1 /*
2 * QTest testcase for ivshmem
4 * Copyright (c) 2014 SUSE LINUX Products GmbH
5 * Copyright (c) 2015 Red Hat, Inc.
7 * This work is licensed under the terms of the GNU GPL, version 2 or later.
8 * See the COPYING file in the top-level directory.
9 */
11 #include "qemu/osdep.h"
12 #include <glib.h>
13 #include <glib/gstdio.h>
14 #include <sys/mman.h>
15 #include "contrib/ivshmem-server/ivshmem-server.h"
16 #include "libqos/pci-pc.h"
17 #include "libqtest.h"
18 #include "qemu-common.h"
/* Size of the shared memory object backing the ivshmem device: 1 MiB. */
#define TMPSHMSIZE (1 << 20)

/* Name of the POSIX shm object created by mktempshm(); heap-allocated. */
static char *tmpshm;
/* Host-side mapping of that object, TMPSHMSIZE bytes long. */
static void *tmpshmem;
/* Scratch directory created by main(); points at main()'s own buffer. */
static char *tmpdir;
/* Path of the ivshmem-server UNIX socket inside tmpdir; heap-allocated. */
static char *tmpserver;
/*
 * qpci_device_foreach() callback: store the matched device through @data,
 * which the caller passes as a QPCIDevice **. @devfn is not used.
 */
static void save_fn(QPCIDevice *dev, int devfn, void *data)
{
    QPCIDevice **slot = data;

    *slot = dev;
}
/*
 * Look up the ivshmem PCI function (IDs 0x1af4/0x1110) on @pcibus.
 * Aborts the test if no such device is present; never returns NULL.
 * The caller owns the returned device (cleanup_vm() releases it).
 */
static QPCIDevice *get_device(QPCIBus *pcibus)
{
    QPCIDevice *found = NULL;

    qpci_device_foreach(pcibus, 0x1af4, 0x1110, save_fn, &found);
    g_assert(found != NULL);

    return found;
}
/* Everything the tests need to talk to one QEMU instance with an ivshmem device. */
typedef struct _IVState {
    QTestState *qtest;  /* installed as global_qtest around register I/O */
    void *reg_base;     /* mapping of BAR 0 (register block) */
    void *mem_base;     /* mapping of BAR 2 (shared memory) */
    QPCIBus *pcibus;
    QPCIDevice *dev;
} IVState;
/* Byte offsets of the ivshmem registers, relative to IVState.reg_base. */
enum Reg {
    INTRMASK   = 0x0,
    INTRSTATUS = 0x4,
    IVPOSITION = 0x8,
    DOORBELL   = 0xc,
};
/*
 * Map a register offset to its printable name for trace messages.
 * Returns NULL for any value that is not one of the four known registers.
 */
static const char *reg2str(enum Reg reg)
{
    if (reg == INTRMASK) {
        return "IntrMask";
    }
    if (reg == INTRSTATUS) {
        return "IntrStatus";
    }
    if (reg == IVPOSITION) {
        return "IVPosition";
    }
    if (reg == DOORBELL) {
        return "DoorBell";
    }
    return NULL;
}
/*
 * Read the 32-bit ivshmem register @reg of the VM described by @s.
 *
 * The qtest I/O helpers act on global_qtest, so it is pointed at this VM
 * for the duration of the access and put back afterwards.
 */
static inline unsigned in_reg(IVState *s, enum Reg reg)
{
    QTestState *saved = global_qtest;
    const char *label = reg2str(reg);
    unsigned value;

    global_qtest = s->qtest;
    value = qpci_io_readl(s->dev, s->reg_base + reg);
    g_test_message("*%s -> %x\n", label, value);
    global_qtest = saved;

    return value;
}
/*
 * Write the 32-bit value @v to ivshmem register @reg of the VM described
 * by @s. global_qtest is switched to this VM for the access and restored
 * before returning.
 */
static inline void out_reg(IVState *s, enum Reg reg, unsigned v)
{
    QTestState *saved = global_qtest;
    const char *label = reg2str(reg);

    global_qtest = s->qtest;
    g_test_message("%x -> *%s\n", v, label);
    qpci_io_writel(s->dev, s->reg_base + reg, v);
    global_qtest = saved;
}
/*
 * Tear down what setup_vm_cmd() created: the PCI device handle, the bus
 * object and finally the QEMU instance itself. The pointers in @s are left
 * as they were, so @s must not be used again without a fresh setup.
 */
static void cleanup_vm(IVState *s)
{
    QPCIDevice *dev = s->dev;

    g_free(dev);
    qpci_free_pc(s->pcibus);
    qtest_quit(s->qtest);
}
/*
 * Start QEMU with the command line @cmd and fill in @s.
 *
 * BAR 0 is mapped as the register block and must be 256 bytes; BAR 2 is
 * mapped as the shared memory and must be TMPSHMSIZE bytes. When @msix is
 * true MSI-X is enabled between the two mappings. Any mismatch aborts the
 * test through the g_assert_* macros.
 */
static void setup_vm_cmd(IVState *s, const char *cmd, bool msix)
{
    uint64_t reg_bar_size;
    uint64_t mem_bar_size;

    s->qtest = qtest_start(cmd);
    s->pcibus = qpci_init_pc();
    s->dev = get_device(s->pcibus);

    /* register BAR */
    s->reg_base = qpci_iomap(s->dev, 0, &reg_bar_size);
    g_assert_nonnull(s->reg_base);
    g_assert_cmpuint(reg_bar_size, ==, 256);

    if (msix) {
        qpci_msix_enable(s->dev);
    }

    /* shared memory BAR */
    s->mem_base = qpci_iomap(s->dev, 2, &mem_bar_size);
    g_assert_nonnull(s->mem_base);
    g_assert_cmpuint(mem_bar_size, ==, TMPSHMSIZE);

    qpci_device_enable(s->dev);
}
/*
 * Start a VM with an ivshmem-plain device whose memory backend is the
 * shm object named by tmpshm (reached through /dev/shm), and fill in @s.
 */
static void setup_vm(IVState *s)
{
    char *cmdline;

    cmdline = g_strdup_printf("-object memory-backend-file"
                              ",id=mb1,size=1M,share,mem-path=/dev/shm%s"
                              " -device ivshmem-plain,memdev=mb1", tmpshm);
    setup_vm_cmd(s, cmdline, false);
    g_free(cmdline);
}
/*
 * Single-VM test: exercise the four registers, then check that data written
 * through the guest's BAR 2 shows up in the host mapping (tmpshmem) and can
 * be read back through the guest.
 */
static void test_ivshmem_single(void)
{
    IVState state;
    IVState *s = &state;
    uint32_t pattern[1024];
    const uint32_t *host_view;
    int idx;

    setup_vm(s);

    /* readable registers start out as zero */
    g_assert_cmpuint(in_reg(s, INTRMASK), ==, 0);
    g_assert_cmpuint(in_reg(s, INTRSTATUS), ==, 0);
    g_assert_cmpuint(in_reg(s, IVPOSITION), ==, 0);

    /* unmask everything, then raise an interrupt through the status register */
    out_reg(s, INTRMASK, 0xffffffff);
    g_assert_cmpuint(in_reg(s, INTRMASK), ==, 0xffffffff);
    out_reg(s, INTRSTATUS, 1);
    /* first read reports the pending bit ... */
    g_assert_cmpuint(in_reg(s, INTRSTATUS), ==, 1);
    /* ... and clears it, so the second read sees zero */
    g_assert_cmpuint(in_reg(s, INTRSTATUS), ==, 0);
    /* TODO intercept actual interrupt (needs qtest work) */

    /* invalid accesses: write to IVPosition, read from DoorBell */
    out_reg(s, IVPOSITION, 1);
    in_reg(s, DOORBELL);

    /* ring the (non-functional) doorbell */
    out_reg(s, DOORBELL, 8 << 16);

    /* guest-side write of an index pattern into shared memory */
    for (idx = 0; idx < G_N_ELEMENTS(pattern); idx++) {
        pattern[idx] = idx;
    }
    qtest_memwrite(s->qtest, (uintptr_t)s->mem_base, pattern, sizeof(pattern));

    /* the host mapping of the same shm object must show the pattern */
    host_view = tmpshmem;
    for (idx = 0; idx < G_N_ELEMENTS(pattern); idx++) {
        g_assert_cmpuint(host_view[idx], ==, idx);
    }

    /* wipe the local buffer so the read-back cannot pass on stale data */
    memset(pattern, 0, sizeof(pattern));
    qtest_memread(s->qtest, (uintptr_t)s->mem_base, pattern, sizeof(pattern));
    for (idx = 0; idx < G_N_ELEMENTS(pattern); idx++) {
        g_assert_cmpuint(pattern[idx], ==, idx);
    }

    cleanup_vm(s);
}
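/*
 * Two-VM test: both guests are backed by the same shm object, so a write by
 * the host or by either guest must be visible to the other parties.
 *
 * Each read goes through the BAR mapping of the VM whose qtest connection is
 * used. The final read previously paired s1->qtest with s2->mem_base, which
 * only worked because both VMs are configured identically.
 */
static void test_ivshmem_pair(void)
{
    IVState state1, state2, *s1, *s2;
    char *data;
    int i;

    setup_vm(&state1);
    s1 = &state1;
    setup_vm(&state2);
    s2 = &state2;

    data = g_malloc0(TMPSHMSIZE);

    /* host write, guest 1 & 2 read */
    memset(tmpshmem, 0x42, TMPSHMSIZE);
    qtest_memread(s1->qtest, (uintptr_t)s1->mem_base, data, TMPSHMSIZE);
    for (i = 0; i < TMPSHMSIZE; i++) {
        g_assert_cmpuint(data[i], ==, 0x42);
    }
    qtest_memread(s2->qtest, (uintptr_t)s2->mem_base, data, TMPSHMSIZE);
    for (i = 0; i < TMPSHMSIZE; i++) {
        g_assert_cmpuint(data[i], ==, 0x42);
    }

    /* guest 1 write, guest 2 read */
    memset(data, 0x43, TMPSHMSIZE);
    qtest_memwrite(s1->qtest, (uintptr_t)s1->mem_base, data, TMPSHMSIZE);
    /* clear the buffer so a failed read cannot pass on the data just sent */
    memset(data, 0, TMPSHMSIZE);
    qtest_memread(s2->qtest, (uintptr_t)s2->mem_base, data, TMPSHMSIZE);
    for (i = 0; i < TMPSHMSIZE; i++) {
        g_assert_cmpuint(data[i], ==, 0x43);
    }

    /* guest 2 write, guest 1 read */
    memset(data, 0x44, TMPSHMSIZE);
    qtest_memwrite(s2->qtest, (uintptr_t)s2->mem_base, data, TMPSHMSIZE);
    memset(data, 0, TMPSHMSIZE);
    /* read through guest 1's own mapping, matching the qtest handle used */
    qtest_memread(s1->qtest, (uintptr_t)s1->mem_base, data, TMPSHMSIZE);
    for (i = 0; i < TMPSHMSIZE; i++) {
        g_assert_cmpuint(data[i], ==, 0x44);
    }

    cleanup_vm(s1);
    cleanup_vm(s2);
    g_free(data);
}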
/* State shared between a test and the thread that runs the ivshmem server. */
typedef struct ServerThread {
    GThread *thread;
    IvshmemServer *server;
    /* pipe[0] is watched by server_thread(); writing to pipe[1] makes it quit */
    int pipe[2];
} ServerThread;
/*
 * Thread body that services the ivshmem server until told to stop.
 *
 * @data is the ServerThread set up by the test. The loop blocks in select()
 * on the server's descriptors plus the read end of the quit pipe and leaves
 * when the pipe becomes readable, when select() fails with anything other
 * than EINTR, or when the server reports an error. Always returns NULL.
 */
static void *server_thread(void *data)
{
    ServerThread *ctx = data;
    IvshmemServer *srv = ctx->server;
    const int quit_fd = ctx->pipe[0];

    for (;;) {
        fd_set readable;
        int nfds = quit_fd + 1;
        int nready;

        FD_ZERO(&readable);
        FD_SET(quit_fd, &readable);

        /* the server adds its own descriptors and raises nfds as needed */
        ivshmem_server_get_fds(srv, &readable, &nfds);

        nready = select(nfds, &readable, NULL, NULL, NULL);

        if (nready < 0 && errno == EINTR) {
            continue;
        }
        if (nready < 0) {
            g_critical("select error: %s\n", strerror(errno));
            break;
        }
        if (nready == 0) {
            continue;
        }

        /* a byte on the quit pipe takes priority over server work */
        if (FD_ISSET(quit_fd, &readable)) {
            break;
        }

        if (ivshmem_server_handle_fds(srv, &readable, nfds) < 0) {
            g_critical("ivshmem_server_handle_fds() failed\n");
            break;
        }
    }

    return NULL;
}
/*
 * Start a VM whose ivshmem device connects to the ivshmem server listening
 * on the UNIX socket tmpserver, and fill in @s.
 *
 * With @msi the device is "ivshmem-doorbell"; without it the device is
 * "ivshmem" with size=1M and msi=off. @nvectors is passed as vectors=.
 */
static void setup_vm_with_server(IVState *s, int nvectors, bool msi)
{
    const char *variant = msi ? "-doorbell" : ",size=1M,msi=off";
    char *cmdline;

    cmdline = g_strdup_printf("-chardev socket,id=chr0,path=%s,nowait "
                              "-device ivshmem%s,chardev=chr0,vectors=%d",
                              tmpserver, variant, nvectors);
    setup_vm_cmd(s, cmdline, msi);
    g_free(cmdline);
}
/*
 * Server-mediated test: start an ivshmem server in a helper thread, attach
 * two VMs to it and check that each can interrupt the other by ringing its
 * doorbell. With @msi the interrupt is observed as a pending MSI-X vector,
 * otherwise through the IntrStatus register.
 *
 * Note that the 5 second deadline is taken before the server and both VMs
 * are started and is shared by both polling loops; each loop still polls at
 * least once.
 */
static void test_ivshmem_server(bool msi)
{
    IVState state1, state2;
    IVState *s1 = &state1, *s2 = &state2;
    ServerThread worker;
    IvshmemServer server;
    int rc, vm1, vm2;
    int nvectors = 2;
    guint64 deadline = g_get_monotonic_time() + 5 * G_TIME_SPAN_SECOND;

    rc = ivshmem_server_init(&server, tmpserver, tmpshm, true,
                             TMPSHMSIZE, nvectors,
                             g_test_verbose());
    g_assert_cmpint(rc, ==, 0);

    rc = ivshmem_server_start(&server);
    g_assert_cmpint(rc, ==, 0);

    /* the pipe is the only way to make server_thread() return */
    worker.server = &server;
    rc = pipe(worker.pipe);
    g_assert_cmpint(rc, ==, 0);
    worker.thread = g_thread_new("ivshmem-server", server_thread, &worker);
    g_assert(worker.thread != NULL);

    setup_vm_with_server(s1, nvectors, msi);
    setup_vm_with_server(s2, nvectors, msi);

    /* the server must have handed out two distinct peer ids */
    vm1 = in_reg(s1, IVPOSITION);
    vm2 = in_reg(s2, IVPOSITION);
    g_assert_cmpint(vm1, >=, 0);
    g_assert_cmpint(vm2, >=, 0);
    g_assert_cmpint(vm1, !=, vm2);

    /* check number of MSI-X vectors */
    global_qtest = s1->qtest;
    if (msi) {
        rc = qpci_msix_table_size(s1->dev);
        g_assert_cmpuint(rc, ==, nvectors);
    }

    /* TODO test behavior before MSI-X is enabled */

    /* ping vm2 -> vm1 on vector 0: nothing may be pending beforehand */
    if (msi) {
        rc = qpci_msix_pending(s1->dev, 0);
        g_assert_cmpuint(rc, ==, 0);
    } else {
        g_assert_cmpuint(in_reg(s1, INTRSTATUS), ==, 0);
    }
    /* doorbell value: destination peer id in the upper 16 bits, vector below */
    out_reg(s2, DOORBELL, vm1 << 16);
    do {
        g_usleep(10000);
        rc = msi ? qpci_msix_pending(s1->dev, 0) : in_reg(s1, INTRSTATUS);
    } while (rc == 0 && g_get_monotonic_time() < deadline);
    g_assert_cmpuint(rc, !=, 0);

    /* ping vm1 -> vm2 on vector 1 */
    global_qtest = s2->qtest;
    if (msi) {
        rc = qpci_msix_pending(s2->dev, 1);
        g_assert_cmpuint(rc, ==, 0);
    } else {
        g_assert_cmpuint(in_reg(s2, INTRSTATUS), ==, 0);
    }
    out_reg(s1, DOORBELL, vm2 << 16 | 1);
    do {
        g_usleep(10000);
        rc = msi ? qpci_msix_pending(s2->dev, 1) : in_reg(s2, INTRSTATUS);
    } while (rc == 0 && g_get_monotonic_time() < deadline);
    g_assert_cmpuint(rc, !=, 0);

    cleanup_vm(s2);
    cleanup_vm(s1);

    /* wake the server thread through the quit pipe, then wait for it */
    if (qemu_write_full(worker.pipe[1], "q", 1) != 1) {
        g_error("qemu_write_full: %s", g_strerror(errno));
    }

    g_thread_join(worker.thread);

    ivshmem_server_close(&server);
    close(worker.pipe[1]);
    close(worker.pipe[0]);
}
/* Test case entry point: server test with MSI-X interrupt delivery. */
static void test_ivshmem_server_msi(void)
{
    const bool use_msi = true;

    test_ivshmem_server(use_msi);
}
/* Test case entry point: server test with MSI off (IntrStatus is polled). */
static void test_ivshmem_server_irq(void)
{
    const bool use_msi = false;

    test_ivshmem_server(use_msi);
}
/* PCI slot used for the hot-plugged device. */
#define PCI_SLOT_HP 0x06

/*
 * Hot-plug an "ivshmem" device backed by the tmpshm object into an otherwise
 * default VM, then unplug it again through the ACPI path.
 */
static void test_ivshmem_hotplug(void)
{
    /* device properties, in the fragment form qpci_plug_device_test() takes */
    gchar *props = g_strdup_printf("'shm': '%s', 'size': '1M'", tmpshm);

    qtest_start("");

    qpci_plug_device_test("ivshmem", "iv1", PCI_SLOT_HP, props);
    qpci_unplug_acpi_device_test("iv1", PCI_SLOT_HP);

    qtest_end();
    g_free(props);
}
/*
 * Check that ivshmem-plain accepts a memory-backend-ram object as its
 * memdev: the VM only has to come up with the expected BARs and is then
 * shut down again.
 */
static void test_ivshmem_memdev(void)
{
    static const char cmdline[] =
        "-object memory-backend-ram,size=1M,id=mb1"
        " -device ivshmem-plain,memdev=mb1";
    IVState vm;

    /* just for the sake of checking memory-backend property */
    setup_vm_cmd(&vm, cmdline, false);

    cleanup_vm(&vm);
}
/*
 * Release the process-wide fixtures created in main(): the host mapping,
 * the shm object, the server socket and the scratch directory. Each pointer
 * is reset to NULL afterwards, so calling this more than once is harmless.
 */
static void cleanup(void)
{
    if (tmpshmem != NULL) {
        munmap(tmpshmem, TMPSHMSIZE);
        tmpshmem = NULL;
    }

    if (tmpshm != NULL) {
        /* remove the name from the shm namespace before dropping the string */
        shm_unlink(tmpshm);
        g_free(tmpshm);
        tmpshm = NULL;
    }

    if (tmpserver != NULL) {
        g_unlink(tmpserver);
        g_free(tmpserver);
        tmpserver = NULL;
    }

    if (tmpdir != NULL) {
        /* tmpdir is not freed: main() points it at its own array */
        g_rmdir(tmpdir);
        tmpdir = NULL;
    }
}
/*
 * Hook registered with qtest_add_abrt_handler(): remove the shm object,
 * socket and scratch directory even when the test aborts. @data is unused.
 */
static void abrt_handler(void *data)
{
    (void)data;
    cleanup();
}
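/*
 * Create a fresh POSIX shared memory object of @size bytes.
 *
 * The name is "/qtest-<pid>-<random>"; O_EXCL makes shm_open() fail with
 * EEXIST if that name is already taken, in which case another name is tried.
 *
 * On success the open descriptor is stored in *@fd and the heap-allocated
 * name is returned; the caller must shm_unlink() and g_free() it.
 * On any error other than EEXIST, prints a message via perror() and
 * returns NULL (*@fd is then negative).
 */
static gchar *mktempshm(int size, int *fd)
{
    while (true) {
        gchar *name;
        int saved_errno;
        int rc;

        name = g_strdup_printf("/qtest-%u-%u", getpid(), g_random_int());
        /*
         * Owner read/write only: the object lives in a namespace shared with
         * every local user, and only this test and the QEMU/server processes
         * it starts need access.
         */
        *fd = shm_open(name, O_CREAT | O_RDWR | O_EXCL, S_IRUSR | S_IWUSR);
        /* 0 is a valid descriptor, so only a negative value means failure */
        if (*fd >= 0) {
            /* keep the call outside g_assert(): assertions can be compiled out */
            rc = ftruncate(*fd, size);
            g_assert(rc == 0);
            return name;
        }

        /* capture errno before any other library call can overwrite it */
        saved_errno = errno;
        g_free(name);

        if (saved_errno != EEXIST) {
            errno = saved_errno;
            perror("shm_open");
            return NULL;
        }
    }
}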
/*
 * Test driver: create the shared fixtures (shm object plus host mapping,
 * scratch directory, server socket path), register the test cases and run
 * them. The pair and server tests are only registered in slow mode.
 */
int main(int argc, char **argv)
{
    /* mkdtemp() rewrites the XXXXXX suffix in place */
    gchar dir_template[] = "/tmp/ivshmem-test.XXXXXX";
    int status;
    int shm_fd;

#if !GLIB_CHECK_VERSION(2, 31, 0)
    if (!g_thread_supported()) {
        g_thread_init(NULL);
    }
#endif

    g_test_init(&argc, &argv, NULL);

    /* make sure the fixtures are removed even if a test aborts */
    qtest_add_abrt_handler(abrt_handler, NULL);

    /* shm */
    tmpshm = mktempshm(TMPSHMSIZE, &shm_fd);
    if (tmpshm == NULL) {
        /* no shm object available: exit with status 0 without running tests */
        return 0;
    }
    tmpshmem = mmap(0, TMPSHMSIZE, PROT_READ | PROT_WRITE, MAP_SHARED,
                    shm_fd, 0);
    g_assert(tmpshmem != MAP_FAILED);

    /* server */
    if (mkdtemp(dir_template) == NULL) {
        g_error("mkdtemp: %s", g_strerror(errno));
    }
    /* tmpdir aliases this function's array, which lives until main returns */
    tmpdir = dir_template;
    tmpserver = g_strconcat(tmpdir, "/server", NULL);

    qtest_add_func("/ivshmem/single", test_ivshmem_single);
    qtest_add_func("/ivshmem/hotplug", test_ivshmem_hotplug);
    qtest_add_func("/ivshmem/memdev", test_ivshmem_memdev);
    if (g_test_slow()) {
        qtest_add_func("/ivshmem/pair", test_ivshmem_pair);
        qtest_add_func("/ivshmem/server-msi", test_ivshmem_server_msi);
        qtest_add_func("/ivshmem/server-irq", test_ivshmem_server_irq);
    }

    status = g_test_run();

    cleanup();

    return status;
}