
@@ -25,7 +25,10 @@
#include "qemu/main-loop.h"
#include "hw/core/cpu.h"
-#include "qtest-cpus.h"
+const CpusAccel qtest_cpus = {
+ .create_vcpu_thread = dummy_start_vcpu_thread,
+ .get_virtual_clock = qtest_get_virtual_clock,
+};
static int qtest_init_accel(MachineState *ms)
{
diff --git a/accel/xen/xen-all.c b/accel/xen/xen-all.c
index 60b971d..878a408 100644
--- a/accel/xen/xen-all.c
+++ b/accel/xen/xen-all.c
@@ -16,6 +16,7 @@
#include "hw/xen/xen_pt.h"
#include "chardev/char.h"
#include "sysemu/accel.h"
+#include "sysemu/cpus.h"
#include "sysemu/xen.h"
#include "sysemu/runstate.h"
#include "migration/misc.h"
@@ -153,6 +154,10 @@ static void xen_setup_post(MachineState *ms, AccelState *accel)
}
}
+const CpusAccel xen_cpus = {
+ .create_vcpu_thread = dummy_start_vcpu_thread,
+};
+
static int xen_init(MachineState *ms)
{
MachineClass *mc = MACHINE_GET_CLASS(ms);
@@ -180,6 +185,9 @@ static int xen_init(MachineState *ms)
* opt out of system RAM being allocated by generic code
*/
mc->default_ram_id = NULL;
+
+ cpus_register_accel(&xen_cpus);
+
return 0;
}
diff --git a/block/meson.build b/block/meson.build
index 78e8b25..5dcc1e5 100644
--- a/block/meson.build
+++ b/block/meson.build
@@ -7,7 +7,6 @@ block_ss.add(files(
'backup-top.c',
'blkdebug.c',
'blklogwrites.c',
- 'blkreplay.c',
'blkverify.c',
'block-backend.c',
'block-copy.c',
@@ -42,6 +41,8 @@ block_ss.add(files(
'write-threshold.c',
), zstd, zlib)
+softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('blkreplay.c'))
+
block_ss.add(when: 'CONFIG_QCOW1', if_true: files('qcow.c'))
block_ss.add(when: 'CONFIG_VDI', if_true: files('vdi.c'))
block_ss.add(when: 'CONFIG_CLOOP', if_true: files('cloop.c'))
diff --git a/configure b/configure
index e6754c1..83610b0 100755
--- a/configure
+++ b/configure
@@ -302,6 +302,7 @@ fdt="auto"
netmap="no"
sdl="auto"
sdl_image="auto"
+virtiofsd="auto"
virtfs=""
libudev="auto"
mpath="auto"
@@ -362,8 +363,7 @@ cocoa="auto"
softmmu="yes"
linux_user="no"
bsd_user="no"
-blobs="yes"
-edk2_blobs="no"
+blobs="true"
pkgversion=""
pie=""
qom_cast_debug="yes"
@@ -962,6 +962,8 @@ for opt do
;;
--docdir=*) docdir="$optarg"
;;
+ --localedir=*) localedir="$optarg"
+ ;;
--sysconfdir=*) sysconfdir="$optarg"
;;
--localstatedir=*) local_statedir="$optarg"
@@ -971,7 +973,7 @@ for opt do
--host=*|--build=*|\
--disable-dependency-tracking|\
--sbindir=*|--sharedstatedir=*|\
- --oldincludedir=*|--datarootdir=*|--infodir=*|--localedir=*|\
+ --oldincludedir=*|--datarootdir=*|--infodir=*|\
--htmldir=*|--dvidir=*|--pdfdir=*|--psdir=*)
# These switches are silently ignored, for compatibility with
# autoconf-generated configure scripts. This allows QEMU's
@@ -998,6 +1000,10 @@ for opt do
;;
--enable-libudev) libudev="enabled"
;;
+ --disable-virtiofsd) virtiofsd="disabled"
+ ;;
+ --enable-virtiofsd) virtiofsd="enabled"
+ ;;
--disable-mpath) mpath="disabled"
;;
--enable-mpath) mpath="enabled"
@@ -1203,7 +1209,7 @@ for opt do
;;
--enable-membarrier) membarrier="yes"
;;
- --disable-blobs) blobs="no"
+ --disable-blobs) blobs="false"
;;
--with-pkgversion=*) pkgversion="$optarg"
;;
@@ -1521,7 +1527,6 @@ for opt do
esac
done
-firmwarepath="${firmwarepath:-$prefix/share/qemu-firmware}"
libdir="${libdir:-$prefix/lib}"
libexecdir="${libexecdir:-$prefix/libexec}"
includedir="${includedir:-$prefix/include}"
@@ -1532,7 +1537,7 @@ if test "$mingw32" = "yes" ; then
docdir="$prefix"
bindir="$prefix"
sysconfdir="$prefix"
- local_statedir=
+ local_statedir="$prefix"
else
mandir="${mandir:-$prefix/share/man}"
datadir="${datadir:-$prefix/share}"
@@ -1541,6 +1546,8 @@ else
sysconfdir="${sysconfdir:-$prefix/etc}"
local_statedir="${local_statedir:-$prefix/var}"
fi
+firmwarepath="${firmwarepath:-$datadir/qemu-firmware}"
+localedir="${localedir:-$datadir/locale}"
case "$cpu" in
ppc)
@@ -1670,6 +1677,7 @@ Advanced options (experts only):
--static enable static build [$static]
--mandir=PATH install man pages in PATH
--datadir=PATH install firmware in PATH/$qemu_suffix
+ --localedir=PATH install translation in PATH/$qemu_suffix
--docdir=PATH install documentation in PATH/$qemu_suffix
--bindir=PATH install binaries in PATH
--libdir=PATH install libraries in PATH
@@ -1755,6 +1763,7 @@ disabled with --disable-FEATURE, default is enabled if available:
vnc-png PNG compression for VNC server
cocoa Cocoa UI (Mac OS X only)
virtfs VirtFS
+ virtiofsd build virtiofs daemon (virtiofsd)
libudev Use libudev to enumerate host devices
mpath Multipath persistent reservation passthrough
xen xen backend driver support
@@ -2217,18 +2226,6 @@ case " $target_list " in
;;
esac
-for target in $target_list; do
- case "$target" in
- arm-softmmu | aarch64-softmmu | i386-softmmu | x86_64-softmmu)
- edk2_blobs="yes"
- ;;
- esac
-done
-# The EDK2 binaries are compressed with bzip2
-if test "$edk2_blobs" = "yes" && ! has bzip2; then
- error_exit "The bzip2 program is required for building QEMU"
-fi
-
feature_not_found() {
feature=$1
remedy=$2
@@ -3608,7 +3605,6 @@ else
if test "$found" = "no"; then
LIBS="$pthread_lib $LIBS"
fi
- PTHREAD_LIB="$pthread_lib"
break
fi
done
@@ -5725,13 +5721,6 @@ if test "$mingw32" = "yes" ; then
done
fi
-qemu_confdir="$sysconfdir/$qemu_suffix"
-qemu_moddir="$libdir/$qemu_suffix"
-qemu_datadir="$datadir/$qemu_suffix"
-qemu_localedir="$datadir/locale"
-qemu_icondir="$datadir/icons"
-qemu_desktopdir="$datadir/applications"
-
# We can only support ivshmem if we have eventfd
if [ "$eventfd" = "yes" ]; then
ivshmem=yes
@@ -5898,23 +5887,6 @@ echo "# Automatically generated by configure - do not modify" > $config_host_mak
echo >> $config_host_mak
echo all: >> $config_host_mak
-echo "prefix=$prefix" >> $config_host_mak
-echo "bindir=$bindir" >> $config_host_mak
-echo "libdir=$libdir" >> $config_host_mak
-echo "libexecdir=$libexecdir" >> $config_host_mak
-echo "includedir=$includedir" >> $config_host_mak
-echo "sysconfdir=$sysconfdir" >> $config_host_mak
-echo "qemu_confdir=$qemu_confdir" >> $config_host_mak
-echo "qemu_datadir=$qemu_datadir" >> $config_host_mak
-echo "qemu_firmwarepath=$firmwarepath" >> $config_host_mak
-echo "qemu_moddir=$qemu_moddir" >> $config_host_mak
-if test "$mingw32" = "no" ; then
- echo "qemu_localstatedir=$local_statedir" >> $config_host_mak
-fi
-echo "qemu_helperdir=$libexecdir" >> $config_host_mak
-echo "qemu_localedir=$qemu_localedir" >> $config_host_mak
-echo "qemu_icondir=$qemu_icondir" >> $config_host_mak
-echo "qemu_desktopdir=$qemu_desktopdir" >> $config_host_mak
echo "GIT=$git" >> $config_host_mak
echo "GIT_SUBMODULES=$git_submodules" >> $config_host_mak
echo "GIT_UPDATE=$git_update" >> $config_host_mak
@@ -6297,9 +6269,6 @@ fi
if test "$vhost_user_fs" = "yes" ; then
echo "CONFIG_VHOST_USER_FS=y" >> $config_host_mak
fi
-if test "$blobs" = "yes" ; then
- echo "INSTALL_BLOBS=yes" >> $config_host_mak
-fi
if test "$iovec" = "yes" ; then
echo "CONFIG_IOVEC=y" >> $config_host_mak
fi
@@ -6762,7 +6731,6 @@ echo "GLIB_LIBS=$glib_libs" >> $config_host_mak
echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
echo "LDFLAGS_NOPIE=$LDFLAGS_NOPIE" >> $config_host_mak
echo "LD_I386_EMULATION=$ld_i386_emulation" >> $config_host_mak
-echo "PTHREAD_LIB=$PTHREAD_LIB" >> $config_host_mak
echo "EXESUF=$EXESUF" >> $config_host_mak
echo "HOST_DSOSUF=$HOST_DSOSUF" >> $config_host_mak
echo "LIBS_QGA=$libs_qga" >> $config_host_mak
@@ -6777,10 +6745,6 @@ if test "$fuzzing" != "no"; then
fi
echo "FUZZ_EXE_LDFLAGS=$FUZZ_EXE_LDFLAGS" >> $config_host_mak
-if test "$edk2_blobs" = "yes" ; then
- echo "DECOMPRESS_EDK2_BLOBS=y" >> $config_host_mak
-fi
-
if test "$rng_none" = "yes"; then
echo "CONFIG_RNG_NONE=y" >> $config_host_mak
fi
@@ -6997,8 +6961,10 @@ NINJA=$ninja $meson setup \
--datadir "$datadir" \
--mandir "$mandir" \
--sysconfdir "$sysconfdir" \
+ --localedir "$localedir" \
--localstatedir "$local_statedir" \
-Ddocdir="$docdir" \
+ -Dqemu_firmwarepath="$firmwarepath" \
-Dqemu_suffix="$qemu_suffix" \
-Doptimization=$(if test "$debug" = yes; then echo 0; else echo 2; fi) \
-Ddebug=$(if test "$debug_info" = yes; then echo true; else echo false; fi) \
@@ -7012,10 +6978,10 @@ NINJA=$ninja $meson setup \
-Dxen=$xen -Dxen_pci_passthrough=$xen_pci_passthrough -Dtcg=$tcg \
-Dcocoa=$cocoa -Dmpath=$mpath -Dsdl=$sdl -Dsdl_image=$sdl_image \
-Dvnc=$vnc -Dvnc_sasl=$vnc_sasl -Dvnc_jpeg=$vnc_jpeg -Dvnc_png=$vnc_png \
- -Dgettext=$gettext -Dxkbcommon=$xkbcommon -Du2f=$u2f \
+ -Dgettext=$gettext -Dxkbcommon=$xkbcommon -Du2f=$u2f -Dvirtiofsd=$virtiofsd \
-Dcapstone=$capstone -Dslirp=$slirp -Dfdt=$fdt \
-Diconv=$iconv -Dcurses=$curses -Dlibudev=$libudev\
- -Ddocs=$docs -Dsphinx_build=$sphinx_build \
+ -Ddocs=$docs -Dsphinx_build=$sphinx_build -Dinstall_blobs=$blobs \
$cross_arg \
"$PWD" "$source_path"
diff --git a/contrib/vhost-user-gpu/meson.build b/contrib/vhost-user-gpu/meson.build
index 7d9b29d..37ecca1 100644
--- a/contrib/vhost-user-gpu/meson.build
+++ b/contrib/vhost-user-gpu/meson.build
@@ -9,6 +9,6 @@ if 'CONFIG_TOOLS' in config_host and 'CONFIG_VIRGL' in config_host \
configure_file(input: '50-qemu-gpu.json.in',
output: '50-qemu-gpu.json',
- configuration: config_host,
+ configuration: { 'libexecdir' : get_option('libexecdir') },
install_dir: qemu_datadir / 'vhost-user')
endif
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
index 96d71c9..03585c1 100644
--- a/docs/devel/fuzzing.txt
+++ b/docs/devel/fuzzing.txt
@@ -125,6 +125,45 @@ provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly the
fuzzer loops over the byte-array interpreting it as a list of qtest commands,
addresses, or values.
+== The Generic Fuzzer ==
+Writing a fuzz target can be a lot of effort (especially if a device driver has
+not be built-out within libqos). Many devices can be fuzzed to some degree,
+without any device-specific code, using the generic-fuzz target.
+
+The generic-fuzz target is capable of fuzzing devices over their PIO, MMIO,
+and DMA input-spaces. To apply the generic-fuzz to a device, we need to define
+two env-variables, at minimum:
+
+QEMU_FUZZ_ARGS= is the set of QEMU arguments used to configure a machine, with
+the device attached. For example, if we want to fuzz the virtio-net device
+attached to a pc-i440fx machine, we can specify:
+QEMU_FUZZ_ARGS="-M pc -nodefaults -netdev user,id=user0 \
+ -device virtio-net,netdev=user0"
+
+QEMU_FUZZ_OBJECTS= is a set of space-delimited strings used to identify the
+MemoryRegions that will be fuzzed. These strings are compared against
+MemoryRegion names and MemoryRegion owner names, to decide whether each
+MemoryRegion should be fuzzed. These strings support globbing. For the
+virtio-net example, we could use QEMU_FUZZ_OBJECTS=
+ * 'virtio-net'
+ * 'virtio*'
+ * 'virtio* pcspk' (Fuzz the virtio devices and the PC speaker...)
+ * '*' (Fuzz the whole machine)
+
+The "info mtree" and "info qom-tree" monitor commands can be especially useful
+for identifying the MemoryRegion and Object names used for matching.
+
+As a generic rule-of-thumb, the more MemoryRegions/Devices we match, the greater
+the input-space, and the smaller the probability of finding crashing inputs for
+individual devices. As such, it is usually a good idea to limit the fuzzer to
+only a few MemoryRegions.
+
+To ensure that these env variables have been configured correctly, we can use:
+
+./qemu-fuzz-i386 --fuzz-target=generic-fuzz -runs=0
+
+The output should contain a complete list of matched MemoryRegions.
+
= Implementation Details =
== The Fuzzer's Lifecycle ==
diff --git a/docs/devel/testing.rst b/docs/devel/testing.rst
index 0c3e79d..0aa7a13 100644
--- a/docs/devel/testing.rst
+++ b/docs/devel/testing.rst
@@ -654,7 +654,7 @@ To manually install Avocado and its dependencies, run:
Alternatively, follow the instructions on this link:
- http://avocado-framework.readthedocs.io/en/latest/GetStartedGuide.html#installing-avocado
+ https://avocado-framework.readthedocs.io/en/latest/guides/user/chapters/installing.html
Overview
--------
@@ -837,7 +837,7 @@ Parameter reference
To understand how Avocado parameters are accessed by tests, and how
they can be passed to tests, please refer to::
- http://avocado-framework.readthedocs.io/en/latest/WritingTests.html#accessing-test-parameters
+ https://avocado-framework.readthedocs.io/en/latest/guides/writer/chapters/writing.html#accessing-test-parameters
Parameter values can be easily seen in the log files, and will look
like the following:
diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 905628f..0ebce37 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -21,17 +21,6 @@ deprecated.
System emulator command line arguments
--------------------------------------
-``-machine enforce-config-section=on|off`` (since 3.1)
-''''''''''''''''''''''''''''''''''''''''''''''''''''''
-
-The ``enforce-config-section`` parameter is replaced by the
-``-global migration.send-configuration={on|off}`` option.
-
-``-no-kvm`` (since 1.3.0)
-'''''''''''''''''''''''''
-
-The ``-no-kvm`` argument is now a synonym for setting ``-accel tcg``.
-
``-usbdevice`` (since 2.10.0)
'''''''''''''''''''''''''''''
@@ -504,6 +493,12 @@ System emulator command line arguments
The ``name`` parameter of the ``-net`` option was a synonym
for the ``id`` parameter, which should now be used instead.
+``-no-kvm`` (removed in 5.2)
+''''''''''''''''''''''''''''
+
+The ``-no-kvm`` argument was a synonym for setting ``-machine accel=tcg``.
+
+
QEMU Machine Protocol (QMP) commands
------------------------------------
@@ -688,6 +683,12 @@ Support for invalid topologies is removed, the user must ensure
topologies described with -smp include all possible cpus, i.e.
*sockets* * *cores* * *threads* = *maxcpus*.
+``-machine enforce-config-section=on|off`` (removed 5.2)
+''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+The ``enforce-config-section`` property was replaced by the
+``-global migration.send-configuration={on|off}`` option.
+
Block devices
-------------
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
index 7ecee49..34a9e40 100644
--- a/docs/tools/virtiofsd.rst
+++ b/docs/tools/virtiofsd.rst
@@ -17,13 +17,24 @@ This program is designed to work with QEMU's ``--device vhost-user-fs-pci``
but should work with any virtual machine monitor (VMM) that supports
vhost-user. See the Examples section below.
-This program must be run as the root user. Upon startup the program will
-switch into a new file system namespace with the shared directory tree as its
-root. This prevents "file system escapes" due to symlinks and other file
-system objects that might lead to files outside the shared directory. The
-program also sandboxes itself using seccomp(2) to prevent ptrace(2) and other
-vectors that could allow an attacker to compromise the system after gaining
-control of the virtiofsd process.
+This program must be run as the root user. The program drops privileges where
+possible during startup although it must be able to create and access files
+with any uid/gid:
+
+* The ability to invoke syscalls is limited using seccomp(2).
+* Linux capabilities(7) are dropped.
+
+In "namespace" sandbox mode the program switches into a new file system
+namespace and invokes pivot_root(2) to make the shared directory tree its root.
+A new pid and net namespace is also created to isolate the process.
+
+In "chroot" sandbox mode the program invokes chroot(2) to make the shared
+directory tree its root. This mode is intended for container environments where
+the container runtime has already set up the namespaces and the program does
+not have permission to create namespaces itself.
+
+Both sandbox modes prevent "file system escapes" due to symlinks and other file
+system objects that might lead to files outside the shared directory.
Options
-------
@@ -69,6 +80,13 @@ Options
* readdirplus|no_readdirplus -
Enable/disable readdirplus. The default is ``readdirplus``.
+ * sandbox=namespace|chroot -
+ Sandbox mode:
+ - namespace: Create mount, pid, and net namespaces and pivot_root(2) into
+ the shared directory.
+ - chroot: chroot(2) into shared directory (use in containers).
+ The default is "namespace".
+
* source=PATH -
Share host directory tree located at PATH. This option is required.
@@ -109,6 +127,167 @@ Options
timeout. ``always`` sets a long cache lifetime at the expense of coherency.
The default is ``auto``.
+xattr-mapping
+-------------
+
+By default the name of xattr's used by the client are passed through to the server
+file system. This can be a problem where either those xattr names are used
+by something on the server (e.g. selinux client/server confusion) or if the
+virtiofsd is running in a container with restricted privileges where it cannot
+access some attributes.
+
+A mapping of xattr names can be made using -o xattrmap=mapping where the ``mapping``
+string consists of a series of rules.
+
+The first matching rule terminates the mapping.
+The set of rules must include a terminating rule to match any remaining attributes
+at the end.
+
+Each rule consists of a number of fields separated with a separator that is the
+first non-white space character in the rule. This separator must then be used
+for the whole rule.
+White space may be added before and after each rule.
+
+Using ':' as the separator a rule is of the form:
+
+``:type:scope:key:prepend:``
+
+**scope** is:
+
+- 'client' - match 'key' against a xattr name from the client for
+ setxattr/getxattr/removexattr
+- 'server' - match 'prepend' against a xattr name from the server
+ for listxattr
+- 'all' - can be used to make a single rule where both the server
+ and client matches are triggered.
+
+**type** is one of:
+
+- 'prefix' - is designed to prepend and strip a prefix; the modified
+ attributes then being passed on to the client/server.
+
+- 'ok' - Causes the rule set to be terminated when a match is found
+ while allowing matching xattr's through unchanged.
+ It is intended both as a way of explicitly terminating
+ the list of rules, and to allow some xattr's to skip following rules.
+
+- 'bad' - If a client tries to use a name matching 'key' it's
+ denied using EPERM; when the server passes an attribute
+ name matching 'prepend' it's hidden. In many ways it's use is very like
+ 'ok' as either an explict terminator or for special handling of certain
+ patterns.
+
+**key** is a string tested as a prefix on an attribute name originating
+on the client. It maybe empty in which case a 'client' rule
+will always match on client names.
+
+**prepend** is a string tested as a prefix on an attribute name originating
+on the server, and used as a new prefix. It may be empty
+in which case a 'server' rule will always match on all names from
+the server.
+
+e.g.:
+
+ ``:prefix:client:trusted.:user.virtiofs.:``
+
+ will match 'trusted.' attributes in client calls and prefix them before
+ passing them to the server.
+
+ ``:prefix:server::user.virtiofs.:``
+
+ will strip 'user.virtiofs.' from all server replies.
+
+ ``:prefix:all:trusted.:user.virtiofs.:``
+
+ combines the previous two cases into a single rule.
+
+ ``:ok:client:user.::``
+
+ will allow get/set xattr for 'user.' xattr's and ignore
+ following rules.
+
+ ``:ok:server::security.:``
+
+ will pass 'securty.' xattr's in listxattr from the server
+ and ignore following rules.
+
+ ``:ok:all:::``
+
+ will terminate the rule search passing any remaining attributes
+ in both directions.
+
+ ``:bad:server::security.:``
+
+ would hide 'security.' xattr's in listxattr from the server.
+
+A simpler 'map' type provides a shorter syntax for the common case:
+
+``:map:key:prepend:``
+
+The 'map' type adds a number of separate rules to add **prepend** as a prefix
+to the matched **key** (or all attributes if **key** is empty).
+There may be at most one 'map' rule and it must be the last rule in the set.
+
+xattr-mapping Examples
+----------------------
+
+1) Prefix all attributes with 'user.virtiofs.'
+
+::
+
+-o xattrmap=":prefix:all::user.virtiofs.::bad:all:::"
+
+
+This uses two rules, using : as the field separator;
+the first rule prefixes and strips 'user.virtiofs.',
+the second rule hides any non-prefixed attributes that
+the host set.
+
+This is equivalent to the 'map' rule:
+
+::
+-o xattrmap=":map::user.virtiofs.:"
+
+2) Prefix 'trusted.' attributes, allow others through
+
+::
+
+ "/prefix/all/trusted./user.virtiofs./
+ /bad/server//trusted./
+ /bad/client/user.virtiofs.//
+ /ok/all///"
+
+
+Here there are four rules, using / as the field
+separator, and also demonstrating that new lines can
+be included between rules.
+The first rule is the prefixing of 'trusted.' and
+stripping of 'user.virtiofs.'.
+The second rule hides unprefixed 'trusted.' attributes
+on the host.
+The third rule stops a guest from explicitly setting
+the 'user.virtiofs.' path directly.
+Finally, the fourth rule lets all remaining attributes
+through.
+
+This is equivalent to the 'map' rule:
+
+::
+-o xattrmap="/map/trusted./user.virtiofs./"
+
+3) Hide 'security.' attributes, and allow everything else
+
+::
+
+ "/bad/all/security./security./
+ /ok/all///'
+
+The first rule combines what could be separate client and server
+rules into a single 'all' rule, matching 'security.' in either
+client arguments or lists returned from the host. This stops
+the client seeing any 'security.' attributes on the server and
+stops it setting any.
+
Examples
--------
diff --git a/hw/core/machine.c b/hw/core/machine.c
index d740a7e..c5e0e79 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -411,24 +411,6 @@ static bool machine_get_suppress_vmdesc(Object *obj, Error **errp)
return ms->suppress_vmdesc;
}
-static void machine_set_enforce_config_section(Object *obj, bool value,
- Error **errp)
-{
- MachineState *ms = MACHINE(obj);
-
- warn_report("enforce-config-section is deprecated, please use "
- "-global migration.send-configuration=on|off instead");
-
- ms->enforce_config_section = value;
-}
-
-static bool machine_get_enforce_config_section(Object *obj, Error **errp)
-{
- MachineState *ms = MACHINE(obj);
-
- return ms->enforce_config_section;
-}
-
static char *machine_get_memory_encryption(Object *obj, Error **errp)
{
MachineState *ms = MACHINE(obj);
@@ -857,11 +839,6 @@ static void machine_class_init(ObjectClass *oc, void *data)
object_class_property_set_description(oc, "suppress-vmdesc",
"Set on to disable self-describing migration");
- object_class_property_add_bool(oc, "enforce-config-section",
- machine_get_enforce_config_section, machine_set_enforce_config_section);
- object_class_property_set_description(oc, "enforce-config-section",
- "Set on to enforce configuration section migration");
-
object_class_property_add_str(oc, "memory-encryption",
machine_get_memory_encryption, machine_set_memory_encryption);
object_class_property_set_description(oc, "memory-encryption",
@@ -876,8 +853,12 @@ static void machine_class_init(ObjectClass *oc, void *data)
static void machine_class_base_init(ObjectClass *oc, void *data)
{
+ MachineClass *mc = MACHINE_CLASS(oc);
+ mc->max_cpus = mc->max_cpus ?: 1;
+ mc->min_cpus = mc->min_cpus ?: 1;
+ mc->default_cpus = mc->default_cpus ?: 1;
+
if (!object_class_is_abstract(oc)) {
- MachineClass *mc = MACHINE_CLASS(oc);
const char *cname = object_class_get_name(oc);
assert(g_str_has_suffix(cname, TYPE_MACHINE_SUFFIX));
mc->name = g_strndup(cname,
@@ -926,6 +907,13 @@ static void machine_initfn(Object *obj)
/* Register notifier when init is done for sysbus sanity checks */
ms->sysbus_notifier.notify = machine_init_notify;
qemu_add_machine_init_done_notifier(&ms->sysbus_notifier);
+
+ /* default to mc->default_cpus */
+ ms->smp.cpus = mc->default_cpus;
+ ms->smp.max_cpus = mc->default_cpus;
+ ms->smp.cores = 1;
+ ms->smp.threads = 1;
+ ms->smp.sockets = 1;
}
static void machine_finalize(Object *obj)
diff --git a/hw/core/qdev-clock.c b/hw/core/qdev-clock.c
index 6a9a340..eb05f2a 100644
--- a/hw/core/qdev-clock.c
+++ b/hw/core/qdev-clock.c
@@ -61,6 +61,14 @@ static NamedClockList *qdev_init_clocklist(DeviceState *dev, const char *name,
object_get_typename(OBJECT(clk)),
(Object **) &ncl->clock,
NULL, OBJ_PROP_LINK_STRONG);
+ /*
+ * Since the link property has the OBJ_PROP_LINK_STRONG flag, the clk
+ * object reference count gets decremented on property deletion.
+ * However object_property_add_link does not increment it since it
+ * doesn't know the linked object. Increment it here to ensure the
+ * aliased clock stays alive during this device life-time.
+ */
+ object_ref(OBJECT(clk));
}
ncl->clock = clk;
diff --git a/hw/misc/sifive_u_otp.c b/hw/misc/sifive_u_otp.c
index c2f3c8e..6006637 100644
--- a/hw/misc/sifive_u_otp.c
+++ b/hw/misc/sifive_u_otp.c
@@ -19,11 +19,22 @@
*/
#include "qemu/osdep.h"
+#include "qapi/error.h"
#include "hw/qdev-properties.h"
#include "hw/sysbus.h"
#include "qemu/log.h"
#include "qemu/module.h"
#include "hw/misc/sifive_u_otp.h"
+#include "sysemu/blockdev.h"
+#include "sysemu/block-backend.h"
+
+#define WRITTEN_BIT_ON 0x1
+
+#define SET_FUSEARRAY_BIT(map, i, off, bit) \
+ map[i] = bit ? (map[i] | bit << off) : (map[i] & ~(0x1 << off))
+
+#define GET_FUSEARRAY_BIT(map, i, off) \
+ ((map[i] >> off) & 0x1)
static uint64_t sifive_u_otp_read(void *opaque, hwaddr addr, unsigned int size)
{
@@ -46,6 +57,16 @@ static uint64_t sifive_u_otp_read(void *opaque, hwaddr addr, unsigned int size)
if ((s->pce & SIFIVE_U_OTP_PCE_EN) &&
(s->pdstb & SIFIVE_U_OTP_PDSTB_EN) &&
(s->ptrim & SIFIVE_U_OTP_PTRIM_EN)) {
+
+ /* read from backend */
+ if (s->blk) {
+ int32_t buf;
+
+ blk_pread(s->blk, s->pa * SIFIVE_U_OTP_FUSE_WORD, &buf,
+ SIFIVE_U_OTP_FUSE_WORD);
+ return buf;
+ }
+
return s->fuse[s->pa & SIFIVE_U_OTP_PA_MASK];
} else {
return 0xff;
@@ -123,7 +144,30 @@ static void sifive_u_otp_write(void *opaque, hwaddr addr,
s->ptrim = val32;
break;
case SIFIVE_U_OTP_PWE:
- s->pwe = val32;
+ s->pwe = val32 & SIFIVE_U_OTP_PWE_EN;
+
+ /* PWE is enabled. Ignore PAS=1 (no redundancy cell) */
+ if (s->pwe && !s->pas) {
+ if (GET_FUSEARRAY_BIT(s->fuse_wo, s->pa, s->paio)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "write once error: idx<%u>, bit<%u>\n",
+ s->pa, s->paio);
+ break;
+ }
+
+ /* write bit data */
+ SET_FUSEARRAY_BIT(s->fuse, s->pa, s->paio, s->pdin);
+
+ /* write to backend */
+ if (s->blk) {
+ blk_pwrite(s->blk, s->pa * SIFIVE_U_OTP_FUSE_WORD,
+ &s->fuse[s->pa], SIFIVE_U_OTP_FUSE_WORD, 0);
+ }
+
+ /* update written bit */
+ SET_FUSEARRAY_BIT(s->fuse_wo, s->pa, s->paio, WRITTEN_BIT_ON);
+ }
+
break;
default:
qemu_log_mask(LOG_GUEST_ERROR, "%s: bad write: addr=0x%" HWADDR_PRIx
@@ -143,16 +187,48 @@ static const MemoryRegionOps sifive_u_otp_ops = {
static Property sifive_u_otp_properties[] = {
DEFINE_PROP_UINT32("serial", SiFiveUOTPState, serial, 0),
+ DEFINE_PROP_DRIVE("drive", SiFiveUOTPState, blk),
DEFINE_PROP_END_OF_LIST(),
};
static void sifive_u_otp_realize(DeviceState *dev, Error **errp)
{
SiFiveUOTPState *s = SIFIVE_U_OTP(dev);
+ DriveInfo *dinfo;
memory_region_init_io(&s->mmio, OBJECT(dev), &sifive_u_otp_ops, s,
TYPE_SIFIVE_U_OTP, SIFIVE_U_OTP_REG_SIZE);
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->mmio);
+
+ dinfo = drive_get_next(IF_NONE);
+ if (dinfo) {
+ int ret;
+ uint64_t perm;
+ int filesize;
+ BlockBackend *blk;
+
+ blk = blk_by_legacy_dinfo(dinfo);
+ filesize = SIFIVE_U_OTP_NUM_FUSES * SIFIVE_U_OTP_FUSE_WORD;
+ if (blk_getlength(blk) < filesize) {
+ error_setg(errp, "OTP drive size < 16K");
+ return;
+ }
+
+ qdev_prop_set_drive_err(dev, "drive", blk, errp);
+
+ if (s->blk) {
+ perm = BLK_PERM_CONSISTENT_READ |
+ (blk_is_read_only(s->blk) ? 0 : BLK_PERM_WRITE);
+ ret = blk_set_perm(s->blk, perm, BLK_PERM_ALL, errp);
+ if (ret < 0) {
+ return;
+ }
+
+ if (blk_pread(s->blk, 0, s->fuse, filesize) != filesize) {
+ error_setg(errp, "failed to read the initial flash content");
+ }
+ }
+ }
}
static void sifive_u_otp_reset(DeviceState *dev)
@@ -165,6 +241,23 @@ static void sifive_u_otp_reset(DeviceState *dev)
/* Make a valid content of serial number */
s->fuse[SIFIVE_U_OTP_SERIAL_ADDR] = s->serial;
s->fuse[SIFIVE_U_OTP_SERIAL_ADDR + 1] = ~(s->serial);
+
+ if (s->blk) {
+ /* Put serial number to backend as well*/
+ uint32_t serial_data;
+ int index = SIFIVE_U_OTP_SERIAL_ADDR;
+
+ serial_data = s->serial;
+ blk_pwrite(s->blk, index * SIFIVE_U_OTP_FUSE_WORD,
+ &serial_data, SIFIVE_U_OTP_FUSE_WORD, 0);
+
+ serial_data = ~(s->serial);
+ blk_pwrite(s->blk, (index + 1) * SIFIVE_U_OTP_FUSE_WORD,
+ &serial_data, SIFIVE_U_OTP_FUSE_WORD, 0);
+ }
+
+ /* Initialize write-once map */
+ memset(s->fuse_wo, 0x00, sizeof(s->fuse_wo));
}
static void sifive_u_otp_class_init(ObjectClass *klass, void *data)
diff --git a/hw/riscv/boot.c b/hw/riscv/boot.c
index 21adaae..9b3fe3f 100644
--- a/hw/riscv/boot.c
+++ b/hw/riscv/boot.c
@@ -33,19 +33,36 @@
#include <libfdt.h>
#if defined(TARGET_RISCV32)
-# define KERNEL_BOOT_ADDRESS 0x80400000
#define fw_dynamic_info_data(__val) cpu_to_le32(__val)
#else
-# define KERNEL_BOOT_ADDRESS 0x80200000
#define fw_dynamic_info_data(__val) cpu_to_le64(__val)
#endif
-void riscv_find_and_load_firmware(MachineState *machine,
- const char *default_machine_firmware,
- hwaddr firmware_load_addr,
- symbol_fn_t sym_cb)
+bool riscv_is_32_bit(MachineState *machine)
+{
+ if (!strncmp(machine->cpu_type, "rv32", 4)) {
+ return true;
+ } else {
+ return false;
+ }
+}
+
+target_ulong riscv_calc_kernel_start_addr(MachineState *machine,
+ target_ulong firmware_end_addr) {
+ if (riscv_is_32_bit(machine)) {
+ return QEMU_ALIGN_UP(firmware_end_addr, 4 * MiB);
+ } else {
+ return QEMU_ALIGN_UP(firmware_end_addr, 2 * MiB);
+ }
+}
+
+target_ulong riscv_find_and_load_firmware(MachineState *machine,
+ const char *default_machine_firmware,
+ hwaddr firmware_load_addr,
+ symbol_fn_t sym_cb)
{
char *firmware_filename = NULL;
+ target_ulong firmware_end_addr = firmware_load_addr;
if ((!machine->firmware) || (!strcmp(machine->firmware, "default"))) {
/*
@@ -60,9 +77,12 @@ void riscv_find_and_load_firmware(MachineState *machine,
if (firmware_filename) {
/* If not "none" load the firmware */
- riscv_load_firmware(firmware_filename, firmware_load_addr, sym_cb);
+ firmware_end_addr = riscv_load_firmware(firmware_filename,
+ firmware_load_addr, sym_cb);
g_free(firmware_filename);
}
+
+ return firmware_end_addr;
}
char *riscv_find_firmware(const char *firmware_filename)
@@ -91,24 +111,28 @@ target_ulong riscv_load_firmware(const char *firmware_filename,
hwaddr firmware_load_addr,
symbol_fn_t sym_cb)
{
- uint64_t firmware_entry;
+ uint64_t firmware_entry, firmware_size, firmware_end;
if (load_elf_ram_sym(firmware_filename, NULL, NULL, NULL,
- &firmware_entry, NULL, NULL, NULL,
+ &firmware_entry, NULL, &firmware_end, NULL,
0, EM_RISCV, 1, 0, NULL, true, sym_cb) > 0) {
- return firmware_entry;
+ return firmware_end;
}
- if (load_image_targphys_as(firmware_filename, firmware_load_addr,
- ram_size, NULL) > 0) {
- return firmware_load_addr;
+ firmware_size = load_image_targphys_as(firmware_filename,
+ firmware_load_addr, ram_size, NULL);
+
+ if (firmware_size > 0) {
+ return firmware_load_addr + firmware_size;
}
error_report("could not load firmware '%s'", firmware_filename);
exit(1);
}
-target_ulong riscv_load_kernel(const char *kernel_filename, symbol_fn_t sym_cb)
+target_ulong riscv_load_kernel(const char *kernel_filename,
+ target_ulong kernel_start_addr,
+ symbol_fn_t sym_cb)
{
uint64_t kernel_entry;
@@ -123,9 +147,9 @@ target_ulong riscv_load_kernel(const char *kernel_filename, symbol_fn_t sym_cb)
return kernel_entry;
}
- if (load_image_targphys_as(kernel_filename, KERNEL_BOOT_ADDRESS,
+ if (load_image_targphys_as(kernel_filename, kernel_start_addr,
ram_size, NULL) > 0) {
- return KERNEL_BOOT_ADDRESS;
+ return kernel_start_addr;
}
error_report("could not load kernel '%s'", kernel_filename);
diff --git a/hw/riscv/opentitan.c b/hw/riscv/opentitan.c
index 0531bd8..cc758b7 100644
--- a/hw/riscv/opentitan.c
+++ b/hw/riscv/opentitan.c
@@ -75,7 +75,8 @@ static void opentitan_board_init(MachineState *machine)
}
if (machine->kernel_filename) {
- riscv_load_kernel(machine->kernel_filename, NULL);
+ riscv_load_kernel(machine->kernel_filename,
+ memmap[IBEX_DEV_RAM].base, NULL);
}
}
diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
index fcfac16..59bac4c 100644
--- a/hw/riscv/sifive_e.c
+++ b/hw/riscv/sifive_e.c
@@ -114,7 +114,8 @@ static void sifive_e_machine_init(MachineState *machine)
memmap[SIFIVE_E_DEV_MROM].base, &address_space_memory);
if (machine->kernel_filename) {
- riscv_load_kernel(machine->kernel_filename, NULL);
+ riscv_load_kernel(machine->kernel_filename,
+ memmap[SIFIVE_E_DEV_DTIM].base, NULL);
}
}
diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 6ad975d..b2472c6 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -415,6 +415,7 @@ static void sifive_u_machine_init(MachineState *machine)
MemoryRegion *main_mem = g_new(MemoryRegion, 1);
MemoryRegion *flash0 = g_new(MemoryRegion, 1);
target_ulong start_addr = memmap[SIFIVE_U_DEV_DRAM].base;
+ target_ulong firmware_end_addr, kernel_start_addr;
uint32_t start_addr_hi32 = 0x00000000;
int i;
uint32_t fdt_load_addr;
@@ -424,6 +425,8 @@ static void sifive_u_machine_init(MachineState *machine)
object_initialize_child(OBJECT(machine), "soc", &s->soc, TYPE_RISCV_U_SOC);
object_property_set_uint(OBJECT(&s->soc), "serial", s->serial,
&error_abort);
+ object_property_set_str(OBJECT(&s->soc), "cpu-type", machine->cpu_type,
+ &error_abort);
qdev_realize(DEVICE(&s->soc), NULL, &error_abort);
/* register RAM */
@@ -472,10 +475,15 @@ static void sifive_u_machine_init(MachineState *machine)
break;
}
- riscv_find_and_load_firmware(machine, BIOS_FILENAME, start_addr, NULL);
+ firmware_end_addr = riscv_find_and_load_firmware(machine, BIOS_FILENAME,
+ start_addr, NULL);
if (machine->kernel_filename) {
- kernel_entry = riscv_load_kernel(machine->kernel_filename, NULL);
+ kernel_start_addr = riscv_calc_kernel_start_addr(machine,
+ firmware_end_addr);
+
+ kernel_entry = riscv_load_kernel(machine->kernel_filename,
+ kernel_start_addr, NULL);
if (machine->initrd_filename) {
hwaddr start;
@@ -590,6 +598,11 @@ static void sifive_u_machine_class_init(ObjectClass *oc, void *data)
mc->init = sifive_u_machine_init;
mc->max_cpus = SIFIVE_U_MANAGEMENT_CPU_COUNT + SIFIVE_U_COMPUTE_CPU_COUNT;
mc->min_cpus = SIFIVE_U_MANAGEMENT_CPU_COUNT + 1;
+#if defined(TARGET_RISCV32)
+ mc->default_cpu_type = TYPE_RISCV_CPU_SIFIVE_U34;
+#elif defined(TARGET_RISCV64)
+ mc->default_cpu_type = TYPE_RISCV_CPU_SIFIVE_U54;
+#endif
mc->default_cpus = mc->min_cpus;
object_class_property_add_bool(oc, "start-in-flash",
@@ -618,7 +631,6 @@ type_init(sifive_u_machine_init_register_types)
static void sifive_u_soc_instance_init(Object *obj)
{
- MachineState *ms = MACHINE(qdev_get_machine());
SiFiveUSoCState *s = RISCV_U_SOC(obj);
object_initialize_child(obj, "e-cluster", &s->e_cluster, TYPE_CPU_CLUSTER);
@@ -636,10 +648,6 @@ static void sifive_u_soc_instance_init(Object *obj)
object_initialize_child(OBJECT(&s->u_cluster), "u-cpus", &s->u_cpus,
TYPE_RISCV_HART_ARRAY);
- qdev_prop_set_uint32(DEVICE(&s->u_cpus), "num-harts", ms->smp.cpus - 1);
- qdev_prop_set_uint32(DEVICE(&s->u_cpus), "hartid-base", 1);
- qdev_prop_set_string(DEVICE(&s->u_cpus), "cpu-type", SIFIVE_U_CPU);
- qdev_prop_set_uint64(DEVICE(&s->u_cpus), "resetvec", 0x1004);
object_initialize_child(obj, "prci", &s->prci, TYPE_SIFIVE_U_PRCI);
object_initialize_child(obj, "otp", &s->otp, TYPE_SIFIVE_U_OTP);
@@ -661,6 +669,11 @@ static void sifive_u_soc_realize(DeviceState *dev, Error **errp)
int i;
NICInfo *nd = &nd_table[0];
+ qdev_prop_set_uint32(DEVICE(&s->u_cpus), "num-harts", ms->smp.cpus - 1);
+ qdev_prop_set_uint32(DEVICE(&s->u_cpus), "hartid-base", 1);
+ qdev_prop_set_string(DEVICE(&s->u_cpus), "cpu-type", s->cpu_type);
+ qdev_prop_set_uint64(DEVICE(&s->u_cpus), "resetvec", 0x1004);
+
sysbus_realize(SYS_BUS_DEVICE(&s->e_cpus), &error_abort);
sysbus_realize(SYS_BUS_DEVICE(&s->u_cpus), &error_abort);
/*
@@ -792,6 +805,7 @@ static void sifive_u_soc_realize(DeviceState *dev, Error **errp)
static Property sifive_u_soc_props[] = {
DEFINE_PROP_UINT32("serial", SiFiveUSoCState, serial, OTP_SERIAL),
+ DEFINE_PROP_STRING("cpu-type", SiFiveUSoCState, cpu_type),
DEFINE_PROP_END_OF_LIST()
};
diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
index 3fd152a..facac6e 100644
--- a/hw/riscv/spike.c
+++ b/hw/riscv/spike.c
@@ -195,6 +195,7 @@ static void spike_board_init(MachineState *machine)
MemoryRegion *system_memory = get_system_memory();
MemoryRegion *main_mem = g_new(MemoryRegion, 1);
MemoryRegion *mask_rom = g_new(MemoryRegion, 1);
+ target_ulong firmware_end_addr, kernel_start_addr;
uint32_t fdt_load_addr;
uint64_t kernel_entry;
char *soc_name;
@@ -261,12 +262,16 @@ static void spike_board_init(MachineState *machine)
memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base,
mask_rom);
- riscv_find_and_load_firmware(machine, BIOS_FILENAME,
- memmap[SPIKE_DRAM].base,
- htif_symbol_callback);
+ firmware_end_addr = riscv_find_and_load_firmware(machine, BIOS_FILENAME,
+ memmap[SPIKE_DRAM].base,
+ htif_symbol_callback);
if (machine->kernel_filename) {
+ kernel_start_addr = riscv_calc_kernel_start_addr(machine,
+ firmware_end_addr);
+
kernel_entry = riscv_load_kernel(machine->kernel_filename,
+ kernel_start_addr,
htif_symbol_callback);
if (machine->initrd_filename) {
diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index 41bd2f3..6bfd10d 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -493,6 +493,7 @@ static void virt_machine_init(MachineState *machine)
char *plic_hart_config, *soc_name;
size_t plic_hart_config_len;
target_ulong start_addr = memmap[VIRT_DRAM].base;
+ target_ulong firmware_end_addr, kernel_start_addr;
uint32_t fdt_load_addr;
uint64_t kernel_entry;
DeviceState *mmio_plic, *virtio_plic, *pcie_plic;
@@ -602,11 +603,15 @@ static void virt_machine_init(MachineState *machine)
memory_region_add_subregion(system_memory, memmap[VIRT_MROM].base,
mask_rom);
- riscv_find_and_load_firmware(machine, BIOS_FILENAME,
- memmap[VIRT_DRAM].base, NULL);
+ firmware_end_addr = riscv_find_and_load_firmware(machine, BIOS_FILENAME,
+ start_addr, NULL);
if (machine->kernel_filename) {
- kernel_entry = riscv_load_kernel(machine->kernel_filename, NULL);
+ kernel_start_addr = riscv_calc_kernel_start_addr(machine,
+ firmware_end_addr);
+
+ kernel_entry = riscv_load_kernel(machine->kernel_filename,
+ kernel_start_addr, NULL);
if (machine->initrd_filename) {
hwaddr start;
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index e52182f..2e90033 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -101,6 +101,7 @@ static const char *const reset_dev_types[] = {
"s390-sclp-event-facility",
"s390-flic",
"diag288",
+ TYPE_S390_PCI_HOST_BRIDGE,
};
static void subsystem_reset(void)
diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 00f1e46..0cf2290 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -285,11 +285,6 @@ int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb,
goto out_write;
}
- if (!sccb_verify_boundary(sccb, be16_to_cpu(work_sccb->h.length), code)) {
- work_sccb->h.response_code = cpu_to_be16(SCLP_RC_SCCB_BOUNDARY_VIOLATION);
- goto out_write;
- }
-
sclp_c->execute(sclp, work_sccb, code);
out_write:
s390_cpu_pv_mem_write(env_archcpu(env), 0, work_sccb,
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index c3febed..3091382 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -102,11 +102,14 @@ struct SDState {
uint32_t card_status;
uint8_t sd_status[64];
- /* Configurable properties */
+ /* Static properties */
+
uint8_t spec_version;
BlockBackend *blk;
bool spi;
+ /* Runtime changeables */
+
uint32_t mode; /* current card mode, one of SDCardModes */
int32_t state; /* current card state, one of SDCardStates */
uint32_t vhs;
@@ -251,11 +254,11 @@ static const int sd_cmd_class[SDMMC_CMD_MAX] = {
7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
};
-static uint8_t sd_crc7(void *message, size_t width)
+static uint8_t sd_crc7(const void *message, size_t width)
{
int i, bit;
uint8_t shift_reg = 0x00;
- uint8_t *msg = (uint8_t *) message;
+ const uint8_t *msg = (const uint8_t *)message;
for (i = 0; i < width; i ++, msg ++)
for (bit = 7; bit >= 0; bit --) {
@@ -267,11 +270,11 @@ static uint8_t sd_crc7(void *message, size_t width)
return shift_reg;
}
-static uint16_t sd_crc16(void *message, size_t width)
+static uint16_t sd_crc16(const void *message, size_t width)
{
int i, bit;
uint16_t shift_reg = 0x0000;
- uint16_t *msg = (uint16_t *) message;
+ const uint16_t *msg = (const uint16_t *)message;
width <<= 1;
for (i = 0; i < width; i ++, msg ++)
@@ -824,6 +827,7 @@ static void sd_function_switch(SDState *sd, uint32_t arg)
sd->data[12] = 0x80; /* Supported group 1 functions */
sd->data[13] = 0x03;
+ memset(&sd->data[14], 0, 3);
for (i = 0; i < 6; i ++) {
new_func = (arg >> (i * 4)) & 0x0f;
if (mode && new_func != 0x0f)
@@ -1676,7 +1680,7 @@ static sd_rsp_type_t sd_app_command(SDState *sd,
return sd_illegal;
}
-static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
+static int cmd_valid_while_locked(SDState *sd, const uint8_t cmd)
{
/* Valid commands in locked state:
* basic class (0)
@@ -1687,13 +1691,12 @@ static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
* Anything else provokes an "illegal command" response.
*/
if (sd->expecting_acmd) {
- return req->cmd == 41 || req->cmd == 42;
+ return cmd == 41 || cmd == 42;
}
- if (req->cmd == 16 || req->cmd == 55) {
+ if (cmd == 16 || cmd == 55) {
return 1;
}
- return sd_cmd_class[req->cmd] == 0
- || sd_cmd_class[req->cmd] == 7;
+ return sd_cmd_class[cmd] == 0 || sd_cmd_class[cmd] == 7;
}
int sd_do_command(SDState *sd, SDRequest *req,
@@ -1719,7 +1722,7 @@ int sd_do_command(SDState *sd, SDRequest *req,
}
if (sd->card_status & CARD_IS_LOCKED) {
- if (!cmd_valid_while_locked(sd, req)) {
+ if (!cmd_valid_while_locked(sd, req->cmd)) {
sd->card_status |= ILLEGAL_COMMAND;
sd->expecting_acmd = false;
qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
@@ -1980,7 +1983,7 @@ uint8_t sd_read_byte(SDState *sd)
{
/* TODO: Append CRCs */
uint8_t ret;
- int io_len;
+ uint32_t io_len;
if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
return 0x00;
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index 96c7ea5..4140e48 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -52,7 +52,7 @@ sdcard_unlock(void) ""
sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint8_t value) "%s %20s/ CMD%02d value 0x%02x"
-sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, int length) "%s %20s/ CMD%02d len %d"
+sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint32_t length) "%s %20s/ CMD%02d len %" PRIu32
sdcard_set_voltage(uint16_t millivolts) "%u mV"
# milkymist-memcard.c
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 622207b..aff6ef7 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -42,6 +42,21 @@ typedef struct IOMMUMemoryRegionClass IOMMUMemoryRegionClass;
DECLARE_OBJ_CHECKERS(IOMMUMemoryRegion, IOMMUMemoryRegionClass,
IOMMU_MEMORY_REGION, TYPE_IOMMU_MEMORY_REGION)
+#ifdef CONFIG_FUZZ
+void fuzz_dma_read_cb(size_t addr,
+ size_t len,
+ MemoryRegion *mr,
+ bool is_write);
+#else
+static inline void fuzz_dma_read_cb(size_t addr,
+ size_t len,
+ MemoryRegion *mr,
+ bool is_write)
+{
+ /* Do Nothing */
+}
+#endif
+
extern bool global_dirty_log;
typedef struct MemoryRegionOps MemoryRegionOps;
@@ -719,6 +734,11 @@ static inline FlatView *address_space_to_flatview(AddressSpace *as)
return qatomic_rcu_read(&as->current_map);
}
+typedef int (*flatview_cb)(Int128 start,
+ Int128 len,
+ const MemoryRegion*, void*);
+
+void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque);
/**
* struct MemoryRegionSection: describes a fragment of a #MemoryRegion
@@ -2442,6 +2462,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
void *buf, hwaddr len)
{
assert(addr < cache->len && len <= cache->len - addr);
+ fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr, false);
if (likely(cache->ptr)) {
memcpy(buf, cache->ptr + addr, len);
return MEMTX_OK;
diff --git a/include/exec/memory_ldst_cached.h.inc b/include/exec/memory_ldst_cached.h.inc
index fd4bbb4..aff5740 100644
--- a/include/exec/memory_ldst_cached.h.inc
+++ b/include/exec/memory_ldst_cached.h.inc
@@ -28,6 +28,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(l)(MemoryRegionCache *cache,
hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
{
assert(addr < cache->len && 4 <= cache->len - addr);
+ fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr, false);
if (likely(cache->ptr)) {
return LD_P(l)(cache->ptr + addr);
} else {
@@ -39,6 +40,7 @@ static inline uint64_t ADDRESS_SPACE_LD_CACHED(q)(MemoryRegionCache *cache,
hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
{
assert(addr < cache->len && 8 <= cache->len - addr);
+ fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr, false);
if (likely(cache->ptr)) {
return LD_P(q)(cache->ptr + addr);
} else {
@@ -50,6 +52,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(uw)(MemoryRegionCache *cache,
hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
{
assert(addr < cache->len && 2 <= cache->len - addr);
+ fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr, false);
if (likely(cache->ptr)) {
return LD_P(uw)(cache->ptr + addr);
} else {
diff --git a/include/hw/boards.h b/include/hw/boards.h
index bf53e8a..a49e3a6 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -268,7 +268,6 @@ struct MachineState {
char *firmware;
bool iommu;
bool suppress_vmdesc;
- bool enforce_config_section;
bool enable_graphics;
char *memory_encryption;
char *ram_memdev_id;
diff --git a/hw/intc/sifive_plic.h b/include/hw/intc/sifive_plic.h
index b75b1f1..b75b1f1 100644
--- a/hw/intc/sifive_plic.h
+++ b/include/hw/intc/sifive_plic.h
diff --git a/include/hw/misc/sifive_u_otp.h b/include/hw/misc/sifive_u_otp.h
index 82c9176..5d0d7df 100644
--- a/include/hw/misc/sifive_u_otp.h
+++ b/include/hw/misc/sifive_u_otp.h
@@ -36,6 +36,8 @@
#define SIFIVE_U_OTP_PTRIM 0x34
#define SIFIVE_U_OTP_PWE 0x38
+#define SIFIVE_U_OTP_PWE_EN (1 << 0)
+
#define SIFIVE_U_OTP_PCE_EN (1 << 0)
#define SIFIVE_U_OTP_PDSTB_EN (1 << 0)
@@ -44,6 +46,7 @@
#define SIFIVE_U_OTP_PA_MASK 0xfff
#define SIFIVE_U_OTP_NUM_FUSES 0x1000
+#define SIFIVE_U_OTP_FUSE_WORD 4
#define SIFIVE_U_OTP_SERIAL_ADDR 0xfc
#define SIFIVE_U_OTP_REG_SIZE 0x1000
@@ -75,8 +78,10 @@ struct SiFiveUOTPState {
uint32_t ptrim;
uint32_t pwe;
uint32_t fuse[SIFIVE_U_OTP_NUM_FUSES];
+ uint32_t fuse_wo[SIFIVE_U_OTP_NUM_FUSES];
/* config */
uint32_t serial;
+ BlockBackend *blk;
};
#endif /* HW_SIFIVE_U_OTP_H */
diff --git a/include/hw/riscv/boot.h b/include/hw/riscv/boot.h
index 4513387..0b01988 100644
--- a/include/hw/riscv/boot.h
+++ b/include/hw/riscv/boot.h
@@ -23,15 +23,20 @@
#include "exec/cpu-defs.h"
#include "hw/loader.h"
-void riscv_find_and_load_firmware(MachineState *machine,
- const char *default_machine_firmware,
- hwaddr firmware_load_addr,
- symbol_fn_t sym_cb);
+bool riscv_is_32_bit(MachineState *machine);
+
+target_ulong riscv_calc_kernel_start_addr(MachineState *machine,
+ target_ulong firmware_end_addr);
+target_ulong riscv_find_and_load_firmware(MachineState *machine,
+ const char *default_machine_firmware,
+ hwaddr firmware_load_addr,
+ symbol_fn_t sym_cb);
char *riscv_find_firmware(const char *firmware_filename);
target_ulong riscv_load_firmware(const char *firmware_filename,
hwaddr firmware_load_addr,
symbol_fn_t sym_cb);
target_ulong riscv_load_kernel(const char *kernel_filename,
+ target_ulong firmware_end_addr,
symbol_fn_t sym_cb);
hwaddr riscv_load_initrd(const char *filename, uint64_t mem_size,
uint64_t kernel_entry, hwaddr *start);
diff --git a/include/hw/riscv/sifive_u.h b/include/hw/riscv/sifive_u.h
index 22e7e6e..a9f7b4a 100644
--- a/include/hw/riscv/sifive_u.h
+++ b/include/hw/riscv/sifive_u.h
@@ -48,6 +48,7 @@ typedef struct SiFiveUSoCState {
CadenceGEMState gem;
uint32_t serial;
+ char *cpu_type;
} SiFiveUSoCState;
#define TYPE_RISCV_U_MACHINE MACHINE_TYPE_NAME("sifive_u")
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index f68ed7d..4d71dc8 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -219,7 +219,6 @@ extern const VMStateInfo vmstate_info_uint64;
#define VMS_NULLPTR_MARKER (0x30U) /* '0' */
extern const VMStateInfo vmstate_info_nullptr;
-extern const VMStateInfo vmstate_info_float64;
extern const VMStateInfo vmstate_info_cpudouble;
extern const VMStateInfo vmstate_info_timer;
@@ -997,12 +996,6 @@ extern const VMStateInfo vmstate_info_qlist;
VMSTATE_SINGLE_TEST(_f, _s, _t, 0, vmstate_info_uint64, uint64_t)
-#define VMSTATE_FLOAT64_V(_f, _s, _v) \
- VMSTATE_SINGLE(_f, _s, _v, vmstate_info_float64, float64)
-
-#define VMSTATE_FLOAT64(_f, _s) \
- VMSTATE_FLOAT64_V(_f, _s, 0)
-
#define VMSTATE_TIMER_PTR_TEST(_f, _s, _test) \
VMSTATE_POINTER_TEST(_f, _s, _test, vmstate_info_timer, QEMUTimer *)
@@ -1114,12 +1107,6 @@ extern const VMStateInfo vmstate_info_qlist;
#define VMSTATE_INT64_ARRAY(_f, _s, _n) \
VMSTATE_INT64_ARRAY_V(_f, _s, _n, 0)
-#define VMSTATE_FLOAT64_ARRAY_V(_f, _s, _n, _v) \
- VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_float64, float64)
-
-#define VMSTATE_FLOAT64_ARRAY(_f, _s, _n) \
- VMSTATE_FLOAT64_ARRAY_V(_f, _s, _n, 0)
-
#define VMSTATE_CPUDOUBLE_ARRAY_V(_f, _s, _n, _v) \
VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_cpudouble, CPU_DoubleU)
diff --git a/include/standard-headers/linux/fuse.h b/include/standard-headers/linux/fuse.h
index f4df0a4..7dd7a3b 100644
--- a/include/standard-headers/linux/fuse.h
+++ b/include/standard-headers/linux/fuse.h
@@ -227,7 +227,7 @@ struct fuse_attr {
uint32_t gid;
uint32_t rdev;
uint32_t blksize;
- uint32_t padding;
+ uint32_t flags;
};
struct fuse_kstatfs {
@@ -310,6 +310,7 @@ struct fuse_file_lock {
* FUSE_NO_OPENDIR_SUPPORT: kernel supports zero-message opendir
* FUSE_EXPLICIT_INVAL_DATA: only invalidate cached pages on explicit request
* FUSE_MAP_ALIGNMENT: map_alignment field is valid
+ * FUSE_ATTR_FLAGS: fuse_attr.flags is present and valid
*/
#define FUSE_ASYNC_READ (1 << 0)
#define FUSE_POSIX_LOCKS (1 << 1)
@@ -338,6 +339,7 @@ struct fuse_file_lock {
#define FUSE_NO_OPENDIR_SUPPORT (1 << 24)
#define FUSE_EXPLICIT_INVAL_DATA (1 << 25)
#define FUSE_MAP_ALIGNMENT (1 << 26)
+#define FUSE_ATTR_FLAGS (1 << 27)
/**
* CUSE INIT request/reply flags
@@ -413,6 +415,13 @@ struct fuse_file_lock {
*/
#define FUSE_FSYNC_FDATASYNC (1 << 0)
+/**
+ * fuse_attr flags
+ *
+ * FUSE_ATTR_SUBMOUNT: File/directory is a submount point
+ */
+#define FUSE_ATTR_SUBMOUNT (1 << 0)
+
enum fuse_opcode {
FUSE_LOOKUP = 1,
FUSE_FORGET = 2, /* no reply */
diff --git a/include/sysemu/cpus.h b/include/sysemu/cpus.h
index 2316859..e815672 100644
--- a/include/sysemu/cpus.h
+++ b/include/sysemu/cpus.h
@@ -25,6 +25,9 @@ typedef struct CpusAccel {
/* register accel-specific cpus interface implementation */
void cpus_register_accel(const CpusAccel *i);
+/* Create a dummy vcpu for CpusAccel->create_vcpu_thread */
+void dummy_start_vcpu_thread(CPUState *);
+
/* interface available for cpus accelerator threads */
/* For temporary buffers for forming a name */
diff --git a/memory_ldst.c.inc b/memory_ldst.c.inc
index c54aee4..8d45d2e 100644
--- a/memory_ldst.c.inc
+++ b/memory_ldst.c.inc
@@ -42,6 +42,7 @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
MO_32 | devend_memop(endian), attrs);
} else {
/* RAM case */
+ fuzz_dma_read_cb(addr, 4, mr, false);
ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
switch (endian) {
case DEVICE_LITTLE_ENDIAN:
@@ -110,6 +111,7 @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
MO_64 | devend_memop(endian), attrs);
} else {
/* RAM case */
+ fuzz_dma_read_cb(addr, 8, mr, false);
ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
switch (endian) {
case DEVICE_LITTLE_ENDIAN:
@@ -175,6 +177,7 @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
r = memory_region_dispatch_read(mr, addr1, &val, MO_8, attrs);
} else {
/* RAM case */
+ fuzz_dma_read_cb(addr, 1, mr, false);
ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
val = ldub_p(ptr);
r = MEMTX_OK;
@@ -212,6 +215,7 @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
MO_16 | devend_memop(endian), attrs);
} else {
/* RAM case */
+ fuzz_dma_read_cb(addr, 2, mr, false);
ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
switch (endian) {
case DEVICE_LITTLE_ENDIAN:
diff --git a/meson.build b/meson.build
index b349c9b..47e32e1 100644
--- a/meson.build
+++ b/meson.build
@@ -29,8 +29,14 @@ if get_option('qemu_suffix').startswith('/')
error('qemu_suffix cannot start with a /')
endif
+qemu_confdir = get_option('sysconfdir') / get_option('qemu_suffix')
qemu_datadir = get_option('datadir') / get_option('qemu_suffix')
qemu_docdir = get_option('docdir') / get_option('qemu_suffix')
+qemu_moddir = get_option('libdir') / get_option('qemu_suffix')
+
+qemu_desktopdir = get_option('datadir') / 'applications'
+qemu_icondir = get_option('datadir') / 'icons'
+
config_host_data = configuration_data()
genh = []
@@ -198,7 +204,7 @@ else
have_xen_pci_passthrough = false
endif
if not get_option('whpx').disabled() and targetos == 'windows'
- if get_option('whpx').enabled() and cpu != 'x86_64'
+ if get_option('whpx').enabled() and host_machine.cpu() != 'x86_64'
error('WHPX requires 64-bit host')
elif cc.has_header('WinHvPlatform.h', required: get_option('whpx')) and \
cc.has_header('WinHvEmulation.h', required: get_option('whpx'))
@@ -465,70 +471,89 @@ endif
iconv = not_found
curses = not_found
if have_system and not get_option('curses').disabled()
- if not get_option('iconv').disabled()
- libiconv = cc.find_library('iconv',
- required: false,
- static: enable_static)
- if cc.links('''
- #include <iconv.h>
- int main(void) {
- iconv_t conv = iconv_open("WCHAR_T", "UCS-2");
- return conv != (iconv_t) -1;
- }''', dependencies: [libiconv])
- iconv = declare_dependency(dependencies: [libiconv])
+ curses_test = '''
+ #include <locale.h>
+ #include <curses.h>
+ #include <wchar.h>
+ int main(void) {
+ wchar_t wch = L'w';
+ setlocale(LC_ALL, "");
+ resize_term(0, 0);
+ addwstr(L"wide chars\n");
+ addnwstr(&wch, 1);
+ add_wch(WACS_DEGREE);
+ return 0;
+ }'''
+
+ curses = dependency((targetos == 'windows' ? 'ncurses' : 'ncursesw'),
+ required: false,
+ method: 'pkg-config',
+ static: enable_static)
+ msg = get_option('curses').enabled() ? 'curses library not found' : ''
+ if curses.found()
+ if cc.links(curses_test, dependencies: [curses])
+ curses = declare_dependency(compile_args: '-DNCURSES_WIDECHAR', dependencies: [curses])
+ else
+ msg = 'curses package not usable'
+ curses = not_found
endif
endif
- if get_option('iconv').enabled() and not iconv.found()
- error('Cannot detect iconv API')
- endif
- if iconv.found()
- curses_libname_list = ['ncursesw', 'ncurses', 'cursesw', 'pdcurses']
- curses_test = '''
- #include <locale.h>
- #include <curses.h>
- #include <wchar.h>
- int main(void) {
- wchar_t wch = L'w';
- setlocale(LC_ALL, "");
- resize_term(0, 0);
- addwstr(L"wide chars\n");
- addnwstr(&wch, 1);
- add_wch(WACS_DEGREE);
- return 0;
- }'''
- foreach curses_libname : curses_libname_list
- libcurses = dependency(curses_libname,
- required: false,
- method: 'pkg-config',
- static: enable_static)
-
- if not libcurses.found()
- dirs = ['/usr/include/ncursesw']
- if targetos == 'windows'
- dirs = []
- endif
+ if not curses.found()
+ curses_compile_args = ['-DNCURSES_WIDECHAR']
+ has_curses_h = cc.has_header('curses.h', args: curses_compile_args)
+ if targetos != 'windows' and not has_curses_h
+ message('Trying with /usr/include/ncursesw')
+ curses_compile_args += ['-I/usr/include/ncursesw']
+ has_curses_h = cc.has_header('curses.h', args: curses_compile_args)
+ endif
+ if has_curses_h
+ curses_libname_list = (targetos == 'windows' ? ['pdcurses'] : ['ncursesw', 'cursesw'])
+ foreach curses_libname : curses_libname_list
libcurses = cc.find_library(curses_libname,
required: false,
- dirs: dirs,
static: enable_static)
- endif
- if libcurses.found()
- if cc.links(curses_test, dependencies: [libcurses])
- curses = declare_dependency(compile_args: '-DNCURSES_WIDECHAR', dependencies: [libcurses])
- break
+ if libcurses.found()
+ if cc.links(curses_test, args: curses_compile_args, dependencies: libcurses)
+ curses = declare_dependency(compile_args: curses_compile_args,
+ dependencies: [libcurses])
+ break
+ else
+ msg = 'curses library not usable'
+ endif
endif
+ endforeach
+ endif
+ endif
+ if not get_option('iconv').disabled()
+ foreach link_args : [ ['-liconv'], [] ]
+ # Programs will be linked with glib and this will bring in libiconv on FreeBSD.
+ # We need to use libiconv if available because mixing libiconv's headers with
+ # the system libc does not work.
+ # However, without adding glib to the dependencies -L/usr/local/lib will not be
+ # included in the command line and libiconv will not be found.
+ if cc.links('''
+ #include <iconv.h>
+ int main(void) {
+ iconv_t conv = iconv_open("WCHAR_T", "UCS-2");
+ return conv != (iconv_t) -1;
+ }''', args: config_host['GLIB_CFLAGS'].split() + config_host['GLIB_LIBS'].split() + link_args)
+ iconv = declare_dependency(link_args: link_args, dependencies: glib)
+ break
endif
endforeach
endif
- if not curses.found()
- if iconv.found()
- if get_option('curses').enabled()
- error('Cannot find curses')
- endif
- elif get_option('curses').enabled()
- error('iconv required for curses UI but not available')
+ if curses.found() and not iconv.found()
+ if get_option('iconv').enabled()
+ error('iconv not available')
+ endif
+ msg = 'iconv required for curses UI but not available'
+ curses = not_found
+ endif
+ if not curses.found() and msg != ''
+ if get_option('curses').enabled()
+ error(msg)
else
- warning('iconv required for curses UI but not available, disabling')
+ warning(msg + ', disabling')
endif
endif
endif
@@ -715,6 +740,19 @@ endif
# config-host.h #
#################
+config_host_data.set_quoted('CONFIG_BINDIR', get_option('prefix') / get_option('bindir'))
+config_host_data.set_quoted('CONFIG_PREFIX', get_option('prefix'))
+config_host_data.set_quoted('CONFIG_QEMU_CONFDIR', get_option('prefix') / qemu_confdir)
+config_host_data.set_quoted('CONFIG_QEMU_DATADIR', get_option('prefix') / qemu_datadir)
+config_host_data.set_quoted('CONFIG_QEMU_DESKTOPDIR', get_option('prefix') / qemu_desktopdir)
+config_host_data.set_quoted('CONFIG_QEMU_FIRMWAREPATH', get_option('qemu_firmwarepath'))
+config_host_data.set_quoted('CONFIG_QEMU_HELPERDIR', get_option('prefix') / get_option('libexecdir'))
+config_host_data.set_quoted('CONFIG_QEMU_ICONDIR', get_option('prefix') / qemu_icondir)
+config_host_data.set_quoted('CONFIG_QEMU_LOCALEDIR', get_option('prefix') / get_option('localedir'))
+config_host_data.set_quoted('CONFIG_QEMU_LOCALSTATEDIR', get_option('prefix') / get_option('localstatedir'))
+config_host_data.set_quoted('CONFIG_QEMU_MODDIR', get_option('prefix') / qemu_moddir)
+config_host_data.set_quoted('CONFIG_SYSCONFDIR', get_option('prefix') / get_option('sysconfdir'))
+
config_host_data.set('CONFIG_COCOA', cocoa.found())
config_host_data.set('CONFIG_LIBUDEV', libudev.found())
config_host_data.set('CONFIG_MPATH', mpathpersist.found())
@@ -737,9 +775,7 @@ config_host_data.set('QEMU_VERSION_MICRO', meson.project_version().split('.')[2]
ignored = ['CONFIG_QEMU_INTERP_PREFIX'] # actually per-target
arrays = ['CONFIG_AUDIO_DRIVERS', 'CONFIG_BDRV_RW_WHITELIST', 'CONFIG_BDRV_RO_WHITELIST']
-strings = ['HOST_DSOSUF', 'CONFIG_IASL', 'bindir', 'prefix', 'qemu_confdir', 'qemu_datadir',
- 'qemu_moddir', 'qemu_localstatedir', 'qemu_helperdir', 'qemu_localedir',
- 'qemu_icondir', 'qemu_desktopdir', 'qemu_firmwarepath', 'sysconfdir']
+strings = ['HOST_DSOSUF', 'CONFIG_IASL']
foreach k, v: config_host
if ignored.contains(k)
# do nothing
@@ -1633,7 +1669,7 @@ foreach m : block_mods + softmmu_mods
name_prefix: '',
link_whole: m,
install: true,
- install_dir: config_host['qemu_moddir'])
+ install_dir: qemu_moddir)
endforeach
softmmu_ss.add(authz, blockdev, chardev, crypto, io, qmp)
@@ -1794,7 +1830,7 @@ foreach target : target_dirs
output: exe['name'] + stp['ext'],
capture: true,
install: stp['install'],
- install_dir: qemu_datadir / '../systemtap/tapset',
+ install_dir: get_option('datadir') / 'systemtap/tapset',
command: [
tracetool, '--group=all', '--format=' + stp['fmt'],
'--binary=' + stp['bin'],
@@ -1906,17 +1942,17 @@ endif
#########################
summary_info = {}
-summary_info += {'Install prefix': config_host['prefix']}
-summary_info += {'BIOS directory': config_host['qemu_datadir']}
-summary_info += {'firmware path': config_host['qemu_firmwarepath']}
-summary_info += {'binary directory': config_host['bindir']}
-summary_info += {'library directory': config_host['libdir']}
-summary_info += {'module directory': config_host['qemu_moddir']}
-summary_info += {'libexec directory': config_host['libexecdir']}
-summary_info += {'include directory': config_host['includedir']}
-summary_info += {'config directory': config_host['sysconfdir']}
+summary_info += {'Install prefix': get_option('prefix')}
+summary_info += {'BIOS directory': qemu_datadir}
+summary_info += {'firmware path': get_option('qemu_firmwarepath')}
+summary_info += {'binary directory': get_option('bindir')}
+summary_info += {'library directory': get_option('libdir')}
+summary_info += {'module directory': qemu_moddir}
+summary_info += {'libexec directory': get_option('libexecdir')}
+summary_info += {'include directory': get_option('includedir')}
+summary_info += {'config directory': get_option('sysconfdir')}
if targetos != 'windows'
- summary_info += {'local state directory': config_host['qemu_localstatedir']}
+ summary_info += {'local state directory': get_option('localstatedir')}
summary_info += {'Manual directory': get_option('mandir')}
else
summary_info += {'local state directory': 'queried at runtime'}
@@ -2009,6 +2045,7 @@ summary_info += {'Audio drivers': config_host['CONFIG_AUDIO_DRIVERS']}
summary_info += {'Block whitelist (rw)': config_host['CONFIG_BDRV_RW_WHITELIST']}
summary_info += {'Block whitelist (ro)': config_host['CONFIG_BDRV_RO_WHITELIST']}
summary_info += {'VirtFS support': config_host.has_key('CONFIG_VIRTFS')}
+summary_info += {'build virtiofs daemon': have_virtiofsd}
summary_info += {'Multipath support': mpathpersist.found()}
summary_info += {'VNC support': vnc.found()}
if vnc.found()
@@ -2028,7 +2065,7 @@ summary_info += {'netmap support': config_host.has_key('CONFIG_NETMAP')}
summary_info += {'Linux AIO support': config_host.has_key('CONFIG_LINUX_AIO')}
summary_info += {'Linux io_uring support': config_host.has_key('CONFIG_LINUX_IO_URING')}
summary_info += {'ATTR/XATTR support': config_host.has_key('CONFIG_ATTR')}
-summary_info += {'Install blobs': config_host.has_key('INSTALL_BLOBS')}
+summary_info += {'Install blobs': get_option('install_blobs')}
summary_info += {'KVM support': config_all.has_key('CONFIG_KVM')}
summary_info += {'HAX support': config_all.has_key('CONFIG_HAX')}
summary_info += {'HVF support': config_all.has_key('CONFIG_HVF')}
diff --git a/meson_options.txt b/meson_options.txt
index 967229b..b4f1801 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -2,6 +2,8 @@ option('qemu_suffix', type : 'string', value: 'qemu',
description: 'Suffix for QEMU data/modules/config directories (can be empty)')
option('docdir', type : 'string', value : 'doc',
description: 'Base directory for documentation installation (can be empty)')
+option('qemu_firmwarepath', type : 'string', value : '',
+ description: 'search PATH for firmware files')
option('sphinx_build', type : 'string', value : '',
description: 'Use specified sphinx-build [$sphinx_build] for building document (default to be empty)')
@@ -9,6 +11,8 @@ option('docs', type : 'feature', value : 'auto',
description: 'Documentations build support')
option('gettext', type : 'boolean', value : true,
description: 'Localization of the GTK+ user interface')
+option('install_blobs', type : 'boolean', value : true,
+ description: 'install provided firmware blobs')
option('sparse', type : 'feature', value : 'auto',
description: 'sparse checker')
@@ -58,6 +62,8 @@ option('vnc_sasl', type : 'feature', value : 'auto',
description: 'SASL authentication for VNC server')
option('xkbcommon', type : 'feature', value : 'auto',
description: 'xkbcommon support')
+option('virtiofsd', type: 'feature', value: 'auto',
+ description: 'build virtiofs daemon (virtiofsd)')
option('capstone', type: 'combo', value: 'auto',
choices: ['disabled', 'enabled', 'auto', 'system', 'internal'],
diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c
index 5bef793..c61d382 100644
--- a/migration/block-dirty-bitmap.c
+++ b/migration/block-dirty-bitmap.c
@@ -562,8 +562,9 @@ static int add_bitmaps_to_list(DBMSaveState *s, BlockDriverState *bs,
dbms->bitmap_alias = g_strdup(bitmap_alias);
dbms->bitmap = bitmap;
dbms->total_sectors = bdrv_nb_sectors(bs);
- dbms->sectors_per_chunk = CHUNK_SIZE * 8 *
- bdrv_dirty_bitmap_granularity(bitmap) >> BDRV_SECTOR_BITS;
+ dbms->sectors_per_chunk = CHUNK_SIZE * 8LLU *
+ (bdrv_dirty_bitmap_granularity(bitmap) >> BDRV_SECTOR_BITS);
+ assert(dbms->sectors_per_chunk != 0);
if (bdrv_dirty_bitmap_enabled(bitmap)) {
dbms->flags |= DIRTY_BITMAP_MIG_START_FLAG_ENABLED;
}
@@ -1071,18 +1072,15 @@ static int dirty_bitmap_load_header(QEMUFile *f, DBMLoadState *s,
return -EINVAL;
}
- if (!s->cancelled) {
- if (bitmap_alias_map) {
- bitmap_name = g_hash_table_lookup(bitmap_alias_map,
- s->bitmap_alias);
- if (!bitmap_name) {
- error_report("Error: Unknown bitmap alias '%s' on node "
- "'%s' (alias '%s')", s->bitmap_alias,
- s->bs->node_name, s->node_alias);
- cancel_incoming_locked(s);
- }
- } else {
- bitmap_name = s->bitmap_alias;
+ bitmap_name = s->bitmap_alias;
+ if (!s->cancelled && bitmap_alias_map) {
+ bitmap_name = g_hash_table_lookup(bitmap_alias_map,
+ s->bitmap_alias);
+ if (!bitmap_name) {
+ error_report("Error: Unknown bitmap alias '%s' on node "
+ "'%s' (alias '%s')", s->bitmap_alias,
+ s->bs->node_name, s->node_alias);
+ cancel_incoming_locked(s);
}
}
diff --git a/migration/block.c b/migration/block.c
index 737b649..a950977 100644
--- a/migration/block.c
+++ b/migration/block.c
@@ -26,6 +26,7 @@
#include "qemu-file.h"
#include "migration/vmstate.h"
#include "sysemu/block-backend.h"
+#include "trace.h"
#define BLK_MIG_BLOCK_SIZE (1 << 20)
#define BDRV_SECTORS_PER_DIRTY_CHUNK (BLK_MIG_BLOCK_SIZE >> BDRV_SECTOR_BITS)
@@ -40,7 +41,7 @@
#define MAX_IO_BUFFERS 512
#define MAX_PARALLEL_IO 16
-//#define DEBUG_BLK_MIGRATION
+/* #define DEBUG_BLK_MIGRATION */
#ifdef DEBUG_BLK_MIGRATION
#define DPRINTF(fmt, ...) \
@@ -434,10 +435,9 @@ static int init_blk_migration(QEMUFile *f)
block_mig_state.total_sector_sum += sectors;
if (bmds->shared_base) {
- DPRINTF("Start migration for %s with shared base image\n",
- bdrv_get_device_name(bs));
+ trace_migration_block_init_shared(bdrv_get_device_name(bs));
} else {
- DPRINTF("Start full migration for %s\n", bdrv_get_device_name(bs));
+ trace_migration_block_init_full(bdrv_get_device_name(bs));
}
QSIMPLEQ_INSERT_TAIL(&block_mig_state.bmds_list, bmds, entry);
@@ -592,7 +592,7 @@ static int mig_save_device_dirty(QEMUFile *f, BlkMigDevState *bmds,
return (bmds->cur_dirty >= bmds->total_sectors);
error:
- DPRINTF("Error reading sector %" PRId64 "\n", sector);
+ trace_migration_block_save_device_dirty(sector);
g_free(blk->buf);
g_free(blk);
return ret;
@@ -628,9 +628,9 @@ static int flush_blks(QEMUFile *f)
BlkMigBlock *blk;
int ret = 0;
- DPRINTF("%s Enter submitted %d read_done %d transferred %d\n",
- __func__, block_mig_state.submitted, block_mig_state.read_done,
- block_mig_state.transferred);
+ trace_migration_block_flush_blks("Enter", block_mig_state.submitted,
+ block_mig_state.read_done,
+ block_mig_state.transferred);
blk_mig_lock();
while ((blk = QSIMPLEQ_FIRST(&block_mig_state.blk_list)) != NULL) {
@@ -656,9 +656,9 @@ static int flush_blks(QEMUFile *f)
}
blk_mig_unlock();
- DPRINTF("%s Exit submitted %d read_done %d transferred %d\n", __func__,
- block_mig_state.submitted, block_mig_state.read_done,
- block_mig_state.transferred);
+ trace_migration_block_flush_blks("Exit", block_mig_state.submitted,
+ block_mig_state.read_done,
+ block_mig_state.transferred);
return ret;
}
@@ -727,8 +727,8 @@ static int block_save_setup(QEMUFile *f, void *opaque)
{
int ret;
- DPRINTF("Enter save live setup submitted %d transferred %d\n",
- block_mig_state.submitted, block_mig_state.transferred);
+ trace_migration_block_save("setup", block_mig_state.submitted,
+ block_mig_state.transferred);
qemu_mutex_lock_iothread();
ret = init_blk_migration(f);
@@ -759,8 +759,8 @@ static int block_save_iterate(QEMUFile *f, void *opaque)
int64_t last_ftell = qemu_ftell(f);
int64_t delta_ftell;
- DPRINTF("Enter save live iterate submitted %d transferred %d\n",
- block_mig_state.submitted, block_mig_state.transferred);
+ trace_migration_block_save("iterate", block_mig_state.submitted,
+ block_mig_state.transferred);
ret = flush_blks(f);
if (ret) {
@@ -825,8 +825,8 @@ static int block_save_complete(QEMUFile *f, void *opaque)
{
int ret;
- DPRINTF("Enter save live complete submitted %d transferred %d\n",
- block_mig_state.submitted, block_mig_state.transferred);
+ trace_migration_block_save("complete", block_mig_state.submitted,
+ block_mig_state.transferred);
ret = flush_blks(f);
if (ret) {
@@ -851,7 +851,7 @@ static int block_save_complete(QEMUFile *f, void *opaque)
/* report completion */
qemu_put_be64(f, (100 << BDRV_SECTOR_BITS) | BLK_MIG_FLAG_PROGRESS);
- DPRINTF("Block migration completed\n");
+ trace_migration_block_save_complete();
qemu_put_be64(f, BLK_MIG_FLAG_EOS);
@@ -884,7 +884,7 @@ static void block_save_pending(QEMUFile *f, void *opaque, uint64_t max_size,
pending = max_size + BLK_MIG_BLOCK_SIZE;
}
- DPRINTF("Enter save live pending %" PRIu64 "\n", pending);
+ trace_migration_block_save_pending(pending);
/* We don't do postcopy */
*res_precopy_only += pending;
}
@@ -998,7 +998,7 @@ static int block_load(QEMUFile *f, void *opaque, int version_id)
(addr == 100) ? '\n' : '\r');
fflush(stdout);
} else if (!(flags & BLK_MIG_FLAG_EOS)) {
- fprintf(stderr, "Unknown block migration flags: %#x\n", flags);
+ fprintf(stderr, "Unknown block migration flags: 0x%x\n", flags);
return -EINVAL;
}
ret = qemu_file_get_error(f);
diff --git a/migration/migration.c b/migration/migration.c
index 0575ecb..9bb4fee 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -143,9 +143,15 @@ static int migration_maybe_pause(MigrationState *s,
int new_state);
static void migrate_fd_cancel(MigrationState *s);
+static gint page_request_addr_cmp(gconstpointer ap, gconstpointer bp)
+{
+ uintptr_t a = (uintptr_t) ap, b = (uintptr_t) bp;
+
+ return (a > b) - (a < b);
+}
+
void migration_object_init(void)
{
- MachineState *ms = MACHINE(qdev_get_machine());
Error *err = NULL;
/* This can only be called once. */
@@ -165,20 +171,13 @@ void migration_object_init(void)
qemu_event_init(&current_incoming->main_thread_load_event, false);
qemu_sem_init(&current_incoming->postcopy_pause_sem_dst, 0);
qemu_sem_init(&current_incoming->postcopy_pause_sem_fault, 0);
+ qemu_mutex_init(&current_incoming->page_request_mutex);
+ current_incoming->page_requested = g_tree_new(page_request_addr_cmp);
if (!migration_object_check(current_migration, &err)) {
error_report_err(err);
exit(1);
}
-
- /*
- * We cannot really do this in migration_instance_init() since at
- * that time global properties are not yet applied, then this
- * value will be definitely replaced by something else.
- */
- if (ms->enforce_config_section) {
- current_migration->send_configuration = true;
- }
}
void migration_shutdown(void)
@@ -240,6 +239,11 @@ void migration_incoming_state_destroy(void)
qemu_event_reset(&mis->main_thread_load_event);
+ if (mis->page_requested) {
+ g_tree_destroy(mis->page_requested);
+ mis->page_requested = NULL;
+ }
+
if (mis->socket_address_list) {
qapi_free_SocketAddressList(mis->socket_address_list);
mis->socket_address_list = NULL;
@@ -316,8 +320,8 @@ error:
* Start: Address offset within the RB
* Len: Length in bytes required - must be a multiple of pagesize
*/
-int migrate_send_rp_req_pages(MigrationIncomingState *mis, RAMBlock *rb,
- ram_addr_t start)
+int migrate_send_rp_message_req_pages(MigrationIncomingState *mis,
+ RAMBlock *rb, ram_addr_t start)
{
uint8_t bufc[12 + 1 + 255]; /* start (8), len (4), rbname up to 256 */
size_t msglen = 12; /* start + len */
@@ -353,6 +357,37 @@ int migrate_send_rp_req_pages(MigrationIncomingState *mis, RAMBlock *rb,
return migrate_send_rp_message(mis, msg_type, msglen, bufc);
}
+int migrate_send_rp_req_pages(MigrationIncomingState *mis,
+ RAMBlock *rb, ram_addr_t start, uint64_t haddr)
+{
+ void *aligned = (void *)(uintptr_t)(haddr & (-qemu_ram_pagesize(rb)));
+ bool received;
+
+ WITH_QEMU_LOCK_GUARD(&mis->page_request_mutex) {
+ received = ramblock_recv_bitmap_test_byte_offset(rb, start);
+ if (!received && !g_tree_lookup(mis->page_requested, aligned)) {
+ /*
+ * The page has not been received, and it's not yet in the page
+ * request list. Queue it. Set the value of element to 1, so that
+ * things like g_tree_lookup() will return TRUE (1) when found.
+ */
+ g_tree_insert(mis->page_requested, aligned, (gpointer)1);
+ mis->page_requested_count++;
+ trace_postcopy_page_req_add(aligned, mis->page_requested_count);
+ }
+ }
+
+ /*
+ * If the page is there, skip sending the message. We don't even need the
+ * lock because as long as the page arrived, it'll be there forever.
+ */
+ if (received) {
+ return 0;
+ }
+
+ return migrate_send_rp_message_req_pages(mis, rb, start);
+}
+
static bool migration_colo_enabled;
bool migration_incoming_colo_enabled(void)
{
@@ -2478,8 +2513,8 @@ static void migrate_handle_rp_req_pages(MigrationState *ms, const char* rbname,
* Since we currently insist on matching page sizes, just sanity check
* we're being asked for whole host pages.
*/
- if (start & (our_host_ps-1) ||
- (len & (our_host_ps-1))) {
+ if (start & (our_host_ps - 1) ||
+ (len & (our_host_ps - 1))) {
error_report("%s: Misaligned page request, start: " RAM_ADDR_FMT
" len: %zd", __func__, start, len);
mark_source_rp_bad(ms);
@@ -3133,9 +3168,6 @@ static MigThrError postcopy_pause(MigrationState *s)
while (true) {
QEMUFile *file;
- migrate_set_state(&s->state, s->state,
- MIGRATION_STATUS_POSTCOPY_PAUSED);
-
/* Current channel is possibly broken. Release it. */
assert(s->to_dst_file);
qemu_mutex_lock(&s->qemu_file_lock);
@@ -3146,6 +3178,9 @@ static MigThrError postcopy_pause(MigrationState *s)
qemu_file_shutdown(file);
qemu_fclose(file);
+ migrate_set_state(&s->state, s->state,
+ MIGRATION_STATUS_POSTCOPY_PAUSED);
+
error_report("Detected IO failure for postcopy. "
"Migration paused.");
diff --git a/migration/migration.h b/migration/migration.h
index deb411a..d096b77 100644
--- a/migration/migration.h
+++ b/migration/migration.h
@@ -104,6 +104,23 @@ struct MigrationIncomingState {
/* List of listening socket addresses */
SocketAddressList *socket_address_list;
+
+ /* A tree of pages that we requested to the source VM */
+ GTree *page_requested;
+ /* For debugging purpose only, but would be nice to keep */
+ int page_requested_count;
+ /*
+ * The mutex helps to maintain the requested pages that we sent to the
+ * source, IOW, to guarantee coherent between the page_requests tree and
+ * the per-ramblock receivedmap. Note! This does not guarantee consistency
+ * of the real page copy procedures (using UFFDIO_[ZERO]COPY). E.g., even
+ * if one bit in receivedmap is cleared, UFFDIO_COPY could have happened
+ * for that page already. This is intended so that the mutex won't
+ * serialize and blocked by slow operations like UFFDIO_* ioctls. However
+ * this should be enough to make sure the page_requested tree always
+ * contains valid information.
+ */
+ QemuMutex page_request_mutex;
};
MigrationIncomingState *migration_incoming_get_current(void);
@@ -124,8 +141,7 @@ struct MigrationClass {
DeviceClass parent_class;
};
-struct MigrationState
-{
+struct MigrationState {
/*< private >*/
DeviceState parent_obj;
@@ -332,7 +348,9 @@ void migrate_send_rp_shut(MigrationIncomingState *mis,
void migrate_send_rp_pong(MigrationIncomingState *mis,
uint32_t value);
int migrate_send_rp_req_pages(MigrationIncomingState *mis, RAMBlock *rb,
- ram_addr_t start);
+ ram_addr_t start, uint64_t haddr);
+int migrate_send_rp_message_req_pages(MigrationIncomingState *mis,
+ RAMBlock *rb, ram_addr_t start);
void migrate_send_rp_recv_bitmap(MigrationIncomingState *mis,
char *block_name);
void migrate_send_rp_resume_ack(MigrationIncomingState *mis, uint32_t value);
diff --git a/migration/page_cache.c b/migration/page_cache.c
index 775582f..098b436 100644
--- a/migration/page_cache.c
+++ b/migration/page_cache.c
@@ -18,14 +18,7 @@
#include "qapi/error.h"
#include "qemu/host-utils.h"
#include "page_cache.h"
-
-#ifdef DEBUG_CACHE
-#define DPRINTF(fmt, ...) \
- do { fprintf(stdout, "cache: " fmt, ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...) \
- do { } while (0)
-#endif
+#include "trace.h"
/* the page in cache will not be replaced in two cycles */
#define CACHED_PAGE_LIFETIME 2
@@ -75,7 +68,7 @@ PageCache *cache_init(int64_t new_size, size_t page_size, Error **errp)
cache->num_items = 0;
cache->max_num_items = num_pages;
- DPRINTF("Setting cache buckets to %" PRId64 "\n", cache->max_num_items);
+ trace_migration_pagecache_init(cache->max_num_items);
/* We prefer not to abort if there is no memory */
cache->page_cache = g_try_malloc((cache->max_num_items) *
@@ -169,7 +162,7 @@ int cache_insert(PageCache *cache, uint64_t addr, const uint8_t *pdata,
if (!it->it_data) {
it->it_data = g_try_malloc(cache->page_size);
if (!it->it_data) {
- DPRINTF("Error allocating page\n");
+ trace_migration_pagecache_insert();
return -1;
}
cache->num_items++;
diff --git a/migration/postcopy-ram.c b/migration/postcopy-ram.c
index 0a2f88a8..d3bb3a7 100644
--- a/migration/postcopy-ram.c
+++ b/migration/postcopy-ram.c
@@ -403,7 +403,7 @@ bool postcopy_ram_supported_by_host(MigrationIncomingState *mis)
strerror(errno));
goto out;
}
- g_assert(((size_t)testarea & (pagesize-1)) == 0);
+ g_assert(((size_t)testarea & (pagesize - 1)) == 0);
reg_struct.range.start = (uintptr_t)testarea;
reg_struct.range.len = pagesize;
@@ -684,7 +684,7 @@ int postcopy_request_shared_page(struct PostCopyFD *pcfd, RAMBlock *rb,
qemu_ram_get_idstr(rb), rb_offset);
return postcopy_wake_shared(pcfd, client_addr, rb);
}
- migrate_send_rp_req_pages(mis, rb, aligned_rbo);
+ migrate_send_rp_req_pages(mis, rb, aligned_rbo, client_addr);
return 0;
}
@@ -979,7 +979,8 @@ retry:
* Send the request to the source - we want to request one
* of our host page sizes (which is >= TPS)
*/
- ret = migrate_send_rp_req_pages(mis, rb, rb_offset);
+ ret = migrate_send_rp_req_pages(mis, rb, rb_offset,
+ msg.arg.pagefault.address);
if (ret) {
/* May be network failure, try to wait for recovery */
if (ret == -EIO && postcopy_pause_fault_thread(mis)) {
@@ -1128,10 +1129,12 @@ int postcopy_ram_incoming_setup(MigrationIncomingState *mis)
return 0;
}
-static int qemu_ufd_copy_ioctl(int userfault_fd, void *host_addr,
+static int qemu_ufd_copy_ioctl(MigrationIncomingState *mis, void *host_addr,
void *from_addr, uint64_t pagesize, RAMBlock *rb)
{
+ int userfault_fd = mis->userfault_fd;
int ret;
+
if (from_addr) {
struct uffdio_copy copy_struct;
copy_struct.dst = (uint64_t)(uintptr_t)host_addr;
@@ -1147,10 +1150,20 @@ static int qemu_ufd_copy_ioctl(int userfault_fd, void *host_addr,
ret = ioctl(userfault_fd, UFFDIO_ZEROPAGE, &zero_struct);
}
if (!ret) {
+ qemu_mutex_lock(&mis->page_request_mutex);
ramblock_recv_bitmap_set_range(rb, host_addr,
pagesize / qemu_target_page_size());
+ /*
+ * If this page resolves a page fault for a previous recorded faulted
+ * address, take a special note to maintain the requested page list.
+ */
+ if (g_tree_lookup(mis->page_requested, host_addr)) {
+ g_tree_remove(mis->page_requested, host_addr);
+ mis->page_requested_count--;
+ trace_postcopy_page_req_del(host_addr, mis->page_requested_count);
+ }
+ qemu_mutex_unlock(&mis->page_request_mutex);
mark_postcopy_blocktime_end((uintptr_t)host_addr);
-
}
return ret;
}
@@ -1185,7 +1198,7 @@ int postcopy_place_page(MigrationIncomingState *mis, void *host, void *from,
* which would be slightly cheaper, but we'd have to be careful
* of the order of updating our page state.
*/
- if (qemu_ufd_copy_ioctl(mis->userfault_fd, host, from, pagesize, rb)) {
+ if (qemu_ufd_copy_ioctl(mis, host, from, pagesize, rb)) {
int e = errno;
error_report("%s: %s copy host: %p from: %p (size: %zd)",
__func__, strerror(e), host, from, pagesize);
@@ -1212,7 +1225,7 @@ int postcopy_place_page_zero(MigrationIncomingState *mis, void *host,
* but it's not available for everything (e.g. hugetlbpages)
*/
if (qemu_ram_is_uf_zeroable(rb)) {
- if (qemu_ufd_copy_ioctl(mis->userfault_fd, host, NULL, pagesize, rb)) {
+ if (qemu_ufd_copy_ioctl(mis, host, NULL, pagesize, rb)) {
int e = errno;
error_report("%s: %s zero host: %p",
__func__, strerror(e), host);
diff --git a/migration/ram.c b/migration/ram.c
index 433489d..2da2b62 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -101,14 +101,16 @@ static struct {
static void XBZRLE_cache_lock(void)
{
- if (migrate_use_xbzrle())
+ if (migrate_use_xbzrle()) {
qemu_mutex_lock(&XBZRLE.lock);
+ }
}
static void XBZRLE_cache_unlock(void)
{
- if (migrate_use_xbzrle())
+ if (migrate_use_xbzrle()) {
qemu_mutex_unlock(&XBZRLE.lock);
+ }
}
/**
@@ -1563,7 +1565,7 @@ int ram_save_queue_pages(const char *rbname, ram_addr_t start, ram_addr_t len)
rs->last_req_rb = ramblock;
}
trace_ram_save_queue_pages(ramblock->idstr, start, len);
- if (start+len > ramblock->used_length) {
+ if (start + len > ramblock->used_length) {
error_report("%s request overrun start=" RAM_ADDR_FMT " len="
RAM_ADDR_FMT " blocklen=" RAM_ADDR_FMT,
__func__, start, len, ramblock->used_length);
@@ -2741,7 +2743,7 @@ static int load_xbzrle(QEMUFile *f, ram_addr_t addr, void *host)
*/
static inline RAMBlock *ram_block_from_stream(QEMUFile *f, int flags)
{
- static RAMBlock *block = NULL;
+ static RAMBlock *block;
char id[256];
uint8_t len;
@@ -3298,7 +3300,7 @@ static int ram_load_postcopy(QEMUFile *f)
multifd_recv_sync_main();
break;
default:
- error_report("Unknown combination of migration flags: %#x"
+ error_report("Unknown combination of migration flags: 0x%x"
" (postcopy mode)", flags);
ret = -EINVAL;
break;
@@ -3576,7 +3578,7 @@ static int ram_load_precopy(QEMUFile *f)
if (flags & RAM_SAVE_FLAG_HOOK) {
ram_control_load_hook(f, RAM_CONTROL_HOOK, NULL);
} else {
- error_report("Unknown combination of migration flags: %#x",
+ error_report("Unknown combination of migration flags: 0x%x",
flags);
ret = -EINVAL;
}
diff --git a/migration/rdma.c b/migration/rdma.c
index 0340841..00eac34 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -273,7 +273,8 @@ static uint64_t htonll(uint64_t v)
return u.llv;
}
-static uint64_t ntohll(uint64_t v) {
+static uint64_t ntohll(uint64_t v)
+{
union { uint32_t lv[2]; uint64_t llv; } u;
u.llv = v;
return ((uint64_t)ntohl(u.lv[0]) << 32) | (uint64_t) ntohl(u.lv[1]);
@@ -854,7 +855,7 @@ static int qemu_rdma_broken_ipv6_kernel(struct ibv_context *verbs, Error **errp)
*/
if (!verbs) {
int num_devices, x;
- struct ibv_device ** dev_list = ibv_get_device_list(&num_devices);
+ struct ibv_device **dev_list = ibv_get_device_list(&num_devices);
bool roce_found = false;
bool ib_found = false;
@@ -1288,7 +1289,7 @@ const char *print_wrid(int wrid)
* workload information or LRU information is available, do not attempt to use
* this feature except for basic testing.
*/
-//#define RDMA_UNREGISTRATION_EXAMPLE
+/* #define RDMA_UNREGISTRATION_EXAMPLE */
/*
* Perform a non-optimized memory unregistration after every transfer
diff --git a/migration/savevm.c b/migration/savevm.c
index ff33e21..21ccba9 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -63,7 +63,7 @@
#include "qemu/bitmap.h"
#include "net/announce.h"
-const unsigned int postcopy_ram_discard_version = 0;
+const unsigned int postcopy_ram_discard_version;
/* Subcommands for QEMU_VM_COMMAND */
enum qemu_vm_cmd {
@@ -520,7 +520,7 @@ static const VMStateDescription vmstate_configuration = {
VMSTATE_VBUFFER_ALLOC_UINT32(name, SaveState, 0, NULL, len),
VMSTATE_END_OF_LIST()
},
- .subsections = (const VMStateDescription*[]) {
+ .subsections = (const VMStateDescription *[]) {
&vmstate_target_page_bits,
&vmstate_capabilites,
&vmstate_uuid,
@@ -2010,6 +2010,49 @@ static int loadvm_postcopy_handle_run(MigrationIncomingState *mis)
return LOADVM_QUIT;
}
+/* We must be with page_request_mutex held */
+static gboolean postcopy_sync_page_req(gpointer key, gpointer value,
+ gpointer data)
+{
+ MigrationIncomingState *mis = data;
+ void *host_addr = (void *) key;
+ ram_addr_t rb_offset;
+ RAMBlock *rb;
+ int ret;
+
+ rb = qemu_ram_block_from_host(host_addr, true, &rb_offset);
+ if (!rb) {
+ /*
+ * This should _never_ happen. However be nice for a migrating VM to
+ * not crash/assert. Post an error (note: intended to not use *_once
+ * because we do want to see all the illegal addresses; and this can
+ * never be triggered by the guest so we're safe) and move on next.
+ */
+ error_report("%s: illegal host addr %p", __func__, host_addr);
+ /* Try the next entry */
+ return FALSE;
+ }
+
+ ret = migrate_send_rp_message_req_pages(mis, rb, rb_offset);
+ if (ret) {
+ /* Please refer to above comment. */
+ error_report("%s: send rp message failed for addr %p",
+ __func__, host_addr);
+ return FALSE;
+ }
+
+ trace_postcopy_page_req_sync(host_addr);
+
+ return FALSE;
+}
+
+static void migrate_send_rp_req_pages_pending(MigrationIncomingState *mis)
+{
+ WITH_QEMU_LOCK_GUARD(&mis->page_request_mutex) {
+ g_tree_foreach(mis->page_requested, postcopy_sync_page_req, mis);
+ }
+}
+
static int loadvm_postcopy_handle_resume(MigrationIncomingState *mis)
{
if (mis->state != MIGRATION_STATUS_POSTCOPY_RECOVER) {
@@ -2032,6 +2075,20 @@ static int loadvm_postcopy_handle_resume(MigrationIncomingState *mis)
/* Tell source that "we are ready" */
migrate_send_rp_resume_ack(mis, MIGRATION_RESUME_ACK_VALUE);
+ /*
+ * After a postcopy recovery, the source should have lost the postcopy
+ * queue, or potentially the requested pages could have been lost during
+ * the network down phase. Let's re-sync with the source VM by re-sending
+ * all the pending pages that we eagerly need, so these threads won't get
+ * blocked too long due to the recovery.
+ *
+ * Without this procedure, the faulted destination VM threads (waiting for
+ * page requests right before the postcopy is interrupted) can keep hanging
+ * until the pages are sent by the source during the background copying of
+ * pages, or another thread faulted on the same address accidentally.
+ */
+ migrate_send_rp_req_pages_pending(mis);
+
return 0;
}
diff --git a/migration/trace-events b/migration/trace-events
index 338f38b..75de500 100644
--- a/migration/trace-events
+++ b/migration/trace-events
@@ -49,6 +49,7 @@ vmstate_save(const char *idstr, const char *vmsd_name) "%s, %s"
vmstate_load(const char *idstr, const char *vmsd_name) "%s, %s"
postcopy_pause_incoming(void) ""
postcopy_pause_incoming_continued(void) ""
+postcopy_page_req_sync(void *host_addr) "sync page req %p"
# vmstate.c
vmstate_load_field_error(const char *field, int ret) "field \"%s\" load failed, ret = %d"
@@ -162,6 +163,7 @@ postcopy_pause_return_path(void) ""
postcopy_pause_return_path_continued(void) ""
postcopy_pause_continued(void) ""
postcopy_start_set_run(void) ""
+postcopy_page_req_add(void *addr, int count) "new page req %p total %d"
source_return_path_thread_bad_end(void) ""
source_return_path_thread_end(void) ""
source_return_path_thread_entry(void) ""
@@ -272,6 +274,7 @@ postcopy_ram_incoming_cleanup_blocktime(uint64_t total) "total blocktime %" PRIu
postcopy_request_shared_page(const char *sharer, const char *rb, uint64_t rb_offset) "for %s in %s offset 0x%"PRIx64
postcopy_request_shared_page_present(const char *sharer, const char *rb, uint64_t rb_offset) "%s already %s offset 0x%"PRIx64
postcopy_wake_shared(uint64_t client_addr, const char *rb) "at 0x%"PRIx64" in %s"
+postcopy_page_req_del(void *addr, int count) "resolved page req %p total %d"
get_mem_fault_cpu_index(int cpu, uint32_t pid) "cpu: %d, pid: %u"
@@ -325,3 +328,16 @@ get_ramblock_vfn_hash(const char *idstr, uint64_t vfn, uint32_t crc) "ramblock n
calc_page_dirty_rate(const char *idstr, uint32_t new_crc, uint32_t old_crc) "ramblock name: %s, new crc: %" PRIu32 ", old crc: %" PRIu32
skip_sample_ramblock(const char *idstr, uint64_t ramblock_size) "ramblock name: %s, ramblock size: %" PRIu64
find_page_matched(const char *idstr) "ramblock %s addr or size changed"
+
+# block.c
+migration_block_init_shared(const char *blk_device_name) "Start migration for %s with shared base image"
+migration_block_init_full(const char *blk_device_name) "Start full migration for %s"
+migration_block_save_device_dirty(int64_t sector) "Error reading sector %" PRId64
+migration_block_flush_blks(const char *action, int submitted, int read_done, int transferred) "%s submitted %d read_done %d transferred %d"
+migration_block_save(const char *mig_stage, int submitted, int transferred) "Enter save live %s submitted %d transferred %d"
+migration_block_save_complete(void) "Block migration completed"
+migration_block_save_pending(uint64_t pending) "Enter save live pending %" PRIu64
+
+# page_cache.c
+migration_pagecache_init(int64_t max_num_items) "Setting cache buckets to %" PRId64
+migration_pagecache_insert(void) "Error allocating page"
diff --git a/migration/vmstate-types.c b/migration/vmstate-types.c
index 35e784c..e22d41d 100644
--- a/migration/vmstate-types.c
+++ b/migration/vmstate-types.c
@@ -420,32 +420,6 @@ const VMStateInfo vmstate_info_uint16_equal = {
.put = put_uint16,
};
-/* floating point */
-
-static int get_float64(QEMUFile *f, void *pv, size_t size,
- const VMStateField *field)
-{
- float64 *v = pv;
-
- *v = make_float64(qemu_get_be64(f));
- return 0;
-}
-
-static int put_float64(QEMUFile *f, void *pv, size_t size,
- const VMStateField *field, QJSON *vmdesc)
-{
- uint64_t *v = pv;
-
- qemu_put_be64(f, float64_val(*v));
- return 0;
-}
-
-const VMStateInfo vmstate_info_float64 = {
- .name = "float64",
- .get = get_float64,
- .put = put_float64,
-};
-
/* CPU_DoubleU type */
static int get_cpudouble(QEMUFile *f, void *pv, size_t size,
diff --git a/migration/vmstate.c b/migration/vmstate.c
index bafa890..e9d2aef 100644
--- a/migration/vmstate.c
+++ b/migration/vmstate.c
@@ -32,13 +32,13 @@ static int vmstate_n_elems(void *opaque, const VMStateField *field)
if (field->flags & VMS_ARRAY) {
n_elems = field->num;
} else if (field->flags & VMS_VARRAY_INT32) {
- n_elems = *(int32_t *)(opaque+field->num_offset);
+ n_elems = *(int32_t *)(opaque + field->num_offset);
} else if (field->flags & VMS_VARRAY_UINT32) {
- n_elems = *(uint32_t *)(opaque+field->num_offset);
+ n_elems = *(uint32_t *)(opaque + field->num_offset);
} else if (field->flags & VMS_VARRAY_UINT16) {
- n_elems = *(uint16_t *)(opaque+field->num_offset);
+ n_elems = *(uint16_t *)(opaque + field->num_offset);
} else if (field->flags & VMS_VARRAY_UINT8) {
- n_elems = *(uint8_t *)(opaque+field->num_offset);
+ n_elems = *(uint8_t *)(opaque + field->num_offset);
}
if (field->flags & VMS_MULTIPLY_ELEMENTS) {
@@ -54,7 +54,7 @@ static int vmstate_size(void *opaque, const VMStateField *field)
int size = field->size;
if (field->flags & VMS_VBUFFER) {
- size = *(int32_t *)(opaque+field->size_offset);
+ size = *(int32_t *)(opaque + field->size_offset);
if (field->flags & VMS_MULTIPLY) {
size *= field->size;
}
diff --git a/net/meson.build b/net/meson.build
index 1c7e3a3..1076b0a 100644
--- a/net/meson.build
+++ b/net/meson.build
@@ -7,7 +7,6 @@ softmmu_ss.add(files(
'eth.c',
'filter-buffer.c',
'filter-mirror.c',
- 'filter-replay.c',
'filter-rewriter.c',
'filter.c',
'hub.c',
@@ -17,6 +16,8 @@ softmmu_ss.add(files(
'util.c',
))
+softmmu_ss.add(when: 'CONFIG_TCG', if_true: files('filter-replay.c'))
+
softmmu_ss.add(when: 'CONFIG_L2TPV3', if_true: files('l2tpv3.c'))
softmmu_ss.add(when: slirp, if_true: files('slirp.c'))
softmmu_ss.add(when: ['CONFIG_VDE', vde], if_true: files('vde.c'))
diff --git a/pc-bios/descriptors/meson.build b/pc-bios/descriptors/meson.build
index 3798d32..7040834 100644
--- a/pc-bios/descriptors/meson.build
+++ b/pc-bios/descriptors/meson.build
@@ -8,7 +8,7 @@ foreach f: [
]
configure_file(input: files(f),
output: f,
- configuration: {'DATADIR': config_host['qemu_datadir']},
- install: install_blobs,
+ configuration: {'DATADIR': qemu_datadir},
+ install: get_option('install_blobs'),
install_dir: qemu_datadir / 'firmware')
endforeach
diff --git a/pc-bios/meson.build b/pc-bios/meson.build
index a0d21be..fab323a 100644
--- a/pc-bios/meson.build
+++ b/pc-bios/meson.build
@@ -1,7 +1,8 @@
-bzip2 = find_program('bzip2')
-
-install_blobs = 'INSTALL_BLOBS' in config_host
-if 'DECOMPRESS_EDK2_BLOBS' in config_host
+if 'arm-softmmu' in target_dirs or \
+ 'aarch64-softmmu' in target_dirs or \
+ 'i386-softmmu' in target_dirs or \
+ 'x86_64-softmmu' in target_dirs
+ bzip2 = find_program('bzip2', required: true)
fds = [
'edk2-aarch64-code.fd',
'edk2-arm-code.fd',
@@ -18,7 +19,7 @@ if 'DECOMPRESS_EDK2_BLOBS' in config_host
output: f,
input: '@0@.bz2'.format(f),
capture: true,
- install: install_blobs,
+ install: get_option('install_blobs'),
install_dir: qemu_datadir,
command: [ bzip2, '-dc', '@INPUT0@' ])
endforeach
@@ -85,8 +86,8 @@ blobs = files(
'npcm7xx_bootrom.bin',
)
-if install_blobs
- install_data(blobs, install_dir: config_host['qemu_datadir'])
+if get_option('install_blobs')
+ install_data(blobs, install_dir: qemu_datadir)
endif
subdir('descriptors')
diff --git a/qemu-options.hx b/qemu-options.hx
index 1da52a2..2c83390 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -34,7 +34,6 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
" dea-key-wrap=on|off controls support for DEA key wrapping (default=on)\n"
" suppress-vmdesc=on|off disables self-describing migration (default=off)\n"
" nvdimm=on|off controls NVDIMM support (default=off)\n"
- " enforce-config-section=on|off enforce configuration section migration (default=off)\n"
" memory-encryption=@var{} memory encryption object to use (default=none)\n"
" hmat=on|off controls ACPI HMAT support (default=off)\n",
QEMU_ARCH_ALL)
@@ -91,13 +90,6 @@ SRST
``nvdimm=on|off``
Enables or disables NVDIMM support. The default is off.
- ``enforce-config-section=on|off``
- If ``enforce-config-section`` is set to on, force migration code
- to send configuration section even if the machine-type sets the
- ``migration.send-configuration`` property to off. NOTE: this
- parameter is deprecated. Please use ``-global``
- ``migration.send-configuration``\ =on\|off instead.
-
``memory-encryption=``
Memory encryption object to use. The default is none.
@@ -4351,9 +4343,6 @@ SRST
Enable FIPS 140-2 compliance mode.
ERST
-HXCOMM Deprecated by -accel tcg
-DEF("no-kvm", 0, QEMU_OPTION_no_kvm, "", QEMU_ARCH_I386)
-
DEF("msg", HAS_ARG, QEMU_OPTION_msg,
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
" control error message format\n"
diff --git a/replay/meson.build b/replay/meson.build
index f91163f..21aefad 100644
--- a/replay/meson.build
+++ b/replay/meson.build
@@ -1,4 +1,4 @@
-softmmu_ss.add(files(
+softmmu_ss.add(when: 'CONFIG_TCG', if_true: files(
'replay.c',
'replay-internal.c',
'replay-events.c',
@@ -10,4 +10,4 @@ softmmu_ss.add(files(
'replay-audio.c',
'replay-random.c',
'replay-debugging.c',
-))
+), if_false: files('stubs-system.c'))
diff --git a/replay/stubs-system.c b/replay/stubs-system.c
new file mode 100644
index 0000000..5c262b0
--- /dev/null
+++ b/replay/stubs-system.c
@@ -0,0 +1,96 @@
+#include "qemu/osdep.h"
+#include "sysemu/replay.h"
+#include "ui/input.h"
+
+void replay_input_event(QemuConsole *src, InputEvent *evt)
+{
+ qemu_input_event_send_impl(src, evt);
+}
+
+void replay_input_sync_event(void)
+{
+ qemu_input_event_sync_impl();
+}
+
+void replay_add_blocker(Error *reason)
+{
+}
+void replay_audio_in(size_t *recorded, void *samples, size_t *wpos, size_t size)
+{
+}
+void replay_audio_out(size_t *played)
+{
+}
+void replay_breakpoint(void)
+{
+}
+bool replay_can_snapshot(void)
+{
+ return true;
+}
+void replay_configure(struct QemuOpts *opts)
+{
+}
+void replay_flush_events(void)
+{
+}
+void replay_gdb_attached(void)
+{
+}
+bool replay_running_debug(void)
+{
+ return false;
+}
+void replay_shutdown_request(ShutdownCause cause)
+{
+}
+void replay_start(void)
+{
+}
+void replay_vmstate_init(void)
+{
+}
+
+#include "monitor/monitor.h"
+#include "monitor/hmp.h"
+#include "qapi/qapi-commands-replay.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+
+void hmp_info_replay(Monitor *mon, const QDict *qdict)
+{
+ error_report("replay support not available");
+}
+void hmp_replay_break(Monitor *mon, const QDict *qdict)
+{
+ error_report("replay support not available");
+}
+void hmp_replay_delete_break(Monitor *mon, const QDict *qdict)
+{
+ error_report("replay support not available");
+}
+void hmp_replay_seek(Monitor *mon, const QDict *qdict)
+{
+ error_report("replay support not available");
+}
+ReplayInfo *qmp_query_replay(Error **errp)
+{
+ error_set(errp, ERROR_CLASS_COMMAND_NOT_FOUND,
+ "replay support not available");
+ return NULL;
+}
+void qmp_replay_break(int64_t icount, Error **errp)
+{
+ error_set(errp, ERROR_CLASS_COMMAND_NOT_FOUND,
+ "replay support not available");
+}
+void qmp_replay_delete_break(Error **errp)
+{
+ error_set(errp, ERROR_CLASS_COMMAND_NOT_FOUND,
+ "replay support not available");
+}
+void qmp_replay_seek(int64_t icount, Error **errp)
+{
+ error_set(errp, ERROR_CLASS_COMMAND_NOT_FOUND,
+ "replay support not available");
+}
diff --git a/scripts/oss-fuzz/build.sh b/scripts/oss-fuzz/build.sh
index 0c3ca9e..fcae4a0 100755
--- a/scripts/oss-fuzz/build.sh
+++ b/scripts/oss-fuzz/build.sh
@@ -62,6 +62,9 @@ fi
mkdir -p "$DEST_DIR/lib/" # Copy the shared libraries here
+mkdir -p "$DEST_DIR/bin/" # Copy executables that shouldn't
+ # be treated as fuzzers by oss-fuzz here
+
# Build once to get the list of dynamic lib paths, and copy them over
../configure --disable-werror --cc="$CC" --cxx="$CXX" --enable-fuzzing \
--prefix="$DEST_DIR" --bindir="$DEST_DIR" --datadir="$DEST_DIR/data/" \
@@ -88,13 +91,22 @@ make "-j$(nproc)" qemu-fuzz-i386 V=1
# Copy over the datadir
cp -r ../pc-bios/ "$DEST_DIR/pc-bios"
+cp "./qemu-fuzz-i386" "$DEST_DIR/bin/"
+
# Run the fuzzer with no arguments, to print the help-string and get the list
# of available fuzz-targets. Copy over the qemu-fuzz-i386, naming it according
# to each available fuzz target (See 05509c8e6d fuzz: select fuzz target using
# executable name)
for target in $(./qemu-fuzz-i386 | awk '$1 ~ /\*/ {print $2}');
do
- cp qemu-fuzz-i386 "$DEST_DIR/qemu-fuzz-i386-target-$target"
+ # Ignore the generic-fuzz target, as it requires some environment variables
+ # to be configured. We have some generic-fuzz-{pc-q35, floppy, ...} targets
+ # that are thin wrappers around this target that set the required
+ # environment variables according to predefined configs.
+ if [ "$target" != "generic-fuzz" ]; then
+ ln "$DEST_DIR/bin/qemu-fuzz-i386" \
+ "$DEST_DIR/qemu-fuzz-i386-target-$target"
+ fi
done
echo "Done. The fuzzers are located in $DEST_DIR"
diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
new file mode 100755
index 0000000..5e405a0
--- /dev/null
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -0,0 +1,157 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+This takes a crashing qtest trace and tries to remove superflous operations
+"""
+
+import sys
+import os
+import subprocess
+import time
+import struct
+
+QEMU_ARGS = None
+QEMU_PATH = None
+TIMEOUT = 5
+CRASH_TOKEN = None
+
+write_suffix_lookup = {"b": (1, "B"),
+ "w": (2, "H"),
+ "l": (4, "L"),
+ "q": (8, "Q")}
+
+def usage():
+ sys.exit("""\
+Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace
+By default, will try to use the second-to-last line in the output to identify
+whether the crash occred. Optionally, manually set a string that idenitifes the
+crash by setting CRASH_TOKEN=
+""".format((sys.argv[0])))
+
+def check_if_trace_crashes(trace, path):
+ global CRASH_TOKEN
+ with open(path, "w") as tracefile:
+ tracefile.write("".join(trace))
+
+ rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} {qemu_args} 2>&1\
+ < {trace_path}".format(timeout=TIMEOUT,
+ qemu_path=QEMU_PATH,
+ qemu_args=QEMU_ARGS,
+ trace_path=path),
+ shell=True,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE)
+ stdo = rc.communicate()[0]
+ output = stdo.decode('unicode_escape')
+ if rc.returncode == 137: # Timed Out
+ return False
+ if len(output.splitlines()) < 2:
+ return False
+
+ if CRASH_TOKEN is None:
+ CRASH_TOKEN = output.splitlines()[-2]
+
+ return CRASH_TOKEN in output
+
+
+def minimize_trace(inpath, outpath):
+ global TIMEOUT
+ with open(inpath) as f:
+ trace = f.readlines()
+ start = time.time()
+ if not check_if_trace_crashes(trace, outpath):
+ sys.exit("The input qtest trace didn't cause a crash...")
+ end = time.time()
+ print("Crashed in {} seconds".format(end-start))
+ TIMEOUT = (end-start)*5
+ print("Setting the timeout for {} seconds".format(TIMEOUT))
+ print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
+
+ i = 0
+ newtrace = trace[:]
+ # For each line
+ while i < len(newtrace):
+ # 1.) Try to remove it completely and reproduce the crash. If it works,
+ # we're done.
+ prior = newtrace[i]
+ print("Trying to remove {}".format(newtrace[i]))
+ # Try to remove the line completely
+ newtrace[i] = ""
+ if check_if_trace_crashes(newtrace, outpath):
+ i += 1
+ continue
+ newtrace[i] = prior
+
+ # 2.) Try to replace write{bwlq} commands with a write addr, len
+ # command. Since this can require swapping endianness, try both LE and
+ # BE options. We do this, so we can "trim" the writes in (3)
+ if (newtrace[i].startswith("write") and not
+ newtrace[i].startswith("write ")):
+ suffix = newtrace[i].split()[0][-1]
+ assert(suffix in write_suffix_lookup)
+ addr = int(newtrace[i].split()[1], 16)
+ value = int(newtrace[i].split()[2], 16)
+ for endianness in ['<', '>']:
+ data = struct.pack("{end}{size}".format(end=endianness,
+ size=write_suffix_lookup[suffix][1]),
+ value)
+ newtrace[i] = "write {addr} {size} 0x{data}\n".format(
+ addr=hex(addr),
+ size=hex(write_suffix_lookup[suffix][0]),
+ data=data.hex())
+ if(check_if_trace_crashes(newtrace, outpath)):
+ break
+ else:
+ newtrace[i] = prior
+
+ # 3.) If it is a qtest write command: write addr len data, try to split
+ # it into two separate write commands. If splitting the write down the
+ # middle does not work, try to move the pivot "left" and retry, until
+ # there is no space left. The idea is to prune unneccessary bytes from
+ # long writes, while accommodating arbitrary MemoryRegion access sizes
+ # and alignments.
+ if newtrace[i].startswith("write "):
+ addr = int(newtrace[i].split()[1], 16)
+ length = int(newtrace[i].split()[2], 16)
+ data = newtrace[i].split()[3][2:]
+ if length > 1:
+ leftlength = int(length/2)
+ rightlength = length - leftlength
+ newtrace.insert(i+1, "")
+ while leftlength > 0:
+ newtrace[i] = "write {addr} {size} 0x{data}\n".format(
+ addr=hex(addr),
+ size=hex(leftlength),
+ data=data[:leftlength*2])
+ newtrace[i+1] = "write {addr} {size} 0x{data}\n".format(
+ addr=hex(addr+leftlength),
+ size=hex(rightlength),
+ data=data[leftlength*2:])
+ if check_if_trace_crashes(newtrace, outpath):
+ break
+ else:
+ leftlength -= 1
+ rightlength += 1
+ if check_if_trace_crashes(newtrace, outpath):
+ i -= 1
+ else:
+ newtrace[i] = prior
+ del newtrace[i+1]
+ i += 1
+ check_if_trace_crashes(newtrace, outpath)
+
+
+if __name__ == '__main__':
+ if len(sys.argv) < 3:
+ usage()
+
+ QEMU_PATH = os.getenv("QEMU_PATH")
+ QEMU_ARGS = os.getenv("QEMU_ARGS")
+ if QEMU_PATH is None or QEMU_ARGS is None:
+ usage()
+ # if "accel" not in QEMU_ARGS:
+ # QEMU_ARGS += " -accel qtest"
+ CRASH_TOKEN = os.getenv("CRASH_TOKEN")
+ QEMU_ARGS += " -qtest stdio -monitor none -serial none "
+ minimize_trace(sys.argv[1], sys.argv[2])
diff --git a/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py b/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
new file mode 100755
index 0000000..890e1de
--- /dev/null
+++ b/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
@@ -0,0 +1,103 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Use this to convert qtest log info from a generic fuzzer input into a qtest
+trace that you can feed into a standard qemu-system process. Example usage:
+
+QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
+ ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
+# .. Finds some crash
+QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
+QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
+ ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
+ /path/to/crash 2> qtest_log_output
+scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace
+./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \
+ -qtest stdin < qtest_trace
+
+### Details ###
+
+Some fuzzer make use of hooks that allow us to populate some memory range, just
+before a DMA read from that range. This means that the fuzzer can produce
+activity that looks like:
+ [start] read from mmio addr
+ [end] read from mmio addr
+ [start] write to pio addr
+ [start] fill a DMA buffer just in time
+ [end] fill a DMA buffer just in time
+ [start] fill a DMA buffer just in time
+ [end] fill a DMA buffer just in time
+ [end] write to pio addr
+ [start] read from mmio addr
+ [end] read from mmio addr
+
+We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace
+might look something like:
+[R +0.028431] readw 0x10000
+[R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00
+[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
+[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
+[R +0.028431] readw 0xfc000
+
+This script would reorder the above trace so it becomes:
+readw 0x10000
+write 0xbeef 0x2 0xAAAA
+write 0xbf00 0x2 0xBBBB
+outl 0xc000 0xbeef
+readw 0xfc000
+
+I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already
+been set up, removing the need for the DMA hooks. We can simply provide this
+reordered trace via -qtest stdio to reproduce the input
+
+Note: this won't work for traces where the device tries to read from the same
+DMA region twice in between MMIO/PIO commands. E.g:
+ [R +0.028434] outl 0xc000 0xbeef
+ [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
+ [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB
+
+The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This
+script looks for these tags and warns the users that the resulting trace might
+not reproduce the bug.
+"""
+
+import sys
+
+__author__ = "Alexander Bulekov <alxndr@bu.edu>"
+__copyright__ = "Copyright (C) 2020, Red Hat, Inc."
+__license__ = "GPL version 2 or (at your option) any later version"
+
+__maintainer__ = "Alexander Bulekov"
+__email__ = "alxndr@bu.edu"
+
+
+def usage():
+ sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0])))
+
+
+def main(filename):
+ with open(filename, "r") as f:
+ trace = f.readlines()
+
+ # Leave only lines that look like logged qtest commands
+ trace[:] = [x.strip() for x in trace if "[R +" in x
+ or "[S +" in x and "CLOSED" not in x]
+
+ for i in range(len(trace)):
+ if i+1 < len(trace):
+ if "[DMA]" in trace[i+1]:
+ if "[DOUBLE-FETCH]" in trace[i+1]:
+ sys.stderr.write("Warning: Likely double fetch on line"
+ "{}.\n There will likely be problems "
+ "reproducing behavior with the "
+ "resulting qtest trace\n\n".format(i+1))
+ trace[i], trace[i+1] = trace[i+1], trace[i]
+ for line in trace:
+ print(line.split("]")[-1].strip())
+
+
+if __name__ == '__main__':
+ if len(sys.argv) == 1:
+ usage()
+ main(sys.argv[1])
diff --git a/scripts/tracetool.py b/scripts/tracetool.py
index 3114624..3114624 100644..100755
--- a/scripts/tracetool.py
+++ b/scripts/tracetool.py
diff --git a/scripts/undefsym.py b/scripts/undefsym.py
index 69a895c..4b6a72d 100644
--- a/scripts/undefsym.py
+++ b/scripts/undefsym.py
@@ -15,12 +15,11 @@ def filter_lines_set(stdout, from_staticlib):
linesSet = set()
for line in stdout.splitlines():
tokens = line.split(b' ')
- if len(tokens) >= 1:
- if len(tokens) > 1:
- if from_staticlib and tokens[1] == b'U':
- continue
- if not from_staticlib and tokens[1] != b'U':
- continue
+ if len(tokens) >= 2:
+ if from_staticlib and tokens[1] == b'U':
+ continue
+ if not from_staticlib and tokens[1] != b'U':
+ continue
new_line = b'-Wl,-u,' + tokens[0]
if not new_line in linesSet:
linesSet.add(new_line)
diff --git a/softmmu/memory.c b/softmmu/memory.c
index 403ff3a..ee4a6bc 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -656,6 +656,19 @@ static void render_memory_region(FlatView *view,
}
}
+void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque)
+{
+ FlatRange *fr;
+
+ assert(fv);
+ assert(cb);
+
+ FOR_EACH_FLAT_RANGE(fr, fv) {
+ if (cb(fr->addr.start, fr->addr.size, fr->mr, opaque))
+ break;
+ }
+}
+
static MemoryRegion *memory_region_get_flatview_root(MemoryRegion *mr)
{
while (mr->enabled) {
@@ -1420,6 +1433,7 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
unsigned size = memop_size(op);
MemTxResult r;
+ fuzz_dma_read_cb(addr, size, mr, false);
if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
*pval = unassigned_mem_read(mr, addr, size);
return MEMTX_DECODE_ERROR;
@@ -3233,6 +3247,19 @@ void memory_region_init_rom_device(MemoryRegion *mr,
vmstate_register_ram(mr, owner_dev);
}
+/*
+ * Support softmmu builds with CONFIG_FUZZ using a weak symbol and a stub for
+ * the fuzz_dma_read_cb callback
+ */
+#ifdef CONFIG_FUZZ
+void __attribute__((weak)) fuzz_dma_read_cb(size_t addr,
+ size_t len,
+ MemoryRegion *mr,
+ bool is_write)
+{
+}
+#endif
+
static const TypeInfo memory_region_info = {
.parent = TYPE_OBJECT,
.name = TYPE_MEMORY_REGION,
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index e319fb2..a9adedb 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -2832,6 +2832,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
stn_he_p(buf, l, val);
} else {
/* RAM case */
+ fuzz_dma_read_cb(addr, len, mr, false);
ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);
memcpy(buf, ram_ptr, l);
}
@@ -3192,6 +3193,7 @@ void *address_space_map(AddressSpace *as,
memory_region_ref(mr);
*plen = flatview_extend_translation(fv, addr, len, mr, xlat,
l, is_write, attrs);
+ fuzz_dma_read_cb(addr, *plen, mr, is_write);
ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
return ptr;
diff --git a/softmmu/vl.c b/softmmu/vl.c
index e86d203..7c1c6d3 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -3506,10 +3506,6 @@ void qemu_init(int argc, char **argv, char **envp)
exit(1);
}
break;
- case QEMU_OPTION_no_kvm:
- olist = qemu_find_opts("machine");
- qemu_opts_parse_noisily(olist, "accel=tcg", false);
- break;
case QEMU_OPTION_accel:
accel_opts = qemu_opts_parse_noisily(qemu_find_opts("accel"),
optarg, true);
@@ -3978,18 +3974,6 @@ void qemu_init(int argc, char **argv, char **envp)
exit(0);
}
- /* machine_class: default to UP */
- machine_class->max_cpus = machine_class->max_cpus ?: 1;
- machine_class->min_cpus = machine_class->min_cpus ?: 1;
- machine_class->default_cpus = machine_class->default_cpus ?: 1;
-
- /* default to machine_class->default_cpus */
- current_machine->smp.cpus = machine_class->default_cpus;
- current_machine->smp.max_cpus = machine_class->default_cpus;
- current_machine->smp.cores = 1;
- current_machine->smp.threads = 1;
- current_machine->smp.sockets = 1;
-
machine_class->smp_parse(current_machine,
qemu_opts_find(qemu_find_opts("smp-opts"), NULL));
diff --git a/stubs/meson.build b/stubs/meson.build
index 7b733fa..82b7ba6 100644
--- a/stubs/meson.build
+++ b/stubs/meson.build
@@ -33,7 +33,6 @@ stub_ss.add(files('qtest.c'))
stub_ss.add(files('ram-block.c'))
stub_ss.add(files('ramfb.c'))
stub_ss.add(files('replay.c'))
-stub_ss.add(files('replay-user.c'))
stub_ss.add(files('runstate-check.c'))
stub_ss.add(files('set-fd-handler.c'))
stub_ss.add(files('sysbus.c'))
@@ -47,6 +46,9 @@ stub_ss.add(files('vmstate.c'))
stub_ss.add(files('vm-stop.c'))
stub_ss.add(files('win32-kbd-hook.c'))
stub_ss.add(files('cpu-synchronize-state.c'))
+if have_block
+ stub_ss.add(files('replay-tools.c'))
+endif
if have_system
stub_ss.add(files('semihost.c'))
stub_ss.add(files('xen-hw-stub.c'))
diff --git a/stubs/replay-tools.c b/stubs/replay-tools.c
new file mode 100644
index 0000000..c06b360
--- /dev/null
+++ b/stubs/replay-tools.c
@@ -0,0 +1,83 @@
+#include "qemu/osdep.h"
+#include "sysemu/replay.h"
+#include "block/aio.h"
+
+bool replay_events_enabled(void)
+{
+ return false;
+}
+
+int64_t replay_save_clock(unsigned int kind, int64_t clock, int64_t raw_icount)
+{
+ abort();
+ return 0;
+}
+
+int64_t replay_read_clock(unsigned int kind)
+{
+ abort();
+ return 0;
+}
+
+uint64_t replay_get_current_icount(void)
+{
+ return 0;
+}
+
+void replay_bh_schedule_event(QEMUBH *bh)
+{
+ qemu_bh_schedule(bh);
+}
+
+void replay_bh_schedule_oneshot_event(AioContext *ctx,
+ QEMUBHFunc *cb, void *opaque)
+{
+ aio_bh_schedule_oneshot(ctx, cb, opaque);
+}
+
+bool replay_checkpoint(ReplayCheckpoint checkpoint)
+{
+ return true;
+}
+
+void replay_mutex_lock(void)
+{
+}
+
+void replay_mutex_unlock(void)
+{
+}
+
+void replay_register_char_driver(Chardev *chr)
+{
+}
+
+void replay_chr_be_write(Chardev *s, uint8_t *buf, int len)
+{
+ abort();
+}
+
+void replay_char_write_event_save(int res, int offset)
+{
+ abort();
+}
+
+void replay_char_write_event_load(int *res, int *offset)
+{
+ abort();
+}
+
+int replay_char_read_all_load(uint8_t *buf)
+{
+ abort();
+}
+
+void replay_char_read_all_save_error(int res)
+{
+ abort();
+}
+
+void replay_char_read_all_save_buf(uint8_t *buf, int offset)
+{
+ abort();
+}
diff --git a/stubs/replay-user.c b/stubs/replay-user.c
deleted file mode 100644
index 2ad9e27..0000000
--- a/stubs/replay-user.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "qemu/osdep.h"
-#include "sysemu/replay.h"
-#include "sysemu/sysemu.h"
-
-void replay_bh_schedule_oneshot_event(AioContext *ctx,
- QEMUBHFunc *cb, void *opaque)
-{
- aio_bh_schedule_oneshot(ctx, cb, opaque);
-}
diff --git a/stubs/replay.c b/stubs/replay.c
index 45ebe77..9d5b4be 100644
--- a/stubs/replay.c
+++ b/stubs/replay.c
@@ -3,83 +3,10 @@
ReplayMode replay_mode;
-int64_t replay_save_clock(unsigned int kind, int64_t clock, int64_t raw_icount)
-{
- abort();
- return 0;
-}
-
-int64_t replay_read_clock(unsigned int kind)
-{
- abort();
- return 0;
-}
-
-bool replay_checkpoint(ReplayCheckpoint checkpoint)
-{
- return true;
-}
-
-bool replay_events_enabled(void)
-{
- return false;
-}
-
void replay_finish(void)
{
}
-void replay_register_char_driver(Chardev *chr)
-{
-}
-
-void replay_chr_be_write(Chardev *s, uint8_t *buf, int len)
-{
- abort();
-}
-
-void replay_char_write_event_save(int res, int offset)
-{
- abort();
-}
-
-void replay_char_write_event_load(int *res, int *offset)
-{
- abort();
-}
-
-int replay_char_read_all_load(uint8_t *buf)
-{
- abort();
-}
-
-void replay_char_read_all_save_error(int res)
-{
- abort();
-}
-
-void replay_char_read_all_save_buf(uint8_t *buf, int offset)
-{
- abort();
-}
-
-void replay_block_event(QEMUBH *bh, uint64_t id)
-{
-}
-
-uint64_t blkreplay_next_id(void)
-{
- return 0;
-}
-
-void replay_mutex_lock(void)
-{
-}
-
-void replay_mutex_unlock(void)
-{
-}
-
void replay_save_random(int ret, void *buf, size_t len)
{
}
@@ -89,11 +16,6 @@ int replay_read_random(void *buf, size_t len)
return 0;
}
-uint64_t replay_get_current_icount(void)
-{
- return 0;
-}
-
bool replay_reverse_step(void)
{
return false;
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index de27578..de4705b 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -82,9 +82,13 @@ enum {
#define VEXT_VERSION_0_07_1 0x00000701
-#define TRANSLATE_PMP_FAIL 2
-#define TRANSLATE_FAIL 1
-#define TRANSLATE_SUCCESS 0
+enum {
+ TRANSLATE_SUCCESS,
+ TRANSLATE_FAIL,
+ TRANSLATE_PMP_FAIL,
+ TRANSLATE_G_STAGE_FAIL
+};
+
#define MMU_USER_IDX 3
#define MAX_RISCV_PMPS (16)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 9048990..4652082 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -316,6 +316,9 @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv)
* @physical: This will be set to the calculated physical address
* @prot: The returned protection attributes
* @addr: The virtual address to be translated
+ * @fault_pte_addr: If not NULL, this will be set to fault pte address
+ * when a error occurs on pte address translation.
+ * This will already be shifted to match htval.
* @access_type: The type of MMU access
* @mmu_idx: Indicates current privilege level
* @first_stage: Are we in first stage translation?
@@ -324,6 +327,7 @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong newpriv)
*/
static int get_physical_address(CPURISCVState *env, hwaddr *physical,
int *prot, target_ulong addr,
+ target_ulong *fault_pte_addr,
int access_type, int mmu_idx,
bool first_stage, bool two_stage)
{
@@ -447,11 +451,14 @@ restart:
/* Do the second stage translation on the base PTE address. */
int vbase_ret = get_physical_address(env, &vbase, &vbase_prot,
- base, MMU_DATA_LOAD,
+ base, NULL, MMU_DATA_LOAD,
mmu_idx, false, true);
if (vbase_ret != TRANSLATE_SUCCESS) {
- return vbase_ret;
+ if (fault_pte_addr) {
+ *fault_pte_addr = (base + idx * ptesize) >> 2;
+ }
+ return TRANSLATE_G_STAGE_FAIL;
}
pte_addr = vbase + idx * ptesize;
@@ -632,13 +639,13 @@ hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
int prot;
int mmu_idx = cpu_mmu_index(&cpu->env, false);
- if (get_physical_address(env, &phys_addr, &prot, addr, 0, mmu_idx,
+ if (get_physical_address(env, &phys_addr, &prot, addr, NULL, 0, mmu_idx,
true, riscv_cpu_virt_enabled(env))) {
return -1;
}
if (riscv_cpu_virt_enabled(env)) {
- if (get_physical_address(env, &phys_addr, &prot, phys_addr,
+ if (get_physical_address(env, &phys_addr, &prot, phys_addr, NULL,
0, mmu_idx, false, true)) {
return -1;
}
@@ -727,19 +734,30 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
if (riscv_cpu_virt_enabled(env) ||
(riscv_cpu_two_stage_lookup(env) && access_type != MMU_INST_FETCH)) {
/* Two stage lookup */
- ret = get_physical_address(env, &pa, &prot, address, access_type,
+ ret = get_physical_address(env, &pa, &prot, address,
+ &env->guest_phys_fault_addr, access_type,
mmu_idx, true, true);
+ /*
+ * A G-stage exception may be triggered during two state lookup.
+ * And the env->guest_phys_fault_addr has already been set in
+ * get_physical_address().
+ */
+ if (ret == TRANSLATE_G_STAGE_FAIL) {
+ first_stage_error = false;
+ access_type = MMU_DATA_LOAD;
+ }
+
qemu_log_mask(CPU_LOG_MMU,
"%s 1st-stage address=%" VADDR_PRIx " ret %d physical "
TARGET_FMT_plx " prot %d\n",
__func__, address, ret, pa, prot);
- if (ret != TRANSLATE_FAIL) {
+ if (ret == TRANSLATE_SUCCESS) {
/* Second stage lookup */
im_address = pa;
- ret = get_physical_address(env, &pa, &prot2, im_address,
+ ret = get_physical_address(env, &pa, &prot2, im_address, NULL,
access_type, mmu_idx, false, true);
qemu_log_mask(CPU_LOG_MMU,
@@ -768,8 +786,8 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
}
} else {
/* Single stage lookup */
- ret = get_physical_address(env, &pa, &prot, address, access_type,
- mmu_idx, true, false);
+ ret = get_physical_address(env, &pa, &prot, address, NULL,
+ access_type, mmu_idx, true, false);
qemu_log_mask(CPU_LOG_MMU,
"%s address=%" VADDR_PRIx " ret %d physical "
@@ -852,6 +870,7 @@ void riscv_cpu_do_interrupt(CPUState *cs)
bool async = !!(cs->exception_index & RISCV_EXCP_INT_FLAG);
target_ulong cause = cs->exception_index & RISCV_EXCP_INT_MASK;
target_ulong deleg = async ? env->mideleg : env->medeleg;
+ bool write_tval = false;
target_ulong tval = 0;
target_ulong htval = 0;
target_ulong mtval2 = 0;
@@ -873,6 +892,7 @@ void riscv_cpu_do_interrupt(CPUState *cs)
case RISCV_EXCP_INST_PAGE_FAULT:
case RISCV_EXCP_LOAD_PAGE_FAULT:
case RISCV_EXCP_STORE_PAGE_FAULT:
+ write_tval = true;
tval = env->badaddr;
break;
default:
@@ -895,7 +915,13 @@ void riscv_cpu_do_interrupt(CPUState *cs)
}
trace_riscv_trap(env->mhartid, async, cause, env->pc, tval,
- riscv_cpu_get_trap_name(cause, async));
+ riscv_cpu_get_trap_name(cause, async));
+
+ qemu_log_mask(CPU_LOG_INT,
+ "%s: hart:"TARGET_FMT_ld", async:%d, cause:"TARGET_FMT_lx", "
+ "epc:0x"TARGET_FMT_lx", tval:0x"TARGET_FMT_lx", desc=%s\n",
+ __func__, env->mhartid, async, cause, env->pc, tval,
+ riscv_cpu_get_trap_name(cause, async));
if (env->priv <= PRV_S &&
cause < TARGET_LONG_BITS && ((deleg >> cause) & 1)) {
@@ -904,7 +930,7 @@ void riscv_cpu_do_interrupt(CPUState *cs)
target_ulong hdeleg = async ? env->hideleg : env->hedeleg;
if ((riscv_cpu_virt_enabled(env) ||
- riscv_cpu_two_stage_lookup(env)) && tval) {
+ riscv_cpu_two_stage_lookup(env)) && write_tval) {
/*
* If we are writing a guest virtual address to stval, set
* this to 1. If we are trapping to VS we will set this to 0
@@ -932,7 +958,7 @@ void riscv_cpu_do_interrupt(CPUState *cs)
/* Trap into HS mode, from virt */
riscv_cpu_swap_hypervisor_regs(env);
env->hstatus = set_field(env->hstatus, HSTATUS_SPVP,
- get_field(env->mstatus, SSTATUS_SPP));
+ env->priv);
env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
riscv_cpu_virt_enabled(env));
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index 9b9ada4..4ce7357 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -29,7 +29,6 @@ void QEMU_NORETURN riscv_raise_exception(CPURISCVState *env,
uint32_t exception, uintptr_t pc)
{
CPUState *cs = env_cpu(env);
- qemu_log_mask(CPU_LOG_INT, "%s: %d\n", __func__, exception);
cs->exception_index = exception;
cpu_loop_exit_restore(cs, pc);
}
@@ -334,12 +333,12 @@ target_ulong helper_hyp_x_load(CPURISCVState *env, target_ulong address,
riscv_cpu_set_two_stage_lookup(env, true);
switch (memop) {
- case MO_TEUL:
- pte = cpu_ldub_data_ra(env, address, GETPC());
- break;
case MO_TEUW:
pte = cpu_lduw_data_ra(env, address, GETPC());
break;
+ case MO_TEUL:
+ pte = cpu_ldl_data_ra(env, address, GETPC());
+ break;
default:
g_assert_not_reached();
}
diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c
index 31ea8df..42fe0bf 100644
--- a/target/s390x/cpu_features.c
+++ b/target/s390x/cpu_features.c
@@ -14,6 +14,7 @@
#include "qemu/osdep.h"
#include "qemu/module.h"
#include "cpu_features.h"
+#include "hw/s390x/pv.h"
#define DEF_FEAT(_FEAT, _NAME, _TYPE, _BIT, _DESC) \
[S390_FEAT_##_FEAT] = { \
@@ -105,6 +106,10 @@ void s390_fill_feat_block(const S390FeatBitmap features, S390FeatType type,
}
feat = find_next_bit(features, S390_FEAT_MAX, feat + 1);
}
+
+ if (type == S390_FEAT_TYPE_SCLP_FAC134 && s390_is_pv()) {
+ clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data);
+ }
}
void s390_add_from_feat_block(S390FeatBitmap features, S390FeatType type,
diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h
index ef52ffc..87463f0 100644
--- a/target/s390x/cpu_features.h
+++ b/target/s390x/cpu_features.h
@@ -81,6 +81,10 @@ const S390FeatGroupDef *s390_feat_group_def(S390FeatGroup group);
#define BE_BIT_NR(BIT) (BIT ^ (BITS_PER_LONG - 1))
+static inline void clear_be_bit(unsigned int bit_nr, uint8_t *array)
+{
+ array[bit_nr / 8] &= ~(0x80 >> (bit_nr % 8));
+}
static inline void set_be_bit(unsigned int bit_nr, uint8_t *array)
{
array[bit_nr / 8] |= 0x80 >> (bit_nr % 8);
diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c
index ca484bf..461e0b8 100644
--- a/target/s390x/cpu_models.c
+++ b/target/s390x/cpu_models.c
@@ -29,6 +29,7 @@
#include "hw/pci/pci.h"
#endif
#include "qapi/qapi-commands-machine-target.h"
+#include "hw/s390x/pv.h"
#define CPUDEF_INIT(_type, _gen, _ec_ga, _mha_pow, _hmfai, _name, _desc) \
{ \
@@ -238,6 +239,9 @@ bool s390_has_feat(S390Feat feat)
}
return 0;
}
+ if (feat == S390_FEAT_DIAG_318 && s390_is_pv()) {
+ return false;
+ }
return test_bit(feat, cpu->model->features);
}
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index f13eff6..baa070f 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -2498,8 +2498,7 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
*/
set_bit(S390_FEAT_EXTENDED_LENGTH_SCCB, model->features);
- /* DIAGNOSE 0x318 is not supported under protected virtualization */
- if (!s390_is_pv() && kvm_check_extension(kvm_state, KVM_CAP_S390_DIAG318)) {
+ if (kvm_check_extension(kvm_state, KVM_CAP_S390_DIAG318)) {
set_bit(S390_FEAT_DIAG_318, model->features);
}
diff --git a/tests/acceptance/boot_linux.py b/tests/acceptance/boot_linux.py
index 0055dc7..1da4a53 100644
--- a/tests/acceptance/boot_linux.py
+++ b/tests/acceptance/boot_linux.py
@@ -57,7 +57,7 @@ class BootLinuxBase(Test):
self.cancel('Failed to download/prepare boot image')
return boot.path
- def download_cloudinit(self):
+ def download_cloudinit(self, ssh_pubkey=None):
self.log.info('Preparing cloudinit image')
try:
cloudinit_iso = os.path.join(self.workdir, 'cloudinit.iso')
@@ -67,7 +67,8 @@ class BootLinuxBase(Test):
password='password',
# QEMU's hard coded usermode router address
phone_home_host='10.0.2.2',
- phone_home_port=self.phone_home_port)
+ phone_home_port=self.phone_home_port,
+ authorized_key=ssh_pubkey)
except Exception:
self.cancel('Failed to prepared cloudinit image')
return cloudinit_iso
@@ -80,19 +81,19 @@ class BootLinux(BootLinuxBase):
timeout = 900
chksum = None
- def setUp(self):
+ def setUp(self, ssh_pubkey=None):
super(BootLinux, self).setUp()
self.vm.add_args('-smp', '2')
self.vm.add_args('-m', '1024')
self.prepare_boot()
- self.prepare_cloudinit()
+ self.prepare_cloudinit(ssh_pubkey)
def prepare_boot(self):
path = self.download_boot()
self.vm.add_args('-drive', 'file=%s' % path)
- def prepare_cloudinit(self):
- cloudinit_iso = self.download_cloudinit()
+ def prepare_cloudinit(self, ssh_pubkey=None):
+ cloudinit_iso = self.download_cloudinit(ssh_pubkey)
self.vm.add_args('-drive', 'file=%s,format=raw' % cloudinit_iso)
def launch_and_wait(self):
@@ -182,10 +183,11 @@ class BootLinuxAarch64(BootLinux):
self.add_common_args()
self.launch_and_wait()
- def test_virt_kvm(self):
+ def test_virt_kvm_gicv2(self):
"""
:avocado: tags=accel:kvm
:avocado: tags=cpu:host
+ :avocado: tags=device:gicv2
"""
if not kvm_available(self.arch, self.qemu_bin):
self.cancel(KVM_NOT_AVAILABLE)
@@ -195,6 +197,20 @@ class BootLinuxAarch64(BootLinux):
self.add_common_args()
self.launch_and_wait()
+ def test_virt_kvm_gicv3(self):
+ """
+ :avocado: tags=accel:kvm
+ :avocado: tags=cpu:host
+ :avocado: tags=device:gicv3
+ """
+ if not kvm_available(self.arch, self.qemu_bin):
+ self.cancel(KVM_NOT_AVAILABLE)
+ self.vm.add_args("-accel", "kvm")
+ self.vm.add_args("-cpu", "host")
+ self.vm.add_args("-machine", "virt,gic-version=3")
+ self.add_common_args()
+ self.launch_and_wait()
+
class BootLinuxPPC64(BootLinux):
"""
diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
index 0118ed5..8f433a6 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -780,6 +780,8 @@ class BootLinuxConsole(LinuxKernelTest):
# Wait for VM to shut down gracefully
self.vm.wait()
+ @skipUnless(os.getenv('ARMBIAN_ARTIFACTS_CACHED'),
+ 'Test artifacts fetched from unreliable dl.armbian.com')
@skipUnless(os.getenv('AVOCADO_ALLOW_LARGE_STORAGE'), 'storage limited')
@skipUnless(P7ZIP_AVAILABLE, '7z not installed')
def test_arm_orangepi_bionic(self):
@@ -889,6 +891,28 @@ class BootLinuxConsole(LinuxKernelTest):
# Wait for user-space
wait_for_console_pattern(self, 'Starting root file system check')
+ def test_aarch64_raspi3_atf(self):
+ """
+ :avocado: tags=arch:aarch64
+ :avocado: tags=machine:raspi3
+ :avocado: tags=cpu:cortex-a53
+ :avocado: tags=device:pl011
+ :avocado: tags=atf
+ """
+ zip_url = ('https://github.com/pbatard/RPi3/releases/download/'
+ 'v1.15/RPi3_UEFI_Firmware_v1.15.zip')
+ zip_hash = '74b3bd0de92683cadb14e008a7575e1d0c3cafb9'
+ zip_path = self.fetch_asset(zip_url, asset_hash=zip_hash)
+
+ archive.extract(zip_path, self.workdir)
+ efi_fd = os.path.join(self.workdir, 'RPI_EFI.fd')
+
+ self.vm.set_console(console_index=1)
+ self.vm.add_args('-nodefaults',
+ '-device', 'loader,file=%s,force-raw=true' % efi_fd)
+ self.vm.launch()
+ self.wait_for_console_pattern('version UEFI Firmware v1.15')
+
def test_s390x_s390_ccw_virtio(self):
"""
:avocado: tags=arch:s390x
diff --git a/tests/acceptance/machine_m68k_nextcube.py b/tests/acceptance/machine_m68k_nextcube.py
index 32cf571..2baba5f 100644
--- a/tests/acceptance/machine_m68k_nextcube.py
+++ b/tests/acceptance/machine_m68k_nextcube.py
@@ -9,7 +9,6 @@ import os
import re
import time
import logging
-import distutils.spawn
from avocado_qemu import Test
from avocado import skipUnless
@@ -70,7 +69,7 @@ class NextCubeMachine(Test):
@skipUnless(PIL_AVAILABLE, 'Python PIL not installed')
def test_bootrom_framebuffer_size(self):
- screenshot_path = os.path.join(self.workdir, "dump.png")
+ screenshot_path = os.path.join(self.workdir, "dump.ppm")
self.check_bootrom_framebuffer(screenshot_path)
width, height = Image.open(screenshot_path).size
@@ -79,7 +78,7 @@ class NextCubeMachine(Test):
@skipUnless(tesseract_available(3), 'tesseract v3 OCR tool not available')
def test_bootrom_framebuffer_ocr_with_tesseract_v3(self):
- screenshot_path = os.path.join(self.workdir, "dump.png")
+ screenshot_path = os.path.join(self.workdir, "dump.ppm")
self.check_bootrom_framebuffer(screenshot_path)
console_logger = logging.getLogger('console')
@@ -95,7 +94,7 @@ class NextCubeMachine(Test):
# that it is still alpha-level software.
@skipUnless(tesseract_available(4), 'tesseract v4 OCR tool not available')
def test_bootrom_framebuffer_ocr_with_tesseract_v4(self):
- screenshot_path = os.path.join(self.workdir, "dump.png")
+ screenshot_path = os.path.join(self.workdir, "dump.ppm")
self.check_bootrom_framebuffer(screenshot_path)
console_logger = logging.getLogger('console')
diff --git a/tests/acceptance/ppc_prep_40p.py b/tests/acceptance/ppc_prep_40p.py
index 1515561..96ba13b 100644
--- a/tests/acceptance/ppc_prep_40p.py
+++ b/tests/acceptance/ppc_prep_40p.py
@@ -22,7 +22,6 @@ class IbmPrep40pMachine(Test):
# All rights reserved.
# U.S. Government Users Restricted Rights - Use, duplication or disclosure
# restricted by GSA ADP Schedule Contract with IBM Corp.
- @skipIf(os.getenv('CONTINUOUS_INTEGRATION'), 'Running on Travis-CI')
@skipUnless(os.getenv('AVOCADO_ALLOW_UNTRUSTED_CODE'), 'untrusted code')
def test_factory_firmware_and_netbsd(self):
"""
@@ -35,7 +34,7 @@ class IbmPrep40pMachine(Test):
'7020-40p/P12H0456.IMG')
bios_hash = '1775face4e6dc27f3a6ed955ef6eb331bf817f03'
bios_path = self.fetch_asset(bios_url, asset_hash=bios_hash)
- drive_url = ('https://cdn.netbsd.org/pub/NetBSD/NetBSD-archive/'
+ drive_url = ('https://archive.netbsd.org/pub/NetBSD-archive/'
'NetBSD-4.0/prep/installation/floppy/generic_com0.fs')
drive_hash = 'dbcfc09912e71bd5f0d82c7c1ee43082fb596ceb'
drive_path = self.fetch_asset(drive_url, asset_hash=drive_hash)
@@ -61,7 +60,6 @@ class IbmPrep40pMachine(Test):
wait_for_console_pattern(self, '>> Memory: 192M')
wait_for_console_pattern(self, '>> CPU type PowerPC,604')
- @skipIf(os.getenv('CONTINUOUS_INTEGRATION'), 'Running on Travis-CI')
def test_openbios_and_netbsd(self):
"""
:avocado: tags=arch:ppc
diff --git a/tests/acceptance/virtiofs_submounts.py b/tests/acceptance/virtiofs_submounts.py
new file mode 100644
index 0000000..8b207b3
--- /dev/null
+++ b/tests/acceptance/virtiofs_submounts.py
@@ -0,0 +1,289 @@
+import logging
+import re
+import os
+import subprocess
+import time
+
+from avocado import skipUnless
+from avocado_qemu import Test, BUILD_DIR
+from avocado_qemu import wait_for_console_pattern
+from avocado.utils import ssh
+
+from qemu.accel import kvm_available
+
+from boot_linux import BootLinux
+
+
+def run_cmd(args):
+ subp = subprocess.Popen(args,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ universal_newlines=True)
+ stdout, stderr = subp.communicate()
+ ret = subp.returncode
+
+ return (stdout, stderr, ret)
+
+def has_passwordless_sudo():
+ """
+ This function is for use in a @avocado.skipUnless decorator, e.g.:
+
+ @skipUnless(*has_passwordless_sudo())
+ def test_something_that_needs_sudo(self):
+ ...
+ """
+
+ _, stderr, exitcode = run_cmd(('sudo', '-n', 'true'))
+ if exitcode != 0:
+ return (False, f'Failed to use sudo -n: {stderr.strip()}')
+ else:
+ return (True, '')
+
+
+class VirtiofsSubmountsTest(BootLinux):
+ """
+ :avocado: tags=arch:x86_64
+ """
+
+ def get_portfwd(self):
+ port = None
+
+ res = self.vm.command('human-monitor-command',
+ command_line='info usernet')
+ for line in res.split('\r\n'):
+ match = \
+ re.search(r'TCP.HOST_FORWARD.*127\.0\.0\.1\s*(\d+)\s+10\.',
+ line)
+ if match is not None:
+ port = match[1]
+ break
+
+ self.assertIsNotNone(port)
+ self.log.debug('sshd listening on port: ' + port)
+ return port
+
+ def ssh_connect(self, username, keyfile):
+ self.ssh_logger = logging.getLogger('ssh')
+ port = self.get_portfwd()
+ self.ssh_session = ssh.Session('127.0.0.1', port=int(port),
+ user=username, key=keyfile)
+ for i in range(10):
+ try:
+ self.ssh_session.connect()
+ return
+ except:
+ time.sleep(4)
+ pass
+ self.fail('sshd timeout')
+
+ def ssh_command(self, command):
+ self.ssh_logger.info(command)
+ result = self.ssh_session.cmd(command)
+ stdout_lines = [line.rstrip() for line
+ in result.stdout_text.splitlines()]
+ for line in stdout_lines:
+ self.ssh_logger.info(line)
+ stderr_lines = [line.rstrip() for line
+ in result.stderr_text.splitlines()]
+ for line in stderr_lines:
+ self.ssh_logger.warning(line)
+
+ self.assertEqual(result.exit_status, 0,
+ f'Guest command failed: {command}')
+ return stdout_lines, stderr_lines
+
+ def run(self, args, ignore_error=False):
+ stdout, stderr, ret = run_cmd(args)
+
+ if ret != 0:
+ cmdline = ' '.join(args)
+ if not ignore_error:
+ self.fail(f'{cmdline}: Returned {ret}: {stderr}')
+ else:
+ self.log.warn(f'{cmdline}: Returned {ret}: {stderr}')
+
+ return (stdout, stderr, ret)
+
+ def set_up_shared_dir(self):
+ atwd = os.getenv('AVOCADO_TEST_WORKDIR')
+ self.shared_dir = os.path.join(atwd, 'virtiofs-shared')
+
+ os.mkdir(self.shared_dir)
+
+ self.run(('cp', self.get_data('guest.sh'),
+ os.path.join(self.shared_dir, 'check.sh')))
+
+ self.run(('cp', self.get_data('guest-cleanup.sh'),
+ os.path.join(self.shared_dir, 'cleanup.sh')))
+
+ def set_up_virtiofs(self):
+ attmp = os.getenv('AVOCADO_TESTS_COMMON_TMPDIR')
+ self.vfsdsock = os.path.join(attmp, 'vfsdsock')
+
+ self.run(('sudo', '-n', 'rm', '-f', self.vfsdsock), ignore_error=True)
+
+ self.virtiofsd = \
+ subprocess.Popen(('sudo', '-n',
+ 'tools/virtiofsd/virtiofsd',
+ f'--socket-path={self.vfsdsock}',
+ '-o', f'source={self.shared_dir}',
+ '-o', 'cache=always',
+ '-o', 'xattr',
+ '-o', 'announce_submounts',
+ '-f'),
+ stdout=subprocess.DEVNULL,
+ stderr=subprocess.PIPE,
+ universal_newlines=True)
+
+ while not os.path.exists(self.vfsdsock):
+ if self.virtiofsd.poll() is not None:
+ self.fail('virtiofsd exited prematurely: ' +
+ self.virtiofsd.communicate()[1])
+ time.sleep(0.1)
+
+ self.run(('sudo', '-n', 'chmod', 'go+rw', self.vfsdsock))
+
+ self.vm.add_args('-chardev',
+ f'socket,id=vfsdsock,path={self.vfsdsock}',
+ '-device',
+ 'vhost-user-fs-pci,queue-size=1024,chardev=vfsdsock' \
+ ',tag=host',
+ '-object',
+ 'memory-backend-file,id=mem,size=1G,' \
+ 'mem-path=/dev/shm,share=on',
+ '-numa',
+ 'node,memdev=mem')
+
+ def launch_vm(self):
+ self.launch_and_wait()
+ self.ssh_connect('root', self.ssh_key)
+
+ def set_up_nested_mounts(self):
+ scratch_dir = os.path.join(self.shared_dir, 'scratch')
+ try:
+ os.mkdir(scratch_dir)
+ except FileExistsError:
+ pass
+
+ args = ['bash', self.get_data('host.sh'), scratch_dir]
+ if self.seed:
+ args += [self.seed]
+
+ out, _, _ = self.run(args)
+ seed = re.search(r'^Seed: \d+', out)
+ self.log.info(seed[0])
+
+ def mount_in_guest(self):
+ self.ssh_command('mkdir -p /mnt/host')
+ self.ssh_command('mount -t virtiofs host /mnt/host')
+
+ def check_in_guest(self):
+ self.ssh_command('bash /mnt/host/check.sh /mnt/host/scratch/share')
+
+ def live_cleanup(self):
+ self.ssh_command('bash /mnt/host/cleanup.sh /mnt/host/scratch')
+
+ # It would be nice if the above was sufficient to make virtiofsd clear
+ # all references to the mounted directories (so they can be unmounted
+ # on the host), but unfortunately it is not. To do so, we have to
+ # resort to a remount.
+ self.ssh_command('mount -o remount /mnt/host')
+
+ scratch_dir = os.path.join(self.shared_dir, 'scratch')
+ self.run(('bash', self.get_data('cleanup.sh'), scratch_dir))
+
+ @skipUnless(*has_passwordless_sudo())
+ def setUp(self):
+ vmlinuz = self.params.get('vmlinuz')
+ if vmlinuz is None:
+ self.cancel('vmlinuz parameter not set; you must point it to a '
+ 'Linux kernel binary to test (to run this test with ' \
+ 'the on-image kernel, set it to an empty string)')
+
+ self.seed = self.params.get('seed')
+
+ atwd = os.getenv('AVOCADO_TEST_WORKDIR')
+ self.ssh_key = os.path.join(atwd, 'id_ed25519')
+
+ self.run(('ssh-keygen', '-t', 'ed25519', '-f', self.ssh_key))
+
+ pubkey = open(self.ssh_key + '.pub').read()
+
+ super(VirtiofsSubmountsTest, self).setUp(pubkey)
+
+ if len(vmlinuz) > 0:
+ self.vm.add_args('-kernel', vmlinuz,
+ '-append', 'console=ttyS0 root=/dev/sda1')
+
+ # Allow us to connect to SSH
+ self.vm.add_args('-netdev', 'user,id=vnet,hostfwd=:127.0.0.1:0-:22',
+ '-device', 'e1000,netdev=vnet')
+
+ if not kvm_available(self.arch, self.qemu_bin):
+ self.cancel(KVM_NOT_AVAILABLE)
+ self.vm.add_args('-accel', 'kvm')
+
+ def tearDown(self):
+ try:
+ self.vm.shutdown()
+ except:
+ pass
+
+ scratch_dir = os.path.join(self.shared_dir, 'scratch')
+ self.run(('bash', self.get_data('cleanup.sh'), scratch_dir),
+ ignore_error=True)
+
+ def test_pre_virtiofsd_set_up(self):
+ self.set_up_shared_dir()
+
+ self.set_up_nested_mounts()
+
+ self.set_up_virtiofs()
+ self.launch_vm()
+ self.mount_in_guest()
+ self.check_in_guest()
+
+ def test_pre_launch_set_up(self):
+ self.set_up_shared_dir()
+ self.set_up_virtiofs()
+
+ self.set_up_nested_mounts()
+
+ self.launch_vm()
+ self.mount_in_guest()
+ self.check_in_guest()
+
+ def test_post_launch_set_up(self):
+ self.set_up_shared_dir()
+ self.set_up_virtiofs()
+ self.launch_vm()
+
+ self.set_up_nested_mounts()
+
+ self.mount_in_guest()
+ self.check_in_guest()
+
+ def test_post_mount_set_up(self):
+ self.set_up_shared_dir()
+ self.set_up_virtiofs()
+ self.launch_vm()
+ self.mount_in_guest()
+
+ self.set_up_nested_mounts()
+
+ self.check_in_guest()
+
+ def test_two_runs(self):
+ self.set_up_shared_dir()
+
+ self.set_up_nested_mounts()
+
+ self.set_up_virtiofs()
+ self.launch_vm()
+ self.mount_in_guest()
+ self.check_in_guest()
+
+ self.live_cleanup()
+ self.set_up_nested_mounts()
+
+ self.check_in_guest()
diff --git a/tests/acceptance/virtiofs_submounts.py.data/cleanup.sh b/tests/acceptance/virtiofs_submounts.py.data/cleanup.sh
new file mode 100644
index 0000000..2a6579a
--- /dev/null
+++ b/tests/acceptance/virtiofs_submounts.py.data/cleanup.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+function print_usage()
+{
+ if [ -n "$2" ]; then
+ echo "Error: $2"
+ echo
+ fi
+ echo "Usage: $1 <scratch dir>"
+}
+
+scratch_dir=$1
+if [ -z "$scratch_dir" ]; then
+ print_usage "$0" 'Scratch dir not given' >&2
+ exit 1
+fi
+
+cd "$scratch_dir/share" || exit 1
+mps=(mnt*)
+mp_i=0
+for mp in "${mps[@]}"; do
+ mp_i=$((mp_i + 1))
+ printf "Unmounting %i/%i...\r" "$mp_i" "${#mps[@]}"
+
+ sudo umount -R "$mp"
+ rm -rf "$mp"
+done
+echo
+
+rm some-file
+cd ..
+rmdir share
+
+imgs=(fs*.img)
+img_i=0
+for img in "${imgs[@]}"; do
+ img_i=$((img_i + 1))
+ printf "Detaching and deleting %i/%i...\r" "$img_i" "${#imgs[@]}"
+
+ dev=$(losetup -j "$img" | sed -e 's/:.*//')
+ sudo losetup -d "$dev"
+ rm -f "$img"
+done
+echo
+
+echo 'Done.'
diff --git a/tests/acceptance/virtiofs_submounts.py.data/guest-cleanup.sh b/tests/acceptance/virtiofs_submounts.py.data/guest-cleanup.sh
new file mode 100644
index 0000000..729cb2d
--- /dev/null
+++ b/tests/acceptance/virtiofs_submounts.py.data/guest-cleanup.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function print_usage()
+{
+ if [ -n "$2" ]; then
+ echo "Error: $2"
+ echo
+ fi
+ echo "Usage: $1 <scratch dir>"
+}
+
+scratch_dir=$1
+if [ -z "$scratch_dir" ]; then
+ print_usage "$0" 'Scratch dir not given' >&2
+ exit 1
+fi
+
+cd "$scratch_dir/share" || exit 1
+
+mps=(mnt*)
+mp_i=0
+for mp in "${mps[@]}"; do
+ mp_i=$((mp_i + 1))
+ printf "Unmounting %i/%i...\r" "$mp_i" "${#mps[@]}"
+
+ sudo umount -R "$mp"
+done
+echo
+
+echo 'Done.'
diff --git a/tests/acceptance/virtiofs_submounts.py.data/guest.sh b/tests/acceptance/virtiofs_submounts.py.data/guest.sh
new file mode 100644
index 0000000..59ba40f
--- /dev/null
+++ b/tests/acceptance/virtiofs_submounts.py.data/guest.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+
+function print_usage()
+{
+ if [ -n "$2" ]; then
+ echo "Error: $2"
+ echo
+ fi
+ echo "Usage: $1 <shared dir>"
+ echo '(The shared directory is the "share" directory in the scratch' \
+ 'directory)'
+}
+
+shared_dir=$1
+if [ -z "$shared_dir" ]; then
+ print_usage "$0" 'Shared dir not given' >&2
+ exit 1
+fi
+
+cd "$shared_dir"
+
+# FIXME: This should not be necessary, but it is. In order for all
+# submounts to be proper mount points, we need to visit them.
+# (Before we visit them, they will not be auto-mounted, and so just
+# appear as normal directories, with the catch that their st_ino will
+# be the st_ino of the filesystem they host, while the st_dev will
+# still be the st_dev of the parent.)
+# `find` does not work, because it will refuse to touch the mount
+# points as long as they are not mounted; their st_dev being shared
+# with the parent and st_ino just being the root node's inode ID
+# will practically ensure that this node exists elsewhere on the
+# filesystem, and `find` is required to recognize loops and not to
+# follow them.
+# Thus, we have to manually visit all nodes first.
+
+mnt_i=0
+
+function recursively_visit()
+{
+ pushd "$1" >/dev/null
+ for entry in *; do
+ if [[ "$entry" == mnt* ]]; then
+ mnt_i=$((mnt_i + 1))
+ printf "Triggering auto-mount $mnt_i...\r"
+ fi
+
+ if [ -d "$entry" ]; then
+ recursively_visit "$entry"
+ fi
+ done
+ popd >/dev/null
+}
+
+recursively_visit .
+echo
+
+
+if [ -n "$(find -name not-mounted)" ]; then
+ echo "Error: not-mounted files visible on mount points:" >&2
+ find -name not-mounted >&2
+ exit 1
+fi
+
+if [ ! -f some-file -o "$(cat some-file)" != 'root' ]; then
+ echo "Error: Bad file in the share root" >&2
+ exit 1
+fi
+
+shopt -s nullglob
+
+function check_submounts()
+{
+ local base_path=$1
+
+ for mp in mnt*; do
+ printf "Checking submount %i...\r" "$((${#devs[@]} + 1))"
+
+ mp_i=$(echo "$mp" | sed -e 's/mnt//')
+ dev=$(stat -c '%D' "$mp")
+
+ if [ -n "${devs[mp_i]}" ]; then
+ echo "Error: $mp encountered twice" >&2
+ exit 1
+ fi
+ devs[mp_i]=$dev
+
+ pushd "$mp" >/dev/null
+ path="$base_path$mp"
+ while true; do
+ expected_content="$(printf '%s\n%s\n' "$mp_i" "$path")"
+ if [ ! -f some-file ]; then
+ echo "Error: $PWD/some-file does not exist" >&2
+ exit 1
+ fi
+
+ if [ "$(cat some-file)" != "$expected_content" ]; then
+ echo "Error: Bad content in $PWD/some-file:" >&2
+ echo '--- found ---'
+ cat some-file
+ echo '--- expected ---'
+ echo "$expected_content"
+ exit 1
+ fi
+ if [ "$(stat -c '%D' some-file)" != "$dev" ]; then
+ echo "Error: $PWD/some-file has the wrong device ID" >&2
+ exit 1
+ fi
+
+ if [ -d sub ]; then
+ if [ "$(stat -c '%D' sub)" != "$dev" ]; then
+ echo "Error: $PWD/some-file has the wrong device ID" >&2
+ exit 1
+ fi
+ cd sub
+ path="$path/sub"
+ else
+ if [ -n "$(echo mnt*)" ]; then
+ check_submounts "$path/"
+ fi
+ break
+ fi
+ done
+ popd >/dev/null
+ done
+}
+
+root_dev=$(stat -c '%D' some-file)
+devs=()
+check_submounts ''
+echo
+
+reused_devs=$(echo "$root_dev ${devs[@]}" | tr ' ' '\n' | sort | uniq -d)
+if [ -n "$reused_devs" ]; then
+ echo "Error: Reused device IDs: $reused_devs" >&2
+ exit 1
+fi
+
+echo "Test passed for ${#devs[@]} submounts."
diff --git a/tests/acceptance/virtiofs_submounts.py.data/host.sh b/tests/acceptance/virtiofs_submounts.py.data/host.sh
new file mode 100644
index 0000000..d8a9afe
--- /dev/null
+++ b/tests/acceptance/virtiofs_submounts.py.data/host.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+mount_count=128
+
+function print_usage()
+{
+ if [ -n "$2" ]; then
+ echo "Error: $2"
+ echo
+ fi
+ echo "Usage: $1 <scratch dir> [seed]"
+ echo "(If no seed is given, it will be randomly generated.)"
+}
+
+scratch_dir=$1
+if [ -z "$scratch_dir" ]; then
+ print_usage "$0" 'No scratch dir given' >&2
+ exit 1
+fi
+
+if [ ! -d "$scratch_dir" ]; then
+ print_usage "$0" "$scratch_dir is not a directory" >&2
+ exit 1
+fi
+
+seed=$2
+if [ -z "$seed" ]; then
+ seed=$RANDOM
+fi
+RANDOM=$seed
+
+echo "Seed: $seed"
+
+set -e
+shopt -s nullglob
+
+cd "$scratch_dir"
+if [ -d share ]; then
+ echo 'Error: This directory seems to be in use already' >&2
+ exit 1
+fi
+
+for ((i = 0; i < $mount_count; i++)); do
+ printf "Setting up fs %i/%i...\r" "$((i + 1))" "$mount_count"
+
+ rm -f fs$i.img
+ truncate -s 512M fs$i.img
+ mkfs.xfs -q fs$i.img
+ devs[i]=$(sudo losetup -f --show fs$i.img)
+done
+echo
+
+top_level_mounts=$((RANDOM % mount_count + 1))
+
+mkdir -p share
+echo 'root' > share/some-file
+
+for ((i = 0; i < $top_level_mounts; i++)); do
+ printf "Mounting fs %i/%i...\r" "$((i + 1))" "$mount_count"
+
+ mkdir -p share/mnt$i
+ touch share/mnt$i/not-mounted
+ sudo mount "${devs[i]}" share/mnt$i
+ sudo chown "$(id -u):$(id -g)" share/mnt$i
+
+ pushd share/mnt$i >/dev/null
+ path=mnt$i
+ nesting=$((RANDOM % 4))
+ for ((j = 0; j < $nesting; j++)); do
+ cat > some-file <<EOF
+$i
+$path
+EOF
+ mkdir sub
+ cd sub
+ path="$path/sub"
+ done
+cat > some-file <<EOF
+$i
+$path
+EOF
+ popd >/dev/null
+done
+
+for ((; i < $mount_count; i++)); do
+ printf "Mounting fs %i/%i...\r" "$((i + 1))" "$mount_count"
+
+ mp_i=$((i % top_level_mounts))
+
+ pushd share/mnt$mp_i >/dev/null
+ path=mnt$mp_i
+ while true; do
+ sub_mp="$(echo mnt*)"
+ if cd sub 2>/dev/null; then
+ path="$path/sub"
+ elif [ -n "$sub_mp" ] && cd "$sub_mp" 2>/dev/null; then
+ path="$path/$sub_mp"
+ else
+ break
+ fi
+ done
+ mkdir mnt$i
+ touch mnt$i/not-mounted
+ sudo mount "${devs[i]}" mnt$i
+ sudo chown "$(id -u):$(id -g)" mnt$i
+
+ cd mnt$i
+ path="$path/mnt$i"
+ nesting=$((RANDOM % 4))
+ for ((j = 0; j < $nesting; j++)); do
+ cat > some-file <<EOF
+$i
+$path
+EOF
+ mkdir sub
+ cd sub
+ path="$path/sub"
+ done
+ cat > some-file <<EOF
+$i
+$path
+EOF
+ popd >/dev/null
+done
+echo
+
+echo 'Done.'
diff --git a/tests/docker/dockerfiles/centos8.docker b/tests/docker/dockerfiles/centos8.docker
index 585dfad..a589142 100644
--- a/tests/docker/dockerfiles/centos8.docker
+++ b/tests/docker/dockerfiles/centos8.docker
@@ -18,6 +18,7 @@ ENV PACKAGES \
lzo-devel \
make \
mesa-libEGL-devel \
+ nmap-ncat \
nettle-devel \
ninja-build \
perl-Test-Harness \
diff --git a/tests/docker/dockerfiles/debian-amd64.docker b/tests/docker/dockerfiles/debian-amd64.docker
index 314c6ba..55075d9 100644
--- a/tests/docker/dockerfiles/debian-amd64.docker
+++ b/tests/docker/dockerfiles/debian-amd64.docker
@@ -23,6 +23,9 @@ RUN apt update && \
libsnappy-dev \
libvte-dev \
netcat-openbsd \
+ openssh-client \
+ python3-numpy \
+ python3-opencv \
python3-venv
# virgl
diff --git a/tests/docker/dockerfiles/fedora.docker b/tests/docker/dockerfiles/fedora.docker
index ac79d95..0b5053f 100644
--- a/tests/docker/dockerfiles/fedora.docker
+++ b/tests/docker/dockerfiles/fedora.docker
@@ -73,6 +73,7 @@ ENV PACKAGES \
mingw64-pixman \
mingw64-pkg-config \
mingw64-SDL2 \
+ nmap-ncat \
ncurses-devel \
nettle-devel \
ninja-build \
diff --git a/tests/docker/dockerfiles/ubuntu2004.docker b/tests/docker/dockerfiles/ubuntu2004.docker
index 17b37cd..355bbb3 100644
--- a/tests/docker/dockerfiles/ubuntu2004.docker
+++ b/tests/docker/dockerfiles/ubuntu2004.docker
@@ -47,6 +47,7 @@ ENV PACKAGES flex bison \
libxen-dev \
libzstd-dev \
make \
+ netcat-openbsd \
ninja-build \
python3-numpy \
python3-opencv \
diff --git a/tests/fp/meson.build b/tests/fp/meson.build
index 24739ad..3d4fb00 100644
--- a/tests/fp/meson.build
+++ b/tests/fp/meson.build
@@ -603,7 +603,7 @@ fptest_rounding_args = ['-r', 'all']
# FIXME: i32_to_extF80 (broken), i64_to_extF80 (broken)
# extF80_roundToInt (broken)
foreach k, v : softfloat_conv_tests
- test('fp-test:' + k, fptest,
+ test('fp-test-' + k, fptest,
args: fptest_args + fptest_rounding_args + v.split(),
suite: ['softfloat', 'softfloat-conv'])
endforeach
@@ -612,13 +612,13 @@ endforeach
# extF80_{mulAdd} (missing)
foreach k, v : softfloat_tests
extF80_broken = ['lt_quiet', 'rem'].contains(k)
- test('fp-test:' + k, fptest,
+ test('fp-test-' + k, fptest,
args: fptest_args + fptest_rounding_args +
['f16_' + k, 'f32_' + k, 'f64_' + k, 'f128_' + k] +
(extF80_broken ? [] : ['extF80_' + k]),
suite: ['softfloat', 'softfloat-' + v])
endforeach
-test('fp-test:mulAdd', fptest,
+test('fp-test-mulAdd', fptest,
# no fptest_rounding_args
args: fptest_args +
['f16_mulAdd', 'f32_mulAdd', 'f64_mulAdd', 'f128_mulAdd'],
diff --git a/tests/ptimer-test-stubs.c b/tests/ptimer-test-stubs.c
index e935a13..7f801a4 100644
--- a/tests/ptimer-test-stubs.c
+++ b/tests/ptimer-test-stubs.c
@@ -122,8 +122,3 @@ void qemu_bh_delete(QEMUBH *bh)
{
g_free(bh);
}
-
-void replay_bh_schedule_event(QEMUBH *bh)
-{
- bh->cb(bh->opaque);
-}
diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 3830a40..f23a533 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -127,6 +127,9 @@ static void free_test_data(test_data *data)
{
int i;
+ if (!data->tables) {
+ return;
+ }
for (i = 0; i < data->tables->len; ++i) {
cleanup_table_descriptor(&g_array_index(data->tables, AcpiSdtTable, i));
}
@@ -656,6 +659,13 @@ static void test_acpi_one(const char *params, test_data *data)
char *args;
bool use_uefi = data->uefi_fl1 && data->uefi_fl2;
+#ifndef CONFIG_TCG
+ if (data->tcg_only) {
+ g_test_skip("TCG disabled, skipping ACPI tcg_only test");
+ return;
+ }
+#endif /* CONFIG_TCG */
+
if (use_uefi) {
/*
* TODO: convert '-drive if=pflash' to new syntax (see e33763be7cd3)
diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
index eb00704..7be7226 100644
--- a/tests/qtest/fuzz/fuzz.c
+++ b/tests/qtest/fuzz/fuzz.c
@@ -118,6 +118,19 @@ static FuzzTarget *fuzz_get_target(char* name)
}
+/* Sometimes called by libfuzzer to mutate two inputs into one */
+size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
+ const uint8_t *data2, size_t size2,
+ uint8_t *out, size_t max_out_size,
+ unsigned int seed)
+{
+ if (fuzz_target->crossover) {
+ return fuzz_target->crossover(data1, size1, data2, size2, out,
+ max_out_size, seed);
+ }
+ return 0;
+}
+
/* Executed for each fuzzing-input */
int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size)
{
diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
index 8eb765e..08e9560 100644
--- a/tests/qtest/fuzz/fuzz.h
+++ b/tests/qtest/fuzz/fuzz.h
@@ -77,6 +77,30 @@ typedef struct FuzzTarget {
*/
void(*fuzz)(QTestState *, const unsigned char *, size_t);
+ /*
+ * The fuzzer can specify a "Custom Crossover" function for combining two
+ * inputs from the corpus. This function is sometimes called by libfuzzer
+ * when mutating inputs.
+ *
+ * data1: location of first input
+ * size1: length of first input
+ * data1: location of second input
+ * size1: length of second input
+ * out: where to place the resulting, mutated input
+ * max_out_size: the maximum length of the input that can be placed in out
+ * seed: the seed that should be used to make mutations deterministic, when
+ * needed
+ *
+ * See libfuzzer's LLVMFuzzerCustomCrossOver API for more info.
+ *
+ * Can be NULL
+ */
+ size_t(*crossover)(const uint8_t *data1, size_t size1,
+ const uint8_t *data2, size_t size2,
+ uint8_t *out, size_t max_out_size,
+ unsigned int seed);
+
+ void *opaque;
} FuzzTarget;
void flush_events(QTestState *);
@@ -91,6 +115,10 @@ void fuzz_qtest_set_serialize(bool option);
*/
void fuzz_add_target(const FuzzTarget *target);
+size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
+ const uint8_t *data2, size_t size2,
+ uint8_t *out, size_t max_out_size,
+ unsigned int seed);
int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
new file mode 100644
index 0000000..a8f5864
--- /dev/null
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -0,0 +1,954 @@
+/*
+ * Generic Virtual-Device Fuzzing Target
+ *
+ * Copyright Red Hat Inc., 2020
+ *
+ * Authors:
+ * Alexander Bulekov <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include <wordexp.h>
+
+#include "hw/core/cpu.h"
+#include "tests/qtest/libqos/libqtest.h"
+#include "fuzz.h"
+#include "fork_fuzz.h"
+#include "exec/address-spaces.h"
+#include "string.h"
+#include "exec/memory.h"
+#include "exec/ramblock.h"
+#include "exec/address-spaces.h"
+#include "hw/qdev-core.h"
+#include "hw/pci/pci.h"
+#include "hw/boards.h"
+#include "generic_fuzz_configs.h"
+
+/*
+ * SEPARATOR is used to separate "operations" in the fuzz input
+ */
+#define SEPARATOR "FUZZ"
+
+enum cmds {
+ OP_IN,
+ OP_OUT,
+ OP_READ,
+ OP_WRITE,
+ OP_PCI_READ,
+ OP_PCI_WRITE,
+ OP_DISABLE_PCI,
+ OP_ADD_DMA_PATTERN,
+ OP_CLEAR_DMA_PATTERNS,
+ OP_CLOCK_STEP,
+};
+
+#define DEFAULT_TIMEOUT_US 100000
+#define USEC_IN_SEC 1000000000
+
+#define MAX_DMA_FILL_SIZE 0x10000
+
+#define PCI_HOST_BRIDGE_CFG 0xcf8
+#define PCI_HOST_BRIDGE_DATA 0xcfc
+
+typedef struct {
+ ram_addr_t addr;
+ ram_addr_t size; /* The number of bytes until the end of the I/O region */
+} address_range;
+
+static useconds_t timeout = DEFAULT_TIMEOUT_US;
+
+static bool qtest_log_enabled;
+
+/*
+ * A pattern used to populate a DMA region or perform a memwrite. This is
+ * useful for e.g. populating tables of unique addresses.
+ * Example {.index = 1; .stride = 2; .len = 3; .data = "\x00\x01\x02"}
+ * Renders as: 00 01 02 00 03 02 00 05 02 00 07 02 ...
+ */
+typedef struct {
+ uint8_t index; /* Index of a byte to increment by stride */
+ uint8_t stride; /* Increment each index'th byte by this amount */
+ size_t len;
+ const uint8_t *data;
+} pattern;
+
+/* Avoid filling the same DMA region between MMIO/PIO commands ? */
+static bool avoid_double_fetches;
+
+static QTestState *qts_global; /* Need a global for the DMA callback */
+
+/*
+ * List of memory regions that are children of QOM objects specified by the
+ * user for fuzzing.
+ */
+static GHashTable *fuzzable_memoryregions;
+static GPtrArray *fuzzable_pci_devices;
+
+struct get_io_cb_info {
+ int index;
+ int found;
+ address_range result;
+};
+
+static int get_io_address_cb(Int128 start, Int128 size,
+ const MemoryRegion *mr, void *opaque) {
+ struct get_io_cb_info *info = opaque;
+ if (g_hash_table_lookup(fuzzable_memoryregions, mr)) {
+ if (info->index == 0) {
+ info->result.addr = (ram_addr_t)start;
+ info->result.size = (ram_addr_t)size;
+ info->found = 1;
+ return 1;
+ }
+ info->index--;
+ }
+ return 0;
+}
+
+/*
+ * List of dma regions populated since the last fuzzing command. Used to ensure
+ * that we only write to each DMA address once, to avoid race conditions when
+ * building reproducers.
+ */
+static GArray *dma_regions;
+
+static GArray *dma_patterns;
+static int dma_pattern_index;
+static bool pci_disabled;
+
+/*
+ * Allocate a block of memory and populate it with a pattern.
+ */
+static void *pattern_alloc(pattern p, size_t len)
+{
+ int i;
+ uint8_t *buf = g_malloc(len);
+ uint8_t sum = 0;
+
+ for (i = 0; i < len; ++i) {
+ buf[i] = p.data[i % p.len];
+ if ((i % p.len) == p.index) {
+ buf[i] += sum;
+ sum += p.stride;
+ }
+ }
+ return buf;
+}
+
+static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
+{
+ unsigned access_size_max = mr->ops->valid.max_access_size;
+
+ /*
+ * Regions are assumed to support 1-4 byte accesses unless
+ * otherwise specified.
+ */
+ if (access_size_max == 0) {
+ access_size_max = 4;
+ }
+
+ /* Bound the maximum access by the alignment of the address. */
+ if (!mr->ops->impl.unaligned) {
+ unsigned align_size_max = addr & -addr;
+ if (align_size_max != 0 && align_size_max < access_size_max) {
+ access_size_max = align_size_max;
+ }
+ }
+
+ /* Don't attempt accesses larger than the maximum. */
+ if (l > access_size_max) {
+ l = access_size_max;
+ }
+ l = pow2floor(l);
+
+ return l;
+}
+
+/*
+ * Call-back for functions that perform DMA reads from guest memory. Confirm
+ * that the region has not already been populated since the last loop in
+ * generic_fuzz(), avoiding potential race-conditions, which we don't have
+ * a good way for reproducing right now.
+ */
+void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
+{
+ /* Are we in the generic-fuzzer or are we using another fuzz-target? */
+ if (!qts_global) {
+ return;
+ }
+
+ /*
+ * Return immediately if:
+ * - We have no DMA patterns defined
+ * - The length of the DMA read request is zero
+ * - The DMA read is hitting an MR other than the machine's main RAM
+ * - The DMA request is not a read (what happens for a address_space_map
+ * with is_write=True? Can the device use the same pointer to do reads?)
+ * - The DMA request hits past the bounds of our RAM
+ */
+ if (dma_patterns->len == 0
+ || len == 0
+ /* || mr != MACHINE(qdev_get_machine())->ram */
+ || is_write
+ || addr > current_machine->ram_size) {
+ return;
+ }
+
+ /*
+ * If we overlap with any existing dma_regions, split the range and only
+ * populate the non-overlapping parts.
+ */
+ address_range region;
+ bool double_fetch = false;
+ for (int i = 0;
+ i < dma_regions->len && (avoid_double_fetches || qtest_log_enabled);
+ ++i) {
+ region = g_array_index(dma_regions, address_range, i);
+ if (addr < region.addr + region.size && addr + len > region.addr) {
+ double_fetch = true;
+ if (addr < region.addr
+ && avoid_double_fetches) {
+ fuzz_dma_read_cb(addr, region.addr - addr, mr, is_write);
+ }
+ if (addr + len > region.addr + region.size
+ && avoid_double_fetches) {
+ fuzz_dma_read_cb(region.addr + region.size,
+ addr + len - (region.addr + region.size), mr, is_write);
+ }
+ return;
+ }
+ }
+
+ /* Cap the length of the DMA access to something reasonable */
+ len = MIN(len, MAX_DMA_FILL_SIZE);
+
+ address_range ar = {addr, len};
+ g_array_append_val(dma_regions, ar);
+ pattern p = g_array_index(dma_patterns, pattern, dma_pattern_index);
+ void *buf = pattern_alloc(p, ar.size);
+ hwaddr l, addr1;
+ MemoryRegion *mr1;
+ uint8_t *ram_ptr;
+ while (len > 0) {
+ l = len;
+ mr1 = address_space_translate(first_cpu->as,
+ addr, &addr1, &l, true,
+ MEMTXATTRS_UNSPECIFIED);
+
+ if (!(memory_region_is_ram(mr1) ||
+ memory_region_is_romd(mr1))) {
+ l = memory_access_size(mr1, l, addr1);
+ } else {
+ /* ROM/RAM case */
+ ram_ptr = qemu_map_ram_ptr(mr1->ram_block, addr1);
+ memcpy(ram_ptr, buf, l);
+ break;
+ }
+ len -= l;
+ buf += l;
+ addr += l;
+
+ }
+ if (qtest_log_enabled) {
+ /*
+ * With QTEST_LOG, use a normal, slow QTest memwrite. Prefix the log
+ * that will be written by qtest.c with a DMA tag, so we can reorder
+ * the resulting QTest trace so the DMA fills precede the last PIO/MMIO
+ * command.
+ */
+ fprintf(stderr, "[DMA] ");
+ if (double_fetch) {
+ fprintf(stderr, "[DOUBLE-FETCH] ");
+ }
+ fflush(stderr);
+ }
+ qtest_memwrite(qts_global, ar.addr, buf, ar.size);
+ g_free(buf);
+
+ /* Increment the index of the pattern for the next DMA access */
+ dma_pattern_index = (dma_pattern_index + 1) % dma_patterns->len;
+}
+
+/*
+ * Here we want to convert a fuzzer-provided [io-region-index, offset] to
+ * a physical address. To do this, we iterate over all of the matched
+ * MemoryRegions. Check whether each region exists within the particular io
+ * space. Return the absolute address of the offset within the index'th region
+ * that is a subregion of the io_space and the distance until the end of the
+ * memory region.
+ */
+static bool get_io_address(address_range *result, AddressSpace *as,
+ uint8_t index,
+ uint32_t offset) {
+ FlatView *view;
+ view = as->current_map;
+ g_assert(view);
+ struct get_io_cb_info cb_info = {};
+
+ cb_info.index = index;
+
+ /*
+ * Loop around the FlatView until we match "index" number of
+ * fuzzable_memoryregions, or until we know that there are no matching
+ * memory_regions.
+ */
+ do {
+ flatview_for_each_range(view, get_io_address_cb , &cb_info);
+ } while (cb_info.index != index && !cb_info.found);
+
+ *result = cb_info.result;
+ return cb_info.found;
+}
+
+static bool get_pio_address(address_range *result,
+ uint8_t index, uint16_t offset)
+{
+ /*
+ * PIO BARs can be set past the maximum port address (0xFFFF). Thus, result
+ * can contain an addr that extends past the PIO space. When we pass this
+ * address to qtest_in/qtest_out, it is cast to a uint16_t, so we might end
+ * up fuzzing a completely different MemoryRegion/Device. Therefore, check
+ * that the address here is within the PIO space limits.
+ */
+ bool found = get_io_address(result, &address_space_io, index, offset);
+ return result->addr <= 0xFFFF ? found : false;
+}
+
+static bool get_mmio_address(address_range *result,
+ uint8_t index, uint32_t offset)
+{
+ return get_io_address(result, &address_space_memory, index, offset);
+}
+
+static void op_in(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint16_t offset;
+ } a;
+ address_range abs;
+
+ if (len < sizeof(a)) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ if (get_pio_address(&abs, a.base, a.offset) == 0) {
+ return;
+ }
+
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_inb(s, abs.addr);
+ break;
+ case Word:
+ if (abs.size >= 2) {
+ qtest_inw(s, abs.addr);
+ }
+ break;
+ case Long:
+ if (abs.size >= 4) {
+ qtest_inl(s, abs.addr);
+ }
+ break;
+ }
+}
+
+static void op_out(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint16_t offset;
+ uint32_t value;
+ } a;
+ address_range abs;
+
+ if (len < sizeof(a)) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+
+ if (get_pio_address(&abs, a.base, a.offset) == 0) {
+ return;
+ }
+
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_outb(s, abs.addr, a.value & 0xFF);
+ break;
+ case Word:
+ if (abs.size >= 2) {
+ qtest_outw(s, abs.addr, a.value & 0xFFFF);
+ }
+ break;
+ case Long:
+ if (abs.size >= 4) {
+ qtest_outl(s, abs.addr, a.value);
+ }
+ break;
+ }
+}
+
+static void op_read(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, Quad, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint32_t offset;
+ } a;
+ address_range abs;
+
+ if (len < sizeof(a)) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+
+ if (get_mmio_address(&abs, a.base, a.offset) == 0) {
+ return;
+ }
+
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_readb(s, abs.addr);
+ break;
+ case Word:
+ if (abs.size >= 2) {
+ qtest_readw(s, abs.addr);
+ }
+ break;
+ case Long:
+ if (abs.size >= 4) {
+ qtest_readl(s, abs.addr);
+ }
+ break;
+ case Quad:
+ if (abs.size >= 8) {
+ qtest_readq(s, abs.addr);
+ }
+ break;
+ }
+}
+
+static void op_write(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, Quad, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint32_t offset;
+ uint64_t value;
+ } a;
+ address_range abs;
+
+ if (len < sizeof(a)) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+
+ if (get_mmio_address(&abs, a.base, a.offset) == 0) {
+ return;
+ }
+
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_writeb(s, abs.addr, a.value & 0xFF);
+ break;
+ case Word:
+ if (abs.size >= 2) {
+ qtest_writew(s, abs.addr, a.value & 0xFFFF);
+ }
+ break;
+ case Long:
+ if (abs.size >= 4) {
+ qtest_writel(s, abs.addr, a.value & 0xFFFFFFFF);
+ }
+ break;
+ case Quad:
+ if (abs.size >= 8) {
+ qtest_writeq(s, abs.addr, a.value);
+ }
+ break;
+ }
+}
+
+static void op_pci_read(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint8_t offset;
+ } a;
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
+ a.base % fuzzable_pci_devices->len);
+ int devfn = dev->devfn;
+ qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_inb(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ case Word:
+ qtest_inw(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ case Long:
+ qtest_inl(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ }
+}
+
+static void op_pci_write(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint8_t offset;
+ uint32_t value;
+ } a;
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
+ a.base % fuzzable_pci_devices->len);
+ int devfn = dev->devfn;
+ qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_outb(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFF);
+ break;
+ case Word:
+ qtest_outw(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFF);
+ break;
+ case Long:
+ qtest_outl(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFFFFFF);
+ break;
+ }
+}
+
+static void op_add_dma_pattern(QTestState *s,
+ const unsigned char *data, size_t len)
+{
+ struct {
+ /*
+ * index and stride can be used to increment the index-th byte of the
+ * pattern by the value stride, for each loop of the pattern.
+ */
+ uint8_t index;
+ uint8_t stride;
+ } a;
+
+ if (len < sizeof(a) + 1) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ pattern p = {a.index, a.stride, len - sizeof(a), data + sizeof(a)};
+ p.index = a.index % p.len;
+ g_array_append_val(dma_patterns, p);
+ return;
+}
+
+static void op_clear_dma_patterns(QTestState *s,
+ const unsigned char *data, size_t len)
+{
+ g_array_set_size(dma_patterns, 0);
+ dma_pattern_index = 0;
+}
+
+static void op_clock_step(QTestState *s, const unsigned char *data, size_t len)
+{
+ qtest_clock_step_next(s);
+}
+
+static void op_disable_pci(QTestState *s, const unsigned char *data, size_t len)
+{
+ pci_disabled = true;
+}
+
+static void handle_timeout(int sig)
+{
+ if (qtest_log_enabled) {
+ fprintf(stderr, "[Timeout]\n");
+ fflush(stderr);
+ }
+ _Exit(0);
+}
+
+/*
+ * Here, we interpret random bytes from the fuzzer, as a sequence of commands.
+ * Some commands can be variable-width, so we use a separator, SEPARATOR, to
+ * specify the boundaries between commands. SEPARATOR is used to separate
+ * "operations" in the fuzz input. Why use a separator, instead of just using
+ * the operations' length to identify operation boundaries?
+ * 1. This is a simple way to support variable-length operations
+ * 2. This adds "stability" to the input.
+ * For example take the input "AbBcgDefg", where there is no separator and
+ * Opcodes are capitalized.
+ * Simply, by removing the first byte, we end up with a very different
+ * sequence:
+ * BbcGdefg...
+ * By adding a separator, we avoid this problem:
+ * Ab SEP Bcg SEP Defg -> B SEP Bcg SEP Defg
+ * Since B uses two additional bytes as operands, the first "B" will be
+ * ignored. The fuzzer actively tries to reduce inputs, so such unused
+ * bytes are likely to be pruned, eventually.
+ *
+ * SEPARATOR is trivial for the fuzzer to discover when using ASan. Optionally,
+ * SEPARATOR can be manually specified as a dictionary value (see libfuzzer's
+ * -dict), though this should not be necessary.
+ *
+ * As a result, the stream of bytes is converted into a sequence of commands.
+ * In a simplified example where SEPARATOR is 0xFF:
+ * 00 01 02 FF 03 04 05 06 FF 01 FF ...
+ * becomes this sequence of commands:
+ * 00 01 02 -> op00 (0102) -> in (0102, 2)
+ * 03 04 05 06 -> op03 (040506) -> write (040506, 3)
+ * 01 -> op01 (-,0) -> out (-,0)
+ * ...
+ *
+ * Note here that it is the job of the individual opcode functions to check
+ * that enough data was provided. I.e. in the last command out (,0), out needs
+ * to check that there is not enough data provided to select an address/value
+ * for the operation.
+ */
+static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
+{
+ void (*ops[]) (QTestState *s, const unsigned char* , size_t) = {
+ [OP_IN] = op_in,
+ [OP_OUT] = op_out,
+ [OP_READ] = op_read,
+ [OP_WRITE] = op_write,
+ [OP_PCI_READ] = op_pci_read,
+ [OP_PCI_WRITE] = op_pci_write,
+ [OP_DISABLE_PCI] = op_disable_pci,
+ [OP_ADD_DMA_PATTERN] = op_add_dma_pattern,
+ [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns,
+ [OP_CLOCK_STEP] = op_clock_step,
+ };
+ const unsigned char *cmd = Data;
+ const unsigned char *nextcmd;
+ size_t cmd_len;
+ uint8_t op;
+
+ if (fork() == 0) {
+ /*
+ * Sometimes the fuzzer will find inputs that take quite a long time to
+ * process. Often times, these inputs do not result in new coverage.
+ * Even if these inputs might be interesting, they can slow down the
+ * fuzzer, overall. Set a timeout to avoid hurting performance, too much
+ */
+ if (timeout) {
+ struct sigaction sact;
+ struct itimerval timer;
+
+ sigemptyset(&sact.sa_mask);
+ sact.sa_flags = SA_NODEFER;
+ sact.sa_handler = handle_timeout;
+ sigaction(SIGALRM, &sact, NULL);
+
+ memset(&timer, 0, sizeof(timer));
+ timer.it_value.tv_sec = timeout / USEC_IN_SEC;
+ timer.it_value.tv_usec = timeout % USEC_IN_SEC;
+ setitimer(ITIMER_VIRTUAL, &timer, NULL);
+ }
+
+ op_clear_dma_patterns(s, NULL, 0);
+ pci_disabled = false;
+
+ while (cmd && Size) {
+ /* Get the length until the next command or end of input */
+ nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR));
+ cmd_len = nextcmd ? nextcmd - cmd : Size;
+
+ if (cmd_len > 0) {
+ /* Interpret the first byte of the command as an opcode */
+ op = *cmd % (sizeof(ops) / sizeof((ops)[0]));
+ ops[op](s, cmd + 1, cmd_len - 1);
+
+ /* Run the main loop */
+ flush_events(s);
+ }
+ /* Advance to the next command */
+ cmd = nextcmd ? nextcmd + sizeof(SEPARATOR) - 1 : nextcmd;
+ Size = Size - (cmd_len + sizeof(SEPARATOR) - 1);
+ g_array_set_size(dma_regions, 0);
+ }
+ _Exit(0);
+ } else {
+ flush_events(s);
+ wait(0);
+ }
+}
+
+static void usage(void)
+{
+ printf("Please specify the following environment variables:\n");
+ printf("QEMU_FUZZ_ARGS= the command line arguments passed to qemu\n");
+ printf("QEMU_FUZZ_OBJECTS= "
+ "a space separated list of QOM type names for objects to fuzz\n");
+ printf("Optionally: QEMU_AVOID_DOUBLE_FETCH= "
+ "Try to avoid racy DMA double fetch bugs? %d by default\n",
+ avoid_double_fetches);
+ printf("Optionally: QEMU_FUZZ_TIMEOUT= Specify a custom timeout (us). "
+ "0 to disable. %d by default\n", timeout);
+ exit(0);
+}
+
+static int locate_fuzz_memory_regions(Object *child, void *opaque)
+{
+ const char *name;
+ MemoryRegion *mr;
+ if (object_dynamic_cast(child, TYPE_MEMORY_REGION)) {
+ mr = MEMORY_REGION(child);
+ if ((memory_region_is_ram(mr) ||
+ memory_region_is_ram_device(mr) ||
+ memory_region_is_rom(mr)) == false) {
+ name = object_get_canonical_path_component(child);
+ /*
+ * We don't want duplicate pointers to the same MemoryRegion, so
+ * try to remove copies of the pointer, before adding it.
+ */
+ g_hash_table_insert(fuzzable_memoryregions, mr, (gpointer)true);
+ }
+ }
+ return 0;
+}
+
+static int locate_fuzz_objects(Object *child, void *opaque)
+{
+ char *pattern = opaque;
+ if (g_pattern_match_simple(pattern, object_get_typename(child))) {
+ /* Find and save ptrs to any child MemoryRegions */
+ object_child_foreach_recursive(child, locate_fuzz_memory_regions, NULL);
+
+ /*
+ * We matched an object. If its a PCI device, store a pointer to it so
+ * we can map BARs and fuzz its config space.
+ */
+ if (object_dynamic_cast(OBJECT(child), TYPE_PCI_DEVICE)) {
+ /*
+ * Don't want duplicate pointers to the same PCIDevice, so remove
+ * copies of the pointer, before adding it.
+ */
+ g_ptr_array_remove_fast(fuzzable_pci_devices, PCI_DEVICE(child));
+ g_ptr_array_add(fuzzable_pci_devices, PCI_DEVICE(child));
+ }
+ } else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) {
+ if (g_pattern_match_simple(pattern,
+ object_get_canonical_path_component(child))) {
+ MemoryRegion *mr;
+ mr = MEMORY_REGION(child);
+ if ((memory_region_is_ram(mr) ||
+ memory_region_is_ram_device(mr) ||
+ memory_region_is_rom(mr)) == false) {
+ g_hash_table_insert(fuzzable_memoryregions, mr, (gpointer)true);
+ }
+ }
+ }
+ return 0;
+}
+
+static void generic_pre_fuzz(QTestState *s)
+{
+ GHashTableIter iter;
+ MemoryRegion *mr;
+ char **result;
+
+ if (!getenv("QEMU_FUZZ_OBJECTS")) {
+ usage();
+ }
+ if (getenv("QTEST_LOG")) {
+ qtest_log_enabled = 1;
+ }
+ if (getenv("QEMU_AVOID_DOUBLE_FETCH")) {
+ avoid_double_fetches = 1;
+ }
+ if (getenv("QEMU_FUZZ_TIMEOUT")) {
+ timeout = g_ascii_strtoll(getenv("QEMU_FUZZ_TIMEOUT"), NULL, 0);
+ }
+ qts_global = s;
+
+ dma_regions = g_array_new(false, false, sizeof(address_range));
+ dma_patterns = g_array_new(false, false, sizeof(pattern));
+
+ fuzzable_memoryregions = g_hash_table_new(NULL, NULL);
+ fuzzable_pci_devices = g_ptr_array_new();
+
+ result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1);
+ for (int i = 0; result[i] != NULL; i++) {
+ printf("Matching objects by name %s\n", result[i]);
+ object_child_foreach_recursive(qdev_get_machine(),
+ locate_fuzz_objects,
+ result[i]);
+ }
+ g_strfreev(result);
+ printf("This process will try to fuzz the following MemoryRegions:\n");
+
+ g_hash_table_iter_init(&iter, fuzzable_memoryregions);
+ while (g_hash_table_iter_next(&iter, (gpointer)&mr, NULL)) {
+ printf(" * %s (size %lx)\n",
+ object_get_canonical_path_component(&(mr->parent_obj)),
+ (uint64_t)mr->size);
+ }
+
+ if (!g_hash_table_size(fuzzable_memoryregions)) {
+ printf("No fuzzable memory regions found...\n");
+ exit(1);
+ }
+
+ counter_shm_init();
+}
+
+/*
+ * When libfuzzer gives us two inputs to combine, return a new input with the
+ * following structure:
+ *
+ * Input 1 (data1)
+ * SEPARATOR
+ * Clear out the DMA Patterns
+ * SEPARATOR
+ * Disable the pci_read/write instructions
+ * SEPARATOR
+ * Input 2 (data2)
+ *
+ * The idea is to collate the core behaviors of the two inputs.
+ * For example:
+ * Input 1: maps a device's BARs, sets up three DMA patterns, and triggers
+ * device functionality A
+ * Input 2: maps a device's BARs, sets up one DMA pattern, and triggers device
+ * functionality B
+ *
+ * This function attempts to produce an input that:
+ * Ouptut: maps a device's BARs, set up three DMA patterns, triggers
+ * functionality A device, replaces the DMA patterns with a single
+ * patten, and triggers device functionality B.
+ */
+static size_t generic_fuzz_crossover(const uint8_t *data1, size_t size1, const
+ uint8_t *data2, size_t size2, uint8_t *out,
+ size_t max_out_size, unsigned int seed)
+{
+ size_t copy_len = 0, size = 0;
+
+ /* Check that we have enough space for data1 and at least part of data2 */
+ if (max_out_size <= size1 + strlen(SEPARATOR) * 3 + 2) {
+ return 0;
+ }
+
+ /* Copy_Len in the first input */
+ copy_len = size1;
+ memcpy(out + size, data1, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Append a separator */
+ copy_len = strlen(SEPARATOR);
+ memcpy(out + size, SEPARATOR, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Clear out the DMA Patterns */
+ copy_len = 1;
+ if (copy_len) {
+ out[size] = OP_CLEAR_DMA_PATTERNS;
+ }
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Append a separator */
+ copy_len = strlen(SEPARATOR);
+ memcpy(out + size, SEPARATOR, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Disable PCI ops. Assume data1 took care of setting up PCI */
+ copy_len = 1;
+ if (copy_len) {
+ out[size] = OP_DISABLE_PCI;
+ }
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Append a separator */
+ copy_len = strlen(SEPARATOR);
+ memcpy(out + size, SEPARATOR, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Copy_Len over the second input */
+ copy_len = MIN(size2, max_out_size);
+ memcpy(out + size, data2, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ return size;
+}
+
+
+static GString *generic_fuzz_cmdline(FuzzTarget *t)
+{
+ GString *cmd_line = g_string_new(TARGET_NAME);
+ if (!getenv("QEMU_FUZZ_ARGS")) {
+ usage();
+ }
+ g_string_append_printf(cmd_line, " -display none \
+ -machine accel=qtest, \
+ -m 512M %s ", getenv("QEMU_FUZZ_ARGS"));
+ return cmd_line;
+}
+
+static GString *generic_fuzz_predefined_config_cmdline(FuzzTarget *t)
+{
+ const generic_fuzz_config *config;
+ g_assert(t->opaque);
+
+ config = t->opaque;
+ setenv("QEMU_FUZZ_ARGS", config->args, 1);
+ setenv("QEMU_FUZZ_OBJECTS", config->objects, 1);
+ return generic_fuzz_cmdline(t);
+}
+
+static void register_generic_fuzz_targets(void)
+{
+ fuzz_add_target(&(FuzzTarget){
+ .name = "generic-fuzz",
+ .description = "Fuzz based on any qemu command-line args. ",
+ .get_init_cmdline = generic_fuzz_cmdline,
+ .pre_fuzz = generic_pre_fuzz,
+ .fuzz = generic_fuzz,
+ .crossover = generic_fuzz_crossover
+ });
+
+ GString *name;
+ const generic_fuzz_config *config;
+
+ for (int i = 0;
+ i < sizeof(predefined_configs) / sizeof(generic_fuzz_config);
+ i++) {
+ config = predefined_configs + i;
+ name = g_string_new("generic-fuzz");
+ g_string_append_printf(name, "-%s", config->name);
+ fuzz_add_target(&(FuzzTarget){
+ .name = name->str,
+ .description = "Predefined generic-fuzz config.",
+ .get_init_cmdline = generic_fuzz_predefined_config_cmdline,
+ .pre_fuzz = generic_pre_fuzz,
+ .fuzz = generic_fuzz,
+ .crossover = generic_fuzz_crossover,
+ .opaque = (void *)config
+ });
+ }
+}
+
+fuzz_target_init(register_generic_fuzz_targets);
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
new file mode 100644
index 0000000..c4d925f
--- /dev/null
+++ b/tests/qtest/fuzz/generic_fuzz_configs.h
@@ -0,0 +1,121 @@
+/*
+ * Generic Virtual-Device Fuzzing Target Configs
+ *
+ * Copyright Red Hat Inc., 2020
+ *
+ * Authors:
+ * Alexander Bulekov <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef GENERIC_FUZZ_CONFIGS_H
+#define GENERIC_FUZZ_CONFIGS_H
+
+#include "qemu/osdep.h"
+
+typedef struct generic_fuzz_config {
+ const char *name, *args, *objects;
+} generic_fuzz_config;
+
+const generic_fuzz_config predefined_configs[] = {
+ {
+ .name = "virtio-net-pci-slirp",
+ .args = "-M q35 -nodefaults "
+ "-device virtio-net,netdev=net0 -netdev user,id=net0",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-blk",
+ .args = "-machine q35 -device virtio-blk,drive=disk0 "
+ "-drive file=null-co://,id=disk0,if=none,format=raw",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-scsi",
+ .args = "-machine q35 -device virtio-scsi,num_queues=8 "
+ "-device scsi-hd,drive=disk0 "
+ "-drive file=null-co://,id=disk0,if=none,format=raw",
+ .objects = "scsi* virtio*",
+ },{
+ .name = "virtio-gpu",
+ .args = "-machine q35 -nodefaults -device virtio-gpu",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-vga",
+ .args = "-machine q35 -nodefaults -device virtio-vga",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-rng",
+ .args = "-machine q35 -nodefaults -device virtio-rng",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-balloon",
+ .args = "-machine q35 -nodefaults -device virtio-balloon",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-serial",
+ .args = "-machine q35 -nodefaults -device virtio-serial",
+ .objects = "virtio*",
+ },{
+ .name = "virtio-mouse",
+ .args = "-machine q35 -nodefaults -device virtio-mouse",
+ .objects = "virtio*",
+ },{
+ .name = "e1000",
+ .args = "-M q35 -nodefaults "
+ "-device e1000,netdev=net0 -netdev user,id=net0",
+ .objects = "e1000",
+ },{
+ .name = "e1000e",
+ .args = "-M q35 -nodefaults "
+ "-device e1000e,netdev=net0 -netdev user,id=net0",
+ .objects = "e1000e",
+ },{
+ .name = "cirrus-vga",
+ .args = "-machine q35 -nodefaults -device cirrus-vga",
+ .objects = "cirrus*",
+ },{
+ .name = "bochs-display",
+ .args = "-machine q35 -nodefaults -device bochs-display",
+ .objects = "bochs*",
+ },{
+ .name = "intel-hda",
+ .args = "-machine q35 -nodefaults -device intel-hda,id=hda0 "
+ "-device hda-output,bus=hda0.0 -device hda-micro,bus=hda0.0 "
+ "-device hda-duplex,bus=hda0.0",
+ .objects = "intel-hda",
+ },{
+ .name = "ide-hd",
+ .args = "-machine q35 -nodefaults "
+ "-drive file=null-co://,if=none,format=raw,id=disk0 "
+ "-device ide-hd,drive=disk0",
+ .objects = "ahci*",
+ },{
+ .name = "floppy",
+ .args = "-machine pc -nodefaults -device floppy,id=floppy0 "
+ "-drive id=disk0,file=null-co://,file.read-zeroes=on,if=none "
+ "-device floppy,drive=disk0,drive-type=288",
+ .objects = "fd* floppy*",
+ },{
+ .name = "xhci",
+ .args = "-machine q35 -nodefaults "
+ "-drive file=null-co://,if=none,format=raw,id=disk0 "
+ "-device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 "
+ "-device usb-bot -device usb-storage,drive=disk0 "
+ "-chardev null,id=cd0 -chardev null,id=cd1 "
+ "-device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid "
+ "-device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 "
+ "-device usb-tablet -device usb-wacom-tablet -device usb-audio",
+ .objects = "*usb* *uhci* *xhci*",
+ },{
+ .name = "pc-i440fx",
+ .args = "-machine pc",
+ .objects = "*",
+ },{
+ .name = "pc-q35",
+ .args = "-machine q35",
+ .objects = "*",
+ }
+};
+
+#endif
diff --git a/tests/qtest/fuzz/meson.build b/tests/qtest/fuzz/meson.build
index b31ace7..5162321 100644
--- a/tests/qtest/fuzz/meson.build
+++ b/tests/qtest/fuzz/meson.build
@@ -5,6 +5,7 @@ specific_fuzz_ss.add(files('fuzz.c', 'fork_fuzz.c', 'qos_fuzz.c',
specific_fuzz_ss.add(when: 'CONFIG_I440FX', if_true: files('i440fx_fuzz.c'))
specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_NET', if_true: files('virtio_net_fuzz.c'))
specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio_scsi_fuzz.c'))
+specific_fuzz_ss.add(files('generic_fuzz.c'))
fork_fuzz = declare_dependency(
link_args: config_host['FUZZ_EXE_LDFLAGS'].split() +
diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index 08929f5..99deff4 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -621,7 +621,7 @@ QDict *qtest_qmp_receive(QTestState *s)
return response;
}
/* Stash the event for a later consumption */
- s->pending_events = g_list_prepend(s->pending_events, response);
+ s->pending_events = g_list_append(s->pending_events, response);
}
}
@@ -795,15 +795,12 @@ void qtest_qmp_send_raw(QTestState *s, const char *fmt, ...)
QDict *qtest_qmp_event_ref(QTestState *s, const char *event)
{
- GList *next = NULL;
- QDict *response;
-
- for (GList *it = s->pending_events; it != NULL; it = next) {
+ while (s->pending_events) {
- next = it->next;
- response = (QDict *)it->data;
+ GList *first = s->pending_events;
+ QDict *response = (QDict *)first->data;
- s->pending_events = g_list_remove_link(s->pending_events, it);
+ s->pending_events = g_list_delete_link(s->pending_events, first);
if (!strcmp(qdict_get_str(response, "event"), event)) {
return response;
@@ -870,9 +867,14 @@ char *qtest_hmp(QTestState *s, const char *fmt, ...)
const char *qtest_get_arch(void)
{
const char *qemu = qtest_qemu_binary();
- const char *end = strrchr(qemu, '/');
+ const char *end = strrchr(qemu, '-');
+
+ if (!end) {
+ fprintf(stderr, "Can't determine architecture from binary name.\n");
+ abort();
+ }
- return end + strlen("/qemu-system-");
+ return end + 1;
}
bool qtest_get_irq(QTestState *s, int num)
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index 28d4068..ba8ebee 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -133,12 +133,13 @@ qtests_sparc64 = \
(config_all_devices.has_key('CONFIG_ISA_TESTDEV') ? ['endianness-test'] : []) + \
['prom-env-test', 'boot-serial-test']
+qtests_npcm7xx = ['npcm7xx_timer-test']
qtests_arm = \
(config_all_devices.has_key('CONFIG_PFLASH_CFI02') ? ['pflash-cfi02-test'] : []) + \
+ (config_all_devices.has_key('CONFIG_NPCM7XX') ? qtests_npcm7xx : []) + \
['arm-cpu-features',
'microbit-test',
'm25p80-test',
- 'npcm7xx_timer-test',
'test-arm-mptimer',
'boot-serial-test',
'hexloader-test']
@@ -251,7 +252,7 @@ foreach dir : target_dirs
}
endif
# FIXME: missing dependency on the emulator binary and qemu-img
- test('qtest-@0@: @1@'.format(target_base, test),
+ test('qtest-@0@/@1@'.format(target_base, test),
qtest_executables[test],
depends: [test_deps, qtest_emulator],
env: qtest_env,
diff --git a/tests/qtest/migration-helpers.c b/tests/qtest/migration-helpers.c
index b799dba..4ee2601 100644
--- a/tests/qtest/migration-helpers.c
+++ b/tests/qtest/migration-helpers.c
@@ -32,7 +32,7 @@ static void check_stop_event(QTestState *who)
QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
{
va_list ap;
- QDict *resp;
+ QDict *resp, *ret;
va_start(ap, command);
qtest_qmp_vsend_fds(who, &fd, 1, command, ap);
@@ -44,7 +44,11 @@ QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
g_assert(!qdict_haskey(resp, "error"));
g_assert(qdict_haskey(resp, "return"));
- return qdict_get_qdict(resp, "return");
+ ret = qdict_get_qdict(resp, "return");
+ qobject_ref(ret);
+ qobject_unref(resp);
+
+ return ret;
}
/*
@@ -53,7 +57,7 @@ QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
QDict *wait_command(QTestState *who, const char *command, ...)
{
va_list ap;
- QDict *resp;
+ QDict *resp, *ret;
va_start(ap, command);
resp = qtest_vqmp(who, command, ap);
@@ -64,7 +68,11 @@ QDict *wait_command(QTestState *who, const char *command, ...)
g_assert(!qdict_haskey(resp, "error"));
g_assert(qdict_haskey(resp, "return"));
- return qdict_get_qdict(resp, "return");
+ ret = qdict_get_qdict(resp, "return");
+ qobject_ref(ret);
+ qobject_unref(resp);
+
+ return ret;
}
/*
diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index f410ec5..f2142fb 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -464,6 +464,10 @@ static void migrate_postcopy_start(QTestState *from, QTestState *to)
}
typedef struct {
+ /*
+ * QTEST_LOG=1 may override this. When QTEST_LOG=1, we always dump errors
+ * unconditionally, because it means the user would like to be verbose.
+ */
bool hide_stderr;
bool use_shmem;
/* only launch the target process */
@@ -557,7 +561,7 @@ static int test_migrate_start(QTestState **from, QTestState **to,
g_free(bootpath);
- if (args->hide_stderr) {
+ if (!getenv("QTEST_LOG") && args->hide_stderr) {
ignore_stderr = "2>/dev/null";
} else {
ignore_stderr = "";
diff --git a/tests/qtest/qmp-cmd-test.c b/tests/qtest/qmp-cmd-test.c
index 8a4c570..1c7186e 100644
--- a/tests/qtest/qmp-cmd-test.c
+++ b/tests/qtest/qmp-cmd-test.c
@@ -31,6 +31,9 @@ static int query_error_class(const char *cmd)
#ifndef CONFIG_SPICE
{ "query-spice", ERROR_CLASS_COMMAND_NOT_FOUND },
#endif
+#ifndef CONFIG_TCG
+ { "query-replay", ERROR_CLASS_COMMAND_NOT_FOUND },
+#endif
#ifndef CONFIG_VNC
{ "query-vnc", ERROR_CLASS_GENERIC_ERROR },
{ "query-vnc-servers", ERROR_CLASS_GENERIC_ERROR },
diff --git a/tools/meson.build b/tools/meson.build
index 513bd2f..76bf84d 100644
--- a/tools/meson.build
+++ b/tools/meson.build
@@ -1,10 +1,23 @@
-have_virtiofsd = (have_system and
+have_virtiofsd = (targetos == 'linux' and
have_tools and
- 'CONFIG_LINUX' in config_host and
'CONFIG_SECCOMP' in config_host and
'CONFIG_LIBCAP_NG' in config_host and
'CONFIG_VHOST_USER' in config_host)
+if get_option('virtiofsd').enabled()
+ if not have_virtiofsd
+ if targetos != 'linux'
+ error('virtiofsd requires Linux')
+ elif 'CONFIG_SECCOMP' not in config_host or 'CONFIG_LIBCAP_NG' not in config_host
+ error('virtiofsd requires libcap-ng-devel and seccomp-devel')
+ elif not have_tools or 'CONFIG_VHOST_USER' not in config_host
+ error('virtiofsd needs tools and vhost-user support')
+ endif
+ endif
+elif get_option('virtiofsd').disabled() or not have_system
+ have_virtiofsd = false
+endif
+
if have_virtiofsd
subdir('virtiofsd')
endif
diff --git a/tools/virtiofsd/fuse_common.h b/tools/virtiofsd/fuse_common.h
index 686c42c..870544f 100644
--- a/tools/virtiofsd/fuse_common.h
+++ b/tools/virtiofsd/fuse_common.h
@@ -353,6 +353,14 @@ struct fuse_file_info {
#define FUSE_CAP_NO_OPENDIR_SUPPORT (1 << 24)
/**
+ * Indicates that the client will provide fuse_attr.flags, and the kernel will
+ * interpret it.
+ *
+ * This feature is enabled by default when supported by the kernel.
+ */
+#define FUSE_CAP_ATTR_FLAGS (1 << 27)
+
+/**
* Ioctl flags
*
* FUSE_IOCTL_COMPAT: 32bit compat ioctl on 64bit machine
diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
index 4d1ba29..5198f62 100644
--- a/tools/virtiofsd/fuse_lowlevel.c
+++ b/tools/virtiofsd/fuse_lowlevel.c
@@ -329,7 +329,8 @@ static unsigned int calc_timeout_nsec(double t)
}
}
-static void fill_entry(struct fuse_entry_out *arg,
+static void fill_entry(struct fuse_session *se,
+ struct fuse_entry_out *arg,
const struct fuse_entry_param *e)
{
*arg = (struct fuse_entry_out){
@@ -341,6 +342,10 @@ static void fill_entry(struct fuse_entry_out *arg,
.attr_valid_nsec = calc_timeout_nsec(e->attr_timeout),
};
convert_stat(&e->attr, &arg->attr);
+
+ if (se->conn.capable & FUSE_CAP_ATTR_FLAGS) {
+ arg->attr.flags = e->attr_flags;
+ }
}
/*
@@ -365,7 +370,7 @@ size_t fuse_add_direntry_plus(fuse_req_t req, char *buf, size_t bufsize,
struct fuse_direntplus *dp = (struct fuse_direntplus *)buf;
memset(&dp->entry_out, 0, sizeof(dp->entry_out));
- fill_entry(&dp->entry_out, e);
+ fill_entry(req->se, &dp->entry_out, e);
struct fuse_dirent *dirent = &dp->dirent;
*dirent = (struct fuse_dirent){
@@ -403,7 +408,7 @@ int fuse_reply_entry(fuse_req_t req, const struct fuse_entry_param *e)
size_t size = sizeof(arg);
memset(&arg, 0, sizeof(arg));
- fill_entry(&arg, e);
+ fill_entry(req->se, &arg, e);
return send_reply_ok(req, &arg, size);
}
@@ -416,13 +421,13 @@ int fuse_reply_create(fuse_req_t req, const struct fuse_entry_param *e,
struct fuse_open_out *oarg = (struct fuse_open_out *)(buf + entrysize);
memset(buf, 0, sizeof(buf));
- fill_entry(earg, e);
+ fill_entry(req->se, earg, e);
fill_open(oarg, f);
return send_reply_ok(req, buf, entrysize + sizeof(struct fuse_open_out));
}
-int fuse_reply_attr(fuse_req_t req, const struct stat *attr,
- double attr_timeout)
+int fuse_reply_attr_with_flags(fuse_req_t req, const struct stat *attr,
+ double attr_timeout, uint32_t attr_flags)
{
struct fuse_attr_out arg;
size_t size = sizeof(arg);
@@ -432,9 +437,19 @@ int fuse_reply_attr(fuse_req_t req, const struct stat *attr,
arg.attr_valid_nsec = calc_timeout_nsec(attr_timeout);
convert_stat(attr, &arg.attr);
+ if (req->se->conn.capable & FUSE_CAP_ATTR_FLAGS) {
+ arg.attr.flags = attr_flags;
+ }
+
return send_reply_ok(req, &arg, size);
}
+int fuse_reply_attr(fuse_req_t req, const struct stat *attr,
+ double attr_timeout)
+{
+ return fuse_reply_attr_with_flags(req, attr, attr_timeout, 0);
+}
+
int fuse_reply_readlink(fuse_req_t req, const char *linkname)
{
return send_reply_ok(req, linkname, strlen(linkname));
@@ -1988,6 +2003,9 @@ static void do_init(fuse_req_t req, fuse_ino_t nodeid,
bufsize = max_bufsize;
}
}
+ if (arg->flags & FUSE_ATTR_FLAGS) {
+ se->conn.capable |= FUSE_CAP_ATTR_FLAGS;
+ }
#ifdef HAVE_SPLICE
#ifdef HAVE_VMSPLICE
se->conn.capable |= FUSE_CAP_SPLICE_WRITE | FUSE_CAP_SPLICE_MOVE;
@@ -2014,6 +2032,7 @@ static void do_init(fuse_req_t req, fuse_ino_t nodeid,
LL_SET_DEFAULT(1, FUSE_CAP_ASYNC_DIO);
LL_SET_DEFAULT(1, FUSE_CAP_IOCTL_DIR);
LL_SET_DEFAULT(1, FUSE_CAP_ATOMIC_O_TRUNC);
+ LL_SET_DEFAULT(1, FUSE_CAP_ATTR_FLAGS);
LL_SET_DEFAULT(se->op.write_buf, FUSE_CAP_SPLICE_READ);
LL_SET_DEFAULT(se->op.getlk && se->op.setlk, FUSE_CAP_POSIX_LOCKS);
LL_SET_DEFAULT(se->op.flock, FUSE_CAP_FLOCK_LOCKS);
@@ -2103,6 +2122,9 @@ static void do_init(fuse_req_t req, fuse_ino_t nodeid,
if (se->conn.want & FUSE_CAP_POSIX_ACL) {
outarg.flags |= FUSE_POSIX_ACL;
}
+ if (se->conn.want & FUSE_CAP_ATTR_FLAGS) {
+ outarg.flags |= FUSE_ATTR_FLAGS;
+ }
outarg.max_readahead = se->conn.max_readahead;
outarg.max_write = se->conn.max_write;
if (se->conn.max_background >= (1 << 16)) {
diff --git a/tools/virtiofsd/fuse_lowlevel.h b/tools/virtiofsd/fuse_lowlevel.h
index 562fd52..1ff6ba1 100644
--- a/tools/virtiofsd/fuse_lowlevel.h
+++ b/tools/virtiofsd/fuse_lowlevel.h
@@ -102,6 +102,11 @@ struct fuse_entry_param {
* large value.
*/
double entry_timeout;
+
+ /**
+ * Flags for fuse_attr.flags that do not fit into attr.
+ */
+ uint32_t attr_flags;
};
/**
@@ -1309,6 +1314,21 @@ int fuse_reply_attr(fuse_req_t req, const struct stat *attr,
double attr_timeout);
/**
+ * Reply with attributes and set fuse_attr.flags
+ *
+ * Possible requests:
+ * getattr, setattr
+ *
+ * @param req request handle
+ * @param attr the attributes
+ * @param attr_timeout validity timeout (in seconds) for the attributes
+ * @param attr_flags flags to put into fuse_attr.flags
+ * @return zero for success, -errno for failure to send reply
+ */
+int fuse_reply_attr_with_flags(fuse_req_t req, const struct stat *attr,
+ double attr_timeout, uint32_t attr_flags);
+
+/**
* Reply with the contents of a symbolic link
*
* Possible requests:
diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
index 85770d6..a212f32 100644
--- a/tools/virtiofsd/helper.c
+++ b/tools/virtiofsd/helper.c
@@ -166,10 +166,19 @@ void fuse_cmdline_help(void)
" enable/disable readirplus\n"
" default: readdirplus except with "
"cache=none\n"
+ " -o sandbox=namespace|chroot\n"
+ " sandboxing mode:\n"
+ " - namespace: mount, pid, and net\n"
+ " namespaces with pivot_root(2)\n"
+ " into shared directory\n"
+ " - chroot: chroot(2) into shared\n"
+ " directory (use in containers)\n"
+ " default: namespace\n"
" -o timeout=<number> I/O timeout (seconds)\n"
" default: depends on cache= option.\n"
" -o writeback|no_writeback enable/disable writeback cache\n"
" default: no_writeback\n"
+ " -o announce_submounts Announce sub-mount points to the guest\n"
" -o xattr|no_xattr enable/disable xattr\n"
" default: no_xattr\n"
" -o modcaps=CAPLIST Modify the list of capabilities\n"
diff --git a/tools/virtiofsd/meson.build b/tools/virtiofsd/meson.build
index 50022ed..e1a4dc9 100644
--- a/tools/virtiofsd/meson.build
+++ b/tools/virtiofsd/meson.build
@@ -15,5 +15,5 @@ executable('virtiofsd', files(
configure_file(input: '50-qemu-virtiofsd.json.in',
output: '50-qemu-virtiofsd.json',
- configuration: config_host,
+ configuration: { 'libexecdir' : get_option('libexecdir') },
install_dir: qemu_datadir / 'vhost-user')
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index ff53df4..4db5004 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -40,6 +40,7 @@
#include "fuse_virtio.h"
#include "fuse_log.h"
#include "fuse_lowlevel.h"
+#include "standard-headers/linux/fuse.h"
#include <assert.h>
#include <cap-ng.h>
#include <dirent.h>
@@ -64,6 +65,7 @@
#include <syslog.h>
#include <unistd.h>
+#include "qemu/cutils.h"
#include "passthrough_helpers.h"
#include "passthrough_seccomp.h"
@@ -124,6 +126,14 @@ struct lo_inode {
GHashTable *posix_locks; /* protected by lo_inode->plock_mutex */
mode_t filetype;
+
+ /*
+ * So we can detect crossmount roots
+ * (As such, this only needs to be valid for directories. Note
+ * that files can have multiple parents due to hard links, and so
+ * their parent_dev may fluctuate.)
+ */
+ dev_t parent_dev;
};
struct lo_cred {
@@ -137,13 +147,26 @@ enum {
CACHE_ALWAYS,
};
+enum {
+ SANDBOX_NAMESPACE,
+ SANDBOX_CHROOT,
+};
+
+typedef struct xattr_map_entry {
+ char *key;
+ char *prepend;
+ unsigned int flags;
+} XattrMapEntry;
+
struct lo_data {
pthread_mutex_t mutex;
+ int sandbox;
int debug;
int writeback;
int flock;
int posix_lock;
int xattr;
+ char *xattrmap;
char *source;
char *modcaps;
double timeout;
@@ -151,18 +174,27 @@ struct lo_data {
int timeout_set;
int readdirplus_set;
int readdirplus_clear;
+ int announce_submounts;
int allow_direct_io;
struct lo_inode root;
GHashTable *inodes; /* protected by lo->mutex */
struct lo_map ino_map; /* protected by lo->mutex */
struct lo_map dirp_map; /* protected by lo->mutex */
struct lo_map fd_map; /* protected by lo->mutex */
+ XattrMapEntry *xattr_map_list;
+ size_t xattr_map_nentries;
/* An O_PATH file descriptor to /proc/self/fd/ */
int proc_self_fd;
};
static const struct fuse_opt lo_opts[] = {
+ { "sandbox=namespace",
+ offsetof(struct lo_data, sandbox),
+ SANDBOX_NAMESPACE },
+ { "sandbox=chroot",
+ offsetof(struct lo_data, sandbox),
+ SANDBOX_CHROOT },
{ "writeback", offsetof(struct lo_data, writeback), 1 },
{ "no_writeback", offsetof(struct lo_data, writeback), 0 },
{ "source=%s", offsetof(struct lo_data, source), 0 },
@@ -172,6 +204,7 @@ static const struct fuse_opt lo_opts[] = {
{ "no_posix_lock", offsetof(struct lo_data, posix_lock), 0 },
{ "xattr", offsetof(struct lo_data, xattr), 1 },
{ "no_xattr", offsetof(struct lo_data, xattr), 0 },
+ { "xattrmap=%s", offsetof(struct lo_data, xattrmap), 0 },
{ "modcaps=%s", offsetof(struct lo_data, modcaps), 0 },
{ "timeout=%lf", offsetof(struct lo_data, timeout), 0 },
{ "timeout=", offsetof(struct lo_data, timeout_set), 1 },
@@ -180,6 +213,7 @@ static const struct fuse_opt lo_opts[] = {
{ "cache=always", offsetof(struct lo_data, cache), CACHE_ALWAYS },
{ "readdirplus", offsetof(struct lo_data, readdirplus_set), 1 },
{ "no_readdirplus", offsetof(struct lo_data, readdirplus_clear), 1 },
+ { "announce_submounts", offsetof(struct lo_data, announce_submounts), 1 },
{ "allow_direct_io", offsetof(struct lo_data, allow_direct_io), 1 },
{ "no_allow_direct_io", offsetof(struct lo_data, allow_direct_io), 0 },
FUSE_OPT_END
@@ -577,22 +611,52 @@ static void lo_init(void *userdata, struct fuse_conn_info *conn)
}
}
+/**
+ * Call fstatat() and set st_rdev whenever a directory's st_dev
+ * differs from the rparent's st_dev (@parent_dev). This will
+ * announce submounts to the FUSE client (unless @announce_submounts
+ * is false).
+ */
+static int do_fstatat(int dirfd, const char *pathname, struct stat *statbuf,
+ int flags, dev_t parent_dev, uint32_t *fuse_attr_flags)
+{
+ int res = fstatat(dirfd, pathname, statbuf, flags);
+ if (res == -1) {
+ return res;
+ }
+
+ if (statbuf->st_dev != parent_dev && S_ISDIR(statbuf->st_mode) &&
+ fuse_attr_flags)
+ {
+ *fuse_attr_flags |= FUSE_ATTR_SUBMOUNT;
+ }
+
+ return 0;
+}
+
static void lo_getattr(fuse_req_t req, fuse_ino_t ino,
struct fuse_file_info *fi)
{
int res;
struct stat buf;
struct lo_data *lo = lo_data(req);
+ struct lo_inode *inode = lo_inode(req, ino);
+ uint32_t fuse_attr_flags = 0;
(void)fi;
- res =
- fstatat(lo_fd(req, ino), "", &buf, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+ res = do_fstatat(inode->fd, "", &buf, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW,
+ inode->parent_dev, &fuse_attr_flags);
+ lo_inode_put(lo, &inode);
if (res == -1) {
return (void)fuse_reply_err(req, errno);
}
- fuse_reply_attr(req, &buf, lo->timeout);
+ if (!lo->announce_submounts) {
+ fuse_attr_flags &= ~FUSE_ATTR_SUBMOUNT;
+ }
+
+ fuse_reply_attr_with_flags(req, &buf, lo->timeout, fuse_attr_flags);
}
static int lo_fi_fd(fuse_req_t req, struct fuse_file_info *fi)
@@ -788,11 +852,16 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
goto out_err;
}
- res = fstatat(newfd, "", &e->attr, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+ res = do_fstatat(newfd, "", &e->attr, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW,
+ dir->key.dev, &e->attr_flags);
if (res == -1) {
goto out_err;
}
+ if (!lo->announce_submounts) {
+ e->attr_flags &= ~FUSE_ATTR_SUBMOUNT;
+ }
+
inode = lo_find(lo, &e->attr);
if (inode) {
close(newfd);
@@ -824,6 +893,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
g_hash_table_insert(lo->inodes, &inode->key, inode);
pthread_mutex_unlock(&lo->mutex);
}
+ inode->parent_dev = dir->key.dev;
e->ino = inode->fuse_ino;
lo_inode_put(lo, &inode);
lo_inode_put(lo, &dir);
@@ -1037,11 +1107,17 @@ static void lo_link(fuse_req_t req, fuse_ino_t ino, fuse_ino_t parent,
goto out_err;
}
- res = fstatat(inode->fd, "", &e.attr, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+ res = do_fstatat(inode->fd, "", &e.attr,
+ AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW,
+ parent_inode->key.dev, &e.attr_flags);
if (res == -1) {
goto out_err;
}
+ if (!lo->announce_submounts) {
+ e.attr_flags &= ~FUSE_ATTR_SUBMOUNT;
+ }
+
pthread_mutex_lock(&lo->mutex);
inode->nlookup++;
pthread_mutex_unlock(&lo->mutex);
@@ -1050,6 +1126,14 @@ static void lo_link(fuse_req_t req, fuse_ino_t ino, fuse_ino_t parent,
fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent,
name, (unsigned long long)e.ino);
+ /*
+ * No need to update inode->parent_dev, because
+ * (1) We cannot, the inode now has more than one parent,
+ * (2) Directories cannot have more than one parent, so link()
+ * does not work for them; but parent_dev only needs to be
+ * valid for directories.
+ */
+
fuse_reply_entry(req, &e);
lo_inode_put(lo, &parent_inode);
lo_inode_put(lo, &inode);
@@ -1068,14 +1152,21 @@ static struct lo_inode *lookup_name(fuse_req_t req, fuse_ino_t parent,
{
int res;
struct stat attr;
+ struct lo_data *lo = lo_data(req);
+ struct lo_inode *dir = lo_inode(req, parent);
- res = fstatat(lo_fd(req, parent), name, &attr,
- AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+ if (!dir) {
+ return NULL;
+ }
+
+ res = do_fstatat(dir->fd, name, &attr,
+ AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW, dir->key.dev, NULL);
+ lo_inode_put(lo, &dir);
if (res == -1) {
return NULL;
}
- return lo_find(lo_data(req), &attr);
+ return lo_find(lo, &attr);
}
static void lo_rmdir(fuse_req_t req, fuse_ino_t parent, const char *name)
@@ -2010,20 +2101,383 @@ static void lo_flock(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi,
fuse_reply_err(req, res == -1 ? errno : 0);
}
-static void lo_getxattr(fuse_req_t req, fuse_ino_t ino, const char *name,
+/* types */
+/*
+ * Exit; process attribute unmodified if matched.
+ * An empty key applies to all.
+ */
+#define XATTR_MAP_FLAG_OK (1 << 0)
+/*
+ * The attribute is unwanted;
+ * EPERM on write, hidden on read.
+ */
+#define XATTR_MAP_FLAG_BAD (1 << 1)
+/*
+ * For attr that start with 'key' prepend 'prepend'
+ * 'key' may be empty to prepend for all attrs
+ * key is defined from set/remove point of view.
+ * Automatically reversed on read
+ */
+#define XATTR_MAP_FLAG_PREFIX (1 << 2)
+
+/* scopes */
+/* Apply rule to get/set/remove */
+#define XATTR_MAP_FLAG_CLIENT (1 << 16)
+/* Apply rule to list */
+#define XATTR_MAP_FLAG_SERVER (1 << 17)
+/* Apply rule to all */
+#define XATTR_MAP_FLAG_ALL (XATTR_MAP_FLAG_SERVER | XATTR_MAP_FLAG_CLIENT)
+
+static void add_xattrmap_entry(struct lo_data *lo,
+ const XattrMapEntry *new_entry)
+{
+ XattrMapEntry *res = g_realloc_n(lo->xattr_map_list,
+ lo->xattr_map_nentries + 1,
+ sizeof(XattrMapEntry));
+ res[lo->xattr_map_nentries++] = *new_entry;
+
+ lo->xattr_map_list = res;
+}
+
+static void free_xattrmap(struct lo_data *lo)
+{
+ XattrMapEntry *map = lo->xattr_map_list;
+ size_t i;
+
+ if (!map) {
+ return;
+ }
+
+ for (i = 0; i < lo->xattr_map_nentries; i++) {
+ g_free(map[i].key);
+ g_free(map[i].prepend);
+ };
+
+ g_free(map);
+ lo->xattr_map_list = NULL;
+ lo->xattr_map_nentries = -1;
+}
+
+/*
+ * Handle the 'map' type, which is sugar for a set of commands
+ * for the common case of prefixing a subset or everything,
+ * and allowing anything not prefixed through.
+ * It must be the last entry in the stream, although there
+ * can be other entries before it.
+ * The form is:
+ * :map:key:prefix:
+ *
+ * key maybe empty in which case all entries are prefixed.
+ */
+static void parse_xattrmap_map(struct lo_data *lo,
+ const char *rule, char sep)
+{
+ const char *tmp;
+ char *key;
+ char *prefix;
+ XattrMapEntry tmp_entry;
+
+ if (*rule != sep) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Expecting '%c' after 'map' keyword, found '%c'\n",
+ __func__, sep, *rule);
+ exit(1);
+ }
+
+ rule++;
+
+ /* At start of 'key' field */
+ tmp = strchr(rule, sep);
+ if (!tmp) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Missing '%c' at end of key field in map rule\n",
+ __func__, sep);
+ exit(1);
+ }
+
+ key = g_strndup(rule, tmp - rule);
+ rule = tmp + 1;
+
+ /* At start of prefix field */
+ tmp = strchr(rule, sep);
+ if (!tmp) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Missing '%c' at end of prefix field in map rule\n",
+ __func__, sep);
+ exit(1);
+ }
+
+ prefix = g_strndup(rule, tmp - rule);
+ rule = tmp + 1;
+
+ /*
+ * This should be the end of the string, we don't allow
+ * any more commands after 'map'.
+ */
+ if (*rule) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Expecting end of command after map, found '%c'\n",
+ __func__, *rule);
+ exit(1);
+ }
+
+ /* 1st: Prefix matches/everything */
+ tmp_entry.flags = XATTR_MAP_FLAG_PREFIX | XATTR_MAP_FLAG_ALL;
+ tmp_entry.key = g_strdup(key);
+ tmp_entry.prepend = g_strdup(prefix);
+ add_xattrmap_entry(lo, &tmp_entry);
+
+ if (!*key) {
+ /* Prefix all case */
+
+ /* 2nd: Hide any non-prefixed entries on the host */
+ tmp_entry.flags = XATTR_MAP_FLAG_BAD | XATTR_MAP_FLAG_ALL;
+ tmp_entry.key = g_strdup("");
+ tmp_entry.prepend = g_strdup("");
+ add_xattrmap_entry(lo, &tmp_entry);
+ } else {
+ /* Prefix matching case */
+
+ /* 2nd: Hide non-prefixed but matching entries on the host */
+ tmp_entry.flags = XATTR_MAP_FLAG_BAD | XATTR_MAP_FLAG_SERVER;
+ tmp_entry.key = g_strdup(""); /* Not used */
+ tmp_entry.prepend = g_strdup(key);
+ add_xattrmap_entry(lo, &tmp_entry);
+
+ /* 3rd: Stop the client accessing prefixed attributes directly */
+ tmp_entry.flags = XATTR_MAP_FLAG_BAD | XATTR_MAP_FLAG_CLIENT;
+ tmp_entry.key = g_strdup(prefix);
+ tmp_entry.prepend = g_strdup(""); /* Not used */
+ add_xattrmap_entry(lo, &tmp_entry);
+
+ /* 4th: Everything else is OK */
+ tmp_entry.flags = XATTR_MAP_FLAG_OK | XATTR_MAP_FLAG_ALL;
+ tmp_entry.key = g_strdup("");
+ tmp_entry.prepend = g_strdup("");
+ add_xattrmap_entry(lo, &tmp_entry);
+ }
+
+ g_free(key);
+ g_free(prefix);
+}
+
+static void parse_xattrmap(struct lo_data *lo)
+{
+ const char *map = lo->xattrmap;
+ const char *tmp;
+
+ lo->xattr_map_nentries = 0;
+ while (*map) {
+ XattrMapEntry tmp_entry;
+ char sep;
+
+ if (isspace(*map)) {
+ map++;
+ continue;
+ }
+ /* The separator is the first non-space of the rule */
+ sep = *map++;
+ if (!sep) {
+ break;
+ }
+
+ tmp_entry.flags = 0;
+ /* Start of 'type' */
+ if (strstart(map, "prefix", &map)) {
+ tmp_entry.flags |= XATTR_MAP_FLAG_PREFIX;
+ } else if (strstart(map, "ok", &map)) {
+ tmp_entry.flags |= XATTR_MAP_FLAG_OK;
+ } else if (strstart(map, "bad", &map)) {
+ tmp_entry.flags |= XATTR_MAP_FLAG_BAD;
+ } else if (strstart(map, "map", &map)) {
+ /*
+ * map is sugar that adds a number of rules, and must be
+ * the last entry.
+ */
+ parse_xattrmap_map(lo, map, sep);
+ return;
+ } else {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Unexpected type;"
+ "Expecting 'prefix', 'ok', 'bad' or 'map' in rule %zu\n",
+ __func__, lo->xattr_map_nentries);
+ exit(1);
+ }
+
+ if (*map++ != sep) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Missing '%c' at end of type field of rule %zu\n",
+ __func__, sep, lo->xattr_map_nentries);
+ exit(1);
+ }
+
+ /* Start of 'scope' */
+ if (strstart(map, "client", &map)) {
+ tmp_entry.flags |= XATTR_MAP_FLAG_CLIENT;
+ } else if (strstart(map, "server", &map)) {
+ tmp_entry.flags |= XATTR_MAP_FLAG_SERVER;
+ } else if (strstart(map, "all", &map)) {
+ tmp_entry.flags |= XATTR_MAP_FLAG_ALL;
+ } else {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Unexpected scope;"
+ " Expecting 'client', 'server', or 'all', in rule %zu\n",
+ __func__, lo->xattr_map_nentries);
+ exit(1);
+ }
+
+ if (*map++ != sep) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Expecting '%c' found '%c'"
+ " after scope in rule %zu\n",
+ __func__, sep, *map, lo->xattr_map_nentries);
+ exit(1);
+ }
+
+ /* At start of 'key' field */
+ tmp = strchr(map, sep);
+ if (!tmp) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Missing '%c' at end of key field of rule %zu",
+ __func__, sep, lo->xattr_map_nentries);
+ exit(1);
+ }
+ tmp_entry.key = g_strndup(map, tmp - map);
+ map = tmp + 1;
+
+ /* At start of 'prepend' field */
+ tmp = strchr(map, sep);
+ if (!tmp) {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Missing '%c' at end of prepend field of rule %zu",
+ __func__, sep, lo->xattr_map_nentries);
+ exit(1);
+ }
+ tmp_entry.prepend = g_strndup(map, tmp - map);
+ map = tmp + 1;
+
+ add_xattrmap_entry(lo, &tmp_entry);
+ /* End of rule - go around again for another rule */
+ }
+
+ if (!lo->xattr_map_nentries) {
+ fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
+ exit(1);
+ }
+}
+
+/*
+ * For use with getxattr/setxattr/removexattr, where the client
+ * gives us a name and we may need to choose a different one.
+ * Allocates a buffer for the result placing it in *out_name.
+ * If there's no change then *out_name is not set.
+ * Returns 0 on success
+ * Can return -EPERM to indicate we block a given attribute
+ * (in which case out_name is not allocated)
+ * Can return -ENOMEM to indicate out_name couldn't be allocated.
+ */
+static int xattr_map_client(const struct lo_data *lo, const char *client_name,
+ char **out_name)
+{
+ size_t i;
+ for (i = 0; i < lo->xattr_map_nentries; i++) {
+ const XattrMapEntry *cur_entry = lo->xattr_map_list + i;
+
+ if ((cur_entry->flags & XATTR_MAP_FLAG_CLIENT) &&
+ (strstart(client_name, cur_entry->key, NULL))) {
+ if (cur_entry->flags & XATTR_MAP_FLAG_BAD) {
+ return -EPERM;
+ }
+ if (cur_entry->flags & XATTR_MAP_FLAG_OK) {
+ /* Unmodified name */
+ return 0;
+ }
+ if (cur_entry->flags & XATTR_MAP_FLAG_PREFIX) {
+ *out_name = g_try_malloc(strlen(client_name) +
+ strlen(cur_entry->prepend) + 1);
+ if (!*out_name) {
+ return -ENOMEM;
+ }
+ sprintf(*out_name, "%s%s", cur_entry->prepend, client_name);
+ return 0;
+ }
+ }
+ }
+
+ return -EPERM;
+}
+
+/*
+ * For use with listxattr where the server fs gives us a name and we may need
+ * to sanitize this for the client.
+ * Returns a pointer to the result in *out_name
+ * This is always the original string or the current string with some prefix
+ * removed; no reallocation is done.
+ * Returns 0 on success
+ * Can return -ENODATA to indicate the name should be dropped from the list.
+ */
+static int xattr_map_server(const struct lo_data *lo, const char *server_name,
+ const char **out_name)
+{
+ size_t i;
+ const char *end;
+
+ for (i = 0; i < lo->xattr_map_nentries; i++) {
+ const XattrMapEntry *cur_entry = lo->xattr_map_list + i;
+
+ if ((cur_entry->flags & XATTR_MAP_FLAG_SERVER) &&
+ (strstart(server_name, cur_entry->prepend, &end))) {
+ if (cur_entry->flags & XATTR_MAP_FLAG_BAD) {
+ return -ENODATA;
+ }
+ if (cur_entry->flags & XATTR_MAP_FLAG_OK) {
+ *out_name = server_name;
+ return 0;
+ }
+ if (cur_entry->flags & XATTR_MAP_FLAG_PREFIX) {
+ /* Remove prefix */
+ *out_name = end;
+ return 0;
+ }
+ }
+ }
+
+ return -ENODATA;
+}
+
+static void lo_getxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name,
size_t size)
{
struct lo_data *lo = lo_data(req);
char *value = NULL;
char procname[64];
+ const char *name;
+ char *mapped_name;
struct lo_inode *inode;
ssize_t ret;
int saverr;
int fd = -1;
+ mapped_name = NULL;
+ name = in_name;
+ if (lo->xattrmap) {
+ ret = xattr_map_client(lo, in_name, &mapped_name);
+ if (ret < 0) {
+ if (ret == -EPERM) {
+ ret = -ENODATA;
+ }
+ fuse_reply_err(req, -ret);
+ return;
+ }
+ if (mapped_name) {
+ name = mapped_name;
+ }
+ }
+
inode = lo_inode(req, ino);
if (!inode) {
fuse_reply_err(req, EBADF);
+ g_free(mapped_name);
return;
}
@@ -2088,6 +2542,7 @@ out_err:
saverr = errno;
out:
fuse_reply_err(req, saverr);
+ g_free(mapped_name);
goto out_free;
}
@@ -2144,8 +2599,60 @@ static void lo_listxattr(fuse_req_t req, fuse_ino_t ino, size_t size)
if (ret == 0) {
goto out;
}
+
+ if (lo->xattr_map_list) {
+ /*
+ * Map the names back, some attributes might be dropped,
+ * some shortened, but not increased, so we shouldn't
+ * run out of room.
+ */
+ size_t out_index, in_index;
+ out_index = 0;
+ in_index = 0;
+ while (in_index < ret) {
+ const char *map_out;
+ char *in_ptr = value + in_index;
+ /* Length of current attribute name */
+ size_t in_len = strlen(value + in_index) + 1;
+
+ int mapret = xattr_map_server(lo, in_ptr, &map_out);
+ if (mapret != -ENODATA && mapret != 0) {
+ /* Shouldn't happen */
+ saverr = -mapret;
+ goto out;
+ }
+ if (mapret == 0) {
+ /* Either unchanged, or truncated */
+ size_t out_len;
+ if (map_out != in_ptr) {
+ /* +1 copies the NIL */
+ out_len = strlen(map_out) + 1;
+ } else {
+ /* No change */
+ out_len = in_len;
+ }
+ /*
+ * Move result along, may still be needed for an unchanged
+ * entry if a previous entry was changed.
+ */
+ memmove(value + out_index, map_out, out_len);
+
+ out_index += out_len;
+ }
+ in_index += in_len;
+ }
+ ret = out_index;
+ if (ret == 0) {
+ goto out;
+ }
+ }
fuse_reply_buf(req, value, ret);
} else {
+ /*
+ * xattrmap only ever shortens the result,
+ * so we don't need to do anything clever with the
+ * allocation length here.
+ */
fuse_reply_xattr(req, ret);
}
out_free:
@@ -2165,19 +2672,35 @@ out:
goto out_free;
}
-static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, const char *name,
+static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name,
const char *value, size_t size, int flags)
{
char procname[64];
+ const char *name;
+ char *mapped_name;
struct lo_data *lo = lo_data(req);
struct lo_inode *inode;
ssize_t ret;
int saverr;
int fd = -1;
+ mapped_name = NULL;
+ name = in_name;
+ if (lo->xattrmap) {
+ ret = xattr_map_client(lo, in_name, &mapped_name);
+ if (ret < 0) {
+ fuse_reply_err(req, -ret);
+ return;
+ }
+ if (mapped_name) {
+ name = mapped_name;
+ }
+ }
+
inode = lo_inode(req, ino);
if (!inode) {
fuse_reply_err(req, EBADF);
+ g_free(mapped_name);
return;
}
@@ -2212,21 +2735,38 @@ out:
}
lo_inode_put(lo, &inode);
+ g_free(mapped_name);
fuse_reply_err(req, saverr);
}
-static void lo_removexattr(fuse_req_t req, fuse_ino_t ino, const char *name)
+static void lo_removexattr(fuse_req_t req, fuse_ino_t ino, const char *in_name)
{
char procname[64];
+ const char *name;
+ char *mapped_name;
struct lo_data *lo = lo_data(req);
struct lo_inode *inode;
ssize_t ret;
int saverr;
int fd = -1;
+ mapped_name = NULL;
+ name = in_name;
+ if (lo->xattrmap) {
+ ret = xattr_map_client(lo, in_name, &mapped_name);
+ if (ret < 0) {
+ fuse_reply_err(req, -ret);
+ return;
+ }
+ if (mapped_name) {
+ name = mapped_name;
+ }
+ }
+
inode = lo_inode(req, ino);
if (!inode) {
fuse_reply_err(req, EBADF);
+ g_free(mapped_name);
return;
}
@@ -2261,6 +2801,7 @@ out:
}
lo_inode_put(lo, &inode);
+ g_free(mapped_name);
fuse_reply_err(req, saverr);
}
@@ -2661,14 +3202,54 @@ static void setup_capabilities(char *modcaps_in)
}
/*
+ * Use chroot as a weaker sandbox for environments where the process is
+ * launched without CAP_SYS_ADMIN.
+ */
+static void setup_chroot(struct lo_data *lo)
+{
+ lo->proc_self_fd = open("/proc/self/fd", O_PATH);
+ if (lo->proc_self_fd == -1) {
+ fuse_log(FUSE_LOG_ERR, "open(\"/proc/self/fd\", O_PATH): %m\n");
+ exit(1);
+ }
+
+ /*
+ * Make the shared directory the file system root so that FUSE_OPEN
+ * (lo_open()) cannot escape the shared directory by opening a symlink.
+ *
+ * The chroot(2) syscall is later disabled by seccomp and the
+ * CAP_SYS_CHROOT capability is dropped so that tampering with the chroot
+ * is not possible.
+ *
+ * However, it's still possible to escape the chroot via lo->proc_self_fd
+ * but that requires first gaining control of the process.
+ */
+ if (chroot(lo->source) != 0) {
+ fuse_log(FUSE_LOG_ERR, "chroot(\"%s\"): %m\n", lo->source);
+ exit(1);
+ }
+
+ /* Move into the chroot */
+ if (chdir("/") != 0) {
+ fuse_log(FUSE_LOG_ERR, "chdir(\"/\"): %m\n");
+ exit(1);
+ }
+}
+
+/*
* Lock down this process to prevent access to other processes or files outside
* source directory. This reduces the impact of arbitrary code execution bugs.
*/
static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
bool enable_syslog)
{
- setup_namespaces(lo, se);
- setup_mounts(lo->source);
+ if (lo->sandbox == SANDBOX_NAMESPACE) {
+ setup_namespaces(lo, se);
+ setup_mounts(lo->source);
+ } else {
+ setup_chroot(lo);
+ }
+
setup_seccomp(enable_syslog);
setup_capabilities(g_strdup(lo->modcaps));
}
@@ -2806,6 +3387,8 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
close(lo->root.fd);
}
+ free(lo->xattrmap);
+ free_xattrmap(lo);
free(lo->source);
}
@@ -2815,6 +3398,7 @@ int main(int argc, char *argv[])
struct fuse_session *se;
struct fuse_cmdline_opts opts;
struct lo_data lo = {
+ .sandbox = SANDBOX_NAMESPACE,
.debug = 0,
.writeback = 0,
.posix_lock = 0,
@@ -2878,12 +3462,11 @@ int main(int argc, char *argv[])
goto err_out1;
}
- /*
- * log_level is 0 if not configured via cmd options (0 is LOG_EMERG,
- * and we don't use this log level).
- */
if (opts.log_level != 0) {
current_log_level = opts.log_level;
+ } else {
+ /* default log level is INFO */
+ current_log_level = FUSE_LOG_INFO;
}
lo.debug = opts.debug;
if (lo.debug) {
@@ -2906,6 +3489,11 @@ int main(int argc, char *argv[])
} else {
lo.source = strdup("/");
}
+
+ if (lo.xattrmap) {
+ parse_xattrmap(&lo);
+ }
+
if (!lo.timeout_set) {
switch (lo.cache) {
case CACHE_NONE:
diff --git a/trace/control.c b/trace/control.c
index b35e512..5669db7 100644
--- a/trace/control.c
+++ b/trace/control.c
@@ -39,6 +39,7 @@ static TraceEventGroup *event_groups;
static size_t nevent_groups;
static uint32_t next_id;
static uint32_t next_vcpu_id;
+static bool init_trace_on_startup;
QemuOptsList qemu_trace_opts = {
.name = "trace",
@@ -225,7 +226,9 @@ void trace_init_file(const char *file)
{
#ifdef CONFIG_TRACE_SIMPLE
st_set_trace_file(file);
- st_set_trace_file_enabled(true);
+ if (init_trace_on_startup) {
+ st_set_trace_file_enabled(true);
+ }
#elif defined CONFIG_TRACE_LOG
/*
* If both the simple and the log backends are enabled, "--trace file"
@@ -299,6 +302,7 @@ char *trace_opt_parse(const char *optarg)
}
trace_init_events(qemu_opt_get(opts, "events"));
trace_file = g_strdup(qemu_opt_get(opts, "file"));
+ init_trace_on_startup = true;
qemu_opts_del(opts);
return trace_file;
diff --git a/ui/icons/meson.build b/ui/icons/meson.build
index b6e21f6..12c5208 100644
--- a/ui/icons/meson.build
+++ b/ui/icons/meson.build
@@ -2,12 +2,12 @@ foreach s: [16, 24, 32, 48, 64, 128, 256, 512]
s = '@0@x@0@'.format(s.to_string())
install_data('qemu_@0@.png'.format(s),
rename: 'qemu.png',
- install_dir: config_host['qemu_icondir'] / 'hicolor' / s / 'apps')
+ install_dir: qemu_icondir / 'hicolor' / s / 'apps')
endforeach
install_data('qemu_32x32.bmp',
rename: 'qemu.bmp',
- install_dir: config_host['qemu_icondir'] / 'hicolor' / '32x32' / 'apps')
+ install_dir: qemu_icondir / 'hicolor' / '32x32' / 'apps')
install_data('qemu.svg',
- install_dir: config_host['qemu_icondir'] / 'hicolor' / 'scalable' / 'apps')
+ install_dir: qemu_icondir / 'hicolor' / 'scalable' / 'apps')
diff --git a/ui/meson.build b/ui/meson.build
index 5d4906c..013258a 100644
--- a/ui/meson.build
+++ b/ui/meson.build
@@ -139,7 +139,7 @@ subdir('shader')
if have_system
subdir('icons')
- install_data('qemu.desktop', install_dir: config_host['qemu_desktopdir'])
+ install_data('qemu.desktop', install_dir: qemu_desktopdir)
endif
modules += {'ui': ui_modules}
diff --git a/util/cutils.c b/util/cutils.c
index be4e43a..c395974 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -949,7 +949,7 @@ char *get_relocated_path(const char *dir)
bindir += len_bindir;
dir = next_component(dir, &len_dir);
bindir = next_component(bindir, &len_bindir);
- } while (len_dir == len_bindir && !memcmp(dir, bindir, len_dir));
+ } while (len_dir && len_dir == len_bindir && !memcmp(dir, bindir, len_dir));
/* Ascend from bindir to the common prefix with dir. */
while (len_bindir) {
diff --git a/version.texi.in b/version.texi.in
deleted file mode 100644
index 0a723b8..0000000
--- a/version.texi.in
+++ /dev/null
@@ -1,2 +0,0 @@
-@set VERSION @VERSION@
-@set CONFDIR @qemu_confdir@