On 240722 0007, Yao Xingtao wrote:
> use ranges_overlap() instead of open-coding the overlap check to improve
> the readability of the code.
>
> Signed-off-by: Yao Xingtao
Reviewed-by: Alexander Bulekov
Thank you
> ---
> tests/qtest/fuzz/generic_fuzz.c | 3 ++-
This fixes the almost-immediate timeout issue for me on the
virtio_net_fuzz target, but I'm not sure why this works or if it is
fixing the right problem:
qtest_probe_child is designed to run from a libqtest process which
uses waitpid on the PID of the child (qemu) process (stored in
QTestState->qe
Reviewed-by: Alexander Bulekov
On 240521 1331, Dmitry Frolov wrote:
> Found with fuzzing for qemu-8.2, but also relevant for master
>
> Signed-off-by: Dmitry Frolov
> ---
> tests/qtest/fuzz/qos_fuzz.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/tests
When we are building for OSS-Fuzz, we want to ensure that the fuzzer
targets are actually created, regardless of leaks. Leaks will be
detected by the subsequent tests of the individual fuzz-targets.
Signed-off-by: Alexander Bulekov
---
scripts/oss-fuzz/build.sh | 1 +
1 file changed, 1
On 240527 1007, Alexander Bulekov wrote:
> On 240527 0734, Thomas Huth wrote:
> > On 27/05/2024 06.07, Alexander Bulekov wrote:
> > > Fixes test-failure on Fedora 40 CI.
> > >
> > > Reported-by: Thomas Huth
> > > Signed-off-by: Alexande
On 240527 0734, Thomas Huth wrote:
> On 27/05/2024 06.07, Alexander Bulekov wrote:
> > Fixes test-failure on Fedora 40 CI.
> >
> > Reported-by: Thomas Huth
> > Signed-off-by: Alexander Bulekov
> > ---
> > tests/qtest/fuzz/generic_fuzz_configs.h | 3 ++-
Fixes test-failure on Fedora 40 CI.
Reported-by: Thomas Huth
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/generic_fuzz_configs.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h
b/tests/qtest/fuzz/generic_fuzz_configs.h
On 240321 2208, Vladimir Sementsov-Ogievskiy wrote:
> On 21.03.24 18:01, Alexander Bulekov wrote:
> > On 240320 0024, Vladimir Sementsov-Ogievskiy wrote:
> > > Hi all!
> > >
> > > From fuzzing I've got a fuzz-data, which produces the following crash:
On 240320 0024, Vladimir Sementsov-Ogievskiy wrote:
> Hi all!
>
> From fuzzing I've got a fuzz-data, which produces the following crash:
>
> qemu-fuzz-x86_64: ../hw/net/virtio-net.c:134: void
> flush_or_purge_queued_packets(NetClientState *): Assertion
> `!virtio_net_get_subqueue(nc)->async_tx.
On 231115 1522, Brian Cain wrote:
> Alexander, Bandan, Paolo, Stefan, Manuel,
>
> Hi, I'm Brian and I maintain the Hexagon arch for QEMU. Elia, a security
> researcher at Qualcomm is exploring ways to fuzz some hexagon OS kernel with
> QEMU and in particular leveraging snapshotting, inspired by
Reviewed-by: Alexander Bulekov
Thank you
On 231004 1106, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> tests/qtest/fuzz/fuzz.h | 4 ++--
> softmmu/memory.c| 2 +-
> tests/qtest/fuzz/fuzz.c | 2 +-
> 3 files changed, 4 insertio
t; One consequence of the prior behavior was that setting zero sectors
> >> per track could lead to an FPE within ide_set_sector(). Thanks to
> >> Alexander Bulekov for reporting this issue.
> >>
> >> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1243
> >&g
s://gitlab.com/qemu-project/qemu/-/issues/1744
> Signed-off-by: Marc-André Lureau
Reviewed-by: Alexander Bulekov
On 230627 1502, marcandre.lur...@redhat.com wrote:
> From: Marc-André Lureau
>
> Allocate pixman bits for scanouts with qemu_win32_map_alloc() so we can
> set a shareable handle on the associated display surface.
>
> Note: when bits are provided to pixman_image_create_bits(), you must also give
e
Reviewed-by: Alexander Bulekov
Thanks
> ---
> tests/docker/test-fuzz | 28
> 1 file changed, 28 insertions(+)
> create mode 100755 tests/docker/test-fuzz
>
> diff --git a/tests/docker/test-fuzz b/tests/docker/test-fuzz
> new file mode 100755
>
On 230626 2259, Alex Bennée wrote:
> An update to the clang tooling detects more issues with the code
> including a memory leak from the g_string_new() allocation. Clean up
> the code with g_autoptr and use ARRAY_SIZE while we are at it.
>
> Signed-off-by: Alex Bennée
Reviewe
On 230329 0542, Alexander Bulekov wrote:
> On 230213 1841, Mauro Matteo Cascella wrote:
> > The guest can control the size of buf; an OOB write occurs when buf is 1 or
> > 2
> > bytes long. Only fill in the buffer as long as there is enough space, throw
> > away
ncyGuard * as a
> parameter of qemu_new_nic().
>
> Signed-off-by: Akihiko Odaki
Reviewed-by: Alexander Bulekov
One minor comment below.
> ---
> include/net/net.h | 1 +
> hw/net/allwinner-sun8i-emac.c | 3 ++-
> hw/net/allwinner_emac.c | 3 ++-
> hw/n
023-3019
> Reported-by: Alexander Bulekov
> Signed-off-by: Akihiko Odaki
Acked-by: Alexander Bulekov
> ---
> include/net/net.h | 1 +
> net/net.c | 14 ++
> 2 files changed, 15 insertions(+)
>
> diff --git a/include/net/net.h b/include/net/net.h
ab.com/qemu-project/qemu/-/issues/1563
> Signed-off-by: Thomas Huth
Reviewed-by: Alexander Bulekov
On 230516 1105, Thomas Huth wrote:
> While trying to use a SCSI disk on the LSI controller with an
> older version of Fedora (25), I'm getting:
>
> qemu: warning: Blocked re-entrant IO on MemoryRegion: lsi-mmio at addr: 0x34
Do you have a gdb backtrace for this one or is there some easy way to
r
engaged_in_io could be unset by an MR with re-entrancy checks disabled.
Ensure that only MRs that can set the engaged_in_io flag can unset it.
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1563
Reported-by: Thomas Huth
Signed-off-by: Alexander Bulekov
---
softmmu/memory.c | 4 +++-
1
On 230511 1104, Cédric Le Goater wrote:
> Hello Alexander
>
> On 5/11/23 10:53, Alexander Bulekov wrote:
> > As lpc-hc is designed for re-entrant calls from xscom, mark it
> > re-entrancy safe.
> >
> > Reported-by: Thomas Huth
> > Signed-off-by: Alexander
As lpc-hc is designed for re-entrant calls from xscom, mark it
re-entrancy safe.
Reported-by: Thomas Huth
Signed-off-by: Alexander Bulekov
---
hw/ppc/pnv_lpc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
index 01f44c19eb..67fd049a7f 100644
--- a/hw
loongarch_ipi_iocsr MRs rely on re-entrant IO through the ipi_send
function. As such, mark these MRs re-entrancy-safe.
Fixes: a2e1753b80 ("memory: prevent dma-reentracy issues")
Signed-off-by: Alexander Bulekov
---
hw/intc/loongarch_ipi.c | 4
1 file changed, 4 insertions(+)
di
ned-off-by: Alexander Bulekov
---
util/async.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/util/async.c b/util/async.c
index 9df7674b4e..055070ffbd 100644
--- a/util/async.c
+++ b/util/async.c
@@ -156,18 +156,20 @@ void aio_bh_call(QEMUBH *bh)
{
On 230428 1143, Thomas Huth wrote:
> From: Alexander Bulekov
>
> Devices can pass their MemoryReentrancyGuard (from their DeviceState),
> when creating new BHes. Then, the async API will toggle the guard
> before/after calling the BH call-back. This prevents bh->mmio r
On 230428 1015, Thomas Huth wrote:
> On 28/04/2023 10.12, Daniel P. Berrangé wrote:
> > On Thu, Apr 27, 2023 at 05:10:06PM -0400, Alexander Bulekov wrote:
> > > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > > This flag is set/checked
As the code is designed for re-entrant calls from raven_io_ops to
pci-conf, mark raven_io_ops as reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
hw/pci-host/raven.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index 072ffe3c5e
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
As the code is designed for re-entrant calls from bcm2835_property to
bcm2835_mbox and back into bcm2835_property, mark iomem as
reentrancy-safe.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
hw/misc/bcm2835_property.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a
ew, you call qemu_bh_new_guarded)
I replaced most of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially accessible.
Alexander Bulekov (8):
memory: prevent dma-reentracy issues
async: Add an optional reentrancy guard to the BH API
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
Reviewed-by
As the code is designed for re-entrant calls to apic-msi, mark apic-msi
as reentrancy-safe.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
hw/intc/apic.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 20b5a94073..ac3d47d231
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
//gitlab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Resolves: CVE-2023-0330
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
include/exec/memory.h | 5 +
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 16
On 230426 1219, Alexander Bulekov wrote:
> This is useful for using unit-tests/fuzzing to detect bugs introduced by
> the re-entrancy guard mechanism into devices that are intentionally
> re-entrant.
>
> Signed-off-by: Alexander Bulekov
> Reviewed-by: Thomas Huth
> ---
Thi
As the code is designed for re-entrant calls to apic-msi, mark apic-msi
as reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
Based-on: <20230426161951.2948996-1-alx...@bu.edu>
hw/intc/apic.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
On 230427 1504, Thomas Huth wrote:
> On 26/04/2023 18.19, Alexander Bulekov wrote:
> > v8-> v9:
> > - Disable reentrancy checks for raven's iomem (Patch 8)
> > - Fix non-bisectable disable_reentrancy_guard patch by squashing it
> >into Patch 1.
This is useful for using unit-tests/fuzzing to detect bugs introduced by
the re-entrancy guard mechanism into devices that are intentionally
re-entrant.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
softmmu/memory.c | 3 +++
util/async.c | 3 +++
2 files changed, 6
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
As the code is designed for re-entrant calls from bcm2835_property to
bcm2835_mbox and back into bcm2835_property, mark iomem as
reentrancy-safe.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
hw/misc/bcm2835_property.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a
//gitlab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Resolves: CVE-2023-0330
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
include/exec/memory.h | 5 +
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 14 ++
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
Reviewed-by
As the code is designed for re-entrant calls from raven_io_ops to
pci-conf, mark raven_io_ops as reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
hw/pci-host/raven.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/pci-host/raven.c b/hw/pci-host/raven.c
index 072ffe3c5e
ing Device/DeviceState. Thus, this version allows a
device to associate a reentrancy-guard with a bh, when creating it.
(Instead of calling qemu_bh_new, you call qemu_bh_new_guarded)
I replaced most of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
On 230425 1146, Thomas Huth wrote:
> On 21/04/2023 16.27, Alexander Bulekov wrote:
> > v7 -> v8:
> > - Disable reentrancy checks for bcm2835_property's iomem (Patch 7)
> > - Cache DeviceState* in the MemoryRegion to avoid dynamic cast for
> >
On 230425 0941, Thomas Huth wrote:
> On 21/04/2023 16.27, Alexander Bulekov wrote:
> > Signed-off-by: Alexander Bulekov
> > Reviewed-by: Thomas Huth
> > Reviewed-by: Darren Kenny
> > ---
> > include/exec/memory.h | 3 +++
> > 1 file changed, 3 insertion
This is useful for using unit-tests/fuzzing to detect bugs introduced by
the re-entrancy guard mechanism into devices that are intentionally
re-entrant.
Signed-off-by: Alexander Bulekov
---
softmmu/memory.c | 3 +++
util/async.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a
As the code is designed for re-entrant calls from bcm2835_property to
bcm2835_mbox and back into bcm2835_property, mark iomem as
reentrancy-safe.
Signed-off-by: Alexander Bulekov
---
hw/misc/bcm2835_property.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/misc/bcm2835_property.c
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
st of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially accessible.
Alexander Bulekov (8):
memory: prevent dma-reentracy issues
async: Add an optional reentrancy guard to the BH API
checkpatch: add qemu_bh_new/aio_bh_ne
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
Reviewed-by: Darren Kenny
---
include/exec/memory.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 6c0a5e68d3..4e9531bd8a 100644
--- a/include/exec/memory.h
+++ b/include/exec
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
Reviewed-by
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
//gitlab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Resolves: CVE-2023-0330
Signed-off-by: Alexander Bulekov
---
include/exec/memory.h | 2 ++
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 14 ++
softmmu/trace-events
rite 0xb800a646028c000e 0x1 0x47
> write 0xb800a646028c0010 0x1 0x02
> write 0xb800a646028c0017 0x1 0x06
> write 0xb800a646028c0036 0x1 0x80
> write 0xe0d9 0x1 0x40
> EOF
>
> Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Maybe instead:
Closes:
On 230328 1859, Markus Armbruster wrote:
> At this moment, arm_load_dtb() can free machine->fdt when
> binfo->dtb_filename is NULL. If there's no 'dtb_filename', 'fdt' will be
> retrieved by binfo->get_dtb(). If get_dtb() returns machine->fdt, as is
> the case of machvirt_dtb() from hw/arm/virt.c,
Cascella
Tested-by: Alexander Bulekov
Thanks
> ---
> hw/usb/dev-wacom.c | 20 +---
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
> index 7177c17f03..ca9e6aa82f 100644
> --- a/hw/usb/dev-wacom.c
> +
On 230214 1148, Mauro Matteo Cascella wrote:
> Hi Philippe,
>
> On Mon, Feb 13, 2023 at 7:26 PM Philippe Mathieu-Daudé
> wrote:
> >
> > Hi Mauro,
> >
> > On 13/2/23 18:41, Mauro Matteo Cascella wrote:
> > > The guest can control the size of buf; an OOB write occurs when buf is 1
> > > or 2
> > >
On 230324 1200, Mauro Matteo Cascella wrote:
> On Fri, Mar 17, 2023 at 10:59 PM Philippe Mathieu-Daudé
> wrote:
> >
> > On 17/3/23 19:18, Karl Heubaum wrote:
> > > Did this CVE fix fall in the cracks during the QEMU 8.0 merge window?
> >
> > The patch isn't reviewed, and apparently almost no activ
On 230316 2124, Akihiko Odaki wrote:
> A guest may ask a memory-mapped device to perform DMA. If the
> address specified for DMA is the device performing DMA, it will create
> recursion. It is very unlikely that device implementations are prepared
> for such an abnormal access, which can re
On 230313 1608, Peter Maydell wrote:
> On Mon, 13 Mar 2023 at 15:41, Philippe Mathieu-Daudé
> wrote:
> > Now I wonder again if this is a good time to merge this change set.
>
> No, I don't think it is at this point in the release
> cycle. I would vote for merging it when we reopen for 8.1,
> so
On 230313 1502, Thomas Huth wrote:
> On 13/03/2023 09.24, Alexander Bulekov wrote:
> > v6 -> v7:
> > - Fix bad qemu_bh_new_guarded calls found by Thomas (Patch 4)
> > - Add an MR-specific flag to disable reentrancy (Patch 5)
> > - Disable reentrancy ch
On 230313 0515, Alexander Bulekov wrote:
> >
> > At this point I'm not sure anymore this is a device or MR property.
>
> It's designed to be an MR property. If it were MR specific, it wouldn't
Should be "It's designed to be a Device property."
On 230313 0945, Philippe Mathieu-Daudé wrote:
> Hi Alex,
>
> Sorry for the late review, *sigh*.
>
> On 13/3/23 09:24, Alexander Bulekov wrote:
> > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > This flag is set/checked prior to call
//gitlab.com/qemu-project/qemu/-/issues/827
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Alexander Bulekov
Acked-by: Peter Xu
---
include/hw/qdev-core.h | 7 +++
softmmu/memory.c | 17 +++
Advise authors to use the _guarded versions of the APIs, instead.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index d768171dcf..eeaec436eb 100755
Signed-off-by: Alexander Bulekov
---
include/exec/memory.h | 3 +++
softmmu/memory.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 6fa0b071f0..5154b123d8 100644
--- a/include/exec/memory.h
+++ b/include/exec
As the code is designed to use the memory APIs to access the script ram,
disable reentrancy checks for the pseudo-RAM ram_io MemoryRegion.
In the future, ram_io may be converted from an IO to a proper RAM MemoryRegion.
Reported-by: Fiona Ebner
Signed-off-by: Alexander Bulekov
---
hw/scsi
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
---
hw/9pfs/xen-9p-backen
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
mu_bh_new_guarded)
I replaced most of the qemu_bh_new invocations with the guarded analog,
except for the ones where the DeviceState was not trivially accessible.
Alexander Bulekov (6):
memory: prevent dma-reentracy issues
async: Add an optional reentrancy guard to the BH API
checkpat
On 230302 1103, Carlos López wrote:
> In virtqueue_{split,packed}_get_avail_bytes() descriptors are read
> in a loop via MemoryRegionCache regions and calls to
> vring_{split,packed}_desc_read() - these take a region cache and the
> index of the descriptor to be read.
>
> For direct descriptors we
On 230310 0802, Alexander Bulekov wrote:
> On 230310 1245, Peter Maydell wrote:
> > On Fri, 10 Mar 2023 at 12:32, Alexander Bulekov wrote:
> > > This MR seems to be "lsi-ram".
> > >
> > > From hw/scsi/lsi53c895a.c:
> > >
On 230310 1245, Peter Maydell wrote:
> On Fri, 10 Mar 2023 at 12:32, Alexander Bulekov wrote:
> > This MR seems to be "lsi-ram".
> >
> > From hw/scsi/lsi53c895a.c:
> >
> > memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
On 230310 0723, Alexander Bulekov wrote:
> On 230310 1214, Fiona Ebner wrote:
> > Am 05.02.23 um 05:07 schrieb Alexander Bulekov:
> > > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > > This flag is set/checked prior to calling a device
On 230310 1214, Fiona Ebner wrote:
> Am 05.02.23 um 05:07 schrieb Alexander Bulekov:
> > Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
> > This flag is set/checked prior to calling a device's MemoryRegion
> > handlers, and set when device code i
[[ CCing qemu-devel in case someone can spot something wrong faster than me]]
On 230308 1042, Thomas Huth wrote:
[snip]
> > > I'd really love to see this series included in QEMU 8.0, so to help with
> > > testing a little bit, I've put it in my gitlab-CI for testing. However, it
> > > hit a segf
On 230302 1627, byzero wrote:
> Hi,
> The bug class of MMIO reentrancy is fixed by adding a member "memory" in
> the struct "MemTxAttrs", but the patch only exists in 7.x version, which is
As a side-note, that patch doesn't fix the entire class of
DMA-reentrancy bugs. There are still active DMA re
On 230216 1214, Thomas Huth wrote:
> On 13/02/2023 03.11, Alexander Bulekov wrote:
> > ping
>
> I think it would be really good to finally get these dma-reentrancy issues
> fixed! Who's supposed to pick up these patches? Paolo? David? Peter?
Ping
>
> Thomas
> This can be fixed by ensuring we always call g_test_init first in the
> body of main.
>
> Thanks: Daniel Berrange, for diagnosing the problem
> Signed-off-by: Richard W.M. Jones
Reviewed-by: Alexander Bulekov
On 230217 1048, Darren Kenny wrote:
> I know this is a pull request, but if you prefer to have all the patches
> with and R-b, you can add mine here too, but I'll leave it up to you.
>
> Reviewed-by: Darren Kenny
>
Thank you Darren - I missed that this one wasn't reviewed..
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
docs/devel/fuzzing.rst | 22 ++
1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
index 715330c856..3bfcb33fc4 100644
--- a/docs/devel/fuzzing.rst
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/virtio_blk_fuzz.c | 51 --
1 file changed, 7 insertions(+), 44 deletions(-)
diff --git a/tests/qtest/fuzz/virtio_blk_fuzz.c
b/tests/qtest/fuzz/virtio_blk_fuzz.c
index a9fb9ecf6c
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/generic_fuzz.c | 114 ++--
1 file changed, 22 insertions(+), 92 deletions(-)
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 7326f6840b..f4acfa45cc
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/i440fx_fuzz.c | 27 +--
1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
index b17fc725df..155fe018f8 100644
--- a
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/virtio_scsi_fuzz.c | 51 -
1 file changed, 7 insertions(+), 44 deletions(-)
diff --git a/tests/qtest/fuzz/virtio_scsi_fuzz.c
b/tests/qtest/fuzz/virtio_scsi_fuzz.c
index b3220ef6cb
longer in active development). Remove it in favor of other
methods of resetting state between inputs.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
meson.build | 4 ---
tests/qtest/fuzz/fork_fuzz.c | 41 -
tests/qtest/fuzz/fork_fuzz.h | 23
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/virtio_net_fuzz.c | 54 +++---
1 file changed, 5 insertions(+), 49 deletions(-)
diff --git a/tests/qtest/fuzz/virtio_net_fuzz.c
b/tests/qtest/fuzz/virtio_net_fuzz.c
index c2c15f07f0
As we are converting most fuzzers to rely on reboots to reset state,
introduce an API to make sure reboots are invoked in a consistent
manner.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/fuzz.c | 6 ++
tests/qtest/fuzz/fuzz.h | 2 +-
2 files changed, 7 insertions(+), 1 deletion
We use sparse-mem for fuzzing. For long-running fuzzing processes, we
eventually end up with many allocated sparse-mem pages. To avoid this,
clear the allocated pages on system-reset.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Reviewed-by: Philippe Mathieu-Daudé
---
hw/mem
found that slow inputs often attempt to fill overly large DMA
requests. Thus, we can mitigate most timeouts by setting a cap on the
total number of DMA bytes written by an input.
Signed-off-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz
zzers will reboot the guest between inputs.
----
Alexander Bulekov (10):
hw/sparse-mem: clear memory on reset
fuzz: add fuzz_reset API
fuzz/generic-fuzz: use reboots instead of forks to reset state
fuzz/generic-fuzz: a
On 230213 1426, Darren Kenny wrote:
> Hi Alex,
>
> On Saturday, 2023-02-04 at 23:29:44 -05, Alexander Bulekov wrote:
> > Signed-off-by: Alexander Bulekov
> > ---
> > tests/qtest/fuzz/generic_fuzz.c | 106 +++-
> > 1 file change
On 230213 1438, Darren Kenny wrote:
> Hi Alex,
>
> On Saturday, 2023-02-04 at 23:29:45 -05, Alexander Bulekov wrote:
> > As we have replaced fork-based fuzzing, with reboots - we can no longer
> > use a timeout+exit() to avoid slow inputs. Libfuzzer has its own timer
>