- 27 2月, 2020 1 次提交
-
-
由 Stefan Hajnoczi 提交于
The virtqueue code sets up MemoryRegionCaches to access the virtqueue guest RAM data structures. The code currently assumes that VRingMemoryRegionCaches is initialized before device emulation code accesses the virtqueue. An assertion will fail in vring_get_region_caches() when this is not true. Device fuzzing found a case where this assumption is false (see below). Virtqueue guest RAM addresses can also be changed from a vCPU thread while an IOThread is accessing the virtqueue. This breaks the same assumption but this time the caches could become invalid partway through the virtqueue code. The code fetches the caches RCU pointer multiple times so we will need to validate the pointer every time it is fetched. Add checks each time we call vring_get_region_caches() and treat invalid caches as a nop: memory stores are ignored and memory reads return 0. The fuzz test failure is as follows: $ qemu -M pc -device virtio-blk-pci,id=drv0,drive=drive0,addr=4.0 \ -drive if=none,id=drive0,file=null-co://,format=raw,auto-read-only=off \ -drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \ -display none \ -qtest stdio endianness outl 0xcf8 0x80002020 outl 0xcfc 0xe0000000 outl 0xcf8 0x80002004 outw 0xcfc 0x7 write 0xe0000000 0x24 0x00ffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab5cffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffabffffffab0000000001 inb 0x4 writew 0xe000001c 0x1 write 0xe0000014 0x1 0x0d The following error message is produced: qemu-system-x86_64: /home/stefanha/qemu/hw/virtio/virtio.c:286: vring_get_region_caches: Assertion `caches != NULL' failed. The backtrace looks like this: #0 0x00007ffff5520625 in raise () at /lib64/libc.so.6 #1 0x00007ffff55098d9 in abort () at /lib64/libc.so.6 #2 0x00007ffff55097a9 in _nl_load_domain.cold () at /lib64/libc.so.6 #3 0x00007ffff5518a66 in annobin_assert.c_end () at /lib64/libc.so.6 #4 0x00005555559073da in vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:286 #5 vring_get_region_caches (vq=<optimized out>) at qemu/hw/virtio/virtio.c:283 #6 0x000055555590818d in vring_used_flags_set_bit (mask=1, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398 #7 virtio_queue_split_set_notification (enable=0, vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:398 #8 virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:451 #9 0x0000555555908512 in virtio_queue_set_notification (vq=vq@entry=0x5555575ceea0, enable=enable@entry=0) at qemu/hw/virtio/virtio.c:444 #10 0x00005555558c697a in virtio_blk_handle_vq (s=0x5555575c57e0, vq=0x5555575ceea0) at qemu/hw/block/virtio-blk.c:775 #11 0x0000555555907836 in virtio_queue_notify_aio_vq (vq=0x5555575ceea0) at qemu/hw/virtio/virtio.c:2244 #12 0x0000555555cb5dd7 in aio_dispatch_handlers (ctx=ctx@entry=0x55555671a420) at util/aio-posix.c:429 #13 0x0000555555cb67a8 in aio_dispatch (ctx=0x55555671a420) at util/aio-posix.c:460 #14 0x0000555555cb307e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at util/async.c:260 #15 0x00007ffff7bbc510 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0 #16 0x0000555555cb5848 in glib_pollfds_poll () at util/main-loop.c:219 #17 os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:242 #18 main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:518 #19 0x00005555559b20c9 in main_loop () at vl.c:1683 #20 0x0000555555838115 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4441 Reported-by: NAlexander Bulekov <alxndr@bu.edu> Cc: Michael Tsirkin <mst@redhat.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Message-Id: <20200207104619.164892-1-stefanha@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
- 25 2月, 2020 14 次提交
-
-
由 Pan Nengyuan 提交于
use the new virtio_delete_queue function to cleanup. Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Message-Id: <20200224041336.30790-3-pannengyuan@huawei.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Pan Nengyuan 提交于
virtio queues forgot to delete in unrealize, and aslo error path in realize, this patch fix these memleaks, the leak stack is as follow: Direct leak of 114688 byte(s) in 16 object(s) allocated from: #0 0x7f24024fdbf0 in calloc (/lib64/libasan.so.3+0xcabf0) #1 0x7f2401642015 in g_malloc0 (/lib64/libglib-2.0.so.0+0x50015) #2 0x55ad175a6447 in virtio_add_queue /mnt/sdb/qemu/hw/virtio/virtio.c:2327 #3 0x55ad17570cf9 in vhost_user_blk_device_realize /mnt/sdb/qemu/hw/block/vhost-user-blk.c:419 #4 0x55ad175a3707 in virtio_device_realize /mnt/sdb/qemu/hw/virtio/virtio.c:3509 #5 0x55ad176ad0d1 in device_set_realized /mnt/sdb/qemu/hw/core/qdev.c:876 #6 0x55ad1781ff9d in property_set_bool /mnt/sdb/qemu/qom/object.c:2080 #7 0x55ad178245ae in object_property_set_qobject /mnt/sdb/qemu/qom/qom-qobject.c:26 #8 0x55ad17821eb4 in object_property_set_bool /mnt/sdb/qemu/qom/object.c:1338 #9 0x55ad177aeed7 in virtio_pci_realize /mnt/sdb/qemu/hw/virtio/virtio-pci.c:1801 Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-Id: <20200224041336.30790-2-pannengyuan@huawei.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Pan Nengyuan 提交于
Similar to other virtio-deivces, ctrl_vq forgot to delete in virtio_crypto_device_unrealize, this patch fix it. This device has aleardy maintained vq pointers. Thus, we use the new virtio_delete_queue function directly to do the cleanup. The leak stack: Direct leak of 10752 byte(s) in 3 object(s) allocated from: #0 0x7f4c024b1970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970) #1 0x7f4c018be49d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d) #2 0x55a2f8017279 in virtio_add_queue /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/virtio.c:2333 #3 0x55a2f8057035 in virtio_crypto_device_realize /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/virtio-crypto.c:814 #4 0x55a2f8005d80 in virtio_device_realize /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/virtio.c:3531 #5 0x55a2f8497d1b in device_set_realized /mnt/sdb/qemu-new/qemu_test/qemu/hw/core/qdev.c:891 #6 0x55a2f8b48595 in property_set_bool /mnt/sdb/qemu-new/qemu_test/qemu/qom/object.c:2238 #7 0x55a2f8b54fad in object_property_set_qobject /mnt/sdb/qemu-new/qemu_test/qemu/qom/qom-qobject.c:26 #8 0x55a2f8b4de2c in object_property_set_bool /mnt/sdb/qemu-new/qemu_test/qemu/qom/object.c:1390 #9 0x55a2f80609c9 in virtio_crypto_pci_realize /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/virtio-crypto-pci.c:58 Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Cc: "Gonglei (Arei)" <arei.gonglei@huawei.com> Message-Id: <20200225075554.10835-5-pannengyuan@huawei.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Pan Nengyuan 提交于
Similar to other virtio-devices, rq_vq forgot to delete in virtio_pmem_unrealize, this patch fix it. This device has already maintained a vq pointer, thus we use the new virtio_delete_queue function directly to do the cleanup. Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Message-Id: <20200225075554.10835-4-pannengyuan@huawei.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Pan Nengyuan 提交于
use the new virtio_delete_queue function to cleanup. Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20200225075554.10835-3-pannengyuan@huawei.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Pan Nengyuan 提交于
Similar to other virtio device(https://patchwork.kernel.org/patch/11399237/), virtio queues forgot to delete in unrealize, and aslo error path in realize, this patch fix these memleaks, the leak stack is as follow: Direct leak of 57344 byte(s) in 1 object(s) allocated from: #0 0x7f15784fb970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970) #1 0x7f157790849d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d) #2 0x55587a1bf859 in virtio_add_queue /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/virtio.c:2333 #3 0x55587a2071d5 in vuf_device_realize /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/vhost-user-fs.c:212 #4 0x55587a1ae360 in virtio_device_realize /mnt/sdb/qemu-new/qemu_test/qemu/hw/virtio/virtio.c:3531 #5 0x55587a63fb7b in device_set_realized /mnt/sdb/qemu-new/qemu_test/qemu/hw/core/qdev.c:891 #6 0x55587acf03f5 in property_set_bool /mnt/sdb/qemu-new/qemu_test/qemu/qom/object.c:2238 #7 0x55587acfce0d in object_property_set_qobject /mnt/sdb/qemu-new/qemu_test/qemu/qom/qom-qobject.c:26 #8 0x55587acf5c8c in object_property_set_bool /mnt/sdb/qemu-new/qemu_test/qemu/qom/object.c:1390 #9 0x55587a8e22a2 in pci_qdev_realize /mnt/sdb/qemu-new/qemu_test/qemu/hw/pci/pci.c:2095 #10 0x55587a63fb7b in device_set_realized /mnt/sdb/qemu-new/qemu_test/qemu/hw/core/qdev.c:891 #11 0x55587acf03f5 in property_set_bool /mnt/sdb/qemu-new/qemu_test/qemu/qom/object.c:2238 #12 0x55587acfce0d in object_property_set_qobject /mnt/sdb/qemu-new/qemu_test/qemu/qom/qom-qobject.c:26 #13 0x55587acf5c8c in object_property_set_bool /mnt/sdb/qemu-new/qemu_test/qemu/qom/object.c:1390 #14 0x55587a496d65 in qdev_device_add /mnt/sdb/qemu-new/qemu_test/qemu/qdev-monitor.c:679 Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20200225075554.10835-2-pannengyuan@huawei.com> Reviewed-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Michael S. Tsirkin 提交于
Remind users of rebuild-expected-aml.sh about the process to follow. Suppress the warning if allowed file list exists - that's a big hint user is already aware of the process. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Michael S. Tsirkin 提交于
Most people probably just want diff -u. So let's use that as the default. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Michael S. Tsirkin 提交于
Turns out it goes to stdout which is suppressed even with V=1. Force DIFF output to stderr to make it visible. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
-
由 Michael S. Tsirkin 提交于
For now just a pointer to the source file. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NLaurent Vivier <lvivier@redhat.com> Reviewed-by: NThomas Huth <thuth@redhat.com>
-
由 Peter Maydell 提交于
* create a new 'tools' manual, and move the documentation for qemu-img, qemu-nbd, virtfs-proxy-helper, qemu-trace-stap and virtiofsd to it # gpg: Signature made Tue 25 Feb 2020 11:00:16 GMT # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * remotes/pmaydell/tags/pull-docs-20200225: docs: Move tools documentation to tools manual docs: Move qemu-option-trace.rst.inc to docs/ docs: Create new 'tools' manual Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Peter Maydell 提交于
Move the following tools documentation files to the new tools manual: docs/interop/qemu-img.rst docs/interop/qemu-nbd.rst docs/interop/virtfs-proxy-helper.rst docs/interop/qemu-trace-stap.rst docs/interop/virtiofsd.rst Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Message-id: 20200217155415.30949-4-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
The qemu-option-trace.rst.inc file contains a rST documentation fragment which describes trace options common to qemu-nbd and qemu-img. We put this file into interop/, but we'd like to move the qemu-nbd and qemu-img files into the tools/ manual. We could move the .rst.inc file along with them, but we're eventually going to want to use it for the main QEMU binary options documentation too, and that will be in system/. So move qemu-option-trace.rst.inc to the top-level docs/ directory, where all these files can include it via .. include:: ../qemu-option-trace.rst.inc This does have the slight downside that we now need to explicitly tell Make which manuals use this file rather than relying on a wildcard for all .rst.inc in the manual. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Message-id: 20200217155415.30949-3-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
Some of the documentation for QEMU "tools" which are standalone binaries like qemu-img is an awkward fit in our current 5-manual split. We've put it into "interop", but they're not really about interoperability. Create a new top level manual "tools" which will be a better home for this documentation. This commit creates an empty initial manual; we will move the relevant documentation files in a subsequent commit. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Message-id: 20200217155415.30949-2-peter.maydell@linaro.org
-
- 24 2月, 2020 1 次提交
-
-
由 Peter Maydell 提交于
Pull request This pull request contains a virtio-blk/scsi performance optimization, event loop scalability improvements, and a qtest-based device fuzzing framework. I am including the fuzzing patches because I have reviewed them and Thomas Huth is currently away on leave. # gpg: Signature made Sat 22 Feb 2020 08:50:05 GMT # gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full] # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full] # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/block-pull-request: (31 commits) fuzz: add documentation to docs/devel/ fuzz: add virtio-scsi fuzz target fuzz: add virtio-net fuzz target fuzz: add i440fx fuzz targets fuzz: add configure flag --enable-fuzzing fuzz: add target/fuzz makefile rules fuzz: add support for qos-assisted fuzz targets fuzz: support for fork-based fuzzing. main: keep rcu_atfork callback enabled for qtest exec: keep ram block across fork when using qtest fuzz: add fuzzer skeleton libqos: move useful qos-test funcs to qos_external libqos: split qos-test and libqos makefile vars libqos: rename i2c_send and i2c_recv qtest: add in-process incoming command handler libqtest: make bufwrite rely on the TransportOps libqtest: add a layer of abstraction to send/recv qtest: add qtest_server_send abstraction fuzz: add FUZZ_TARGET module type module: check module wasn't already initialized ... Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 22 2月, 2020 24 次提交
-
-
由 Alexander Bulekov 提交于
Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-23-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi queues. After an element is placed on a queue, the fuzzer can select whether to perform a kick, or continue adding elements. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-22-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The virtio-net fuzz target feeds inputs to all three virtio-net virtqueues, and uses forking to avoid leaking state between fuzz runs. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-21-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
These three targets should simply fuzz reads/writes to a couple ioports, but they mostly serve as examples of different ways to write targets. They demonstrate using qtest and qos for fuzzing, as well as using rebooting and forking to reset state, or not resetting it at all. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-20-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-19-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 20200220041118.23264-18-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-17-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The qtest-based fuzzer makes use of forking to reset-state between tests. Keep the callback enabled, so the call_rcu thread gets created within the child process. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Acked-by: NStefan Hajnoczi <stefanha@redhat.com> Message-id: 20200220041118.23264-15-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Ram blocks were marked MADV_DONTFORK breaking fuzzing-tests which execute each test-input in a forked process. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-14-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
tests/fuzz/fuzz.c serves as the entry point for the virtual-device fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and LLVMFuzzerTestOneInput functions, both of which are defined in this file. This change adds a "FuzzTarget" struct, along with the fuzz_add_target function, which should be used to define new fuzz targets. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-13-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The moved functions are not specific to qos-test and might be useful elsewhere. For example the virtual-device fuzzer makes use of them for qos-assisted fuzz-targets. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-12-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Most qos-related objects were specified in the qos-test-obj-y variable. qos-test-obj-y also included qos-test.o which defines a main(). This made it difficult to repurpose qos-test-obj-y to link anything beside tests/qos-test against libqos. This change separates objects that are libqos-specific and ones that are qos-test specific into different variables. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200220041118.23264-11-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The names i2c_send and i2c_recv collide with functions defined in hw/i2c/core.c. This causes an error when linking against libqos and softmmu simultaneously (for example when using qtest inproc). Rename the libqos functions to avoid this. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Acked-by: NThomas Huth <thuth@redhat.com> Message-id: 20200220041118.23264-10-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The handler allows a qtest client to send commands to the server by directly calling a function, rather than using a file/CharBackend Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-9-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
When using qtest "in-process" communication, qtest_sendf directly calls a function in the server (qtest.c). Previously, bufwrite used socket_send, which bypasses the TransportOps enabling the call into qtest.c. This change replaces the socket_send calls with ops->send, maintaining the benefits of the direct socket_send call, while adding support for in-process qtest calls. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-8-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
This makes it simple to swap the transport functions for qtest commands to and from the qtest client. For example, now it is possible to directly pass qtest commands to a server handler that exists within the same process, without the standard way of writing to a file descriptor. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-7-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
qtest_server_send is a function pointer specifying the handler used to transmit data to the qtest client. In the standard configuration, this calls the CharBackend handler, but now it is possible for other types of handlers, e.g direct-function calls if the qtest client and server exist within the same process (inproc) Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Acked-by: NThomas Huth <thuth@redhat.com> Message-id: 20200220041118.23264-6-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-5-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
The virtual-device fuzzer must initialize QOM, prior to running vl:qemu_init, so that it can use the qos_graph to identify the arguments required to initialize a guest for libqos-assisted fuzzing. This change prevents errors when vl:qemu_init tries to (re)initialize the previously initialized QOM module. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200220041118.23264-4-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
A program might rely on functions implemented in vl.c, but implement its own main(). By placing main into a separate source file, there are no complaints about duplicate main()s when linking against vl.o. For example, the virtual-device fuzzer uses a main() provided by libfuzzer, and needs to perform some initialization before running the softmmu initialization. Now, main simply calls three vl.c functions which handle the guest initialization, main loop and cleanup. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-3-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Alexander Bulekov 提交于
Move vl.c to a separate directory, similar to linux-user/ Update the chechpatch and get_maintainer scripts, since they relied on /vl.c for top_of_tree checks. Signed-off-by: NAlexander Bulekov <alxndr@bu.edu> Reviewed-by: NDarren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-2-alxndr@bu.edu Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Stefan Hajnoczi 提交于
File descriptor monitoring is O(1) with epoll(7), but aio_dispatch_handlers() still scans all AioHandlers instead of dispatching just those that are ready. This makes aio_poll() O(n) with respect to the total number of registered handlers. Add a local ready_list to aio_poll() so that each nested aio_poll() builds a list of handlers ready to be dispatched. Since file descriptor polling is level-triggered, nested aio_poll() calls also see fds that were ready in the parent but not yet dispatched. This guarantees that nested aio_poll() invocations will dispatch all fds, even those that became ready before the nested invocation. Since only handlers ready to be dispatched are placed onto the ready_list, the new aio_dispatch_ready_handlers() function provides O(1) dispatch. Note that AioContext polling is still O(n) and currently cannot be fully disabled. This still needs to be fixed before aio_poll() is fully O(1). Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NSergio Lopez <slp@redhat.com> Message-id: 20200214171712.541358-6-stefanha@redhat.com [Fix compilation error on macOS where there is no epoll(87). The aio_epoll() prototype was out of date and aio_add_ready_list() needed to be moved outside the ifdef. --Stefan] Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-
由 Stefan Hajnoczi 提交于
It is not necessary to scan all AioHandlers for deletion. Keep a list of deleted handlers instead of scanning the full list of all handlers. The AioHandler->deleted field can be dropped. Let's check if the handler has been inserted into the deleted list instead. Add a new QLIST_IS_INSERTED() API for this check. Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com> Reviewed-by: NSergio Lopez <slp@redhat.com> Message-id: 20200214171712.541358-5-stefanha@redhat.com Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
-