From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Alexander Bulekov <alxndr@bu.edu>,
	Darren Kenny <darren.kenny@oracle.com>
Subject: [PULL 01/46] fuzz: ignore address_space_map is_write flag
Date: Mon,  8 Feb 2021 19:22:46 +0100	[thread overview]
Message-ID: <20210208182331.58897-2-pbonzini@redhat.com> (raw)
In-Reply-To: <20210208182331.58897-1-pbonzini@redhat.com>

From: Alexander Bulekov <alxndr@bu.edu>

We passed an is_write flag to the fuzz_dma_read_cb function to
differentiate between the mapped DMA regions that need to be populated
with fuzzed data, and those that don't. We simply passed through the
address_space_map is_write parameter. The goal was to cut down on
unnecessarily populating mapped DMA regions, when they are not read
from.

Unfortunately, nothing precludes code from reading from regions mapped
with is_write=true. For example, see:
https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04729.html

This patch removes the is_write parameter to fuzz_dma_read_cb. As a
result, we will fill all mapped DMA regions with fuzzed data, ignoring
the specified transfer direction.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20210120060255.558535-1-alxndr@bu.edu>
---
 include/exec/memory.h                 | 8 +++-----
 include/exec/memory_ldst_cached.h.inc | 6 +++---
 memory_ldst.c.inc                     | 8 ++++----
 softmmu/memory.c                      | 5 ++---
 softmmu/physmem.c                     | 4 ++--
 tests/qtest/fuzz/generic_fuzz.c       | 9 +++------
 6 files changed, 17 insertions(+), 23 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index c6ce74fb79..ecba90bfd8 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -45,13 +45,11 @@ DECLARE_OBJ_CHECKERS(IOMMUMemoryRegion, IOMMUMemoryRegionClass,
 #ifdef CONFIG_FUZZ
 void fuzz_dma_read_cb(size_t addr,
                       size_t len,
-                      MemoryRegion *mr,
-                      bool is_write);
+                      MemoryRegion *mr);
 #else
 static inline void fuzz_dma_read_cb(size_t addr,
                                     size_t len,
-                                    MemoryRegion *mr,
-                                    bool is_write)
+                                    MemoryRegion *mr)
 {
     /* Do Nothing */
 }
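Review bot: The declaration at the top of the hunk carries no contract, so a reader of the header cannot tell what fuzz_dma_read_cb is expected to do with the range, nor why the `#else` stub ignores all three arguments. Now that the is_write parameter is gone, the direction-agnostic intent described in the commit message is not visible anywhere near the prototype. A short comment above `#ifdef CONFIG_FUZZ` would carry it, e.g. `/* Fuzzing hook: invoked with every guest-RAM range the emulated device may access via DMA, regardless of transfer direction; the generic fuzzer may fill [addr, addr+len) with fuzz data. No-op outside CONFIG_FUZZ. */`.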
@@ -2506,7 +2504,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
                           void *buf, hwaddr len)
 {
     assert(addr < cache->len && len <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr);
     if (likely(cache->ptr)) {
         memcpy(buf, cache->ptr + addr, len);
         return MEMTX_OK;
diff --git a/include/exec/memory_ldst_cached.h.inc b/include/exec/memory_ldst_cached.h.inc
index 01efad62de..7bc8790d34 100644
--- a/include/exec/memory_ldst_cached.h.inc
+++ b/include/exec/memory_ldst_cached.h.inc
@@ -28,7 +28,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(l)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 4 <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr);
     if (likely(cache->ptr)) {
         return LD_P(l)(cache->ptr + addr);
     } else {
@@ -40,7 +40,7 @@ static inline uint64_t ADDRESS_SPACE_LD_CACHED(q)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 8 <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr);
     if (likely(cache->ptr)) {
         return LD_P(q)(cache->ptr + addr);
     } else {
@@ -52,7 +52,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(uw)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 2 <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr);
     if (likely(cache->ptr)) {
         return LD_P(uw)(cache->ptr + addr);
     } else {
diff --git a/memory_ldst.c.inc b/memory_ldst.c.inc
index 2fed2de18e..b56e961967 100644
--- a/memory_ldst.c.inc
+++ b/memory_ldst.c.inc
@@ -42,7 +42,7 @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
                                         MO_32 | devend_memop(endian), attrs);
     } else {
         /* RAM case */
-        fuzz_dma_read_cb(addr, 4, mr, false);
+        fuzz_dma_read_cb(addr, 4, mr);
         ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
         switch (endian) {
         case DEVICE_LITTLE_ENDIAN:
@@ -111,7 +111,7 @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
                                         MO_64 | devend_memop(endian), attrs);
     } else {
         /* RAM case */
-        fuzz_dma_read_cb(addr, 8, mr, false);
+        fuzz_dma_read_cb(addr, 8, mr);
         ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
         switch (endian) {
         case DEVICE_LITTLE_ENDIAN:
@@ -177,7 +177,7 @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
         r = memory_region_dispatch_read(mr, addr1, &val, MO_8, attrs);
     } else {
         /* RAM case */
-        fuzz_dma_read_cb(addr, 1, mr, false);
+        fuzz_dma_read_cb(addr, 1, mr);
         ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
         val = ldub_p(ptr);
         r = MEMTX_OK;
@@ -215,7 +215,7 @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
                                         MO_16 | devend_memop(endian), attrs);
     } else {
         /* RAM case */
-        fuzz_dma_read_cb(addr, 2, mr, false);
+        fuzz_dma_read_cb(addr, 2, mr);
         ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
         switch (endian) {
         case DEVICE_LITTLE_ENDIAN:
diff --git a/softmmu/memory.c b/softmmu/memory.c
index c0c814fbb9..23e8e33001 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -1440,7 +1440,7 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
     unsigned size = memop_size(op);
     MemTxResult r;
 
-    fuzz_dma_read_cb(addr, size, mr, false);
+    fuzz_dma_read_cb(addr, size, mr);
     if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
         *pval = unassigned_mem_read(mr, addr, size);
         return MEMTX_DECODE_ERROR;
@@ -3285,8 +3285,7 @@ void memory_region_init_rom_device(MemoryRegion *mr,
 #ifdef CONFIG_FUZZ
 void __attribute__((weak)) fuzz_dma_read_cb(size_t addr,
                       size_t len,
-                      MemoryRegion *mr,
-                      bool is_write)
+                      MemoryRegion *mr)
 {
 }
 #endif
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index 243c3097d3..96efaef97a 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -2839,7 +2839,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
             stn_he_p(buf, l, val);
         } else {
             /* RAM case */
-            fuzz_dma_read_cb(addr, len, mr, false);
+            fuzz_dma_read_cb(addr, len, mr);
             ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);
             memcpy(buf, ram_ptr, l);
         }
@@ -3200,7 +3200,7 @@ void *address_space_map(AddressSpace *as,
     memory_region_ref(mr);
     *plen = flatview_extend_translation(fv, addr, len, mr, xlat,
                                         l, is_write, attrs);
-    fuzz_dma_read_cb(addr, *plen, mr, is_write);
+    fuzz_dma_read_cb(addr, *plen, mr);
     ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
 
     return ptr;
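Review bot: The call on the changed line now fires for write-mapped regions too, but nothing at the call site says so; the rationale lives only in the commit message, and a later reader seeing `is_write` still flow into flatview_extend_translation on the line above may assume the hook should honor it as well. A one-line comment would pin the intent: `/* Direction is deliberately ignored: devices may read through a pointer mapped with is_write=true. */`. address_space_map begins outside the hunk.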
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index be76d47d2d..deb74f15be 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -175,7 +175,7 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
  * generic_fuzz(), avoiding potential race-conditions, which we don't have
  * a good way for reproducing right now.
  */
-void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
+void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr)
 {
     /* Are we in the generic-fuzzer or are we using another fuzz-target? */
     if (!qts_global) {
@@ -187,14 +187,11 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
      * - We have no DMA patterns defined
      * - The length of the DMA read request is zero
      * - The DMA read is hitting an MR other than the machine's main RAM
-     * - The DMA request is not a read (what happens for a address_space_map
-     *   with is_write=True? Can the device use the same pointer to do reads?)
      * - The DMA request hits past the bounds of our RAM
      */
     if (dma_patterns->len == 0
         || len == 0
         || mr != current_machine->ram
-        || is_write
         || addr > current_machine->ram_size) {
         return;
     }
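Review bot: The surviving guard `addr > current_machine->ram_size` does not match the comment above it ("hits past the bounds of our RAM"): a request starting exactly at ram_size passes, and len is not consulted, so a range that begins inside RAM but runs past its end is accepted. If the code after the hunk does not clamp the length to the region, extending the condition with `|| addr + len > current_machine->ram_size` (guarding the addition against size_t wraparound) would make the guard match its comment; if it does clamp, the comment should say that only the start address is checked here. fuzz_dma_read_cb continues outside the hunk.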
@@ -213,12 +210,12 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
             double_fetch = true;
             if (addr < region.addr
                 && avoid_double_fetches) {
-                fuzz_dma_read_cb(addr, region.addr - addr, mr, is_write);
+                fuzz_dma_read_cb(addr, region.addr - addr, mr);
             }
             if (addr + len > region.addr + region.size
                 && avoid_double_fetches) {
                 fuzz_dma_read_cb(region.addr + region.size,
-                        addr + len - (region.addr + region.size), mr, is_write);
+                        addr + len - (region.addr + region.size), mr);
             }
             return;
         }
-- 
2.29.2




