aboutsummaryrefslogtreecommitdiff
path: root/tests/qtest
AgeCommit message (Collapse)Author
2021-10-20tests: acpi: dump table with failed checksumIgor Mammedov
Signed-off-by: Igor Mammedov <imammedo@redhat.com> Message-Id: <20210902113551.461632-2-imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2021-10-14configure, meson: move fuzzing configuration to MesonPaolo Bonzini
Cc: Alexander Oleinik <alxndr@bu.edu> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20211007130829.632254-2-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-10-05meson: switch minimum meson version to 0.58.2, minimum recommended to 0.59.2Paolo Bonzini
Meson 0.58.2 does not need b_staticpic=$pie anymore, and has stabilized the keyval module. Remove the workaround and use a few replacements for features deprecated in the 0.57.0 release cycle. One feature that we would like to use is passing dependencies to summary. However, that was broken in 0.59.0 and 0.59.1. Therefore, use the embedded Meson if the host has anything older than 0.59.2, but allow --meson= to use 0.58.2. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-10-01qtest/numa-test: Use detailed -smp CLIs in test_def_cpu_splitYanan Wang
Since commit 80d7835749 (qemu-options: rewrite help for -smp options), the preference of sockets/cores in -smp parsing is considered liable to change, and actually we are going to change it in a coming commit. So it'll be more stable to use detailed -smp CLIs in the testcases that have strong dependency on the parsing results. Currently, test_def_cpu_split use "-smp 8" and will get 8 CPU sockets based on current parsing rule. But if we change to prefer cores over sockets we will get one CPU socket with 8 cores, and this testcase will not get expected numa set by default on x86_64 (Ok on aarch64). So now explicitly use "-smp 8,sockets=8" to avoid affect from parsing logic change. Signed-off-by: Yanan Wang <wangyanan55@huawei.com> Reviewed-by: Andrew Jones <drjones@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210929025816.21076-9-wangyanan55@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-10-01qtest/numa-test: Use detailed -smp CLIs in pc_dynamic_cpu_cfgYanan Wang
Since commit 80d7835749 (qemu-options: rewrite help for -smp options), the preference of sockets/cores in -smp parsing is considered liable to change, and actually we are going to change it in a coming commit. So it'll be more stable to use detailed -smp CLIs in testing if we have strong dependency on the parsing results. pc_dynamic_cpu_cfg currently assumes/needs that there will be 2 CPU sockets with "-smp 2". To avoid breaking the test because of parsing logic change, now explicitly use "-smp 2,sockets=2". Signed-off-by: Yanan Wang <wangyanan55@huawei.com> Reviewed-by: Andrew Jones <drjones@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210929025816.21076-8-wangyanan55@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-09-30tests: qtest: bios-tables-test depends on the unpacked edk2 ROMsPaolo Bonzini
Skip the test if bzip2 is not available, and run it after they are uncompressed. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20210923105529.3845741-2-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-09-30target/i386: Add the query-sgx-capabilities QMP commandYang Zhong
Libvirt can use query-sgx-capabilities to get the host sgx capabilities to decide how to allocate SGX EPC size to VM. Signed-off-by: Yang Zhong <yang.zhong@intel.com> Message-Id: <20210910102258.46648-3-yang.zhong@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-09-30target/i386: Add HMP and QMP interfaces for SGXYang Zhong
The QMP and HMP interfaces can be used by monitor or QMP tools to retrieve the SGX information from VM side when SGX is enabled on Intel platform. Signed-off-by: Yang Zhong <yang.zhong@intel.com> Message-Id: <20210910102258.46648-2-yang.zhong@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-09-06libqtest: check for g_setenv() failurePeter Maydell
g_setenv() can fail; check for it when starting a QEMU process when we set the QEMU_AUDIO_DRV environment variable. Because this happens after fork() reporting an exact message via printf() is a bad idea; just exit(1), as we already do for the case of execlp() failure. Fixes: Coverity CID 1460117 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210820163750.9106-1-peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-09-02Merge remote-tracking branch 'remotes/a1xndr/tags/fuzz-pull-2021-09-01' into ↵Peter Maydell
staging Fuzzing Patches for 2021-09-01 # gpg: Signature made Wed 01 Sep 2021 12:42:00 BST # gpg: using RSA key FAD4E2BF871375D6340517C44E661DDE583A964E # gpg: Good signature from "Alexander Bulekov <alxndr@bu.edu>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: FAD4 E2BF 8713 75D6 3405 17C4 4E66 1DDE 583A 964E * remotes/a1xndr/tags/fuzz-pull-2021-09-01: MAINTAINERS: add fuzzing reviewer MAINTAINERS: Add myself as a reviewer for Device Fuzzing fuzz: unblock SIGALRM so the timeout works fuzz: use ITIMER_REAL for timeouts fuzz: add an instrumentation filter fuzz: make object-name matching case-insensitive fuzz: adjust timeout to allow for longer inputs fuzz: fix sparse memory access in the DMA callback Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-09-02Merge remote-tracking branch ↵Peter Maydell
'remotes/stefanberger/tags/pull-tpm-2021-09-01-1' into staging Merge tpm 2021/09/01 v1 # gpg: Signature made Wed 01 Sep 2021 13:13:27 BST # gpg: using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211 # gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211 * remotes/stefanberger/tags/pull-tpm-2021-09-01-1: tests: acpi: tpm1.2: Add expected TPM 1.2 ACPI blobs tests: acpi: Add test cases for TPM 1.2 with TCPA table tests: Use QMP to check whether a TPM device model is available tests: acpi: prepare for new TPM 1.2 related tables tests: tpm: Create TPM 1.2 response in TPM emulator tests: acpi: tpm2: Add the renamed ACPI files and drop old ones tests: Add suffix 'tpm2' or 'tpm12' to ACPI table files tests: acpi: Prepare for renaming of TPM2 related ACPI files tests: Add tpm_version field to TPMTestState and fill it tests: Rename TestState to TPMTestState Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-09-01Merge remote-tracking branch ↵Peter Maydell
'remotes/pmaydell/tags/pull-target-arm-20210901' into staging * Refactor M-profile systick to use Clocks instead of system_clock_scale global * clock: Provide builtin multiplier/divider * Add A64FX processor model * Enable MVE emulation in Cortex-M55 * hw: Add compat machines for 6.2 * hw/intc/arm_gicv3: Replace mis-used MEMTX_* constants by booleans * hw/arm/raspi: Remove deprecated raspi2/raspi3 aliases # gpg: Signature made Wed 01 Sep 2021 11:35:57 BST # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * remotes/pmaydell/tags/pull-target-arm-20210901: (51 commits) arm: Remove system_clock_scale global hw/timer/stellaris-gptm: Use Clock input instead of system_clock_scale hw/arm/stellaris: Split stellaris-gptm into its own file hw/arm/stellaris: Fix code style issues in GPTM code hw/timer/armv7m_systick: Use clock inputs instead of system_clock_scale hw/arm/msf2-soc: Wire up refclk hw/arm/msf2: Use Clock input to MSF2_SOC instead of m3clk property hw/arm/msf2_soc: Don't allocate separate MemoryRegions hw/arm/stellaris: Wire sysclk up to armv7m hw/arm/stellaris: split stellaris_sys_init() hw/arm/nrf51: Wire up sysclk hw/arm/stm32vldiscovery: Delete trailing blank line hw/arm/stm32f405: Wire up sysclk and refclk hw/arm/stm32f205: Wire up sysclk and refclk hw/arm/stm32f100: Wire up sysclk and refclk hw/arm: Don't allocate separate MemoryRegions in stm32 SoC realize clock: Provide builtin multiplier/divider hw/arm/mps2.c: Connect up armv7m clocks armsse: Wire up systick cpuclk clock hw/arm/armv7m: Create input clocks ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-09-01fuzz: unblock SIGALRM so the timeout worksAlexander Bulekov
The timeout mechanism won't work if SIGALRM is blocked. This changes unmasks SIGALRM when the timer is installed. This doesn't completely solve the problem, as the fuzzer could trigger some device activity that re-masks SIGALRM. However, there are currently no inputs on OSS-Fuzz that re-mask SIGALRM and timeout. If that turns out to be a real issue, we could try to hook sigmask-type calls, or use a separate timer thread. Based-on: <20210713150037.9297-1-alxndr@bu.edu> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2021-09-01fuzz: use ITIMER_REAL for timeoutsAlexander Bulekov
Using ITIMER_VIRTUAL is a bad idea, if the fuzzer hits a blocking syscall - e.g. ppoll with a NULL timespec. This causes timeout issues while fuzzing some block-device code. Fix that by using wall-clock time. This might cause inputs to timeout sometimes due to scheduling effects/ambient load, but it is better than bringing the entire fuzzing process to a halt. Based-on: <20210713150037.9297-1-alxndr@bu.edu> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2021-09-01fuzz: make object-name matching case-insensitiveAlexander Bulekov
We have some configs for devices such as the AC97 and ES1370 that were not matching memory-regions correctly, because the configs provided lowercase names. To resolve these problems and prevent them from occurring again in the future, convert both the pattern and names to lower-case, prior to checking for a match. Suggested-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
2021-09-01fuzz: adjust timeout to allow for longer inputsAlexander Bulekov
Using a custom timeout is useful to continue fuzzing complex devices, even after we run into some slow code-path. However, simply adding a fixed timeout to each input effectively caps the maximum input length/number of operations at some artificial value. There are two major problems with this: 1. Some code might only be reachable through long IO sequences. 2. Longer inputs can actually be _better_ for performance. While the raw number of fuzzer executions decreases with larger inputs, the number of MMIO/PIO/DMA operation/second actually increases, since were are speding proportionately less time fork()ing. With this change, we keep the custom-timeout, but we renew it, prior to each MMIO/PIO/DMA operation. Thus, we time-out only when a specific operation takes a long time. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
2021-09-01fuzz: fix sparse memory access in the DMA callbackAlexander Bulekov
The code mistakenly relied on address_space_translate to store the length remaining until the next memory-region. We care about this because when there is RAM or sparse-memory neighboring on an MMIO region, we should only write up to the border, to prevent inadvertently invoking MMIO handlers within the DMA callback. However address_space_translate_internal only stores the length until the end of the MemoryRegion if memory_region_is_ram(mr). Otherwise the *len is left unmodified. This caused some false-positive issues, where the fuzzer found a way to perform a nested MMIO write through a DMA callback on an [address, length] that started within sparse memory and spanned some device MMIO regions. To fix this, write to sparse memory in small chunks of memory_access_size (similar to the underlying address_space_write code), which will prevent accidentally hitting MMIO handlers through large writes. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-09-01tests/arm-cpu-features: Add A64FX processor related testsShuuichirou Ishii
Add tests that the A64FX CPU model exposes the expected features. Signed-off-by: Shuuichirou Ishii <ishii.shuuichir@fujitsu.com> Reviewed-by: Andrew Jones <drjones@redhat.com> [PMM: added commit message body] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-09-01tests: Remove uses of deprecated raspi2/raspi3 machine namesPhilippe Mathieu-Daudé
Commit 155e1c82ed0 deprecated the raspi2/raspi3 machine names. Use the recommended new names: raspi2b and raspi3b. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Willian Rampazzo <willianr@redhat.com> Message-id: 20210827060815.2384760-2-f4bug@amsat.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-08-31tests: acpi: tpm1.2: Add expected TPM 1.2 ACPI blobsStefan Berger
The TCPA.tis.tpm12 file contains the following: [000h 0000 4] Signature : "TCPA" [Trusted Computing Platform Alliance table] [004h 0004 4] Table Length : 00000032 [008h 0008 1] Revision : 02 [009h 0009 1] Checksum : 32 [00Ah 0010 6] Oem ID : "BOCHS " [010h 0016 8] Oem Table ID : "BXPC " [018h 0024 4] Oem Revision : 00000001 [01Ch 0028 4] Asl Compiler ID : "BXPC" [020h 0032 4] Asl Compiler Revision : 00000001 [024h 0036 2] Platform Class : 0000 [026h 0038 4] Min Event Log Length : 00010000 [02Ah 0042 8] Event Log Address : 0000000007FF0000 Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-11-stefanb@linux.ibm.com
2021-08-31tests: acpi: Add test cases for TPM 1.2 with TCPA tableStefan Berger
Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-10-stefanb@linux.ibm.com
2021-08-31tests: Use QMP to check whether a TPM device model is availableStefan Berger
Use QMP to check whether a given TPM device model is available and if it is not the case then do not register the tests that require it. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20210802215246.1433175-9-stefanb@linux.ibm.com
2021-08-31tests: acpi: prepare for new TPM 1.2 related tablesStefan Berger
Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-8-stefanb@linux.ibm.com
2021-08-31tests: tpm: Create TPM 1.2 response in TPM emulatorStefan Berger
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-7-stefanb@linux.ibm.com
2021-08-31tests: acpi: tpm2: Add the renamed ACPI files and drop old onesStefan Berger
Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-6-stefanb@linux.ibm.com
2021-08-31tests: Add suffix 'tpm2' or 'tpm12' to ACPI table filesStefan Berger
Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-5-stefanb@linux.ibm.com
2021-08-31tests: acpi: Prepare for renaming of TPM2 related ACPI filesStefan Berger
Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-4-stefanb@linux.ibm.com
2021-08-31tests: Add tpm_version field to TPMTestState and fill itStefan Berger
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-3-stefanb@linux.ibm.com
2021-08-31tests: Rename TestState to TPMTestStateStefan Berger
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Message-id: 20210802215246.1433175-2-stefanb@linux.ibm.com
2021-08-31hw/display/xlnx_dp: fix an out-of-bounds read in xlnx_dp_readQiang Liu
xlnx_dp_read allows an out-of-bounds read at its default branch because of an improper index. According to https://www.xilinx.com/html_docs/registers/ug1087/ug1087-zynq-ultrascale-registers.html (DP Module), registers 0x3A4/0x3A4/0x3AC are allowed. DP_INT_MASK 0x000003A4 32 mixed 0xFFFFF03F Interrupt Mask Register for intrN. DP_INT_EN 0x000003A8 32 mixed 0x00000000 Interrupt Enable Register. DP_INT_DS 0x000003AC 32 mixed 0x00000000 Interrupt Disable Register. In xlnx_dp_write, when the offset is 0x3A8 and 0x3AC, the virtual device will write s->core_registers[0x3A4 >> 2]. That is to say, the maxize of s->core_registers could be ((0x3A4 >> 2) + 1). However, the current size of s->core_registers is (0x3AF >> >> 2), that is ((0x3A4 >> 2) + 2), which is out of the range. In xlxn_dp_read, the access to offset 0x3A8 or 0x3AC will be directed to the offset 0x3A8 (incorrect functionality) or 0x3AC (out-of-bounds read) rather than 0x3A4. This patch enforces the read access to offset 0x3A8 and 0x3AC to 0x3A4, but does not adjust the size of s->core_registers to avoid breaking migration. Fixes: 58ac482a66de ("introduce xlnx-dp") Signed-off-by: Qiang Liu <cyruscyliu@gmail.com> Acked-by: Thomas Huth <thuth@redhat.com> Acked-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <1628059910-12060-1-git-send-email-cyruscyliu@gmail.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-08-26tests/qtest/ipmi-bt-test: Zero-initialize sockaddr structPeter Maydell
Zero-initialize the sockaddr_in struct that we're about to fill in and pass to bind(), to ensure we don't leave possible implementation-defined extension fields as uninitialized garbage. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Corey Minyard <cminyard@mvista.com> Acked-by: Thomas Huth <thuth@redhat.com> Message-id: 20210813150506.7768-4-peter.maydell@linaro.org
2021-08-11tests/qtest/vhost-user-blk-test: Check whether qemu-storage-daemon is availableThomas Huth
The vhost-user-blk-test currently hangs if QTEST_QEMU_STORAGE_DAEMON_BINARY points to a non-existing binary. Let's improve this situation by checking for the availability of the binary first, so we can fail gracefully if it is not accessible. Message-Id: <20210811095949.133462-1-thuth@redhat.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-08-11storage-daemon: Add missing build dependency to the vhost-user-blk-testThomas Huth
vhost-user-blk-test needs the qemu-storage-daemon, otherwise it currently hangs. So make sure that we build the daemon before running the tests. Message-Id: <20210811094705.131314-1-thuth@redhat.com> Tested-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-08-03hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30Philippe Mathieu-Daudé
OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers the assertion added in commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group"): qemu-fuzz-i386-target-generic-fuzz-sdhci-v3: ../hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed. #3 0x7f62a8b22c91 in __assert_fail #4 0x5569adcec405 in sd_wpbits hw/sd/sd.c:824:9 #5 0x5569adce5f6d in sd_normal_command hw/sd/sd.c:1389:38 #6 0x5569adce3870 in sd_do_command hw/sd/sd.c:1737:17 #7 0x5569adcf1566 in sdbus_do_command hw/sd/core.c:100:16 #8 0x5569adcfc192 in sdhci_send_command hw/sd/sdhci.c:337:12 #9 0x5569adcfa3a3 in sdhci_write hw/sd/sdhci.c:1186:9 #10 0x5569adfb3447 in memory_region_write_accessor softmmu/memory.c:492:5 It is legal for the CMD30 to query for out-of-range addresses. Such invalid addresses are simply ignored in the response (write protection bits set to 0). In commit 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group") we misplaced the assertion *before* we test the address is in range. Move it *after*. Include the qtest reproducer provided by Alexander Bulekov: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed. Cc: qemu-stable@nongnu.org Reported-by: OSS-Fuzz (Issue 29225) Suggested-by: Peter Maydell <peter.maydell@linaro.org> Fixes: 84816fb63e5 ("hw/sd/sdcard: Assert if accessing an illegal group") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/495 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210802235524.3417739-3-f4bug@amsat.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Tested-by: Alexander Bulekov <alxndr@bu.edu>
2021-07-29tests: Fix migration-test build failure for sparcPeter Xu
Even if <linux/kvm.h> seems to exist for all archs on linux, however including it with __linux__ defined seems to be not working yet as it'll try to include asm/kvm.h and that can be missing for archs that do not support kvm. To fix this (instead of any attempt to fix linux headers..), we can mark the header to be x86_64 only, because it's so far only service for adding the kvm dirty ring test. Fixes: 1f546b709d6 ("tests: migration-test: Add dirty ring test") Reported-by: Richard Henderson <rth@twiddle.net> Signed-off-by: Peter Xu <peterx@redhat.com> Message-Id: <20210728214128.206198-1-peterx@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-07-27Merge remote-tracking branch 'remotes/nvme/tags/nvme-next-pull-request' into ↵Peter Maydell
staging hw/nvme fixes * new PMR test (Gollu Appalanaidu) * pmr/sgl mapping fix (Padmakar Kalghatgi) * hotplug fixes (me) * mmio out-of-bound read fix (me) * big-endian host fixes (me) # gpg: Signature made Mon 26 Jul 2021 20:18:12 BST # gpg: using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9 # gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown] # gpg: aka "Klaus Jensen <k.jensen@samsung.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468 4272 63D5 6FC5 E55D A838 # Subkey fingerprint: 5228 33AA 75E2 DCE6 A247 66C0 4DE1 AF31 6D4F 0DE9 * remotes/nvme/tags/nvme-next-pull-request: tests/qtest/nvme-test: add mmio read test hw/nvme: fix mmio read hw/nvme: fix out-of-bounds reads hw/nvme: use symbolic names for registers hw/nvme: split pmrmsc register into upper and lower hw/nvme: fix controller hot unplugging tests/qtest/nvme-test: add persistent memory region test hw/nvme: error handling for too many mappings hw/nvme: unregister controller with subsystem at exit hw/nvme: mark nvme-subsys non-hotpluggable hw/nvme: remove NvmeCtrl parameter from ns setup/check functions Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-26tests/qtest/nvme-test: add mmio read testKlaus Jensen
Add a regression test for mmio read on big-endian hosts. Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Reviewed-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
2021-07-26tests/qtest/nvme-test: add persistent memory region testGollu Appalanaidu
This will test the PMR functionality. Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> [k.jensen: replaced memory-backend-file with memory-backend-ram] Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
2021-07-26tests/qtest/migration-test.c: use 127.0.0.1 instead of 0Dr. David Alan Gilbert
OpenBSD doesn't like :0 as an address, switch to using 127.0.0.1 in baddest; it's really testing the :0 port number that isn't allowed on anything. (The test doesn't currently run anyway because of the userfault problem that Peter noticed, but this gets us closer to being able to reenable it) Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-Id: <20210719185217.122105-1-dgilbert@redhat.com> Acked-by: Peter Xu <peterx@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2021-07-12hw/sd/sdcard: Check for valid address range in SEND_WRITE_PROT (CMD30)Philippe Mathieu-Daudé
OSS-Fuzz found sending illegal addresses when querying the write protection bits triggers an assertion: qemu-fuzz-i386: hw/sd/sd.c:824: uint32_t sd_wpbits(SDState *, uint64_t): Assertion `wpnum < sd->wpgrps_size' failed. ==11578== ERROR: libFuzzer: deadly signal #8 0x7ffff628e091 in __assert_fail #9 0x5555588f1a3c in sd_wpbits hw/sd/sd.c:824:9 #10 0x5555588dd271 in sd_normal_command hw/sd/sd.c:1383:38 #11 0x5555588d777c in sd_do_command hw/sd/sd.c #12 0x555558cb25a0 in sdbus_do_command hw/sd/core.c:100:16 #13 0x555558e02a9a in sdhci_send_command hw/sd/sdhci.c:337:12 #14 0x555558dffa46 in sdhci_write hw/sd/sdhci.c:1187:9 #15 0x5555598b9d76 in memory_region_write_accessor softmmu/memory.c:489:5 Similarly to commit 8573378e62d ("hw/sd: fix out-of-bounds check for multi block reads"), check the address range before sending the status of the write protection bits. Include the qtest reproducer provided by Alexander Bulekov: $ make check-qtest-i386 ... Running test qtest-i386/fuzz-sdcard-test qemu-system-i386: ../hw/sd/sd.c:824: sd_wpbits: Assertion `wpnum < sd->wpgrps_size' failed. Reported-by: OSS-Fuzz (Issue 29225) Resolves: https://gitlab.com/qemu-project/qemu/-/issues/450 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20210702155900.148665-4-f4bug@amsat.org>
2021-07-11Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-6.1-2' into stagingPeter Maydell
Some qemu updates for IPMI and I2C Move some ADC file to where they belong and move some sensors to a sensor directory, since with new BMCs coming in lots of different sensors should be coming in. Keep from cluttering things up. Add support for I2C PMBus devices. Replace the confusing and error-prone i2c_send_recv and i2c_transfer with specific send and receive functions. Several errors have already been made with these, avoid any new errors. Fix the watchdog_expired field in the IPMI watchdog, it's not a bool, it's a u8. After a vmstate transfer, the new value could be wrong. # gpg: Signature made Fri 09 Jul 2021 17:25:04 BST # gpg: using RSA key FD0D5CE67CE0F59A6688268661F38C90919BFF81 # gpg: Good signature from "Corey Minyard <cminyard@mvista.com>" [unknown] # gpg: aka "Corey Minyard <minyard@acm.org>" [unknown] # gpg: aka "Corey Minyard <corey@minyard.net>" [unknown] # gpg: aka "Corey Minyard <minyard@mvista.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: FD0D 5CE6 7CE0 F59A 6688 2686 61F3 8C90 919B FF81 * remotes/cminyard/tags/for-qemu-6.1-2: (24 commits) tests/qtest: add tests for MAX34451 device model hw/misc: add MAX34451 device tests/qtest: add tests for ADM1272 device model hw/misc: add ADM1272 device hw/i2c: add support for PMBus ipmi/sim: fix watchdog_expired data type error in IPMIBmcSim struct hw/i2c: Introduce i2c_start_recv() and i2c_start_send() hw/i2c: Extract i2c_do_start_transfer() from i2c_start_transfer() hw/i2c: Make i2c_start_transfer() direction argument a boolean hw/i2c: Rename i2c_set_slave_address() -> i2c_slave_set_address() hw/i2c: Remove confusing i2c_send_recv() hw/misc/auxbus: Replace i2c_send_recv() by i2c_recv() & i2c_send() hw/misc/auxbus: Replace 'is_write' boolean by its value hw/misc/auxbus: Explode READ_I2C / WRITE_I2C_MOT cases hw/misc/auxbus: Fix MOT/classic I2C mode hw/i2c/ppc4xx_i2c: Replace i2c_send_recv() by i2c_recv() & i2c_send() hw/i2c/ppc4xx_i2c: Add reference to datasheet hw/display/sm501: Replace i2c_send_recv() by i2c_recv() & i2c_send() hw/display/sm501: Simplify sm501_i2c_write() logic hw/input/lm832x: Define TYPE_LM8323 in public header ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-11Merge remote-tracking branch ↵Peter Maydell
'remotes/pmaydell/tags/pull-target-arm-20210709' into staging target-arm queue: * New machine type: stm32vldiscovery * hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write * hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers * virt: Fix implementation of GPIO-based powerdown/shutdown mechanism * Correct the encoding of MDCCSR_EL0 and DBGDSCRint * hw/intc: Improve formatting of MEMTX_ERROR guest error message # gpg: Signature made Fri 09 Jul 2021 17:09:10 BST # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * remotes/pmaydell/tags/pull-target-arm-20210709: hw/intc: Improve formatting of MEMTX_ERROR guest error message target/arm: Correct the encoding of MDCCSR_EL0 and DBGDSCRint hw/arm/stellaris: Expand comment about handling of OLED chipselect hw/gpio/pl061: Document a shortcoming in our implementation hw/gpio/pl061: Convert to 3-phase reset and assert GPIO lines correctly on reset hw/arm/virt: Make PL061 GPIO lines pulled low, not high hw/gpio/pl061: Make pullup/pulldown of outputs configurable hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers hw/gpio/pl061: Document the interface of this device hw/gpio/pl061: Add tracepoints for register read and write hw/gpio/pl061: Clean up read/write offset handling logic hw/gpio/pl061: Convert DPRINTF to tracepoints hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write tests/boot-serial-test: Add STM32VLDISCOVERY board testcase docs/system: arm: Add stm32 boards description stm32vldiscovery: Add the STM32VLDISCOVERY Machine stm32f100: Add the stm32f100 SoC Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-09tests/boot-serial-test: Add STM32VLDISCOVERY board testcaseAlexandre Iooss
New mini-kernel test for STM32VLDISCOVERY USART1. Signed-off-by: Alexandre Iooss <erdnaxe@crans.org> Acked-by: Thomas Huth <thuth@redhat.com> Acked-by: Alistair Francis <alistair.francis@wdc.com> Message-id: 20210617165647.2575955-5-erdnaxe@crans.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-09spapr: Implement Open Firmware client interfaceAlexey Kardashevskiy
The PAPR platform describes an OS environment that's presented by a combination of a hypervisor and firmware. The features it specifies require collaboration between the firmware and the hypervisor. Since the beginning, the runtime component of the firmware (RTAS) has been implemented as a 20 byte shim which simply forwards it to a hypercall implemented in qemu. The boot time firmware component is SLOF - but a build that's specific to qemu, and has always needed to be updated in sync with it. Even though we've managed to limit the amount of runtime communication we need between qemu and SLOF, there's some, and it has become increasingly awkward to handle as we've implemented new features. This implements a boot time OF client interface (CI) which is enabled by a new "x-vof" pseries machine option (stands for "Virtual Open Firmware). When enabled, QEMU implements the custom H_OF_CLIENT hcall which implements Open Firmware Client Interface (OF CI). This allows using a smaller stateless firmware which does not have to manage the device tree. The new "vof.bin" firmware image is included with source code under pc-bios/. It also includes RTAS blob. This implements a handful of CI methods just to get -kernel/-initrd working. In particular, this implements the device tree fetching and simple memory allocator - "claim" (an OF CI memory allocator) and updates "/memory@0/available" to report the client about available memory. This implements changing some device tree properties which we know how to deal with, the rest is ignored. To allow changes, this skips fdt_pack() when x-vof=on as not packing the blob leaves some room for appending. In absence of SLOF, this assigns phandles to device tree nodes to make device tree traversing work. When x-vof=on, this adds "/chosen" every time QEMU (re)builds a tree. This adds basic instances support which are managed by a hash map ihandle -> [phandle]. Before the guest started, the used memory is: 0..e60 - the initial firmware 8000..10000 - stack 400000.. - kernel 3ea0000.. - initramdisk This OF CI does not implement "interpret". Unlike SLOF, this does not format uninitialized nvram. Instead, this includes a disk image with pre-formatted nvram. With this basic support, this can only boot into kernel directly. However this is just enough for the petitboot kernel and initradmdisk to boot from any possible source. Note this requires reasonably recent guest kernel with: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df5be5be8735 The immediate benefit is much faster booting time which especially crucial with fully emulated early CPU bring up environments. Also this may come handy when/if GRUB-in-the-userspace sees light of the day. This separates VOF and sPAPR in a hope that VOF bits may be reused by other POWERPC boards which do not support pSeries. This assumes potential support for booting from QEMU backends such as blockdev or netdev without devices/drivers used. Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Message-Id: <20210625055155.2252896-1-aik@ozlabs.ru> Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu> [dwg: Adjusted some includes which broke compile in some more obscure compilation setups] Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-07-08tests/qtest: add tests for MAX34451 device modelTitus Rwantare
Signed-off-by: Titus Rwantare <titusr@google.com> Reviewed-by: Joel Stanley <joel@jms.id.au> Message-Id: <20210708172556.1868139-6-titusr@google.com> Signed-off-by: Corey Minyard <cminyard@mvista.com>
2021-07-08tests/qtest: add tests for ADM1272 device modelTitus Rwantare
Signed-off-by: Titus Rwantare <titusr@google.com> Reviewed-by: Joel Stanley <joel@jms.id.au> Message-Id: <20210708172556.1868139-4-titusr@google.com> Signed-off-by: Corey Minyard <cminyard@mvista.com>
2021-07-06Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into ↵Peter Maydell
staging * More Meson test conversions and configure cleanups * Generalize XSAVE area offset so that it matches AMD processors on KVM * Improvements for -display and deprecation of -no-quit * Enable SMP configuration as a compound machine property ("-M smp.cpus=...") * Haiku compilation fix * Add icon on Darwin # gpg: Signature made Tue 06 Jul 2021 08:35:23 BST # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini-gitlab/tags/for-upstream: (40 commits) config-host.mak: remove unused compiler-related lines Set icon for QEMU binary on Mac OS qemu-option: remove now-dead code machine: add smp compound property vl: switch -M parsing to keyval keyval: introduce keyval_parse_into keyval: introduce keyval_merge qom: export more functions for use with non-UserCreatable objects configure: convert compiler tests to meson, part 6 configure: convert compiler tests to meson, part 5 configure: convert compiler tests to meson, part 4 configure: convert compiler tests to meson, part 3 configure: convert compiler tests to meson, part 2 configure: convert compiler tests to meson, part 1 configure: convert HAVE_BROKEN_SIZE_MAX to meson configure, meson: move CONFIG_IVSHMEM to meson meson: store dependency('threads') in a variable meson: sort existing compiler tests configure, meson: convert libxml2 detection to meson configure, meson: convert liburing detection to meson ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-06machine: add smp compound propertyPaolo Bonzini
Make -smp syntactic sugar for a compound property "-machine smp.{cores,threads,cpu,...}". machine_smp_parse is replaced by the setter for the property. numa-test will now cover the new syntax, while other tests still use -smp. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-07-05Merge remote-tracking branch 'remotes/cschoenebeck/tags/pull-9p-20210705' ↵Peter Maydell
into staging 9pfs: misc patches * Add link to 9p developer docs. * Fix runtime check whether client supplied relative path is the export root. * Performance optimization of Twalk requests. * Code cleanup. # gpg: Signature made Mon 05 Jul 2021 12:13:34 BST # gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395 # gpg: issuer "qemu_oss@crudebyte.com" # gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4 # Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395 * remotes/cschoenebeck/tags/pull-9p-20210705: 9pfs: reduce latency of Twalk 9pfs: drop root_qid 9pfs: replace not_same_qid() by same_stat_id() 9pfs: drop fid_to_qid() 9pfs: capture root stat 9pfs: fix not_same_qid() 9pfs: simplify v9fs_walk() 9pfs: add link to 9p developer docs Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-059pfs: add link to 9p developer docsChristian Schoenebeck
To lower the entry level for new developers, add a link to the 9p developer docs (i.e. qemu wiki) to MAINTAINERS and to the beginning of 9p source files, that is to: https://wiki.qemu.org/Documentation/9p Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Acked-by: Greg Kurz <groug@kaod.org> Message-Id: <E1leeDf-0008GZ-9q@lizzy.crudebyte.com>