From nobody Sun Dec 29 01:06:54 2024 Delivered-To: importer2@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=swemel.ru ARC-Seal: i=1; a=rsa-sha256; t=1718870369; cv=none; d=zohomail.com; s=zohoarc; b=dpXbQIbmdtC12tkgyOSnuCgJXa+iWQ0G6yGdYsFfd8XwFkiMATOO9pylTiMKYIzx1WedDssSWReQwwBiNhFh0Ri2JMxlI6g8Ozqhz/lCowJgPXBzmcj7uft4FWNzOE+3iSR6wBg4izuOD9IVlbrMtFVEc2I/FqWv6jbkVdtXjjI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1718870369; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KaU9cgmLIerNEpu6u9oGU8K3uAdhAJgSaULPLqMWsaQ=; b=kZX0klw2LRghxfpm2264J7R/pKRNt+CqXRLku5TF+I3OU3WnvB28P3tzmalBRVKq6QwRaUNWyMk5DWUkltB9WvgPYDSlRvOicS/1lEGZqw/sLPO//A1/rZ59koZuP1N4rFQB/LV0mhJWS9q47Foo5QT5A56DYAfKSPJtWOfOaRs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1718870369143268.40369575213583; Thu, 20 Jun 2024 00:59:29 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sKCgN-0003Ls-3Z; Thu, 20 Jun 2024 03:58:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sKCgK-0003II-R3 for qemu-devel@nongnu.org; Thu, 20 Jun 2024 03:58:09 -0400 Received: from mx.swemel.ru ([95.143.211.150]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sKCgH-00004s-UC for qemu-devel@nongnu.org; Thu, 20 Jun 2024 03:58:08 -0400 From: Dmitry Frolov DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=swemel.ru; s=mail; t=1718870279; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=KaU9cgmLIerNEpu6u9oGU8K3uAdhAJgSaULPLqMWsaQ=; b=k3wWWZsYI1qpXno8XASbJ7Np0aPpEI2x9X0apHKOtkwLWgp9gV0EJ+YWmlzO/2lhhMbigx +v8V664PnnZoWKh60DmG+6+xCfixCq36FmeEdJBBWrtVsmVdjdfsCWXSas5DcwF2v3zWeb c8WCLhy5Tv8wOTL8mZs0hou1cmjqw+8= To: alxndr@bu.edu Cc: sdl.qemu@linuxtesting.org, qemu-devel@nongnu.org, Dmitry Frolov Subject: [PATCH v2] tests/qtest/fuzz/virtio_net_fuzz.c: fix virtio_net_fuzz_multi Date: Thu, 20 Jun 2024 10:54:35 +0300 Message-ID: <20240620075454.194425-3-frolov@swemel.ru> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer2=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=95.143.211.150; envelope-from=frolov@swemel.ru; helo=mx.swemel.ru X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer2=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer2=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @swemel.ru) X-ZM-MESSAGEID: 1718870372391100003 Content-Type: text/plain; charset="utf-8" The main loop is executed during flush_events(), where virtio error may occ= ur. This behavior is legit and should not produce any crash report. But the test is waiting on used descriptors w/o a check, and, in case of er= ror fails with message: "assertion timer !=3D NULL failed". Thus, any invalid input data produces a meaningless crash report. Debuging the problem, I found that in case of virtio error in the main loop, dev->bus->get_status(dev) is 0 in most cases. In rare cases VIRTIO_CONFIG_S_NEEDS_RESET bit is set. So, checking only for VIRTIO_CONFIG_S_NEEDS_RESET bit is not enough. Also, the second qvirtqueue_add() call with corresponding comment are redun= dant. v1: https://patchew.org/QEMU/20240523102813.396750-2-frolov@swemel.ru/ v2: modified error-check & clean-up Signed-off-by: Dmitry Frolov --- tests/qtest/fuzz/virtio_net_fuzz.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/qtest/fuzz/virtio_net_fuzz.c b/tests/qtest/fuzz/virtio_n= et_fuzz.c index e239875e3b..f62d2b9478 100644 --- a/tests/qtest/fuzz/virtio_net_fuzz.c +++ b/tests/qtest/fuzz/virtio_net_fuzz.c @@ -65,22 +65,21 @@ static void virtio_net_fuzz_multi(QTestState *s, } else { vqa.rx =3D 0; uint64_t req_addr =3D guest_alloc(t_alloc, vqa.length); - /* - * If checking used ring, ensure that the fuzzer doesn't trigg= er - * trivial asserion failure on zero-zied buffer - */ qtest_memwrite(s, req_addr, Data, vqa.length); =20 - free_head =3D qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write, vqa.next); - qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.nex= t); qvirtqueue_kick(s, dev, q, free_head); } =20 /* Run the main loop */ qtest_clock_step(s, 100); flush_events(s); + /* Input led to a virtio_error */ + if (dev->bus->get_status(dev) & VIRTIO_CONFIG_S_NEEDS_RESET || + !(dev->bus->get_status(dev) & VIRTIO_CONFIG_S_DRIVER_OK)) { + return; + } =20 /* Wait on used descriptors */ if (check_used && !vqa.rx) { @@ -92,10 +91,6 @@ static void virtio_net_fuzz_multi(QTestState *s, */ while (!vqa.rx && q !=3D net_if->queues[QVIRTIO_RX_VQ]) { uint32_t got_desc_idx; - /* Input led to a virtio_error */ - if (dev->bus->get_status(dev) & VIRTIO_CONFIG_S_NEEDS_RESE= T) { - break; - } if (dev->bus->get_queue_isr_status(dev, q) && qvirtqueue_get_buf(s, q, &got_desc_idx, NULL)) { g_assert_cmpint(got_desc_idx, =3D=3D, free_head); @@ -107,6 +102,11 @@ static void virtio_net_fuzz_multi(QTestState *s, /* Run the main loop */ qtest_clock_step(s, 100); flush_events(s); + /* Input led to a virtio_error */ + if (dev->bus->get_status(dev) & VIRTIO_CONFIG_S_NEEDS_RESE= T || + !(dev->bus->get_status(dev) & VIRTIO_CONFIG_S_DRIVER_OK)= ) { + return; + } } } Data +=3D vqa.length; --=20 2.43.0