From nobody Tue Feb 10 11:12:48 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail(p=none dis=none)  header.from=amsat.org
ARC-Seal: i=1; a=rsa-sha256; t=1586596643; cv=none;
	d=zohomail.com; s=zohoarc;
	b=mXTAM90eVrZQFTjJ20GvOPcMudTrdiA/cMxML/2kMLq6VJH8984/32Gia2nE12ZJ1B5d8oLDs5aE5bYfetf6kpVsxt1/oY6cU5o+Ir0i+I7SgCFS31bIPedygDAgCXpGpg8QzmvLT9vqby4Cfj+FnPIYbIhaJ1JaPna28/Xl3Ww=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1586596643;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=VNJuqR9RvHlYF2029BwTSqDJA9AO9s7mV7e8lqyUNrg=;
	b=iigCK3eGhuIlfnz/HNhym1Be7XxuxNopLkNkZCtgV/i3xynKcDZcnhpmRRMtxJehLeE05d2ORuegTQ+LGqd5IkPA8ZcE0iuVPi2Mxz8CokQG5Xr1cCrQvewDGYzKvd7TkWI4Lu71K61O4y7JGxQOsaK4YcFO+Tn54Ryj23jT2AI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=fail header.from=<f4bug@amsat.org> (p=none dis=none)
 header.from=<f4bug@amsat.org>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1586596643858253.35466992497197;
 Sat, 11 Apr 2020 02:17:23 -0700 (PDT)
Received: from localhost ([::1]:50116 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1jNCGQ-0008Eo-89
	for importer@patchew.org; Sat, 11 Apr 2020 05:17:22 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:38350)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <philippe.mathieu.daude@gmail.com>)
 id 1jNCED-0005VN-4n
 for qemu-devel@nongnu.org; Sat, 11 Apr 2020 05:15:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <philippe.mathieu.daude@gmail.com>)
 id 1jNCEB-0005cX-RY
 for qemu-devel@nongnu.org; Sat, 11 Apr 2020 05:15:05 -0400
Received: from mail-wr1-x441.google.com ([2a00:1450:4864:20::441]:43200)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <philippe.mathieu.daude@gmail.com>)
 id 1jNCEB-0005c2-LQ; Sat, 11 Apr 2020 05:15:03 -0400
Received: by mail-wr1-x441.google.com with SMTP id i10so4704774wrv.10;
 Sat, 11 Apr 2020 02:15:03 -0700 (PDT)
Received: from localhost.localdomain (116.red-83-42-57.dynamicip.rima-tde.net.
 [83.42.57.116])
 by smtp.gmail.com with ESMTPSA id f83sm6073301wmf.42.2020.04.11.02.15.00
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sat, 11 Apr 2020 02:15:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=VNJuqR9RvHlYF2029BwTSqDJA9AO9s7mV7e8lqyUNrg=;
 b=G9hQChXI9BfNwiSIf36B507V4ZB8zQt1Ids3Vbgp/n+IerhmalO4v0/eakNVEbQfCs
 wluzVcUaj/YOlL/M2ckM+betC/Fdt0QYY4OMogyr78F2sW+T5pAEudnF99hvhmqBpuO8
 AnvPy1GAbF72gqoxSl4svAPdv3I04Jbm4Zobv4yogkk1HpRr5GBD4OIi5Wt9w+YAmmBc
 cmlxTsqLPLvgTV/tSjxVSbubAjBmYkU96DJQgdYwQG1wUkEIfgPDu8Xxcc56lYvH8NN8
 jiiVUIuKjOh7PvVxh4VvfBGcixvP3nvONmeLVQ6jDNOlqihC93KDSrU9q4W58Jb4Xksm
 QuOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
 :in-reply-to:references:mime-version:content-transfer-encoding;
 bh=VNJuqR9RvHlYF2029BwTSqDJA9AO9s7mV7e8lqyUNrg=;
 b=eyyBl8UKbk6b+rL+F/yT0nfBDLO4miCTH22QD4MDyCpt9Iod0cgDd+EYLo3VMb0na1
 Vj9vt3bPCjIqmSbF8P59p+0S6Tjl+jLoFcKJBF0hB1vBMp38jM4ect5HE5hLw4w5S0dc
 KJyaZxhM2t9e6fCDTZIlfx+zl033l5FnDnoKg4qj3qQ5uOwSEHLEkvNpzfDCLMOcv8zC
 0lENxdyO7/sbomgXjzVg4IOlJMv0jmU50oIC/TnKTf3t8L/RLqG+pOAfthXA9rh+Umye
 +XyjinpqL/+O/d+XCGXJRHAyR2PUT6/BxRKoWks8n1M35GCpohjFz5jq9GI8/n1eAF8V
 MJGQ==
X-Gm-Message-State: AGi0Puayf8YDdvMQ3GXhmSR5s7X7dhzV9JEw12Pnz84l7jDE0lN/PCDi
 XLQqOHF+BxN7IIqtP00h7dX8oZdjrvM=
X-Google-Smtp-Source: 
 APiQypJLn4aCqT41mBnZdRgvns5KYN96zGwimprMWbltkBOB+VC6xkNCEStlkYNY9XtwcQYhaFp7xQ==
X-Received: by 2002:adf:ef8d:: with SMTP id d13mr8819643wro.197.1586596502238;
 Sat, 11 Apr 2020 02:15:02 -0700 (PDT)
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org,
	BALATON Zoltan <balaton@eik.bme.hu>
Subject: [PATCH-for-5.0 2/2] qtest: Test the Drawing Engine of the SM501
 companion
Date: Sat, 11 Apr 2020 11:14:53 +0200
Message-Id: <20200411091453.30371-3-f4bug@amsat.org>
X-Mailer: git-send-email 2.21.1
In-Reply-To: <20200411091453.30371-1-f4bug@amsat.org>
References: <20200411091453.30371-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-Received-From: 2a00:1450:4864:20::441
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Laurent Vivier <lvivier@redhat.com>, Thomas Huth <thuth@redhat.com>,
 Magnus Damm <magnus.damm@gmail.com>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>,
 Zhang Zi Ming <1015138407@qq.com>, qemu-ppc@nongnu.org,
 Paolo Bonzini <pbonzini@redhat.com>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)

Run some PCI commands to call the COPY_AREA() macro in
sm501_2d_operation(), and verify that there is no more
overflow as reported in BZ#1786026 [*].

The SM501 is used by the R2D-PLUS and aCube Sam460ex
machines, but since it is a PCI card and we already have
an easy way to test PCI daughter cards on the sPAPR
machine, test it there.

[*] https://bugzilla.redhat.com/show_bug.cgi?id=3D1786026
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.org>
---
 tests/qtest/sm501-test.c     | 106 +++++++++++++++++++++++++++++++++++
 tests/qtest/Makefile.include |   2 +
 2 files changed, 108 insertions(+)
 create mode 100644 tests/qtest/sm501-test.c

diff --git a/tests/qtest/sm501-test.c b/tests/qtest/sm501-test.c
new file mode 100644
index 0000000000..79bf7c2c21
--- /dev/null
+++ b/tests/qtest/sm501-test.c
@@ -0,0 +1,106 @@
+/*
+ * QEMU test for the SM501 companion
+ *
+ * SPDX-FileCopyrightText: 2020 Philippe Mathieu-Daud=C3=A9 <f4bug@amsat.o=
rg>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qemu-common.h"
+#include "libqtest.h"
+#include "libqos/libqos-spapr.h"
+#include "hw/pci/pci_ids.h"
+
+typedef struct {
+    QOSState *qs;
+    QPCIDevice *dev;
+    QPCIBar bar;
+} PciSm501State;
+
+static void save_fn(QPCIDevice *dev, int devfn, void *data)
+{
+    *((QPCIDevice **)data) =3D dev;
+}
+
+static void sm501_init(PciSm501State *s)
+{
+    uint64_t barsize;
+
+    s->dev =3D NULL;
+    qpci_device_foreach(s->qs->pcibus, PCI_VENDOR_ID_SILICON_MOTION,
+                        PCI_DEVICE_ID_SM501, save_fn, &s->dev);
+    g_assert(s->dev !=3D NULL);
+
+    qpci_device_enable(s->dev);
+
+    /* BAR#0: VRAM, BAR#1: MMIO registers */
+    s->bar =3D qpci_iomap(s->dev, 1, &barsize);
+    g_assert_cmpuint(barsize, =3D=3D, 2 * MiB);
+}
+
+static void sm501_deinit(PciSm501State *s)
+{
+    g_free(s->dev);
+}
+
+static uint32_t sm501_read(PciSm501State *s, uint64_t off)
+{
+    uint32_t val;
+
+    s->dev->bus->memread(s->dev->bus, s->bar.addr + off, &val, sizeof(val)=
);
+
+    return val;
+}
+
+static void sm501_write(PciSm501State *s, uint64_t off, uint32_t val)
+{
+    s->dev->bus->memwrite(s->dev->bus, s->bar.addr + off, &val, sizeof(val=
));
+}
+
+static void sm501_check_device_id(PciSm501State *s)
+{
+    g_assert_cmphex(sm501_read(s, 0x60) >> 16, =3D=3D, 0x501); /* DEVICEID=
 reg */
+}
+
+/*
+ * Try to reproduce the heap overflow reported in
+ * https://bugzilla.redhat.com/show_bug.cgi?id=3D1786026
+ */
+static void test_sm501_2d_drawing_engine_op(void)
+{
+    PciSm501State s;
+
+    s.qs =3D qtest_spapr_boot("-machine pseries -device sm501");
+
+    sm501_init(&s);
+    sm501_check_device_id(&s);
+
+    /*
+     * Commands listed in BZ#1786026 to access
+     * COPY_AREA() in sm501_2d_operation().
+     */
+    sm501_write(&s, 0x100000,        0x0);  /* src: (x, y) =3D (0, 0) */
+    sm501_write(&s, 0x100004,        0x0);  /* dst: (x, y) =3D (0, 0) */
+    sm501_write(&s, 0x100008, 0x00100010);  /* dim: height =3D width =3D 1=
6 */
+    sm501_write(&s, 0x100010, 0x00100010);  /* pitch: height =3D width =3D=
 16 */
+    sm501_write(&s, 0x10000c, 0xcc000088);  /* ctrl: op =3D copy area, RTL=
 */
+
+    /* If the overflow occured, the next call will fail. */
+    sm501_check_device_id(&s);
+
+    sm501_deinit(&s);
+
+    qtest_shutdown(s.qs);
+}
+
+int main(int argc, char *argv[])
+{
+    g_test_init(&argc, &argv, NULL);
+
+    if (!strcmp(qtest_get_arch(), "ppc64")) {
+        qtest_add_func("spapr/sm501_2d_op", test_sm501_2d_drawing_engine_o=
p);
+    }
+
+    return g_test_run();
+}
diff --git a/tests/qtest/Makefile.include b/tests/qtest/Makefile.include
index 9e5a51d033..7ec894a7a9 100644
--- a/tests/qtest/Makefile.include
+++ b/tests/qtest/Makefile.include
@@ -109,6 +109,7 @@ check-qtest-ppc64-$(CONFIG_VGA) +=3D display-vga-test
 check-qtest-ppc64-y +=3D numa-test
 check-qtest-ppc64-$(CONFIG_IVSHMEM_DEVICE) +=3D ivshmem-test
 check-qtest-ppc64-y +=3D cpu-plug-test
+check-qtest-ppc64-$(CONFIG_SM501) +=3D sm501-test
=20
 check-qtest-sh4-$(CONFIG_ISA_TESTDEV) =3D endianness-test
=20
@@ -253,6 +254,7 @@ tests/qtest/pflash-cfi02$(EXESUF): tests/qtest/pflash-c=
fi02-test.o
 tests/qtest/endianness-test$(EXESUF): tests/qtest/endianness-test.o
 tests/qtest/prom-env-test$(EXESUF): tests/qtest/prom-env-test.o $(libqos-o=
bj-y)
 tests/qtest/rtas-test$(EXESUF): tests/qtest/rtas-test.o $(libqos-spapr-obj=
-y)
+tests/qtest/sm501-test$(EXESUF): tests/qtest/sm501-test.o $(libqos-spapr-o=
bj-y)
 tests/qtest/fdc-test$(EXESUF): tests/qtest/fdc-test.o
 tests/qtest/ide-test$(EXESUF): tests/qtest/ide-test.o $(libqos-pc-obj-y)
 tests/qtest/ahci-test$(EXESUF): tests/qtest/ahci-test.o $(libqos-pc-obj-y)=
 qemu-img$(EXESUF)
--=20
2.21.1