qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 1/2] tests/ide-test: Create a single unit-test covering more P

From: Alexander Popov
Subject: [PATCH v2 1/2] tests/ide-test: Create a single unit-test covering more PRDT cases
Date: Mon, 16 Dec 2019 21:14:04 +0300 
Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
Currently this bug is not reproduced by the unit tests.

Let's improve the ide-test to cover more PRDT cases including one
that causes this particular qemu crash.

The test is developed according to the Programming Interface for
Bus Master IDE Controller (Revision 1.0 5/16/94).

Signed-off-by: Alexander Popov <address@hidden>
---
 tests/ide-test.c | 137 +++++++++++++++++++++--------------------------
 1 file changed, 61 insertions(+), 76 deletions(-)

diff --git a/tests/ide-test.c b/tests/ide-test.c
index 0277e7d5a9..f042d8a700 100644
--- a/tests/ide-test.c
+++ b/tests/ide-test.c
@@ -445,7 +445,8 @@ static void test_bmdma_trim(void)
     test_bmdma_teardown(qts);
 }
 
-static void test_bmdma_short_prdt(void)
+static void test_bmdma_prdt(uint32_t prdt_size, int nb_sectors,
+                            uint8_t req_status, uint8_t abort_req_status)
 {
     QTestState *qts;
     QPCIDevice *dev;
@@ -455,94 +456,81 @@ static void test_bmdma_short_prdt(void)
     PrdtEntry prdt[] = {
         {
             .addr = 0,
-            .size = cpu_to_le32(0x10 | PRDT_EOT),
+            .size = cpu_to_le32(prdt_size | PRDT_EOT),
         },
     };
 
     qts = test_bmdma_setup();
-
     dev = get_pci_device(qts, &bmdma_bar, &ide_bar);
 
-    /* Normal request */
-    status = send_dma_request(qts, CMD_READ_DMA, 0, 1,
+    /* Test the request */
+    status = send_dma_request(qts, CMD_READ_DMA, 0, nb_sectors,
                               prdt, ARRAY_SIZE(prdt), NULL);
-    g_assert_cmphex(status, ==, 0);
+    g_assert_cmphex(status, ==, req_status);
     assert_bit_clear(qpci_io_readb(dev, ide_bar, reg_status), DF | ERR);
 
-    /* Abort the request before it completes */
-    status = send_dma_request(qts, CMD_READ_DMA | CMDF_ABORT, 0, 1,
-                              prdt, ARRAY_SIZE(prdt), NULL);
-    g_assert_cmphex(status, ==, 0);
+    /* Now test aborting the same request */
+    status = send_dma_request(qts, CMD_READ_DMA | CMDF_ABORT, 0,
+                              nb_sectors, prdt, ARRAY_SIZE(prdt), NULL);
+    g_assert_cmphex(status, ==, abort_req_status);
     assert_bit_clear(qpci_io_readb(dev, ide_bar, reg_status), DF | ERR);
-    free_pci_device(dev);
-    test_bmdma_teardown(qts);
-}
 
-static void test_bmdma_one_sector_short_prdt(void)
-{
-    QTestState *qts;
-    QPCIDevice *dev;
-    QPCIBar bmdma_bar, ide_bar;
-    uint8_t status;
-
-    /* Read 2 sectors but only give 1 sector in PRDT */
-    PrdtEntry prdt[] = {
-        {
-            .addr = 0,
-            .size = cpu_to_le32(0x200 | PRDT_EOT),
-        },
-    };
-
-    qts = test_bmdma_setup();
-
-    dev = get_pci_device(qts, &bmdma_bar, &ide_bar);
-
-    /* Normal request */
-    status = send_dma_request(qts, CMD_READ_DMA, 0, 2,
-                              prdt, ARRAY_SIZE(prdt), NULL);
-    g_assert_cmphex(status, ==, 0);
-    assert_bit_clear(qpci_io_readb(dev, ide_bar, reg_status), DF | ERR);
-
-    /* Abort the request before it completes */
-    status = send_dma_request(qts, CMD_READ_DMA | CMDF_ABORT, 0, 2,
-                              prdt, ARRAY_SIZE(prdt), NULL);
-    g_assert_cmphex(status, ==, 0);
-    assert_bit_clear(qpci_io_readb(dev, ide_bar, reg_status), DF | ERR);
     free_pci_device(dev);
     test_bmdma_teardown(qts);
 }
 
-static void test_bmdma_long_prdt(void)
+/*
+ * This test is developed according to the Programming Interface for
+ * Bus Master IDE Controller (Revision 1.0 5/16/94)
+ */
+static void test_bmdma_various_prdts(void)
 {
-    QTestState *qts;
-    QPCIDevice *dev;
-    QPCIBar bmdma_bar, ide_bar;
-    uint8_t status;
-
-    PrdtEntry prdt[] = {
-        {
-            .addr = 0,
-            .size = cpu_to_le32(0x1000 | PRDT_EOT),
-        },
-    };
-
-    qts = test_bmdma_setup();
-
-    dev = get_pci_device(qts, &bmdma_bar, &ide_bar);
-
-    /* Normal request */
-    status = send_dma_request(qts, CMD_READ_DMA, 0, 1,
-                              prdt, ARRAY_SIZE(prdt), NULL);
-    g_assert_cmphex(status, ==, BM_STS_ACTIVE | BM_STS_INTR);
-    assert_bit_clear(qpci_io_readb(dev, ide_bar, reg_status), DF | ERR);
+    uint32_t size = 0;
+    uint32_t prd_size = 0;
+    int req_sectors = 0;
+    uint32_t req_size = 0;
+    uint8_t s1 = 0, s2 = 0;
+
+    for (size = 0; size < 65536; size += 256) {
+        /*
+         * Two bytes specify the count of the region in bytes.
+         * The bit 0 is always set to 0.
+         * A value of zero in these two bytes indicates 64K.
+         */
+        prd_size = size & 0xfffe;
+        if (prd_size == 0) {
+            prd_size = 65536;
+        }
 
-    /* Abort the request before it completes */
-    status = send_dma_request(qts, CMD_READ_DMA | CMDF_ABORT, 0, 1,
-                              prdt, ARRAY_SIZE(prdt), NULL);
-    g_assert_cmphex(status, ==, BM_STS_INTR);
-    assert_bit_clear(qpci_io_readb(dev, ide_bar, reg_status), DF | ERR);
-    free_pci_device(dev);
-    test_bmdma_teardown(qts);
+        for (req_sectors = 1; req_sectors <= 256; req_sectors *= 2) {
+            req_size = req_sectors * 512;
+
+            /*
+             * 1. If PRDs specified a smaller size than the IDE transfer
+             * size, then the Interrupt and Active bits in the Controller
+             * status register are not set (Error Condition).
+             *
+             * 2. If the size of the physical memory regions was equal to
+             * the IDE device transfer size, the Interrupt bit in the
+             * Controller status register is set to 1, Active bit is set to 0.
+             *
+             * 3. If PRDs specified a larger size than the IDE transfer size,
+             * the Interrupt and Active bits in the Controller status register
+             * are both set to 1.
+             */
+            if (prd_size < req_size) {
+                s1 = 0;
+                s2 = 0;
+            } else if (prd_size == req_size) {
+                s1 = BM_STS_INTR;
+                s2 = BM_STS_INTR;
+            } else {
+                s1 = BM_STS_ACTIVE | BM_STS_INTR;
+                s2 = BM_STS_INTR;
+            }
+            test_bmdma_prdt(size, req_sectors, s1, s2);
+        }
+    }
 }
 
 static void test_bmdma_no_busmaster(void)
@@ -1066,10 +1054,7 @@ int main(int argc, char **argv)
 
     qtest_add_func("/ide/bmdma/simple_rw", test_bmdma_simple_rw);
     qtest_add_func("/ide/bmdma/trim", test_bmdma_trim);
-    qtest_add_func("/ide/bmdma/short_prdt", test_bmdma_short_prdt);
-    qtest_add_func("/ide/bmdma/one_sector_short_prdt",
-                   test_bmdma_one_sector_short_prdt);
-    qtest_add_func("/ide/bmdma/long_prdt", test_bmdma_long_prdt);
+    qtest_add_func("/ide/bmdma/various_prdts", test_bmdma_various_prdts);
     qtest_add_func("/ide/bmdma/no_busmaster", test_bmdma_no_busmaster);
 
     qtest_add_func("/ide/flush", test_flush);
-- 
2.23.0
reply via email to
[Prev in Thread] Current Thread [Next in Thread]