From c7f41e4f53c4763bf1e350723a560dc3bf46e04b Mon Sep 17 00:00:00 2001
From: Ilya Leoshkevich
Date: Mon, 7 Aug 2023 13:48:20 +0200
Subject: [PATCH 1/7] target/s390x: Define TARGET_HAS_PRECISE_SMC PoP (Sequence of Storage References -> Instruction Fetching) says: ... if a store that is conceptually earlier is made by the same CPU using the same effective address as that by which the instruction is subse- quently fetched, the updated information is obtained ... QEMU already has support for this in the common code; enable it for s390x.
Signed-off-by: Ilya Leoshkevich
Message-Id: <20230807114921.438881-1-iii@linux.ibm.com>
Acked-by: David Hildenbrand
Signed-off-by: Thomas Huth
---
 target/s390x/cpu.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
index eb5b65b7d3..304029e57c 100644
--- a/target/s390x/cpu.h
+++ b/target/s390x/cpu.h
@@ -36,6 +36,8 @@
 /* The z/Architecture has a strong memory model with some store-after-load re-ordering */
 #define TCG_GUEST_DEFAULT_MO (TCG_MO_ALL & ~TCG_MO_ST_LD)
+#define TARGET_HAS_PRECISE_SMC
+
 #define TARGET_INSN_START_EXTRA_WORDS 2
 #define MMU_USER_IDX 0
From c3513ce5c8736807cb4e5ff529eebadf7a82dbde Mon Sep 17 00:00:00 2001
From: Ilya Leoshkevich
Date: Mon, 7 Aug 2023 13:48:21 +0200
Subject: [PATCH 2/7] tests/tcg/s390x: Test precise self-modifying code handling Add small softmmu and user tests to prevent regressions.
Signed-off-by: Ilya Leoshkevich
Message-Id: <20230807114921.438881-2-iii@linux.ibm.com>
Signed-off-by: Thomas Huth
---
 tests/tcg/s390x/Makefile.softmmu-target | 1 +
 tests/tcg/s390x/Makefile.target | 1 +
 tests/tcg/s390x/precise-smc-softmmu.S | 63 +++++++++++++++++++++++++
 tests/tcg/s390x/precise-smc-user.c | 39 +++++++++++++++
 4 files changed, 104 insertions(+)
 create mode 100644 tests/tcg/s390x/precise-smc-softmmu.S
 create mode 100644 tests/tcg/s390x/precise-smc-user.c
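Review bot: The new `#define TARGET_HAS_PRECISE_SMC` carries no comment, so the architectural reason for enabling it (the PoP "Instruction Fetching" rule quoted in the commit message) is only discoverable through git log. Suggest placing it directly above the define: `/* PoP, Instruction Fetching: a store by the same CPU to the address of a subsequently fetched instruction must be observed by that fetch. */`. The neighbouring `TCG_GUEST_DEFAULT_MO` line already documents its memory-model rationale in place, so this keeps the header consistent.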
diff --git a/tests/tcg/s390x/Makefile.softmmu-target b/tests/tcg/s390x/Makefile.softmmu-target
index 76345b6e64..1a1f088b28 100644
--- a/tests/tcg/s390x/Makefile.softmmu-target
+++ b/tests/tcg/s390x/Makefile.softmmu-target
@@ -25,6 +25,7 @@ ASM_TESTS = \
 lpswe-early \
 lra \
 mc \
+ precise-smc-softmmu \
 ssm-early \
 stosm-early \
 stpq \
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index 9c0e70c6ca..c650aefe5c 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -61,6 +61,7 @@ Z13_TESTS+=locfhr
 Z13_TESTS+=vcksm
 Z13_TESTS+=vstl
 Z13_TESTS+=vrep
+Z13_TESTS+=precise-smc-user
 $(Z13_TESTS): CFLAGS+=-march=z13 -O2
 TESTS+=$(Z13_TESTS)
diff --git a/tests/tcg/s390x/precise-smc-softmmu.S b/tests/tcg/s390x/precise-smc-softmmu.S
new file mode 100644
index 0000000000..f7fa57d899
--- /dev/null
+++ b/tests/tcg/s390x/precise-smc-softmmu.S
@@ -0,0 +1,63 @@
+/*
+ * Test s390x-softmmu precise self-modifying code handling.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+ .org 0x8e
+program_interruption_code:
+ .org 0x150
+program_old_psw:
+ .org 0x1D0 /* program new PSW */
+ .quad 0x180000000,pgm /* 64-bit mode */
+ .org 0x200 /* lowcore padding */
+ .globl _start
+_start:
+ lctlg %c0,%c0,c0
+ lghi %r0,15
+
+ /* Test 1: replace sgr with agr. */
+ lghi %r1,21
+ vl %v0,patch1
+ jg 1f /* start a new TB */
+0:
+ .org . + 6 /* pad patched code to 16 bytes */
+1:
+ vstl %v0,%r0,0b /* start writing before TB */
+ sgr %r1,%r1 /* this becomes `agr %r1,%r1` */
+ cgijne %r1,42,failure
+
+ /* Test 2: replace agr with division by zero. */
+ vl %v0,patch2
+ jg 1f /* start a new TB */
+0:
+ .org . + 6 /* pad patched code to 16 bytes */
+1:
+ vstl %v0,%r0,0b /* start writing before TB */
+ sgr %r1,%r1 /* this becomes `d %r0,zero` */
+failure:
+ lpswe failure_psw
+
+pgm:
+ chhsi program_interruption_code,0x9 /* divide exception? */
+ jne failure
+ clc program_old_psw(16),expected_old_psw2 /* correct old PSW? */
+ jne failure
+ lpswe success_psw
+
+patch1:
+ .fill 12 /* replaces padding and stpq */
+ agr %r1,%r1 /* replaces sgr */
+patch2:
+ .fill 12 /* replaces padding and stpq */
+ d %r0,zero /* replaces sgr */
+zero:
+ .long 0
+expected_old_psw2:
+ .quad 0x200180000000,failure /* cc is from addition */
+ .align 8
+c0:
+ .quad 0x60000 /* AFP, VX */
+success_psw:
+ .quad 0x2000000000000,0xfff /* see is_special_wait_psw() */
+failure_psw:
+ .quad 0x2000000000000,0 /* disabled wait */
diff --git a/tests/tcg/s390x/precise-smc-user.c b/tests/tcg/s390x/precise-smc-user.c
new file mode 100644
index 0000000000..33a5270865
--- /dev/null
+++ b/tests/tcg/s390x/precise-smc-user.c
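Review bot: The comment on both `.fill 12` lines under `patch1` and `patch2` reads `/* replaces padding and stpq */`, but there is no `stpq` in this file; the 16-byte store issued by `vstl %v0,%r0,0b` (r0 = 15) covers the 6-byte `.org . + 6` padding at `0:`, the `vstl` at `1:` and the `sgr`, so the filled 12 bytes overwrite the padding and the `vstl` itself. Suggest `/* replaces padding and vstl */` on both lines; the "stpq" wording is presumably a leftover from an earlier revision of the test. The layout also relies implicitly on `vstl` being 6 bytes and `sgr` 4 bytes so that the patched window is exactly 16 bytes; an assembler-time guard after each `sgr`, such as `.if . - 0b != 16` / `.error "patched window must be 16 bytes"` / `.endif`, would turn a silent size mismatch into a build failure.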
@@ -0,0 +1,39 @@
+/*
+ * Test s390x-linux-user precise self-modifying code handling.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include
+#include
+#include
+#include
+
+extern __uint128_t __attribute__((__aligned__(1))) smc;
+extern __uint128_t __attribute__((__aligned__(1))) patch;
+
+int main(void)
+{
+ char *aligned_smc = (char *)((uintptr_t)&smc & ~0xFFFULL);
+ char *smc_end = (char *)&smc + sizeof(smc);
+ uint64_t value = 21;
+ int err;
+
+ err = mprotect(aligned_smc, smc_end - aligned_smc,
+ PROT_READ | PROT_WRITE | PROT_EXEC);
+ assert(err == 0);
+
+ asm("jg 0f\n" /* start a new TB */
+ "patch: .byte 0,0,0,0,0,0\n" /* replaces padding */
+ ".byte 0,0,0,0,0,0\n" /* replaces vstl */
+ "agr %[value],%[value]\n" /* replaces sgr */
+ "smc: .org . + 6\n" /* pad patched code to 16 bytes */
+ "0: vstl %[patch],%[idx],%[smc]\n" /* start writing before TB */
+ "sgr %[value],%[value]" /* this becomes `agr %r0,%r0` */
+ : [smc] "=R" (smc)
+ , [value] "+r" (value)
+ : [patch] "v" (patch)
+ , [idx] "r" (sizeof(patch) - 1)
+ : "cc");
+
+ return value == 42 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
From 0a1e462daf03bf0c8119e4369807d0d4a965fbc6 Mon Sep 17 00:00:00 2001
From: Thomas Huth
Date: Tue, 22 Aug 2023 18:30:24 +0200
Subject: [PATCH 3/7] tests/qtest/usb-hcd-xhci-test: Check availability of devices before using them The "usb-uas" and "usb-ccid" might not be compiled into the QEMU binary, so let's better check first whether they are available.
Message-Id: <20230822163024.61529-1-thuth@redhat.com>
Reviewed-by: Fabiano Rosas
Signed-off-by: Thomas Huth
---
 tests/qtest/usb-hcd-xhci-test.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/usb-hcd-xhci-test.c b/tests/qtest/usb-hcd-xhci-test.c
index 10ef9d2a91..80bc039446 100644
--- a/tests/qtest/usb-hcd-xhci-test.c
+++ b/tests/qtest/usb-hcd-xhci-test.c
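Review bot: `(uintptr_t)&smc & ~0xFFFULL` hard-codes a 4 KiB page size for the `mprotect()` start address; on a kernel with a different page size the address is not page-aligned and the call fails with EINVAL, which the `assert(err == 0)` turns into an abort rather than a clear diagnosis. Suggest deriving the mask at run time: `uintptr_t pgmask = sysconf(_SC_PAGESIZE) - 1;` followed by `char *aligned_smc = (char *)((uintptr_t)&smc & ~pgmask);` (the `#include` lines in this hunk have lost their header names in rendering, so whether `<unistd.h>` is already included cannot be confirmed here). A secondary point: the text page is left readable, writable and executable for the rest of the process; a second `mprotect(aligned_smc, smc_end - aligned_smc, PROT_READ | PROT_EXEC)` after the asm block would restore W^X, though it is not needed for the test's result.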
@@ -56,8 +56,12 @@ int main(int argc, char **argv)
 qtest_add_func("/xhci/pci/init", test_xhci_init);
 qtest_add_func("/xhci/pci/hotplug", test_xhci_hotplug);
- qtest_add_func("/xhci/pci/hotplug/usb-uas", test_usb_uas_hotplug);
- qtest_add_func("/xhci/pci/hotplug/usb-ccid", test_usb_ccid_hotplug);
+ if (qtest_has_device("usb-uas")) {
+ qtest_add_func("/xhci/pci/hotplug/usb-uas", test_usb_uas_hotplug);
+ }
+ if (qtest_has_device("usb-ccid")) {
+ qtest_add_func("/xhci/pci/hotplug/usb-ccid", test_usb_ccid_hotplug);
+ }
 qtest_start("-device nec-usb-xhci,id=xhci"
 " -drive id=drive0,if=none,file=null-co://,"
From b2a7d8633ff31ea97e7d4edc23af461a28a66d9d Mon Sep 17 00:00:00 2001
From: Peter Maydell
Date: Thu, 24 Aug 2023 17:45:35 +0100
Subject: [PATCH 4/7] tests/qtest/netdev-socket: Avoid variable-length array in inet_get_free_port_multiple()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We use a variable-length array in inet_get_free_port_multiple(). This is only test code called at the start of a test, so switch to a heap allocation instead. The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell
Message-Id: <20230824164535.2652070-1-peter.maydell@linaro.org>
Reviewed-by: Laurent Vivier
Reviewed-by: Thomas Huth
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Thomas Huth
---
 tests/qtest/netdev-socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/netdev-socket.c b/tests/qtest/netdev-socket.c
index 097abc0230..8eed54801f 100644
--- a/tests/qtest/netdev-socket.c
+++ b/tests/qtest/netdev-socket.c
@@ -82,7 +82,7 @@ static int inet_get_free_port_socket_ipv6(int sock)
 static int inet_get_free_port_multiple(int nb, int *port, bool ipv6)
 {
- int sock[nb];
+ g_autofree int *sock = g_new(int, nb);
 int i;
 for (i = 0; i < nb; i++) {
From a864cc54eed251d2928aaf189fc4131db2841285 Mon Sep 17 00:00:00 2001
From: Thomas Huth
Date: Tue, 22 Aug 2023 18:49:48 +0200
Subject: [PATCH 5/7] tests/qtest/bios-tables-test: Check for virtio-iommu device before using it The virtio-iommu device might be missing in the QEMU binary (e.g. in downstream RHEL builds), so let's better check for its availability first before using it.
Message-Id: <20230822164948.65187-1-thuth@redhat.com>
Acked-by: Igor Mammedov
Signed-off-by: Thomas Huth
---
 tests/qtest/bios-tables-test.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 47ba20b957..dd06e6300a 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -2138,7 +2138,9 @@ int main(int argc, char *argv[])
 qtest_add_func("acpi/q35/core-count2", test_acpi_q35_tcg_core_count2);
 }
- qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
+ if (qtest_has_device("virtio-iommu-pci")) {
+ qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
+ }
 #ifdef CONFIG_POSIX
 qtest_add_func("acpi/q35/cxl", test_acpi_q35_cxl);
 #endif
@@ -2173,7 +2175,9 @@ int main(int argc, char *argv[])
 qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
 qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
 qtest_add_func("acpi/virt/oem-fields", test_acpi_virt_oem_fields);
- qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
+ if (qtest_has_device("virtio-iommu-pci")) {
+ qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
+ }
 }
 }
 ret = g_test_run();
From c01196bdddc280ae3710912e98e78f3103155eaf Mon Sep 17 00:00:00 2001
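Review bot: `g_new(int, nb)` takes its element count as an unsigned `gsize`, so a negative `nb` (the parameter is a plain `int`) now becomes a huge allocation that aborts inside GLib, while `nb == 0` yields a NULL `sock` that the loop never touches; neither case is rejected explicitly. A `g_assert(nb > 0);` immediately before the allocation makes the precondition visible and gives a readable failure instead of an allocator abort. Note that `g_autofree` only releases the array; any descriptors stored in it still have to be closed by the function body, which continues past this hunk and is not visible here.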
From: Thomas Huth
Date: Wed, 16 Aug 2023 11:15:22 +0200
Subject: [PATCH 6/7] subprojects/berkeley-testfloat-3: Update to fix a problem with compiler warnings Update the berkeley-testfloat-3 wrap to include a patch provided by Olaf Hering. This fixes a problem with "control reaches end of non-void function [-Werror=return-type]" compiler warning/errors that are now enabled by default in certain versions of GCC.
Reported-by: Olaf Hering
Message-Id: <20230816091522.1292029-1-thuth@redhat.com>
Signed-off-by: Thomas Huth
---
 subprojects/berkeley-testfloat-3.wrap | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/berkeley-testfloat-3.wrap b/subprojects/berkeley-testfloat-3.wrap
index 6ad80a37b2..c86dc078a8 100644
--- a/subprojects/berkeley-testfloat-3.wrap
+++ b/subprojects/berkeley-testfloat-3.wrap
@@ -1,5 +1,5 @@
 [wrap-git]
 url = https://gitlab.com/qemu-project/berkeley-testfloat-3
-revision = 40619cbb3bf32872df8c53cc457039229428a263
+revision = e7af9751d9f9fd3b47911f51a5cfd08af256a9ab
 patch_directory = berkeley-testfloat-3
 depth = 1
From 03b8a71e8459c9dfdafdb6fde673827eb17a89a2 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Wed, 30 Aug 2023 11:53:47 +0200
Subject: [PATCH 7/7] meson: test for CONFIG_TCG in config_all
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CONFIG_TCG is not included in *-config-devices.h, so the test is always failing.
Fixes: 74884cb1a6d ("qtest/meson.build: check CONFIG_TCG for boot-serial-test in qtests_ppc", 2022-03-14)
Fixes: 44d827ea69e ("qtest/meson.build: check CONFIG_TCG for prom-env-test in qtests_ppc", 2022-03-14)
Signed-off-by: Paolo Bonzini
Message-Id: <20230830095347.132485-1-pbonzini@redhat.com>
Reviewed-by: Thomas Huth
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Thomas Huth
---
 tests/qtest/meson.build | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index b071d400b3..3afe9e9ee3 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -155,8 +155,8 @@ qtests_ppc = \
 qtests_filter + \
 (config_all_devices.has_key('CONFIG_ISA_TESTDEV') ? ['endianness-test'] : []) + \
 (config_all_devices.has_key('CONFIG_M48T59') ? ['m48t59-test'] : []) + \
- (config_all_devices.has_key('CONFIG_TCG') ? ['prom-env-test'] : []) + \
- (config_all_devices.has_key('CONFIG_TCG') ? ['boot-serial-test'] : []) + \
+ (config_all.has_key('CONFIG_TCG') ? ['prom-env-test'] : []) + \
+ (config_all.has_key('CONFIG_TCG') ? ['boot-serial-test'] : []) + \
 ['boot-order-test']
 qtests_ppc64 = \
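Review bot: The two added lines evaluate `config_all.has_key('CONFIG_TCG')` twice to append one test each; a single conditional, `(config_all.has_key('CONFIG_TCG') ? ['prom-env-test', 'boot-serial-test'] : []) + \`, expresses the same list in one line and keeps the two TCG-only tests visibly tied to the same condition. This is a style point only; the corrected dictionary lookup is what the commit is about and is unchanged by the suggestion. The trailing `qtests_ppc64 = \` is the start of the next assignment, which continues beyond the hunk.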