Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging

Doc and bug fixes # gpg: Signature made Wed 04 Nov 2020 17:01:29 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini-gitlab/tags/for-upstream: qapi, qemu-options: make all parsing visitors parse boolean options the same qtest: escape device name in device-introspect-test ivshmem-test: do not use short-form boolean option semihosting: fix order of initialization functions fuzz: fuzz offsets within pio/mmio regions fuzz: check the MR in the DMA callback fuzz: fix writing DMA patterns tests/qtest: Fix potential NULL pointer dereference in qos_build_main_args() configure: fix gio_libs reference meson: fix warning for bad sphinx-build tests/qtest/libqos/ahci.c: Avoid NULL dereference in ahci_exec() tests/qtest/libqtest.c: Check for setsockopt() failure meson: vhost-user-gpu/virtiofsd: use absolute path meson: use b_staticpic=false for meson >=0.56.0 qtest: add a reproducer for LP#1878642 hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ scripts/oss-fuzz: rename bin/qemu-fuzz-i386 exec: Remove dead code (CID 1432876) docs: expand sourceset documentation cutils: replace strdup with g_strdup Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
author: Peter Maydell <peter.maydell@linaro.org> 2020-11-05 13:30:05 +0000
committer: Peter Maydell <peter.maydell@linaro.org> 2020-11-05 13:30:05 +0000
commit: 747c6b3811ef5f06278ab364261e3723bcbb4031 (patch)
tree: 787182dd26651217d8a9b134e3c73c44f609a3e6 /tests/qtest/fuzz/generic_fuzz.c
parent: e2766868d45d8c8f8991cfd133e6a0c14abfe577 (diff)
parent: 372bcb2585cd2f06a01f13b1a208370ccf7479cf (diff)
1 files changed, 23 insertions, 21 deletions
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index a8f5864883..262a963d2e 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -192,7 +192,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
      */
     if (dma_patterns->len == 0
         || len == 0
-        /* || mr != MACHINE(qdev_get_machine())->ram */
+        || mr != current_machine->ram
         || is_write
         || addr > current_machine->ram_size) {
         return;
@@ -229,10 +229,10 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
     address_range ar = {addr, len};
     g_array_append_val(dma_regions, ar);
     pattern p = g_array_index(dma_patterns, pattern, dma_pattern_index);
-    void *buf = pattern_alloc(p, ar.size);
+    void *buf_base = pattern_alloc(p, ar.size);
+    void *buf = buf_base;
     hwaddr l, addr1;
     MemoryRegion *mr1;
-    uint8_t *ram_ptr;
     while (len > 0) {
         l = len;
         mr1 = address_space_translate(first_cpu->as,
@@ -244,30 +244,27 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write)
             l = memory_access_size(mr1, l, addr1);
         } else {
             /* ROM/RAM case */
-            ram_ptr = qemu_map_ram_ptr(mr1->ram_block, addr1);
-            memcpy(ram_ptr, buf, l);
-            break;
+            if (qtest_log_enabled) {
+                /*
+                * With QTEST_LOG, use a normal, slow QTest memwrite. Prefix the log
+                * that will be written by qtest.c with a DMA tag, so we can reorder
+                * the resulting QTest trace so the DMA fills precede the last PIO/MMIO
+                * command.
+                */
+                fprintf(stderr, "[DMA] ");
+                if (double_fetch) {
+                    fprintf(stderr, "[DOUBLE-FETCH] ");
+                }
+                fflush(stderr);
+            }
+            qtest_memwrite(qts_global, addr, buf, l);
         }
         len -= l;
         buf += l;
         addr += l;
 
     }
-    if (qtest_log_enabled) {
-        /*
-         * With QTEST_LOG, use a normal, slow QTest memwrite. Prefix the log
-         * that will be written by qtest.c with a DMA tag, so we can reorder
-         * the resulting QTest trace so the DMA fills precede the last PIO/MMIO
-         * command.
-         */
-        fprintf(stderr, "[DMA] ");
-        if (double_fetch) {
-            fprintf(stderr, "[DOUBLE-FETCH] ");
-        }
-        fflush(stderr);
-    }
-    qtest_memwrite(qts_global, ar.addr, buf, ar.size);
-    g_free(buf);
+    g_free(buf_base);
 
     /* Increment the index of the pattern for the next DMA access */
     dma_pattern_index = (dma_pattern_index + 1) % dma_patterns->len;
@@ -301,6 +298,11 @@ static bool get_io_address(address_range *result, AddressSpace *as,
     } while (cb_info.index != index && !cb_info.found);
 
     *result = cb_info.result;
+    if (result->size) {
+        offset = offset % result->size;
+        result->addr += offset;
+        result->size -= offset;
+    }
     return cb_info.found;
 }
author	Peter Maydell <peter.maydell@linaro.org>	2020-11-05 13:30:05 +0000
committer	Peter Maydell <peter.maydell@linaro.org>	2020-11-05 13:30:05 +0000
commit	747c6b3811ef5f06278ab364261e3723bcbb4031 (patch)
tree	787182dd26651217d8a9b134e3c73c44f609a3e6 /tests/qtest/fuzz/generic_fuzz.c
parent	e2766868d45d8c8f8991cfd133e6a0c14abfe577 (diff)
parent	372bcb2585cd2f06a01f13b1a208370ccf7479cf (diff)