diff options
28 files changed, 232 insertions, 71 deletions
diff --git a/VERSION b/VERSION index f51337edb0..7c5f12f378 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.0.91 +6.0.92 diff --git a/block/io.c b/block/io.c index e0a689c584..a19942718b 100644 --- a/block/io.c +++ b/block/io.c @@ -1841,7 +1841,7 @@ int coroutine_fn bdrv_co_preadv_part(BdrvChild *child, ret = bdrv_pad_request(bs, &qiov, &qiov_offset, &offset, &bytes, &pad, NULL); if (ret < 0) { - return ret; + goto fail; } tracked_request_begin(&req, bs, offset, bytes, BDRV_TRACKED_READ); @@ -1849,10 +1849,11 @@ int coroutine_fn bdrv_co_preadv_part(BdrvChild *child, bs->bl.request_alignment, qiov, qiov_offset, flags); tracked_request_end(&req); - bdrv_dec_in_flight(bs); - bdrv_padding_destroy(&pad); +fail: + bdrv_dec_in_flight(bs); + return ret; } diff --git a/chardev/char-fd.c b/chardev/char-fd.c index 1cd62f2779..93c56913b4 100644 --- a/chardev/char-fd.c +++ b/chardev/char-fd.c @@ -28,6 +28,7 @@ #include "qemu/sockets.h" #include "qapi/error.h" #include "chardev/char.h" +#include "chardev/char-fe.h" #include "io/channel-file.h" #include "chardev/char-fd.h" @@ -38,6 +39,10 @@ static int fd_chr_write(Chardev *chr, const uint8_t *buf, int len) { FDChardev *s = FD_CHARDEV(chr); + if (!s->ioc_out) { + return -1; + } + return io_channel_send(s->ioc_out, buf, len); } @@ -80,10 +85,85 @@ static int fd_chr_read_poll(void *opaque) return s->max_size; } +typedef struct FDSource { + GSource parent; + + GIOCondition cond; +} FDSource; + +static gboolean +fd_source_prepare(GSource *source, + gint *timeout_) +{ + FDSource *src = (FDSource *)source; + + return src->cond != 0; +} + +static gboolean +fd_source_check(GSource *source) +{ + FDSource *src = (FDSource *)source; + + return src->cond != 0; +} + +static gboolean +fd_source_dispatch(GSource *source, GSourceFunc callback, + gpointer user_data) +{ + FDSource *src = (FDSource *)source; + FEWatchFunc func = (FEWatchFunc)callback; + gboolean ret = G_SOURCE_CONTINUE; + + if (src->cond) { + ret = func(NULL, src->cond, user_data); + src->cond = 0; + } + + return ret; +} + +static GSourceFuncs fd_source_funcs = { + fd_source_prepare, + fd_source_check, + fd_source_dispatch, + NULL, NULL, NULL +}; + +static GSource *fd_source_new(FDChardev *chr) +{ + return g_source_new(&fd_source_funcs, sizeof(FDSource)); +} + +static gboolean child_func(GIOChannel *source, + GIOCondition condition, + gpointer data) +{ + FDSource *parent = data; + + parent->cond |= condition; + + return G_SOURCE_CONTINUE; +} + static GSource *fd_chr_add_watch(Chardev *chr, GIOCondition cond) { FDChardev *s = FD_CHARDEV(chr); - return qio_channel_create_watch(s->ioc_out, cond); + g_autoptr(GSource) source = fd_source_new(s); + + if (s->ioc_out) { + g_autoptr(GSource) child = qio_channel_create_watch(s->ioc_out, cond & ~G_IO_IN); + g_source_set_callback(child, (GSourceFunc)child_func, source, NULL); + g_source_add_child_source(source, child); + } + if (s->ioc_in) { + g_autoptr(GSource) child = qio_channel_create_watch(s->ioc_in, cond & ~G_IO_OUT); + g_source_set_callback(child, (GSourceFunc)child_func, source, NULL); + g_source_add_child_source(source, child); + } + + return g_steal_pointer(&source); } static void fd_chr_update_read_handler(Chardev *chr) @@ -131,17 +211,32 @@ void qemu_chr_open_fd(Chardev *chr, int fd_in, int fd_out) { FDChardev *s = FD_CHARDEV(chr); - char *name; - - s->ioc_in = QIO_CHANNEL(qio_channel_file_new_fd(fd_in)); - name = g_strdup_printf("chardev-file-in-%s", chr->label); - qio_channel_set_name(QIO_CHANNEL(s->ioc_in), name); - g_free(name); - s->ioc_out = QIO_CHANNEL(qio_channel_file_new_fd(fd_out)); - name = g_strdup_printf("chardev-file-out-%s", chr->label); - qio_channel_set_name(QIO_CHANNEL(s->ioc_out), name); - g_free(name); - qemu_set_nonblock(fd_out); + g_autofree char *name = NULL; + + if (fd_out >= 0) { + qemu_set_nonblock(fd_out); + } + + if (fd_out == fd_in && fd_in >= 0) { + s->ioc_in = QIO_CHANNEL(qio_channel_file_new_fd(fd_in)); + name = g_strdup_printf("chardev-file-%s", chr->label); + qio_channel_set_name(QIO_CHANNEL(s->ioc_in), name); + s->ioc_out = QIO_CHANNEL(object_ref(s->ioc_in)); + return; + } + + if (fd_in >= 0) { + s->ioc_in = QIO_CHANNEL(qio_channel_file_new_fd(fd_in)); + name = g_strdup_printf("chardev-file-in-%s", chr->label); + qio_channel_set_name(QIO_CHANNEL(s->ioc_in), name); + } + + if (fd_out >= 0) { + s->ioc_out = QIO_CHANNEL(qio_channel_file_new_fd(fd_out)); + g_free(name); + name = g_strdup_printf("chardev-file-out-%s", chr->label); + qio_channel_set_name(QIO_CHANNEL(s->ioc_out), name); + } } static void char_fd_class_init(ObjectClass *oc, void *data) diff --git a/chardev/char-fe.c b/chardev/char-fe.c index 474715c5a9..7789f7be9c 100644 --- a/chardev/char-fe.c +++ b/chardev/char-fe.c @@ -354,7 +354,7 @@ void qemu_chr_fe_set_open(CharBackend *be, int fe_open) } guint qemu_chr_fe_add_watch(CharBackend *be, GIOCondition cond, - GIOFunc func, void *user_data) + FEWatchFunc func, void *user_data) { Chardev *s = be->chr; GSource *src; diff --git a/chardev/char-socket.c b/chardev/char-socket.c index d0fb545963..c43668cc15 100644 --- a/chardev/char-socket.c +++ b/chardev/char-socket.c @@ -468,9 +468,9 @@ static char *qemu_chr_socket_address(SocketChardev *s, const char *prefix) #ifdef CONFIG_LINUX if (sa->has_abstract && sa->abstract) { - abstract = ",abstract"; + abstract = ",abstract=on"; if (sa->has_tight && sa->tight) { - tight = ",tight"; + tight = ",tight=on"; } } #endif diff --git a/chardev/char.c b/chardev/char.c index d959eec522..4595a8d430 100644 --- a/chardev/char.c +++ b/chardev/char.c @@ -1031,27 +1031,31 @@ Chardev *qemu_chardev_new(const char *id, const char *typename, ChardevReturn *qmp_chardev_add(const char *id, ChardevBackend *backend, Error **errp) { + ERRP_GUARD(); const ChardevClass *cc; ChardevReturn *ret; - Chardev *chr; + g_autoptr(Chardev) chr = NULL; + + if (qemu_chr_find(id)) { + error_setg(errp, "Chardev with id '%s' already exists", id); + return NULL; + } cc = char_get_class(ChardevBackendKind_str(backend->type), errp); if (!cc) { - return NULL; + goto err; } chr = chardev_new(id, object_class_get_name(OBJECT_CLASS(cc)), backend, NULL, false, errp); if (!chr) { - return NULL; + goto err; } if (!object_property_try_add_child(get_chardevs_root(), id, OBJECT(chr), errp)) { - object_unref(OBJECT(chr)); - return NULL; + goto err; } - object_unref(OBJECT(chr)); ret = g_new0(ChardevReturn, 1); if (CHARDEV_IS_PTY(chr)) { @@ -1060,6 +1064,10 @@ ChardevReturn *qmp_chardev_add(const char *id, ChardevBackend *backend, } return ret; + +err: + error_prepend(errp, "Failed to add chardev '%s': ", id); + return NULL; } ChardevReturn *qmp_chardev_change(const char *id, ChardevBackend *backend, diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index ceb677bc5a..b4b5e8a3ee 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -288,7 +288,7 @@ static void uart_write_rx_fifo(void *opaque, const uint8_t *buf, int size) uart_update_status(s); } -static gboolean cadence_uart_xmit(GIOChannel *chan, GIOCondition cond, +static gboolean cadence_uart_xmit(void *do_not_use, GIOCondition cond, void *opaque) { CadenceUARTState *s = opaque; diff --git a/hw/char/cmsdk-apb-uart.c b/hw/char/cmsdk-apb-uart.c index ba2cbbee3d..f8dc89ee3d 100644 --- a/hw/char/cmsdk-apb-uart.c +++ b/hw/char/cmsdk-apb-uart.c @@ -191,7 +191,7 @@ static uint64_t uart_read(void *opaque, hwaddr offset, unsigned size) /* Try to send tx data, and arrange to be called back later if * we can't (ie the char backend is busy/blocking). */ -static gboolean uart_transmit(GIOChannel *chan, GIOCondition cond, void *opaque) +static gboolean uart_transmit(void *do_not_use, GIOCondition cond, void *opaque) { CMSDKAPBUART *s = CMSDK_APB_UART(opaque); int ret; diff --git a/hw/char/ibex_uart.c b/hw/char/ibex_uart.c index 6b0c9330bf..9b0a817713 100644 --- a/hw/char/ibex_uart.c +++ b/hw/char/ibex_uart.c @@ -135,7 +135,7 @@ static void ibex_uart_receive(void *opaque, const uint8_t *buf, int size) ibex_uart_update_irqs(s); } -static gboolean ibex_uart_xmit(GIOChannel *chan, GIOCondition cond, +static gboolean ibex_uart_xmit(void *do_not_use, GIOCondition cond, void *opaque) { IbexUartState *s = opaque; diff --git a/hw/char/nrf51_uart.c b/hw/char/nrf51_uart.c index 045ca5fa40..3c6f982de9 100644 --- a/hw/char/nrf51_uart.c +++ b/hw/char/nrf51_uart.c @@ -75,7 +75,7 @@ static uint64_t uart_read(void *opaque, hwaddr addr, unsigned int size) return r; } -static gboolean uart_transmit(GIOChannel *chan, GIOCondition cond, void *opaque) +static gboolean uart_transmit(void *do_not_use, GIOCondition cond, void *opaque) { NRF51UARTState *s = NRF51_UART(opaque); int r; diff --git a/hw/char/serial.c b/hw/char/serial.c index bc2e322970..7061aacbce 100644 --- a/hw/char/serial.c +++ b/hw/char/serial.c @@ -220,7 +220,7 @@ static void serial_update_msl(SerialState *s) } } -static gboolean serial_watch_cb(GIOChannel *chan, GIOCondition cond, +static gboolean serial_watch_cb(void *do_not_use, GIOCondition cond, void *opaque) { SerialState *s = opaque; diff --git a/hw/char/virtio-console.c b/hw/char/virtio-console.c index 6b132caa29..dd5a02e339 100644 --- a/hw/char/virtio-console.c +++ b/hw/char/virtio-console.c @@ -38,7 +38,7 @@ struct VirtConsole { * Callback function that's called from chardevs when backend becomes * writable. */ -static gboolean chr_write_unblocked(GIOChannel *chan, GIOCondition cond, +static gboolean chr_write_unblocked(void *do_not_use, GIOCondition cond, void *opaque) { VirtConsole *vcon = opaque; diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index 17836149fe..a33ac8b91e 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -374,7 +374,7 @@ static void build_append_pci_bus_devices(Aml *parent_scope, PCIBus *bus, Aml *dev, *notify_method = NULL, *method; QObject *bsel; PCIBus *sec; - int i; + int devfn; bsel = object_property_get_qobject(OBJECT(bus), ACPI_PCIHP_PROP_BSEL, NULL); if (bsel) { @@ -384,23 +384,31 @@ static void build_append_pci_bus_devices(Aml *parent_scope, PCIBus *bus, notify_method = aml_method("DVNT", 2, AML_NOTSERIALIZED); } - for (i = 0; i < ARRAY_SIZE(bus->devices); i += PCI_FUNC_MAX) { + for (devfn = 0; devfn < ARRAY_SIZE(bus->devices); devfn++) { DeviceClass *dc; PCIDeviceClass *pc; - PCIDevice *pdev = bus->devices[i]; - int slot = PCI_SLOT(i); + PCIDevice *pdev = bus->devices[devfn]; + int slot = PCI_SLOT(devfn); + int func = PCI_FUNC(devfn); + /* ACPI spec: 1.0b: Table 6-2 _ADR Object Bus Types, PCI type */ + int adr = slot << 16 | func; bool hotplug_enabled_dev; bool bridge_in_acpi; bool cold_plugged_bridge; if (!pdev) { - if (bsel) { /* add hotplug slots for non present devices */ + /* + * add hotplug slots for non present devices. + * hotplug is supported only for non-multifunction device + * so generate device description only for function 0 + */ + if (bsel && !func) { if (pci_bus_is_express(bus) && slot > 0) { break; } - dev = aml_device("S%.02X", PCI_DEVFN(slot, 0)); + dev = aml_device("S%.02X", devfn); aml_append(dev, aml_name_decl("_SUN", aml_int(slot))); - aml_append(dev, aml_name_decl("_ADR", aml_int(slot << 16))); + aml_append(dev, aml_name_decl("_ADR", aml_int(adr))); method = aml_method("_EJ0", 1, AML_NOTSERIALIZED); aml_append(method, aml_call2("PCEJ", aml_name("BSEL"), aml_name("_SUN")) @@ -436,9 +444,18 @@ static void build_append_pci_bus_devices(Aml *parent_scope, PCIBus *bus, continue; } - /* start to compose PCI slot descriptor */ - dev = aml_device("S%.02X", PCI_DEVFN(slot, 0)); - aml_append(dev, aml_name_decl("_ADR", aml_int(slot << 16))); + /* + * allow describing coldplugged bridges in ACPI even if they are not + * on function 0, as they are not unpluggable, for all other devices + * generate description only for function 0 per slot + */ + if (func && !bridge_in_acpi) { + continue; + } + + /* start to compose PCI device descriptor */ + dev = aml_device("S%.02X", devfn); + aml_append(dev, aml_name_decl("_ADR", aml_int(adr))); if (bsel) { /* @@ -496,7 +513,7 @@ static void build_append_pci_bus_devices(Aml *parent_scope, PCIBus *bus, build_append_pci_bus_devices(dev, sec_bus, pcihp_bridge_en); } - /* slot descriptor has been composed, add it into parent context */ + /* device descriptor has been composed, add it into parent context */ aml_append(parent_scope, dev); } @@ -525,13 +542,12 @@ static void build_append_pci_bus_devices(Aml *parent_scope, PCIBus *bus, /* Notify about child bus events in any case */ if (pcihp_bridge_en) { QLIST_FOREACH(sec, &bus->child, sibling) { - int32_t devfn = sec->parent_dev->devfn; - if (pci_bus_is_root(sec)) { continue; } - aml_append(method, aml_name("^S%.02X.PCNT", devfn)); + aml_append(method, aml_name("^S%.02X.PCNT", + sec->parent_dev->devfn)); } } diff --git a/hw/pci-bridge/gen_pcie_root_port.c b/hw/pci-bridge/gen_pcie_root_port.c index ec9907917e..20099a8ae3 100644 --- a/hw/pci-bridge/gen_pcie_root_port.c +++ b/hw/pci-bridge/gen_pcie_root_port.c @@ -28,6 +28,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(GenPCIERootPort, GEN_PCIE_ROOT_PORT) (GEN_PCIE_ROOT_PORT_AER_OFFSET + PCI_ERR_SIZEOF) #define GEN_PCIE_ROOT_PORT_MSIX_NR_VECTOR 1 +#define GEN_PCIE_ROOT_DEFAULT_IO_RANGE 4096 struct GenPCIERootPort { /*< private >*/ @@ -75,6 +76,7 @@ static bool gen_rp_test_migrate_msix(void *opaque, int version_id) static void gen_rp_realize(DeviceState *dev, Error **errp) { PCIDevice *d = PCI_DEVICE(dev); + PCIESlot *s = PCIE_SLOT(d); GenPCIERootPort *grp = GEN_PCIE_ROOT_PORT(d); PCIERootPortClass *rpc = PCIE_ROOT_PORT_GET_CLASS(d); Error *local_err = NULL; @@ -85,6 +87,9 @@ static void gen_rp_realize(DeviceState *dev, Error **errp) return; } + if (grp->res_reserve.io == -1 && s->hotplug && !s->native_hotplug) { + grp->res_reserve.io = GEN_PCIE_ROOT_DEFAULT_IO_RANGE; + } int rc = pci_bridge_qemu_reserve_cap_init(d, 0, grp->res_reserve, errp); diff --git a/hw/pci-host/gpex-acpi.c b/hw/pci-host/gpex-acpi.c index 0f01f13a6e..e7e162a00a 100644 --- a/hw/pci-host/gpex-acpi.c +++ b/hw/pci-host/gpex-acpi.c @@ -112,26 +112,10 @@ static void acpi_dsdt_add_pci_osc(Aml *dev) UUID = aml_touuid("E5C937D0-3553-4D7A-9117-EA4D19C3434D"); ifctx = aml_if(aml_equal(aml_arg(0), UUID)); ifctx1 = aml_if(aml_equal(aml_arg(2), aml_int(0))); - uint8_t byte_list[] = { - 0x1 << 0 /* support for functions other than function 0 */ | - 0x1 << 5 /* support for function 5 */ - }; - buf = aml_buffer(ARRAY_SIZE(byte_list), byte_list); + uint8_t byte_list[1] = {1}; + buf = aml_buffer(1, byte_list); aml_append(ifctx1, aml_return(buf)); aml_append(ifctx, ifctx1); - - /* - * PCI Firmware Specification 3.1 - * 4.6.5. _DSM for Ignoring PCI Boot Configurations - */ - /* Arg2: Function Index: 5 */ - ifctx1 = aml_if(aml_equal(aml_arg(2), aml_int(5))); - /* - * 0 - The operating system must not ignore the PCI configuration that - * firmware has done at boot time. - */ - aml_append(ifctx1, aml_return(aml_int(0))); - aml_append(ifctx, ifctx1); aml_append(method, ifctx); byte_list[0] = 0; diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 1f964e022b..bb5dbff68c 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -821,8 +821,15 @@ static uint32_t sd_wpbits(SDState *sd, uint64_t addr) wpnum = sd_addr_to_wpnum(addr); for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { + if (addr >= sd->size) { + /* + * If the addresses of the last groups are outside the valid range, + * then the corresponding write protection bits shall be set to 0. + */ + continue; + } assert(wpnum < sd->wpgrps_size); - if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { + if (test_bit(wpnum, sd->wp_groups)) { ret |= (1 << i); } } diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 1ec909a63a..5f0ef9cb3b 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -270,7 +270,7 @@ static int usbredir_read(void *priv, uint8_t *data, int count) return count; } -static gboolean usbredir_write_unblocked(GIOChannel *chan, GIOCondition cond, +static gboolean usbredir_write_unblocked(void *do_not_use, GIOCondition cond, void *opaque) { USBRedirDevice *dev = opaque; diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index 29ea2b4fce..aec6cc1990 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -303,7 +303,7 @@ struct vhost_user_read_cb_data { int ret; }; -static gboolean vhost_user_read_cb(GIOChannel *source, GIOCondition condition, +static gboolean vhost_user_read_cb(void *do_not_use, GIOCondition condition, gpointer opaque) { struct vhost_user_read_cb_data *data = opaque; diff --git a/include/chardev/char-fe.h b/include/chardev/char-fe.h index a553843364..867ef1b3b2 100644 --- a/include/chardev/char-fe.h +++ b/include/chardev/char-fe.h @@ -174,6 +174,9 @@ void qemu_chr_fe_set_open(CharBackend *be, int fe_open); void qemu_chr_fe_printf(CharBackend *be, const char *fmt, ...) GCC_FMT_ATTR(2, 3); + +typedef gboolean (*FEWatchFunc)(void *do_not_use, GIOCondition condition, void *data); + /** * qemu_chr_fe_add_watch: * @cond: the condition to poll for @@ -188,10 +191,13 @@ void qemu_chr_fe_printf(CharBackend *be, const char *fmt, ...) * Note that you are responsible to update the front-end sources if * you are switching the main context with qemu_chr_fe_set_handlers(). * + * Warning: DO NOT use the first callback argument (it may be either + * a GIOChannel or a QIOChannel, depending on the underlying chardev) + * * Returns: the source tag */ guint qemu_chr_fe_add_watch(CharBackend *be, GIOCondition cond, - GIOFunc func, void *user_data); + FEWatchFunc func, void *user_data); /** * qemu_chr_fe_write: diff --git a/monitor/monitor.c b/monitor/monitor.c index b90c0f4051..46a171bca6 100644 --- a/monitor/monitor.c +++ b/monitor/monitor.c @@ -156,7 +156,7 @@ static inline bool monitor_is_hmp_non_interactive(const Monitor *mon) static void monitor_flush_locked(Monitor *mon); -static gboolean monitor_unblocked(GIOChannel *chan, GIOCondition cond, +static gboolean monitor_unblocked(void *do_not_use, GIOCondition cond, void *opaque) { Monitor *mon = opaque; diff --git a/net/vhost-user.c b/net/vhost-user.c index ffbd94d944..6adfcd623a 100644 --- a/net/vhost-user.c +++ b/net/vhost-user.c @@ -208,8 +208,8 @@ static NetClientInfo net_vhost_user_info = { .set_vnet_le = vhost_user_set_vnet_endianness, }; -static gboolean net_vhost_user_watch(GIOChannel *chan, GIOCondition cond, - void *opaque) +static gboolean net_vhost_user_watch(void *do_not_use, GIOCondition cond, + void *opaque) { NetVhostUserState *s = opaque; diff --git a/tests/data/acpi/microvm/DSDT.pcie b/tests/data/acpi/microvm/DSDT.pcie index 3fb373fd97..765f14ef3d 100644 --- a/tests/data/acpi/microvm/DSDT.pcie +++ b/tests/data/acpi/microvm/DSDT.pcie Binary files differdiff --git a/tests/data/acpi/virt/DSDT b/tests/data/acpi/virt/DSDT index 134d8ae5b6..c475039907 100644 --- a/tests/data/acpi/virt/DSDT +++ b/tests/data/acpi/virt/DSDT Binary files differdiff --git a/tests/data/acpi/virt/DSDT.memhp b/tests/data/acpi/virt/DSDT.memhp index 140976b23e..bae36cdd39 100644 --- a/tests/data/acpi/virt/DSDT.memhp +++ b/tests/data/acpi/virt/DSDT.memhp Binary files differdiff --git a/tests/data/acpi/virt/DSDT.numamem b/tests/data/acpi/virt/DSDT.numamem index 134d8ae5b6..c475039907 100644 --- a/tests/data/acpi/virt/DSDT.numamem +++ b/tests/data/acpi/virt/DSDT.numamem Binary files differdiff --git a/tests/data/acpi/virt/DSDT.pxb b/tests/data/acpi/virt/DSDT.pxb index 46b9c4cad5..fbd78f44c4 100644 --- a/tests/data/acpi/virt/DSDT.pxb +++ b/tests/data/acpi/virt/DSDT.pxb Binary files differdiff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c index 96602eac7e..ae14305344 100644 --- a/tests/qtest/fuzz-sdcard-test.c +++ b/tests/qtest/fuzz-sdcard-test.c @@ -52,6 +52,41 @@ static void oss_fuzz_29225(void) qtest_quit(s); } +/* + * https://gitlab.com/qemu-project/qemu/-/issues/495 + * Used to trigger: + * Assertion `wpnum < sd->wpgrps_size' failed. + */ +static void oss_fuzz_36217(void) +{ + QTestState *s; + + s = qtest_init(" -display none -m 32 -nodefaults -nographic" + " -device sdhci-pci,sd-spec-version=3 " + "-device sd-card,drive=d0 " + "-drive if=none,index=0,file=null-co://,format=raw,id=d0"); + + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xe0000000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x02); + qtest_bufwrite(s, 0xe000002c, "\x05", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x37", 0x1); + qtest_bufwrite(s, 0xe000000a, "\x01", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x29", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x02", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x03", 0x1); + qtest_bufwrite(s, 0xe0000005, "\x01", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x06", 0x1); + qtest_bufwrite(s, 0xe000000c, "\x05", 0x1); + qtest_bufwrite(s, 0xe000000e, "\x20", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x08", 0x1); + qtest_bufwrite(s, 0xe000000b, "\x3d", 0x1); + qtest_bufwrite(s, 0xe000000f, "\x1e", 0x1); + + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch = qtest_get_arch(); @@ -60,6 +95,7 @@ int main(int argc, char **argv) if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225); + qtest_add_func("fuzz/sdcard/oss_fuzz_36217", oss_fuzz_36217); } return g_test_run(); diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c index 080a240b74..f2f3676d1f 100644 --- a/util/qemu-sockets.c +++ b/util/qemu-sockets.c @@ -1345,13 +1345,16 @@ socket_sockaddr_to_address_unix(struct sockaddr_storage *sa, SocketAddress *addr; struct sockaddr_un *su = (struct sockaddr_un *)sa; + assert(salen >= sizeof(su->sun_family) + 1 && + salen <= sizeof(struct sockaddr_un)); + addr = g_new0(SocketAddress, 1); addr->type = SOCKET_ADDRESS_TYPE_UNIX; #ifdef CONFIG_LINUX if (!su->sun_path[0]) { /* Linux abstract socket */ addr->u.q_unix.path = g_strndup(su->sun_path + 1, - sizeof(su->sun_path) - 1); + salen - sizeof(su->sun_family) - 1); addr->u.q_unix.has_abstract = true; addr->u.q_unix.abstract = true; addr->u.q_unix.has_tight = true; |