tests/qtest: Rework libqos PCI BAR handling to support fuzzing

[PATCH v2 2/5] libqos: pci: Require size for legacy I/O port mapping

Posted by Navid Emamdoost 2 days, 10 hours ago

The accessor functions for QPCIBar (qpci_io_readb, etc.) perform
strict bounds checking to ensure memory safety. However, the
qpci_legacy_iomap function created QPCIBar tokens for legacy I/O
ports without an associated size, making this safety check impossible.

To fix this, modify the signature of qpci_legacy_iomap to require the
caller to explicitly provide the size of the legacy I/O region.

Update all existing callers of this function, including the IDE
(ide-test.c) and TCO watchdog (tco-test.c) test suites, to provide
the correct, known sizes for the hardware they are testing. This not
only fixes the test failures but also makes the tests more robust and
explicit about the I/O regions they interact with.

Signed-off-by: Navid Emamdoost <navidem@google.com>
---
 tests/qtest/ide-test.c   | 2 +-
 tests/qtest/libqos/pci.c | 4 ++--
 tests/qtest/libqos/pci.h | 2 +-
 tests/qtest/tco-test.c   | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/qtest/ide-test.c b/tests/qtest/ide-test.c
index ceee444a9e..524458e9f6 100644
--- a/tests/qtest/ide-test.c
+++ b/tests/qtest/ide-test.c
@@ -173,7 +173,7 @@ static QPCIDevice *get_pci_device(QTestState *qts, QPCIBar *bmdma_bar,
     /* Map bmdma BAR */
     *bmdma_bar = qpci_iomap(dev, 4, NULL);
 
-    *ide_bar = qpci_legacy_iomap(dev, IDE_BASE);
+    *ide_bar = qpci_legacy_iomap(dev, IDE_BASE, 8);
 
     qpci_device_enable(dev);
 
diff --git a/tests/qtest/libqos/pci.c b/tests/qtest/libqos/pci.c
index 70caf382cc..f07fc9140e 100644
--- a/tests/qtest/libqos/pci.c
+++ b/tests/qtest/libqos/pci.c
@@ -603,9 +603,9 @@ void qpci_iounmap(QPCIDevice *dev, QPCIBar bar)
     /* FIXME */
 }
 
-QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr)
+QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr, uint64_t size)
 {
-    QPCIBar bar = { .addr = addr, .is_io = true };
+    QPCIBar bar = { .addr = addr, .size = size, .is_io = true };
     return bar;
 }
 
diff --git a/tests/qtest/libqos/pci.h b/tests/qtest/libqos/pci.h
index e790e5293d..6e8e0fbff6 100644
--- a/tests/qtest/libqos/pci.h
+++ b/tests/qtest/libqos/pci.h
@@ -123,7 +123,7 @@ void qpci_memwrite(QPCIDevice *bus, QPCIBar token, uint64_t off,
                    const void *buf, size_t len);
 QPCIBar qpci_iomap(QPCIDevice *dev, int barno, uint64_t *sizeptr);
 void qpci_iounmap(QPCIDevice *dev, QPCIBar addr);
-QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr);
+QPCIBar qpci_legacy_iomap(QPCIDevice *dev, uint16_t addr, uint64_t size);
 
 void qpci_unplug_acpi_device_test(QTestState *qs, const char *id, uint8_t slot);
 
diff --git a/tests/qtest/tco-test.c b/tests/qtest/tco-test.c
index 20ccefabcb..3af7c14e73 100644
--- a/tests/qtest/tco-test.c
+++ b/tests/qtest/tco-test.c
@@ -77,7 +77,7 @@ static void test_init(TestData *d)
     /* set Root Complex BAR */
     qpci_config_writel(d->dev, ICH9_LPC_RCBA, RCBA_BASE_ADDR | 0x1);
 
-    d->tco_io_bar = qpci_legacy_iomap(d->dev, PM_IO_BASE_ADDR + 0x60);
+    d->tco_io_bar = qpci_legacy_iomap(d->dev, PM_IO_BASE_ADDR + 0x60, 32);
     d->qts = qs;
 }
 
-- 
2.52.0.158.g65b55ccf14-goog

Re: [PATCH v2 2/5] libqos: pci: Require size for legacy I/O port mapping

Posted by Peter Maydell 1 day, 20 hours ago

On Thu, 27 Nov 2025 at 00:12, Navid Emamdoost <navidem@google.com> wrote:
>
> The accessor functions for QPCIBar (qpci_io_readb, etc.) perform
> strict bounds checking to ensure memory safety. However, the
> qpci_legacy_iomap function created QPCIBar tokens for legacy I/O
> ports without an associated size, making this safety check impossible.
>
> To fix this, modify the signature of qpci_legacy_iomap to require the
> caller to explicitly provide the size of the legacy I/O region.
>
> Update all existing callers of this function, including the IDE
> (ide-test.c) and TCO watchdog (tco-test.c) test suites, to provide
> the correct, known sizes for the hardware they are testing. This not
> only fixes the test failures but also makes the tests more robust and
> explicit about the I/O regions they interact with.
>
> Signed-off-by: Navid Emamdoost <navidem@google.com>
> ---
>  tests/qtest/ide-test.c   | 2 +-
>  tests/qtest/libqos/pci.c | 4 ++--
>  tests/qtest/libqos/pci.h | 2 +-
>  tests/qtest/tco-test.c   | 2 +-
>  4 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/tests/qtest/ide-test.c b/tests/qtest/ide-test.c
> index ceee444a9e..524458e9f6 100644
> --- a/tests/qtest/ide-test.c
> +++ b/tests/qtest/ide-test.c
> @@ -173,7 +173,7 @@ static QPCIDevice *get_pci_device(QTestState *qts, QPCIBar *bmdma_bar,
>      /* Map bmdma BAR */
>      *bmdma_bar = qpci_iomap(dev, 4, NULL);
>
> -    *ide_bar = qpci_legacy_iomap(dev, IDE_BASE);
> +    *ide_bar = qpci_legacy_iomap(dev, IDE_BASE, 8);

I think we could add a
#define IDE_SIZE 8
after the existing #define of IDE_BASE, and then use that rather
than a plain constant 8 here.

>
>      qpci_device_enable(dev);
> diff --git a/tests/qtest/tco-test.c b/tests/qtest/tco-test.c
> index 20ccefabcb..3af7c14e73 100644
> --- a/tests/qtest/tco-test.c
> +++ b/tests/qtest/tco-test.c
> @@ -77,7 +77,7 @@ static void test_init(TestData *d)
>      /* set Root Complex BAR */
>      qpci_config_writel(d->dev, ICH9_LPC_RCBA, RCBA_BASE_ADDR | 0x1);
>
> -    d->tco_io_bar = qpci_legacy_iomap(d->dev, PM_IO_BASE_ADDR + 0x60);
> +    d->tco_io_bar = qpci_legacy_iomap(d->dev, PM_IO_BASE_ADDR + 0x60, 32);

we already include ich9.h which defines a named constant
for the IO size, so we can use ICH9_PMIO_TCO_LEN here.

thanks
-- PMM

[PATCH v2 1/5] libqos: pci: Handle zero-sized BARs gracefully
[PATCH v2 2/5] libqos: pci: Require size for legacy I/O port mapping
[PATCH v2 3/5] tests/qtest: ahci-test: Check only implemented ports in verify_state
[PATCH v2 4/5] tests/qtest: Rework nvmetest_oob_cmb_test for BAR check
[PATCH v2 5/5] tests/qtest/fuzz: Add generic fuzzer for pcie-pci-bridge