From: "Michael S. Tsirkin"
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Gao Shiyuan, Zuo Boqun, Wang Liang, Daniel P. Berrangé, Marcel Apfelbaum, Alexander Bulekov, Paolo Bonzini, Bandan Das, Stefan Hajnoczi, Fabiano Rosas, Darren Kenny, Qiuhao Li, Laurent Vivier
Subject: [PULL 33/65] virtio-pci: fix memory_region_find for VirtIOPCIRegion's MR
Date: Mon, 4 Nov 2024 16:07:43 -0500
Message-ID: <55fa4be6f76a3e1b1caa33a8f0ab4dc217d32e49.1730754238.git.mst@redhat.com>
From: Gao Shiyuan

As shown below, if a virtio PCI device is attached under a pci-bridge, the MR of VirtIOPCIRegion does not belong to any address space. So memory_region_find cannot be used to search for this MR.

Introduce the virtio-pci and pci_bridge address spaces to solve this problem.

Before:

memory-region: pci_bridge_pci
  0000000000000000-ffffffffffffffff (prio 0, i/o): pci_bridge_pci
    00000000fe840000-00000000fe840fff (prio 1, i/o): virtio-net-pci-msix
      00000000fe840000-00000000fe84003f (prio 0, i/o): msix-table
      00000000fe840800-00000000fe840807 (prio 0, i/o): msix-pba
    0000380000000000-0000380000003fff (prio 1, i/o): virtio-pci
      0000380000000000-0000380000000fff (prio 0, i/o): virtio-pci-common-virtio-net
      0000380000001000-0000380000001fff (prio 0, i/o): virtio-pci-isr-virtio-net
      0000380000002000-0000380000002fff (prio 0, i/o): virtio-pci-device-virtio-net
      0000380000003000-0000380000003fff (prio 0, i/o): virtio-pci-notify-virtio-net

After:

address-space: virtio-pci-cfg-mem-as
  0000380000000000-0000380000003fff (prio 1, i/o): virtio-pci
    0000380000000000-0000380000000fff (prio 0, i/o): virtio-pci-common-virtio-net
    0000380000001000-0000380000001fff (prio 0, i/o): virtio-pci-isr-virtio-net
    0000380000002000-0000380000002fff (prio 0, i/o): virtio-pci-device-virtio-net
    0000380000003000-0000380000003fff (prio 0, i/o): virtio-pci-notify-virtio-net

address-space: pci_bridge_pci_mem
  0000000000000000-ffffffffffffffff (prio 0, i/o): pci_bridge_pci
    00000000fe840000-00000000fe840fff (prio 1, i/o): virtio-net-pci-msix
      00000000fe840000-00000000fe84003f (prio 0, i/o): msix-table
      00000000fe840800-00000000fe840807 (prio 0, i/o): msix-pba
    0000380000000000-0000380000003fff (prio 1, i/o): virtio-pci
      0000380000000000-0000380000000fff (prio 0, i/o): virtio-pci-common-virtio-net
      0000380000001000-0000380000001fff (prio 0, i/o): virtio-pci-isr-virtio-net
      0000380000002000-0000380000002fff (prio 0, i/o): virtio-pci-device-virtio-net
      0000380000003000-0000380000003fff (prio 0, i/o): virtio-pci-notify-virtio-net

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2576
Fixes: ffa8a3e3b2e6 ("virtio-pci: Add lookup subregion of VirtIOPCIRegion MR")
Co-developed-by: Zuo Boqun
Signed-off-by: Zuo Boqun
Co-developed-by: Wang Liang
Signed-off-by: Wang Liang
Signed-off-by: Gao Shiyuan
Message-Id: <20241030131324.34144-1-gaoshiyuan@baidu.com>
Tested-by: Daniel P. Berrangé
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
 include/hw/pci/pci_bridge.h            |  2 ++
 include/hw/virtio/virtio-pci.h         |  3 +++
 hw/pci/pci_bridge.c                    |  5 ++++
 hw/virtio/virtio-pci.c                 | 10 +++++++
 tests/qtest/fuzz-virtio-balloon-test.c | 37 ++++++++++++++++++++++++++
 tests/qtest/meson.build                |  1 +
 6 files changed, 58 insertions(+)
 create mode 100644 tests/qtest/fuzz-virtio-balloon-test.c

diff --git a/include/hw/pci/pci_bridge.h b/include/hw/pci/pci_bridge.h index 5456e24883..b0f5204d80 100644 --- a/include/hw/pci/pci_bridge.h +++ b/include/hw/pci/pci_bridge.h @@ -72,6 +72,8 @@ struct PCIBridge { */ MemoryRegion address_space_mem; MemoryRegion address_space_io; + AddressSpace as_mem; + AddressSpace as_io; =20 PCIBridgeWindows windows; =20 diff --git a/include/hw/virtio/virtio-pci.h b/include/hw/virtio/virtio-pci.h index 9e67ba38c7..971c5fabd4 100644 --- a/include/hw/virtio/virtio-pci.h +++ b/include/hw/virtio/virtio-pci.h @@ -147,6 +147,9 @@ struct VirtIOPCIProxy { }; MemoryRegion modern_bar; MemoryRegion io_bar; + /* address space for VirtIOPCIRegions */ + AddressSpace modern_cfg_mem_as; + AddressSpace modern_cfg_io_as; uint32_t legacy_io_bar_idx; uint32_t msix_bar_idx; uint32_t modern_io_bar_idx; diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c index 6a4e38856d..2c7bb1a525 100644 --- a/hw/pci/pci_bridge.c +++ b/hw/pci/pci_bridge.c
@@ -380,9 +380,12 @@ void pci_bridge_initfn(PCIDevice *dev, const char *typ= ename) sec_bus->map_irq =3D br->map_irq ? br->map_irq : pci_swizzle_map_irq_f= n; sec_bus->address_space_mem =3D &br->address_space_mem; memory_region_init(&br->address_space_mem, OBJECT(br), "pci_bridge_pci= ", UINT64_MAX); + address_space_init(&br->as_mem, &br->address_space_mem, + "pci_bridge_pci_mem"); sec_bus->address_space_io =3D &br->address_space_io; memory_region_init(&br->address_space_io, OBJECT(br), "pci_bridge_io", 4 * GiB); + address_space_init(&br->as_io, &br->address_space_io, "pci_bridge_pci_= io"); pci_bridge_region_init(br); QLIST_INIT(&sec_bus->child); QLIST_INSERT_HEAD(&parent->child, sec_bus, sibling); @@ -399,6 +402,8 @@ void pci_bridge_exitfn(PCIDevice *pci_dev) PCIBridge *s =3D PCI_BRIDGE(pci_dev); assert(QLIST_EMPTY(&s->sec_bus.child)); QLIST_REMOVE(&s->sec_bus, sibling); + address_space_destroy(&s->as_mem); + address_space_destroy(&s->as_io); pci_bridge_region_del(s, &s->windows); pci_bridge_region_cleanup(s, &s->windows); /* object_unparent() is called automatically during device deletion */ diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c index c5a809b956..5a394821da 100644 --- a/hw/virtio/virtio-pci.c +++ b/hw/virtio/virtio-pci.c @@ -2057,6 +2057,8 @@ static void virtio_pci_device_plugged(DeviceState *d,= Error **errp) if (modern_pio) { memory_region_init(&proxy->io_bar, OBJECT(proxy), "virtio-pci-io", 0x4); + address_space_init(&proxy->modern_cfg_io_as, &proxy->io_bar, + "virtio-pci-cfg-io-as"); =20 pci_register_bar(&proxy->pci_dev, proxy->modern_io_bar_idx, PCI_BASE_ADDRESS_SPACE_IO, &proxy->io_bar); 
@@ -2180,6 +2182,9 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Er= ror **errp) /* PCI BAR regions must be powers of 2 */ pow2ceil(proxy->notify.offset + proxy->notify.size)= ); =20 + address_space_init(&proxy->modern_cfg_mem_as, &proxy->modern_bar, + "virtio-pci-cfg-mem-as"); + if (proxy->disable_legacy =3D=3D ON_OFF_AUTO_AUTO) { proxy->disable_legacy =3D pcie_port ? ON_OFF_AUTO_ON : ON_OFF_AUTO= _OFF; } @@ -2269,12 +2274,17 @@ static void virtio_pci_exit(PCIDevice *pci_dev) VirtIOPCIProxy *proxy =3D VIRTIO_PCI(pci_dev); bool pcie_port =3D pci_bus_is_express(pci_get_bus(pci_dev)) && !pci_bus_is_root(pci_get_bus(pci_dev)); + bool modern_pio =3D proxy->flags & VIRTIO_PCI_FLAG_MODERN_PIO_NOTIFY; =20 msix_uninit_exclusive_bar(pci_dev); if (proxy->flags & VIRTIO_PCI_FLAG_AER && pcie_port && pci_is_express(pci_dev)) { pcie_aer_exit(pci_dev); } + address_space_destroy(&proxy->modern_cfg_mem_as); + if (modern_pio) { + address_space_destroy(&proxy->modern_cfg_io_as); + } } =20 static void virtio_pci_reset(DeviceState *qdev) diff --git a/tests/qtest/fuzz-virtio-balloon-test.c b/tests/qtest/fuzz-virt= io-balloon-test.c new file mode 100644 index 0000000000..ecb597fbee --- /dev/null +++ b/tests/qtest/fuzz-virtio-balloon-test.c 
@@ -0,0 +1,37 @@ +/* + * QTest fuzzer-generated testcase for virtio balloon device + * + * Copyright (c) 2024 Gao Shiyuan + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "libqtest.h" + +/* + * https://gitlab.com/qemu-project/qemu/-/issues/2576 + * Used to trigger: + * virtio_address_space_lookup: Assertion `mrs.mr' failed. + */ +static void oss_fuzz_71649(void) +{ + QTestState *s =3D qtest_init("-device virtio-balloon -machine q35" + " -nodefaults"); + + qtest_outl(s, 0xcf8, 0x80000890); + qtest_outl(s, 0xcfc, 0x2); + qtest_outl(s, 0xcf8, 0x80000891); + qtest_inl(s, 0xcfc); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + g_test_init(&argc, &argv, NULL); + + qtest_add_func("fuzz/virtio/oss_fuzz_71649", oss_fuzz_71649); + + return g_test_run(); +} + diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 9d51114539..924dc4be57 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -88,6 +88,7 @@ qtests_i386 =3D \ (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-= test'] : []) + \ (config_all_devices.has_key('CONFIG_LSI_SCSI_PCI') ? ['fuzz-lsi53c895a-t= est'] : []) + \ (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-t= est'] : []) + \ + (config_all_devices.has_key('CONFIG_VIRTIO_BALLOON') ? ['fuzz-virtio-bal= loon-test'] : []) + \ (config_all_devices.has_key('CONFIG_Q35') ? ['q35-test'] : []) + = \ (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + = \ (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] := []) + \ --=20 MST
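Review bot: in the include/hw/pci/pci_bridge.h hunk the new `as_mem` and `as_io` fields are placed directly below `address_space_mem`/`address_space_io` without extending the comment that ends just above them (`*/`); add a line stating that these are the address spaces rooted at those two regions and exist so that memory_region_find() can resolve subregions of a bridge window, the way the virtio-pci.h hunk does with `/* address space for VirtIOPCIRegions */`.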
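Review bot: in the pci_bridge_initfn() hunk the address-space names do not follow the region names they wrap: the region `"pci_bridge_pci"` gets an address space called `"pci_bridge_pci_mem"`, while the region `"pci_bridge_io"` gets `"pci_bridge_pci_io"`; pick one scheme (either `pci_bridge_pci_mem`/`pci_bridge_pci_io` for both or derive the name from the region) so `info mtree` output is predictable. A second question for the commit message: every `address_space_init()` registers another AddressSpace that the memory core has to update on each topology commit, and this series adds one per bridge plus one or two per virtio-pci device; was the cost on a large configuration (many bridges and devices) looked at, and is it worth a sentence here?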
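Review bot: the init and destroy of `modern_cfg_io_as` are keyed on different conditions. In the virtio_pci_device_plugged() hunk the `address_space_init(&proxy->modern_cfg_io_as, ...)` sits inside `if (modern_pio) {` whose enclosing conditions are outside the hunk, while the virtio_pci_exit() hunk destroys it whenever `proxy->flags & VIRTIO_PCI_FLAG_MODERN_PIO_NOTIFY` is set. If device_plugged can skip that branch for a device that has the flag set, or exit runs for a proxy whose virtio device was never plugged, `address_space_destroy()` runs on a zeroed AddressSpace. The realize hunk already pairs `modern_cfg_mem_as` with exit; initialising `modern_cfg_io_as` there too, under the same flag used by exit, or recording in the proxy that the init actually ran and testing that in exit, would make the pair symmetric.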
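Review bot: the commit message says memory_region_find() cannot find the MR but not why adding address spaces fixes that, and the virtio_pci_realize() hunk on its own looks unrelated to a lookup bug. memory_region_find() resolves the region it is handed by walking its container chain up to the top-level region and looking for an address space whose root is that region, so the fix works by making `modern_bar` (and the bridge window) address-space roots; one sentence saying so would make the hunk self-explanatory. It would also answer whether the pci_bridge address spaces are still required once `virtio-pci-cfg-mem-as` exists: in the "After" tree the mapped BAR is reachable through `pci_bridge_pci_mem`, and the BAR's own address space only becomes the root when the BAR is not mapped into any container.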
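Review bot: the new qtest starts `-device virtio-balloon -machine q35 -nodefaults` with no pci-bridge, so it does not exercise the topology the commit message describes (a virtio device under a pci-bridge); either add a pci-bridge to the command line and place the balloon behind it, or state in the file's comment which path this reproducer hits (a BAR that is not mapped anywhere when config-space access reaches it also leaves `modern_bar` with no address space). Style point in the same hunk: the file ends with an empty `+` line after `+}`, which checkpatch flags as a blank line at EOF; drop it.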
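As an added illustration, not part of this patch or of QEMU: a small C model of the lookup step the commit message relies on. memory_region_find() first maps the region it is given to an address space by walking the region's container chain to its top-level region and matching that root against the address spaces created by address_space_init(); when no address space is rooted there, the lookup returns no region, which is what virtio_address_space_lookup() turns into the assertion quoted in the new qtest. The region and address-space names below come from the "Before"/"After" trees; the `MemoryRegion`/`AddressSpace` structs, the `model_*` functions and `resolve_common_cfg()` are this note's own simplifications, and the "BAR unmapped" case is our assumption about what the bridgeless qtest exercises.

```c
/*
 * Model of how memory_region_find() resolves a region to an address space.
 * Written for this note; it is not QEMU code. It keeps only the step that
 * matters for this patch: walk the region's container chain to its top-level
 * region and match that root against the address spaces created with
 * address_space_init(). Region names are those from the commit message.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct MemoryRegion {
    const char *name;
    struct MemoryRegion *container;   /* NULL when the region is top-level */
} MemoryRegion;

typedef struct AddressSpace {
    const char *name;
    MemoryRegion *root;
} AddressSpace;

#define MAX_AS 8
static AddressSpace address_spaces[MAX_AS];
static int num_address_spaces;

/* Analogue of address_space_init(): register root as a new address space. */
static void model_as_init(const char *name, MemoryRegion *root)
{
    if (num_address_spaces < MAX_AS) {
        address_spaces[num_address_spaces].name = name;
        address_spaces[num_address_spaces].root = root;
        num_address_spaces++;
    }
}

/*
 * Analogue of the root-resolution step inside memory_region_find(). A NULL
 * result is what virtio_address_space_lookup() turns into
 * "Assertion `mrs.mr' failed".
 */
static AddressSpace *model_mr_to_as(MemoryRegion *mr)
{
    while (mr->container) {
        mr = mr->container;
    }
    for (int i = 0; i < num_address_spaces; i++) {
        if (address_spaces[i].root == mr) {
            return &address_spaces[i];
        }
    }
    return NULL;
}

/* Topology from the commit message: a virtio-net modern BAR ("virtio-pci")
 * holding the common-config region, plugged below a pci-bridge window. */
static MemoryRegion system_memory = { "system", NULL };
static MemoryRegion bridge_pci = { "pci_bridge_pci", NULL };
static MemoryRegion modern_bar = { "virtio-pci", &bridge_pci };
static MemoryRegion common_cfg = { "virtio-pci-common-virtio-net", &modern_bar };

/*
 * Resolve the common-config region.
 *   patched    - whether the address spaces added by this patch exist
 *   bar_mapped - whether the BAR is currently a subregion of the bridge
 *                window; false models a BAR not mapped anywhere yet (our
 *                assumption about what the bridgeless qtest triggers)
 * Returns the name of the address space found, or NULL when the real
 * lookup would have asserted.
 */
const char *resolve_common_cfg(bool patched, bool bar_mapped)
{
    num_address_spaces = 0;
    model_as_init("memory", &system_memory);   /* always present */
    if (patched) {
        model_as_init("pci_bridge_pci_mem", &bridge_pci);     /* pci_bridge_initfn() */
        model_as_init("virtio-pci-cfg-mem-as", &modern_bar);  /* virtio_pci_realize() */
    }
    modern_bar.container = bar_mapped ? &bridge_pci : NULL;

    AddressSpace *as = model_mr_to_as(&common_cfg);
    return as ? as->name : NULL;
}

int main(void)
{
    const char *r;

    r = resolve_common_cfg(false, true);
    printf("unpatched, BAR under bridge: %s\n", r ? r : "(none: lookup asserts)");
    r = resolve_common_cfg(false, false);
    printf("unpatched, BAR unmapped    : %s\n", r ? r : "(none: lookup asserts)");
    r = resolve_common_cfg(true, true);
    printf("patched,   BAR under bridge: %s\n", r ? r : "(none)");
    r = resolve_common_cfg(true, false);
    printf("patched,   BAR unmapped    : %s\n", r ? r : "(none)");
    return 0;
}
```

The two patched cases show why the series adds both kinds of address space: a BAR that is mapped resolves through the bridge window's `pci_bridge_pci_mem`, while a BAR with no container can only be found because `virtio-pci-cfg-mem-as` is rooted at the BAR itself.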