hw/net/e1000e.c | 8 ++++---- hw/usb/hcd-xhci.c | 25 ++++++++++++++--------- include/exec/memory.h | 9 +++++++++ include/hw/qdev-core.h | 1 + softmmu/memory.c | 46 +++++++++++++++++++++++++++++++++++++++--- 5 files changed, 72 insertions(+), 17 deletions(-)
Currently the qemu device fuzzer find some DMA to MMIO issue. If the device handling MMIO currently trigger a DMA which the address is MMIO, this will reenter the device MMIO handler. As some of the device doesn't consider this it will sometimes crash the qemu. This patch tries to solve this by adding a per-device flag 'in_mmio'. When the memory core dispatch MMIO it will check/set this flag and when it leaves it will clean this flag. Li Qiang (4): memory: add memory_region_init_io_with_dev interface memory: avoid reenter the device's MMIO handler while processing MMIO e1000e: use the new memory_region_init_io_with_dev interface hcd-xhci: use the new memory_region_init_io_with_dev interface hw/net/e1000e.c | 8 ++++---- hw/usb/hcd-xhci.c | 25 ++++++++++++++--------- include/exec/memory.h | 9 +++++++++ include/hw/qdev-core.h | 1 + softmmu/memory.c | 46 +++++++++++++++++++++++++++++++++++++++--- 5 files changed, 72 insertions(+), 17 deletions(-) -- 2.17.1
On 2020/9/9 上午12:41, Li Qiang wrote: > Currently the qemu device fuzzer find some DMA to MMIO issue. If the > device handling MMIO currently trigger a DMA which the address is MMIO, > this will reenter the device MMIO handler. As some of the device doesn't > consider this it will sometimes crash the qemu. > > This patch tries to solve this by adding a per-device flag 'in_mmio'. > When the memory core dispatch MMIO it will check/set this flag and when > it leaves it will clean this flag. What's the plan for fixing the irq issues pointed out by Peter? Thanks > > > Li Qiang (4): > memory: add memory_region_init_io_with_dev interface > memory: avoid reenter the device's MMIO handler while processing MMIO > e1000e: use the new memory_region_init_io_with_dev interface > hcd-xhci: use the new memory_region_init_io_with_dev interface > > hw/net/e1000e.c | 8 ++++---- > hw/usb/hcd-xhci.c | 25 ++++++++++++++--------- > include/exec/memory.h | 9 +++++++++ > include/hw/qdev-core.h | 1 + > softmmu/memory.c | 46 +++++++++++++++++++++++++++++++++++++++--- > 5 files changed, 72 insertions(+), 17 deletions(-) >
Jason Wang <jasowang@redhat.com> 于2020年9月9日周三 上午10:17写道: > > > On 2020/9/9 上午12:41, Li Qiang wrote: > > Currently the qemu device fuzzer find some DMA to MMIO issue. If the > > device handling MMIO currently trigger a DMA which the address is MMIO, > > this will reenter the device MMIO handler. As some of the device doesn't > > consider this it will sometimes crash the qemu. > > > > This patch tries to solve this by adding a per-device flag 'in_mmio'. > > When the memory core dispatch MMIO it will check/set this flag and when > > it leaves it will clean this flag. > > > What's the plan for fixing the irq issues pointed out by Peter? > Just have a basic idea. Just like this we can add a per-device flag, 'in_mmio' or 'in_emulation' or some other names. The device need solve the irq handler/mmio and anything other reenter issue by themself or they can just check/set/clean this flag. This way we may can define a principle which Peter mentioned that the device emulation should obey. Thanks, Li Qiang > Thanks > > > > > > > > Li Qiang (4): > > memory: add memory_region_init_io_with_dev interface > > memory: avoid reenter the device's MMIO handler while processing MMIO > > e1000e: use the new memory_region_init_io_with_dev interface > > hcd-xhci: use the new memory_region_init_io_with_dev interface > > > > hw/net/e1000e.c | 8 ++++---- > > hw/usb/hcd-xhci.c | 25 ++++++++++++++--------- > > include/exec/memory.h | 9 +++++++++ > > include/hw/qdev-core.h | 1 + > > softmmu/memory.c | 46 +++++++++++++++++++++++++++++++++++++++--- > > 5 files changed, 72 insertions(+), 17 deletions(-) > > >
On 08/09/20 18:41, Li Qiang wrote: > Currently the qemu device fuzzer find some DMA to MMIO issue. If the > device handling MMIO currently trigger a DMA which the address is MMIO, > this will reenter the device MMIO handler. As some of the device doesn't > consider this it will sometimes crash the qemu. > > This patch tries to solve this by adding a per-device flag 'in_mmio'. > When the memory core dispatch MMIO it will check/set this flag and when > it leaves it will clean this flag. > > > Li Qiang (4): > memory: add memory_region_init_io_with_dev interface > memory: avoid reenter the device's MMIO handler while processing MMIO > e1000e: use the new memory_region_init_io_with_dev interface > hcd-xhci: use the new memory_region_init_io_with_dev interface > > hw/net/e1000e.c | 8 ++++---- > hw/usb/hcd-xhci.c | 25 ++++++++++++++--------- > include/exec/memory.h | 9 +++++++++ > include/hw/qdev-core.h | 1 + > softmmu/memory.c | 46 +++++++++++++++++++++++++++++++++++++++--- > 5 files changed, 72 insertions(+), 17 deletions(-) > I don't think this is a good solution. These are device bugs and they need to be fixed. Paolo
On Sun, 20 Sep 2020 at 08:56, Paolo Bonzini <pbonzini@redhat.com> wrote: > > On 08/09/20 18:41, Li Qiang wrote: > > Currently the qemu device fuzzer find some DMA to MMIO issue. If the > > device handling MMIO currently trigger a DMA which the address is MMIO, > > this will reenter the device MMIO handler. As some of the device doesn't > > consider this it will sometimes crash the qemu. > I don't think this is a good solution. These are device bugs and they > need to be fixed. Do you have an opinion on what the right approach to fixing them is? It seems like a hard problem to me; my brain has been too full of cotton wool recently and I haven't felt up to sitting down and trying to think through whether there's a clean way to handle the reentrancy-into-device-code problem in the general case... thanks -- PMM
Paolo Bonzini <pbonzini@redhat.com> 于2020年9月20日周日 下午3:56写道: > > On 08/09/20 18:41, Li Qiang wrote: > > Currently the qemu device fuzzer find some DMA to MMIO issue. If the > > device handling MMIO currently trigger a DMA which the address is MMIO, > > this will reenter the device MMIO handler. As some of the device doesn't > > consider this it will sometimes crash the qemu. > > > > This patch tries to solve this by adding a per-device flag 'in_mmio'. > > When the memory core dispatch MMIO it will check/set this flag and when > > it leaves it will clean this flag. > > > > > > Li Qiang (4): > > memory: add memory_region_init_io_with_dev interface > > memory: avoid reenter the device's MMIO handler while processing MMIO > > e1000e: use the new memory_region_init_io_with_dev interface > > hcd-xhci: use the new memory_region_init_io_with_dev interface > > > > hw/net/e1000e.c | 8 ++++---- > > hw/usb/hcd-xhci.c | 25 ++++++++++++++--------- > > include/exec/memory.h | 9 +++++++++ > > include/hw/qdev-core.h | 1 + > > softmmu/memory.c | 46 +++++++++++++++++++++++++++++++++++++++--- > > 5 files changed, 72 insertions(+), 17 deletions(-) > > > > I don't think this is a good solution. These are device bugs and they > need to be fixed. I agree with this the device should finally handle their cases. But we can do something in a pattern if the device hasn't do that. I have posted a patchset: -->https://lists.gnu.org/archive/html/qemu-devel/2020-09/msg00906.html This is add flags in the Device State. And check/record the flag when doing reentrancy code. Once the device has fixed the reentrancy issue, they can remove this flag. Thanks, Li QIang > > Paolo >
© 2016 - 2024 Red Hat, Inc.