From 45222b9a9016488289a1938a528239c3b83eddb1 Mon Sep 17 00:00:00 2001 From: Alexander Bulekov Date: Thu, 18 Jun 2020 12:05:16 -0400 Subject: [PATCH 1/6] fuzz: fix broken qtest check at rcu_disable_atfork The qtest_enabled check introduced in d6919e4 always returns false, as it is called prior to configure_accelerators(). Instead of trying to skip rcu_disable_atfork in qemu_main, simply call rcu_enable_atfork in the fuzzer, after qemu_main returns. Reported-by: Thomas Huth Signed-off-by: Alexander Bulekov Message-Id: <20200618160516.2817-1-alxndr@bu.edu> Signed-off-by: Thomas Huth --- softmmu/vl.c | 12 +----------- tests/qtest/fuzz/fuzz.c | 3 +++ 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/softmmu/vl.c b/softmmu/vl.c index 3e15ee2435..9da2e23144 100644 --- a/softmmu/vl.c +++ b/softmmu/vl.c @@ -3832,17 +3832,7 @@ void qemu_init(int argc, char **argv, char **envp) machine_class); os_daemonize(); - - /* - * If QTest is enabled, keep the rcu_atfork enabled, since system processes - * may be forked testing purposes (e.g. fork-server based fuzzing) The fork - * should happen before a signle cpu instruction is executed, to prevent - * deadlocks. See commit 73c6e40, rcu: "completely disable pthread_atfork - * callbacks as soon as possible" - */ - if (!qtest_enabled()) { - rcu_disable_atfork(); - } + rcu_disable_atfork(); if (pid_file && !qemu_write_pidfile(pid_file, &err)) { error_reportf_err(err, "cannot create PID file: "); diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c index a44fe479db..a36d9038e0 100644 --- a/tests/qtest/fuzz/fuzz.c +++ b/tests/qtest/fuzz/fuzz.c @@ -211,5 +211,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp) qemu_init(result.we_wordc, result.we_wordv, NULL); + /* re-enable the rcu atfork, which was previously disabled in qemu_init */ + rcu_enable_atfork(); + return 0; } From dda2f556c3503758680b6a868fc49c4886a5039f Mon Sep 17 00:00:00 2001 From: Alexander Bulekov Date: Mon, 22 Jun 2020 12:50:40 -0400 Subject: [PATCH 2/6] fuzz: do not use POSIX shm for coverage bitmap We used shm_open with mmap to share libfuzzer's coverage bitmap with child (runner) processes. The same functionality can be achieved with MAP_SHARED | MAP_ANONYMOUS, since we do not care about naming or permissioning the shared memory object. Signed-off-by: Alexander Bulekov Message-Id: <20200622165040.15121-1-alxndr@bu.edu> Reviewed-by: Darren Kenny Reviewed-by: Stefan Hajnoczi Signed-off-by: Thomas Huth --- tests/qtest/fuzz/fork_fuzz.c | 40 ++++++++++++------------------------ 1 file changed, 13 insertions(+), 27 deletions(-) diff --git a/tests/qtest/fuzz/fork_fuzz.c b/tests/qtest/fuzz/fork_fuzz.c index 2bd0851903..6ffb2a7937 100644 --- a/tests/qtest/fuzz/fork_fuzz.c +++ b/tests/qtest/fuzz/fork_fuzz.c @@ -17,39 +17,25 @@ void counter_shm_init(void) { - char *shm_path = g_strdup_printf("/qemu-fuzz-cntrs.%d", getpid()); - int fd = shm_open(shm_path, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR); - g_free(shm_path); - - if (fd == -1) { - perror("Error: "); - exit(1); - } - if (ftruncate(fd, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START) == -1) { - perror("Error: "); - exit(1); - } - /* Copy what's in the counter region to the shm.. */ - void *rptr = mmap(NULL , - &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START, - PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); - memcpy(rptr, + /* Copy what's in the counter region to a temporary buffer.. */ + void *copy = malloc(&__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START); + memcpy(copy, &__FUZZ_COUNTERS_START, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START); - munmap(rptr, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START); - - /* And map the shm over the counter region */ - rptr = mmap(&__FUZZ_COUNTERS_START, - &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START, - PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0); - - close(fd); - - if (!rptr) { + /* Map a shared region over the counter region */ + if (mmap(&__FUZZ_COUNTERS_START, + &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START, + PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, + 0, 0) == MAP_FAILED) { perror("Error: "); exit(1); } + + /* Copy the original data back to the counter-region */ + memcpy(&__FUZZ_COUNTERS_START, copy, + &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START); + free(copy); } From 51b3ca97592964a0ece22f9df92592e0f80a78fe Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Wed, 17 Jun 2020 16:52:04 +0200 Subject: [PATCH 3/6] tests/qtest: Unify the test for the xenfv and xenpv machines MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We have the same check in three places. Let's unify it in a central place instead. Message-Id: <20200622104339.21000-1-thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Thomas Huth --- tests/qtest/device-introspect-test.c | 5 ----- tests/qtest/libqtest.c | 4 ++++ tests/qtest/qom-test.c | 5 ----- tests/qtest/test-hmp.c | 5 ----- 4 files changed, 4 insertions(+), 15 deletions(-) diff --git a/tests/qtest/device-introspect-test.c b/tests/qtest/device-introspect-test.c index f2c1576cae..9abb5ec889 100644 --- a/tests/qtest/device-introspect-test.c +++ b/tests/qtest/device-introspect-test.c @@ -287,11 +287,6 @@ static void add_machine_test_case(const char *mname) { char *path, *args; - /* Ignore blacklisted machines */ - if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) { - return; - } - path = g_strdup_printf("device/introspect/concrete/defaults/%s", mname); args = g_strdup_printf("-M %s", mname); qtest_add_data_func(path, args, test_device_intro_concrete); diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c index 49075b55a1..fd4680590d 100644 --- a/tests/qtest/libqtest.c +++ b/tests/qtest/libqtest.c @@ -1232,6 +1232,10 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine), qstr = qobject_to(QString, qobj); g_assert(qstr); mname = qstring_get_str(qstr); + /* Ignore machines that cannot be used for qtests */ + if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) { + continue; + } if (!skip_old_versioned || !qtest_is_old_versioned_machine(mname)) { cb(mname); } diff --git a/tests/qtest/qom-test.c b/tests/qtest/qom-test.c index e338a41194..1acf0d7369 100644 --- a/tests/qtest/qom-test.c +++ b/tests/qtest/qom-test.c @@ -81,11 +81,6 @@ static void add_machine_test_case(const char *mname) { char *path; - /* Ignore blacklisted machines that have known problems */ - if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) { - return; - } - path = g_strdup_printf("qom/%s", mname); qtest_add_data_func(path, g_strdup(mname), test_machine); g_free(path); diff --git a/tests/qtest/test-hmp.c b/tests/qtest/test-hmp.c index b8b1271b9e..d5e7ebd176 100644 --- a/tests/qtest/test-hmp.c +++ b/tests/qtest/test-hmp.c @@ -143,11 +143,6 @@ static void add_machine_test_case(const char *mname) { char *path; - /* Ignore blacklisted machines that have known problems */ - if (!memcmp("xenfv", mname, 5) || g_str_equal("xenpv", mname)) { - return; - } - path = g_strdup_printf("hmp/%s", mname); qtest_add_data_func(path, g_strdup(mname), test_machine); g_free(path); From 9df8b20d1632d108da316134d4d86a00b4028803 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Mon, 29 Jun 2020 14:13:24 +0200 Subject: [PATCH 4/6] configure / util: Auto-detect the availability of openpty() Recent versions of Solaris (v11.4) now feature an openpty() function, too, causing a build failure since we ship our own implementation of openpty() for Solaris in util/qemu-openpty.c so far. Since there are now both variants available in the wild, with and without this function (and illumos is said to not have this function yet), let's introduce a proper HAVE_OPENPTY define for this to fix the build failure. Message-Id: <20200702143955.678-1-thuth@redhat.com> Tested-by: Michele Denber Signed-off-by: Thomas Huth --- configure | 9 ++++++++- util/qemu-openpty.c | 5 ++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 8a65240d4a..f8dc64beab 100755 --- a/configure +++ b/configure @@ -5134,10 +5134,14 @@ extern int openpty(int *am, int *as, char *name, void *termp, void *winp); int main(void) { return openpty(0, 0, 0, 0, 0); } EOF -if ! compile_prog "" "" ; then +have_openpty="no" +if compile_prog "" "" ; then + have_openpty="yes" +else if compile_prog "" "-lutil" ; then libs_softmmu="-lutil $libs_softmmu" libs_tools="-lutil $libs_tools" + have_openpty="yes" fi fi @@ -7380,6 +7384,9 @@ fi if test "$have_broken_size_max" = "yes" ; then echo "HAVE_BROKEN_SIZE_MAX=y" >> $config_host_mak fi +if test "$have_openpty" = "yes" ; then + echo "HAVE_OPENPTY=y" >> $config_host_mak +fi # Work around a system header bug with some kernel/XFS header # versions where they both try to define 'struct fsxattr': diff --git a/util/qemu-openpty.c b/util/qemu-openpty.c index 2e8b43bdf5..4b8df96f38 100644 --- a/util/qemu-openpty.c +++ b/util/qemu-openpty.c @@ -52,7 +52,9 @@ #endif #ifdef __sun__ -/* Once Solaris has openpty(), this is going to be removed. */ + +#if !defined(HAVE_OPENPTY) +/* Once illumos has openpty(), this is going to be removed. */ static int openpty(int *amaster, int *aslave, char *name, struct termios *termp, struct winsize *winp) { @@ -93,6 +95,7 @@ err: close(mfd); return -1; } +#endif static void cfmakeraw (struct termios *termios_p) { From c7aab58ba0baaf82422b7f7b0d7ad63b0db8d166 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Thu, 11 Jun 2020 07:58:07 +0200 Subject: [PATCH 5/6] hw/m68k/mcf5206: Replace remaining hw_error()s by qemu_log_mask() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit hw_error() dumps the CPU state and exits QEMU. This is ok during initial code development (to see where the guest code is currently executing), but it is certainly not the desired behavior that we want to present to normal users, and it can also cause trouble when e.g. fuzzing devices. Thus let's replace these hw_error()s by qemu_log_mask()s instead. Message-Id: <20200611055807.15921-1-huth@tuxfamily.org> Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Thomas Huth --- hw/m68k/mcf5206.c | 39 ++++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/hw/m68k/mcf5206.c b/hw/m68k/mcf5206.c index a2fef04f8e..94a37a1a46 100644 --- a/hw/m68k/mcf5206.c +++ b/hw/m68k/mcf5206.c @@ -10,7 +10,6 @@ #include "qemu/error-report.h" #include "qemu/log.h" #include "cpu.h" -#include "hw/hw.h" #include "hw/irq.h" #include "hw/m68k/mcf.h" #include "qemu/timer.h" @@ -69,10 +68,16 @@ static void m5206_timer_recalibrate(m5206_timer_state *s) if (mode == 2) prescale *= 16; - if (mode == 3 || mode == 0) - hw_error("m5206_timer: mode %d not implemented\n", mode); - if ((s->tmr & TMR_FRR) == 0) - hw_error("m5206_timer: free running mode not implemented\n"); + if (mode == 3 || mode == 0) { + qemu_log_mask(LOG_UNIMP, "m5206_timer: mode %d not implemented\n", + mode); + goto exit; + } + if ((s->tmr & TMR_FRR) == 0) { + qemu_log_mask(LOG_UNIMP, + "m5206_timer: free running mode not implemented\n"); + goto exit; + } /* Assume 66MHz system clock. */ ptimer_set_freq(s->timer, 66000000 / prescale); @@ -391,7 +396,9 @@ static uint32_t m5206_mbar_readb(void *opaque, hwaddr offset) m5206_mbar_state *s = (m5206_mbar_state *)opaque; offset &= 0x3ff; if (offset >= 0x200) { - hw_error("Bad MBAR read offset 0x%x", (int)offset); + qemu_log_mask(LOG_GUEST_ERROR, "Bad MBAR read offset 0x%" HWADDR_PRIX, + offset); + return 0; } if (m5206_mbar_width[offset >> 2] > 1) { uint16_t val; @@ -410,7 +417,9 @@ static uint32_t m5206_mbar_readw(void *opaque, hwaddr offset) int width; offset &= 0x3ff; if (offset >= 0x200) { - hw_error("Bad MBAR read offset 0x%x", (int)offset); + qemu_log_mask(LOG_GUEST_ERROR, "Bad MBAR read offset 0x%" HWADDR_PRIX, + offset); + return 0; } width = m5206_mbar_width[offset >> 2]; if (width > 2) { @@ -434,7 +443,9 @@ static uint32_t m5206_mbar_readl(void *opaque, hwaddr offset) int width; offset &= 0x3ff; if (offset >= 0x200) { - hw_error("Bad MBAR read offset 0x%x", (int)offset); + qemu_log_mask(LOG_GUEST_ERROR, "Bad MBAR read offset 0x%" HWADDR_PRIX, + offset); + return 0; } width = m5206_mbar_width[offset >> 2]; if (width < 4) { @@ -458,7 +469,9 @@ static void m5206_mbar_writeb(void *opaque, hwaddr offset, int width; offset &= 0x3ff; if (offset >= 0x200) { - hw_error("Bad MBAR write offset 0x%x", (int)offset); + qemu_log_mask(LOG_GUEST_ERROR, "Bad MBAR write offset 0x%" HWADDR_PRIX, + offset); + return; } width = m5206_mbar_width[offset >> 2]; if (width > 1) { @@ -482,7 +495,9 @@ static void m5206_mbar_writew(void *opaque, hwaddr offset, int width; offset &= 0x3ff; if (offset >= 0x200) { - hw_error("Bad MBAR write offset 0x%x", (int)offset); + qemu_log_mask(LOG_GUEST_ERROR, "Bad MBAR write offset 0x%" HWADDR_PRIX, + offset); + return; } width = m5206_mbar_width[offset >> 2]; if (width > 2) { @@ -510,7 +525,9 @@ static void m5206_mbar_writel(void *opaque, hwaddr offset, int width; offset &= 0x3ff; if (offset >= 0x200) { - hw_error("Bad MBAR write offset 0x%x", (int)offset); + qemu_log_mask(LOG_GUEST_ERROR, "Bad MBAR write offset 0x%" HWADDR_PRIX, + offset); + return; } width = m5206_mbar_width[offset >> 2]; if (width < 4) { From 8c4329214f1d4484205e6f7c48e98ff26969eb56 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Thu, 2 Jul 2020 16:03:16 +0200 Subject: [PATCH 6/6] tests/acceptance: Add a test for the sun4u sparc64 machine MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can use the image from the advent calendar 2018 to test the sun4u machine. It's not using the "QEMU advent calendar" string, so we can not use the do_test_advcal_2018() from boot_linux_console.py, thus let's also put it into a separate file to also be able to add an entry to the MAINTAINERS file. Message-Id: <20200704173519.26087-1-thuth@redhat.com> Tested-by: Mark Cave-Ayland Tested-by: Philippe Mathieu-Daudé Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Thomas Huth --- MAINTAINERS | 1 + tests/acceptance/machine_sparc64_sun4u.py | 36 +++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 tests/acceptance/machine_sparc64_sun4u.py diff --git a/MAINTAINERS b/MAINTAINERS index c31c878c63..a8e2d46e9d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1319,6 +1319,7 @@ F: include/hw/pci-host/sabre.h F: hw/pci-bridge/simba.c F: include/hw/pci-bridge/simba.h F: pc-bios/openbios-sparc64 +F: tests/acceptance/machine_sparc64_sun4u.py Sun4v M: Artyom Tarasenko diff --git a/tests/acceptance/machine_sparc64_sun4u.py b/tests/acceptance/machine_sparc64_sun4u.py new file mode 100644 index 0000000000..458165500e --- /dev/null +++ b/tests/acceptance/machine_sparc64_sun4u.py @@ -0,0 +1,36 @@ +# Functional test that boots a Linux kernel and checks the console +# +# Copyright (c) 2020 Red Hat, Inc. +# +# Author: +# Thomas Huth +# +# This work is licensed under the terms of the GNU GPL, version 2 or +# later. See the COPYING file in the top-level directory. + +import os + +from avocado_qemu import wait_for_console_pattern +from avocado.utils import archive +from boot_linux_console import LinuxKernelTest + +class Sun4uMachine(LinuxKernelTest): + """Boots the Linux kernel and checks that the console is operational""" + + timeout = 90 + + def test_sparc64_sun4u(self): + """ + :avocado: tags=arch:sparc64 + :avocado: tags=machine:sun4u + """ + tar_url = ('https://www.qemu-advent-calendar.org' + '/2018/download/day23.tar.xz') + tar_hash = '142db83cd974ffadc4f75c8a5cad5bcc5722c240' + file_path = self.fetch_asset(tar_url, asset_hash=tar_hash) + archive.extract(file_path, self.workdir) + self.vm.set_console() + self.vm.add_args('-kernel', self.workdir + '/day23/vmlinux', + '-append', self.KERNEL_COMMON_COMMAND_LINE) + self.vm.launch() + wait_for_console_pattern(self, 'Starting logging: OK')