From fc1c8344e65807843ae8eaa25284e5277bdcd1eb Mon Sep 17 00:00:00 2001
From: Alexander Bulekov
Date: Wed, 20 Jan 2021 01:02:55 -0500
Subject: fuzz: ignore address_space_map is_write flag

We passed an is_write flag to the fuzz_dma_read_cb function to differentiate between the mapped DMA regions that need to be populated with fuzzed data, and those that don't. We simply passed through the address_space_map is_write parameter. The goal was to cut down on unnecessarily populating mapped DMA regions, when they are not read from.

Unfortunately, nothing precludes code from reading from regions mapped with is_write=true. For example, see: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04729.html

This patch removes the is_write parameter to fuzz_dma_read_cb. As a result, we will fill all mapped DMA regions with fuzzed data, ignoring the specified transfer direction.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Message-Id: <20210120060255.558535-1-alxndr@bu.edu>
---
 include/exec/memory.h | 8 +++-----
 include/exec/memory_ldst_cached.h.inc | 6 +++---
 2 files changed, 6 insertions(+), 8 deletions(-)

(limited to 'include')

diff --git a/include/exec/memory.h b/include/exec/memory.h
index c6ce74fb79..ecba90bfd8 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -45,13 +45,11 @@ DECLARE_OBJ_CHECKERS(IOMMUMemoryRegion, IOMMUMemoryRegionClass,
 #ifdef CONFIG_FUZZ
 void fuzz_dma_read_cb(size_t addr, size_t len,
-                      MemoryRegion *mr,
-                      bool is_write);
+                      MemoryRegion *mr);
 #else
 static inline void fuzz_dma_read_cb(size_t addr, size_t len,
-                                    MemoryRegion *mr,
-                                    bool is_write)
+                                    MemoryRegion *mr)
 {
     /* Do Nothing */
 }
@@ -2506,7 +2504,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr,
                           void *buf, hwaddr len)
 {
     assert(addr < cache->len && len <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr);
     if (likely(cache->ptr)) {
         memcpy(buf, cache->ptr + addr, len);
         return MEMTX_OK;
diff --git a/include/exec/memory_ldst_cached.h.inc b/include/exec/memory_ldst_cached.h.inc
index 01efad62de..7bc8790d34 100644
--- a/include/exec/memory_ldst_cached.h.inc
+++ b/include/exec/memory_ldst_cached.h.inc
@@ -28,7 +28,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(l)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 4 <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr);
     if (likely(cache->ptr)) {
         return LD_P(l)(cache->ptr + addr);
     } else {
@@ -40,7 +40,7 @@ static inline uint64_t ADDRESS_SPACE_LD_CACHED(q)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 8 <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr);
     if (likely(cache->ptr)) {
         return LD_P(q)(cache->ptr + addr);
     } else {
@@ -52,7 +52,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(uw)(MemoryRegionCache *cache,
     hwaddr addr, MemTxAttrs attrs, MemTxResult *result)
 {
     assert(addr < cache->len && 2 <= cache->len - addr);
-    fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr, false);
+    fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr);
     if (likely(cache->ptr)) {
         return LD_P(uw)(cache->ptr + addr);
     } else {
-- 
cgit v1.2.3-55-g7522

From e34e47eb28c0b8119be2e958450763701b38ac3a Mon Sep 17 00:00:00 2001
From: Maxim Levitsky
Date: Thu, 17 Dec 2020 17:00:40 +0200
Subject: event_notifier: handle initialization failure better

Add 'initialized' field and use it to avoid touching event notifiers which are either not initialized or if their initialization failed.

This is somewhat a hack, but it seems the less intrusive way to make virtio code deal with event notifiers that failed initialization.

Signed-off-by: Maxim Levitsky
Message-Id: <20201217150040.906961-4-mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini
---
 include/qemu/event_notifier.h | 1 +
 util/event_notifier-posix.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

(limited to 'include')

diff --git a/include/qemu/event_notifier.h b/include/qemu/event_notifier.h
index 3380b662f3..b79add035d 100644
--- a/include/qemu/event_notifier.h
+++ b/include/qemu/event_notifier.h
@@ -24,6 +24,7 @@ struct EventNotifier {
 #else
     int rfd;
     int wfd;
+    bool initialized;
 #endif
 };
diff --git a/util/event_notifier-posix.c b/util/event_notifier-posix.c
index 00d93204f9..5b2110e861 100644
--- a/util/event_notifier-posix.c
+++ b/util/event_notifier-posix.c
@@ -29,6 +29,7 @@ void event_notifier_init_fd(EventNotifier *e, int fd)
 {
     e->rfd = fd;
     e->wfd = fd;
+    e->initialized = true;
 }
 #endif
@@ -68,6 +69,7 @@ int event_notifier_init(EventNotifier *e, int active)
     if (active) {
         event_notifier_set(e);
     }
+    e->initialized = true;
     return 0;
 fail:
@@ -78,12 +80,18 @@ fail:
 void event_notifier_cleanup(EventNotifier *e)
 {
+    if (!e->initialized) {
+        return;
+    }
+
     if (e->rfd != e->wfd) {
         close(e->rfd);
     }
+    e->rfd = -1;
     close(e->wfd);
     e->wfd = -1;
+    e->initialized = false;
 }
 int event_notifier_get_fd(const EventNotifier *e)
@@ -96,6 +104,10 @@ int event_notifier_set(EventNotifier *e)
     static const uint64_t value = 1;
     ssize_t ret;
+    if (!e->initialized) {
+        return -1;
+    }
+
     do {
         ret = write(e->wfd, &value, sizeof(value));
     } while (ret < 0 && errno == EINTR);
@@ -113,6 +125,10 @@ int event_notifier_test_and_clear(EventNotifier *e)
     ssize_t len;
     char buffer[512];
+    if (!e->initialized) {
+        return 0;
+    }
+
     /* Drain the notify pipe. For eventfd, only 8 bytes will be read. */
     value = 0;
     do {
-- 
cgit v1.2.3-55-g7522
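Review bot: The prototype at the top of the hunk carries no comment, and after dropping `is_write` the signature no longer conveys what the hook promises: every mapped DMA region a cached read touches is populated with fuzzed data regardless of the direction it was mapped with, which only the commit message states. I would put above `#ifdef CONFIG_FUZZ` a comment along the lines of `/* Fuzzing hook, invoked before a DMA read of a mapped region so the fuzzer can fill it; the region's mapping direction is deliberately ignored, since nothing stops a device from reading a region mapped for writing. Compiled to a no-op without CONFIG_FUZZ. */`. A secondary type point: the parameters are `size_t addr, size_t len` while the callers in the later hunks pass `hwaddr` expressions (`cache->xlat + addr`), which narrow silently on a 32-bit host; presumably fuzzing is only built for 64-bit hosts, but declaring the parameters as `hwaddr` would make the interface match its callers.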
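Review bot: The new `bool initialized;` field is undocumented, and because util/event_notifier-posix.c uses it as a guard in event_notifier_cleanup(), event_notifier_set() and event_notifier_test_and_clear(), a reader of the header needs to know that those become no-ops until one of the init functions has set it. I would write it as `bool initialized; /* set by event_notifier_init*(), cleared by event_notifier_cleanup(); the fd-based operations are no-ops while false */`. The guard also relies on the field being zero in a notifier that was never initialized; a notifier embedded in a non-zeroed stack or heap object would read an indeterminate value, so the callers presumably all start from zeroed memory, which is worth stating in the same comment. struct EventNotifier begins outside the hunk, and the field lives only in the `#else` branch of the `#ifdef`, so the other configuration's layout (presumably the Windows one) does not get it.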
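Review bot: In the event_notifier_init() hunk, `e->initialized = true;` is placed after the `if (active) { event_notifier_set(e); }` block, but the event_notifier_set() hunk below now returns -1 whenever `initialized` is false, so for a notifier that starts out zeroed the `active` request is silently dropped (the return value of event_notifier_set() is not checked there). Move the assignment above the block: `e->initialized = true;` followed by the unchanged `if (active) { event_notifier_set(e); }`. The earlier part of event_notifier_init(), including the fd setup this flag vouches for and the `fail:` path, lies outside the hunk; the event_notifier_init_fd() hunk sets the flag last too, but it makes no call that consults it.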
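Review bot: The early `return 0;` for an uninitialized notifier uses a different value from the one event_notifier_set() returns in the same situation (-1, in the hunk at line 96 of util/event_notifier-posix.c); that is defensible, since a notifier that was never set up cannot have a pending event, but nothing in the code says so. A one-line comment above the check would stop the next reader from taking it for an inconsistency: `/* Never initialized: nothing can be pending, so report "not signalled" rather than an error. */`. The rest of event_notifier_test_and_clear(), including the drain loop, is outside the hunk.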