From 9ce84a0d17d015f059a6750fbbf4b057806751df Mon Sep 17 00:00:00 2001
From: Jason Andryuk
Date: Tue, 13 Oct 2020 10:05:10 -0400
Subject: accel: move qtest CpusAccel functions to a common location

Move and rename accel/qtest/qtest-cpus.c files to accel/dummy-cpus.c so it can be re-used by Xen.

Signed-off-by: Jason Andryuk
Message-Id: <20201013140511.5681-3-jandryuk@gmail.com>
Reviewed-by: Claudio Fontana
Acked-by: Paolo Bonzini
Signed-off-by: Thomas Huth
---
 include/sysemu/cpus.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'include')

diff --git a/include/sysemu/cpus.h b/include/sysemu/cpus.h
index 2316859..e815672 100644
--- a/include/sysemu/cpus.h
+++ b/include/sysemu/cpus.h
@@ -25,6 +25,9 @@ typedef struct CpusAccel {
 /* register accel-specific cpus interface implementation */
 void cpus_register_accel(const CpusAccel *i);
 
+/* Create a dummy vcpu for CpusAccel->create_vcpu_thread */
+void dummy_start_vcpu_thread(CPUState *);
+
 /* interface available for cpus accelerator threads */
 
 /* For temporary buffers for forming a name */
-- 
cgit v1.1

From fb5ef4eeecd88b583d5a6dc8f7dc217179cbfc98 Mon Sep 17 00:00:00 2001
From: Alexander Bulekov
Date: Fri, 23 Oct 2020 11:07:30 -0400
Subject: memory: Add FlatView foreach function

Acked-by: Paolo Bonzini
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
Message-Id: <20201023150746.107063-2-alxndr@bu.edu>
Signed-off-by: Thomas Huth
---
 include/exec/memory.h | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'include')

diff --git a/include/exec/memory.h b/include/exec/memory.h
index 622207b..042918d 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
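Review bot: The new prototype `void dummy_start_vcpu_thread(CPUState *);` drops the parameter name, while the neighbouring `cpus_register_accel(const CpusAccel *i)` keeps one; naming it documents what the hook receives, `void dummy_start_vcpu_thread(CPUState *cpu);`. The comment above it names the CpusAccel slot it is meant for but not what "dummy" means to a caller; if, as the qtest origin suggests, the thread never executes guest code, the comment should say so explicitly rather than leave it to be inferred from the file it was moved from.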
@@ -719,6 +719,11 @@ static inline FlatView *address_space_to_flatview(AddressSpace *as)
     return qatomic_rcu_read(&as->current_map);
 }
 
+typedef int (*flatview_cb)(Int128 start,
+                           Int128 len,
+                           const MemoryRegion*, void*);
+
+void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque);
 
 /**
  * struct MemoryRegionSection: describes a fragment of a #MemoryRegion
-- 
cgit v1.1

From 20f5a3029386363357e6fa0c2e82b35ac4914d6a Mon Sep 17 00:00:00 2001
From: Alexander Bulekov
Date: Fri, 23 Oct 2020 11:07:33 -0400
Subject: fuzz: Add DMA support to the generic-fuzzer

When a virtual-device tries to access some buffer in memory over DMA, we add call-backs into the fuzzer(next commit). The fuzzer checks verifies that the DMA request maps to a physical RAM address and fills the memory with fuzzer-provided data. The patterns that we use to fill this memory are specified using add_dma_pattern and clear_dma_patterns operations.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Message-Id: <20201023150746.107063-5-alxndr@bu.edu>
[thuth: Reformatted one comment according to the QEMU coding style]
Signed-off-by: Thomas Huth
---
 include/exec/memory.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'include')

diff --git a/include/exec/memory.h b/include/exec/memory.h
index 042918d..93d27bf 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -42,6 +42,13 @@ typedef struct IOMMUMemoryRegionClass IOMMUMemoryRegionClass;
 DECLARE_OBJ_CHECKERS(IOMMUMemoryRegion, IOMMUMemoryRegionClass,
                      IOMMU_MEMORY_REGION, TYPE_IOMMU_MEMORY_REGION)
 
+#ifdef CONFIG_FUZZ
+void fuzz_dma_read_cb(size_t addr,
+                      size_t len,
+                      MemoryRegion *mr,
+                      bool is_write);
+#endif
+
 extern bool global_dirty_log;
 
 typedef struct MemoryRegionOps MemoryRegionOps;
-- 
cgit v1.1

From e7d3222e2e07e2a1a0aac979ef1fa5e8ef59f02c Mon Sep 17 00:00:00 2001
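Review bot: The new `flatview_for_each_range` prototype has a stray space in `flatview_cb cb , void *opaque`, and the `flatview_cb` typedef names its first two parameters but leaves the last two as bare `const MemoryRegion*, void*`; consistent naming and spacing would be `const MemoryRegion *mr, void *opaque` and `flatview_cb cb, void *opaque`. Neither declaration carries a comment, and the callback's `int` return is the one thing a caller has to know about: this header gives no hint whether a non-zero return stops the walk or is merely propagated, and the implementation is not in this series, so the contract should be confirmed against memory.c and written above the typedef, together with a note on whether `start`/`len` are guest physical ranges and whether the walk runs under the RCU read lock the surrounding `address_space_to_flatview` relies on.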
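Review bot: `fuzz_dma_read_cb` is declared with `size_t addr` and `size_t len`, but every call site added later in this series (`address_space_read_cached` and the ldl/ldq/lduw cached accessors in the last patch) passes `cache->xlat + addr` and a length that are `hwaddr` values; on hosts where `size_t` is narrower than the 64-bit `hwaddr` the guest physical address is silently truncated before the fuzzer sees it, so the pattern would be written to the wrong location. Declaring the parameters as `hwaddr addr, hwaddr len` — and the same in the inline stub the next patch adds under `#else` — keeps the full width and matches the type the cached-read helpers already use. The declaration also needs a comment: `addr` is a guest physical address according to the commit message, and `bool is_write` on a function named `*_read_cb` is unexplained while every visible caller passes `false`, so the comment should state what `true` means or the parameter should be dropped until a caller needs it.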
From: Alexander Bulekov
Date: Fri, 23 Oct 2020 11:07:34 -0400
Subject: fuzz: Declare DMA Read callback function

This patch declares the fuzz_dma_read_cb function and uses the preprocessor and linker(weak symbols) to handle these cases:

When we build softmmu/all with --enable-fuzzing, there should be no strong symbol defined for fuzz_dma_read_cb, and we link against a weak stub function.

When we build softmmu/fuzz with --enable-fuzzing, we link against the strong symbol in generic_fuzz.c

When we build softmmu/all without --enable-fuzzing, fuzz_dma_read_cb is an empty, inlined function. As long as we don't call any other functions when building the arguments, there should be no overhead.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Message-Id: <20201023150746.107063-6-alxndr@bu.edu>
Signed-off-by: Thomas Huth
---
 include/exec/memory.h | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'include')

diff --git a/include/exec/memory.h b/include/exec/memory.h
index 93d27bf..4aaf578 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -47,6 +47,14 @@ void fuzz_dma_read_cb(size_t addr,
                       size_t len,
                       MemoryRegion *mr,
                       bool is_write);
+#else
+static inline void fuzz_dma_read_cb(size_t addr,
+                                    size_t len,
+                                    MemoryRegion *mr,
+                                    bool is_write)
+{
+    /* Do Nothing */
+}
 #endif
 
 extern bool global_dirty_log;
-- 
cgit v1.1

From a3c20e91dea6f7af64d886b05d678839b7b1a14c Mon Sep 17 00:00:00 2001
From: Alexander Bulekov
Date: Fri, 23 Oct 2020 11:07:35 -0400
Subject: fuzz: Add fuzzer callbacks to DMA-read functions

We should be careful to not call any functions besides fuzz_dma_read_cb. Without --enable-fuzzing, fuzz_dma_read_cb is an empty inlined function.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Message-Id: <20201023150746.107063-7-alxndr@bu.edu>
Signed-off-by: Thomas Huth
---
 include/exec/memory.h                 | 1 +
 include/exec/memory_ldst_cached.h.inc | 3 +++
 2 files changed, 4 insertions(+)

(limited to 'include')
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 4aaf578..aff6ef7 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -2462,6 +2462,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
                           void *buf, hwaddr len)
 {
     assert(addr < cache->len && len <= cache->len - addr);
+    fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr, false);
     if (likely(cache->ptr)) {
         memcpy(buf, cache->ptr + addr, len);
         return MEMTX_OK;
diff --git a/include/exec/memory_ldst_cached.h.inc b/include/exec/memory_ldst_cached.h.inc
index fd4bbb4..aff5740 100644
--- a/include/exec/memory_ldst_cached.h.inc
+++ b/include/exec/memory_ldst_cached.h.inc
@@ -28,6 +28,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(l)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 4 <= cache->len - addr);
+    fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr, false);
     if (likely(cache->ptr)) {
         return LD_P(l)(cache->ptr + addr);
     } else {
@@ -39,6 +40,7 @@ static inline uint64_t ADDRESS_SPACE_LD_CACHED(q)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 8 <= cache->len - addr);
+    fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr, false);
     if (likely(cache->ptr)) {
         return LD_P(q)(cache->ptr + addr);
     } else {
@@ -50,6 +52,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(uw)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 2 <= cache->len - addr);
+    fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr, false);
     if (likely(cache->ptr)) {
         return LD_P(uw)(cache->ptr + addr);
     } else {
-- 
cgit v1.1
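Review bot: In `address_space_read_cached` the new `fuzz_dma_read_cb(...)` call sits before the `if (likely(cache->ptr))` test, so it also fires when the read falls through to the `else` path outside the hunk; if that slow path is instrumented separately (it is not visible here), a cache miss is reported to the fuzzer twice, and if it is not, this line is the only hook for it — either way the placement deserves a one-line comment such as `/* report the DMA read before either the fast or the slow path services it */`. The same placement is used by the three ldl/ldq/lduw hunks in memory_ldst_cached.h.inc. The bare `false` in the argument list reads as a magic value at every call site; `/* is_write */ false` or a named constant would make the intent visible. The function's signature begins before the hunk and its body continues after it.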
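Review bot: In each of the three memory_ldst_cached.h.inc hunks the access width is now written twice per accessor — once in the existing `assert(... 4 <= cache->len - addr)` and again in the new `fuzz_dma_read_cb(cache->xlat + addr, 4, ...)` — so the two literals can drift apart the next time one is edited. A single local constant keeps them tied: `const hwaddr width = 4;` followed by `assert(addr < cache->len && width <= cache->len - addr);` and `fuzz_dma_read_cb(cache->xlat + addr, width, cache->mrs.mr, false);`, with 8 and 2 for the q and uw variants. `sizeof` of the return type is not a substitute here, since the uw accessor returns `uint32_t` but reads 2 bytes. Each accessor's signature starts before its hunk and the `else` branch continues after it.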