[Qemu-devel] [PATCH for-2.12 0/4] Fix crashes with CAN bus and ISA DMA devices

[Qemu-devel] [PATCH for-2.12 0/4] Fix crashes with CAN bus and ISA DMA devices

[Thomas Huth]

The new CAN bus devices and some older ISA devices that use DMA can be
used to crash QEMU. These patches introduce some proper checks so that
the users get a proper error message instead.

Alexey Kardashevskiy (1):
  fdc: Exit if ISA controller does not support DMA

Thomas Huth (3):
  hw/net/can: Fix segfaults when using the devices without bus
  hw/audio: Fix crashes when devices are used on ISA bus without DMA
  scripts/device-crash-test: Remove fixed isapc-with-iommu entry

 hw/audio/cs4231a.c        | 8 +++++++-
 hw/audio/gus.c            | 7 ++++++-
 hw/audio/sb16.c           | 9 +++++++--
 hw/block/fdc.c            | 5 ++++-
 hw/net/can/can_sja1000.c  | 4 ++++
 scripts/device-crash-test | 8 --------
 6 files changed, 28 insertions(+), 13 deletions(-)

-- 
1.8.3.1

[Qemu-devel] [PATCH 1/4] hw/net/can: Fix segfaults when using the devices without bus

[Thomas Huth]

The CAN devices can currently be used to crash QEMU, e.g.:

$ x86_64-softmmu/qemu-system-x86_64 -device kvaser_pci
Segmentation fault (core dumped)

So we've got to add a proper check here that the corresponding
bus is available.

Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/net/can/can_sja1000.c  | 4 ++++
 scripts/device-crash-test | 3 ---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
index 6293233..9a85038 100644
--- a/hw/net/can/can_sja1000.c
+++ b/hw/net/can/can_sja1000.c
@@ -866,6 +866,10 @@ int can_sja_connect_to_bus(CanSJA1000State *s, CanBusState *bus)
 {
     s->bus_client.info = &can_sja_bus_client_info;
 
+    if (!bus) {
+        return -EINVAL;
+    }
+
     if (can_bus_insert_client(bus, &s->bus_client) < 0) {
         return -1;
     }
diff --git a/scripts/device-crash-test b/scripts/device-crash-test
index f04f349..7ff351d 100755
--- a/scripts/device-crash-test
+++ b/scripts/device-crash-test
@@ -223,9 +223,6 @@ ERROR_WHITELIST = [
     {'exitcode':-11, 'device':'sb16', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'device':'cs4231a', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'machine':'isapc', 'device':'.*-iommu', 'loglevel':logging.ERROR, 'expected':True},
-    {'exitcode':-11, 'device':'mioe3680_pci', 'loglevel':logging.ERROR, 'expected':True},
-    {'exitcode':-11, 'device':'pcm3680_pci', 'loglevel':logging.ERROR, 'expected':True},
-    {'exitcode':-11, 'device':'kvaser_pci', 'loglevel':logging.ERROR, 'expected':True},
 
     # everything else (including SIGABRT and SIGSEGV) will be a fatal error:
     {'exitcode':None, 'fatal':True, 'loglevel':logging.FATAL},
-- 
1.8.3.1

[Qemu-devel] [PATCH 2/4] fdc: Exit if ISA controller does not support DMA

[Thomas Huth]

From: Alexey Kardashevskiy <aik@ozlabs.ru>

A "powernv" machine type defines an ISA bus but it does not add any DMA
controller to it so it is possible to hit assert(fdctrl->dma) by
adding "-machine powernv -device isa-fdc".

This replaces assert() with an error message.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
[thuth: Slightly adjusted error message and updated scripts/device-crash-test]
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/block/fdc.c            | 5 ++++-
 scripts/device-crash-test | 1 -
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 7b7dd41..cd29e27 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -2695,7 +2695,10 @@ static void isabus_fdc_realize(DeviceState *dev, Error **errp)
     fdctrl->dma_chann = isa->dma;
     if (fdctrl->dma_chann != -1) {
         fdctrl->dma = isa_get_dma(isa_bus_from_device(isadev), isa->dma);
-        assert(fdctrl->dma);
+        if (!fdctrl->dma) {
+            error_setg(errp, "ISA controller does not support DMA");
+            return;
+        }
     }
 
     qdev_set_legacy_instance_id(dev, isa->iobase, 2);
diff --git a/scripts/device-crash-test b/scripts/device-crash-test
index 7ff351d..99d20cb 100755
--- a/scripts/device-crash-test
+++ b/scripts/device-crash-test
@@ -217,7 +217,6 @@ ERROR_WHITELIST = [
     {'exitcode':-6, 'log':r"Object .* is not an instance of type generic-pc-machine", 'loglevel':logging.ERROR},
     {'exitcode':-6, 'log':r"Object .* is not an instance of type e500-ccsr", 'loglevel':logging.ERROR},
     {'exitcode':-6, 'log':r"vmstate_register_with_alias_id: Assertion `!se->compat \|\| se->instance_id == 0' failed", 'loglevel':logging.ERROR},
-    {'exitcode':-6, 'device':'isa-fdc', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'device':'gus', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'device':'isa-serial', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'device':'sb16', 'loglevel':logging.ERROR, 'expected':True},
-- 
1.8.3.1

[Qemu-devel] [PATCH 3/4] hw/audio: Fix crashes when devices are used on ISA bus without DMA

[Thomas Huth]

The cs4231a, gus and sb16 sound cards crash QEMU when the user tries
to instantiate them on a machine with DMA-less ISA bus (for example
with "qemu-system-mips64el -M mips -device sb16"). Add proper checks
to the realize functions to avoid the crashes.

Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/audio/cs4231a.c        | 8 +++++++-
 hw/audio/gus.c            | 7 ++++++-
 hw/audio/sb16.c           | 9 +++++++--
 scripts/device-crash-test | 3 ---
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/hw/audio/cs4231a.c b/hw/audio/cs4231a.c
index 096e8e9..aaebec1 100644
--- a/hw/audio/cs4231a.c
+++ b/hw/audio/cs4231a.c
@@ -28,6 +28,7 @@
 #include "hw/isa/isa.h"
 #include "hw/qdev.h"
 #include "qemu/timer.h"
+#include "qapi/error.h"
 
 /*
   Missing features:
@@ -663,8 +664,13 @@ static void cs4231a_realizefn (DeviceState *dev, Error **errp)
     CSState *s = CS4231A (dev);
     IsaDmaClass *k;
 
-    isa_init_irq (d, &s->pic, s->irq);
     s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->dma);
+    if (!s->isa_dma) {
+        error_setg(errp, "ISA controller does not support DMA");
+        return;
+    }
+
+    isa_init_irq(d, &s->pic, s->irq);
     k = ISADMA_GET_CLASS(s->isa_dma);
     k->register_channel(s->isa_dma, s->dma, cs_dma_read, s);
 
diff --git a/hw/audio/gus.c b/hw/audio/gus.c
index 3e864cd..8e0b27e 100644
--- a/hw/audio/gus.c
+++ b/hw/audio/gus.c
@@ -241,6 +241,12 @@ static void gus_realizefn (DeviceState *dev, Error **errp)
     IsaDmaClass *k;
     struct audsettings as;
 
+    s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->emu.gusdma);
+    if (!s->isa_dma) {
+        error_setg(errp, "ISA controller does not support DMA");
+        return;
+    }
+
     AUD_register_card ("gus", &s->card);
 
     as.freq = s->freq;
@@ -272,7 +278,6 @@ static void gus_realizefn (DeviceState *dev, Error **errp)
     isa_register_portio_list(d, &s->portio_list2, (s->port + 0x100) & 0xf00,
                              gus_portio_list2, s, "gus");
 
-    s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->emu.gusdma);
     k = ISADMA_GET_CLASS(s->isa_dma);
     k->register_channel(s->isa_dma, s->emu.gusdma, GUS_read_DMA, s);
     s->emu.himemaddr = s->himem;
diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
index 31de264..5a4d323 100644
--- a/hw/audio/sb16.c
+++ b/hw/audio/sb16.c
@@ -1371,6 +1371,13 @@ static void sb16_realizefn (DeviceState *dev, Error **errp)
     SB16State *s = SB16 (dev);
     IsaDmaClass *k;
 
+    s->isa_hdma = isa_get_dma(isa_bus_from_device(isadev), s->hdma);
+    s->isa_dma = isa_get_dma(isa_bus_from_device(isadev), s->dma);
+    if (!s->isa_dma || !s->isa_hdma) {
+        error_setg(errp, "ISA controller does not support DMA");
+        return;
+    }
+
     isa_init_irq (isadev, &s->pic, s->irq);
 
     s->mixer_regs[0x80] = magic_of_irq (s->irq);
@@ -1389,11 +1396,9 @@ static void sb16_realizefn (DeviceState *dev, Error **errp)
     isa_register_portio_list(isadev, &s->portio_list, s->port,
                              sb16_ioport_list, s, "sb16");
 
-    s->isa_hdma = isa_get_dma(isa_bus_from_device(isadev), s->hdma);
     k = ISADMA_GET_CLASS(s->isa_hdma);
     k->register_channel(s->isa_hdma, s->hdma, SB_read_DMA, s);
 
-    s->isa_dma = isa_get_dma(isa_bus_from_device(isadev), s->dma);
     k = ISADMA_GET_CLASS(s->isa_dma);
     k->register_channel(s->isa_dma, s->dma, SB_read_DMA, s);
 
diff --git a/scripts/device-crash-test b/scripts/device-crash-test
index 99d20cb..8ad3f44 100755
--- a/scripts/device-crash-test
+++ b/scripts/device-crash-test
@@ -217,10 +217,7 @@ ERROR_WHITELIST = [
     {'exitcode':-6, 'log':r"Object .* is not an instance of type generic-pc-machine", 'loglevel':logging.ERROR},
     {'exitcode':-6, 'log':r"Object .* is not an instance of type e500-ccsr", 'loglevel':logging.ERROR},
     {'exitcode':-6, 'log':r"vmstate_register_with_alias_id: Assertion `!se->compat \|\| se->instance_id == 0' failed", 'loglevel':logging.ERROR},
-    {'exitcode':-11, 'device':'gus', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'device':'isa-serial', 'loglevel':logging.ERROR, 'expected':True},
-    {'exitcode':-11, 'device':'sb16', 'loglevel':logging.ERROR, 'expected':True},
-    {'exitcode':-11, 'device':'cs4231a', 'loglevel':logging.ERROR, 'expected':True},
     {'exitcode':-11, 'machine':'isapc', 'device':'.*-iommu', 'loglevel':logging.ERROR, 'expected':True},
 
     # everything else (including SIGABRT and SIGSEGV) will be a fatal error:
-- 
1.8.3.1

[Qemu-devel] [PATCH 4/4] scripts/device-crash-test: Remove fixed isapc-with-iommu entry

[Thomas Huth]

Fixed in a0c167a18470831e359f0538c3cf67907808f13e ("x86_iommu: check
if machine has PCI bus").

Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 scripts/device-crash-test | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/device-crash-test b/scripts/device-crash-test
index 8ad3f44..b3ce720 100755
--- a/scripts/device-crash-test
+++ b/scripts/device-crash-test
@@ -218,7 +218,6 @@ ERROR_WHITELIST = [
     {'exitcode':-6, 'log':r"Object .* is not an instance of type e500-ccsr", 'loglevel':logging.ERROR},
     {'exitcode':-6, 'log':r"vmstate_register_with_alias_id: Assertion `!se->compat \|\| se->instance_id == 0' failed", 'loglevel':logging.ERROR},
     {'exitcode':-11, 'device':'isa-serial', 'loglevel':logging.ERROR, 'expected':True},
-    {'exitcode':-11, 'machine':'isapc', 'device':'.*-iommu', 'loglevel':logging.ERROR, 'expected':True},
 
     # everything else (including SIGABRT and SIGSEGV) will be a fatal error:
     {'exitcode':None, 'fatal':True, 'loglevel':logging.FATAL},
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH for-2.12 0/4] Fix crashes with CAN bus and ISA DMA devices

[Paolo Bonzini]

On 16/03/2018 10:51, Thomas Huth wrote:
> The new CAN bus devices and some older ISA devices that use DMA can be
> used to crash QEMU. These patches introduce some proper checks so that
> the users get a proper error message instead.
> 
> Alexey Kardashevskiy (1):
>   fdc: Exit if ISA controller does not support DMA
> 
> Thomas Huth (3):
>   hw/net/can: Fix segfaults when using the devices without bus
>   hw/audio: Fix crashes when devices are used on ISA bus without DMA
>   scripts/device-crash-test: Remove fixed isapc-with-iommu entry
> 
>  hw/audio/cs4231a.c        | 8 +++++++-
>  hw/audio/gus.c            | 7 ++++++-
>  hw/audio/sb16.c           | 9 +++++++--
>  hw/block/fdc.c            | 5 ++++-
>  hw/net/can/can_sja1000.c  | 4 ++++
>  scripts/device-crash-test | 8 --------
>  6 files changed, 28 insertions(+), 13 deletions(-)
> 

Queued, thanks.

Paolo

Re: [Qemu-devel] [PATCH 3/4] hw/audio: Fix crashes when devices are used on ISA bus without DMA

[Philippe Mathieu-Daudé]

On 03/16/2018 10:51 AM, Thomas Huth wrote:
> The cs4231a, gus and sb16 sound cards crash QEMU when the user tries
> to instantiate them on a machine with DMA-less ISA bus (for example
> with "qemu-system-mips64el -M mips -device sb16"). Add proper checks
> to the realize functions to avoid the crashes.
> 
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  hw/audio/cs4231a.c        | 8 +++++++-
>  hw/audio/gus.c            | 7 ++++++-
>  hw/audio/sb16.c           | 9 +++++++--
>  scripts/device-crash-test | 3 ---
>  4 files changed, 20 insertions(+), 7 deletions(-)
> 
> diff --git a/hw/audio/cs4231a.c b/hw/audio/cs4231a.c
> index 096e8e9..aaebec1 100644
> --- a/hw/audio/cs4231a.c
> +++ b/hw/audio/cs4231a.c
> @@ -28,6 +28,7 @@
>  #include "hw/isa/isa.h"
>  #include "hw/qdev.h"
>  #include "qemu/timer.h"
> +#include "qapi/error.h"
>  
>  /*
>    Missing features:
> @@ -663,8 +664,13 @@ static void cs4231a_realizefn (DeviceState *dev, Error **errp)
>      CSState *s = CS4231A (dev);
>      IsaDmaClass *k;
>  
> -    isa_init_irq (d, &s->pic, s->irq);
>      s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->dma);
> +    if (!s->isa_dma) {
> +        error_setg(errp, "ISA controller does not support DMA");
> +        return;
> +    }
> +
> +    isa_init_irq(d, &s->pic, s->irq);
>      k = ISADMA_GET_CLASS(s->isa_dma);
>      k->register_channel(s->isa_dma, s->dma, cs_dma_read, s);
>  
> diff --git a/hw/audio/gus.c b/hw/audio/gus.c
> index 3e864cd..8e0b27e 100644
> --- a/hw/audio/gus.c
> +++ b/hw/audio/gus.c
> @@ -241,6 +241,12 @@ static void gus_realizefn (DeviceState *dev, Error **errp)
>      IsaDmaClass *k;
>      struct audsettings as;
>  
> +    s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->emu.gusdma);
> +    if (!s->isa_dma) {
> +        error_setg(errp, "ISA controller does not support DMA");
> +        return;
> +    }
> +
>      AUD_register_card ("gus", &s->card);
>  
>      as.freq = s->freq;
> @@ -272,7 +278,6 @@ static void gus_realizefn (DeviceState *dev, Error **errp)
>      isa_register_portio_list(d, &s->portio_list2, (s->port + 0x100) & 0xf00,
>                               gus_portio_list2, s, "gus");
>  
> -    s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->emu.gusdma);
>      k = ISADMA_GET_CLASS(s->isa_dma);
>      k->register_channel(s->isa_dma, s->emu.gusdma, GUS_read_DMA, s);
>      s->emu.himemaddr = s->himem;
> diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
> index 31de264..5a4d323 100644
> --- a/hw/audio/sb16.c
> +++ b/hw/audio/sb16.c
> @@ -1371,6 +1371,13 @@ static void sb16_realizefn (DeviceState *dev, Error **errp)
>      SB16State *s = SB16 (dev);
>      IsaDmaClass *k;
>  
> +    s->isa_hdma = isa_get_dma(isa_bus_from_device(isadev), s->hdma);
> +    s->isa_dma = isa_get_dma(isa_bus_from_device(isadev), s->dma);
> +    if (!s->isa_dma || !s->isa_hdma) {
> +        error_setg(errp, "ISA controller does not support DMA");
> +        return;
> +    }
> +
>      isa_init_irq (isadev, &s->pic, s->irq);
>  
>      s->mixer_regs[0x80] = magic_of_irq (s->irq);
> @@ -1389,11 +1396,9 @@ static void sb16_realizefn (DeviceState *dev, Error **errp)
>      isa_register_portio_list(isadev, &s->portio_list, s->port,
>                               sb16_ioport_list, s, "sb16");
>  
> -    s->isa_hdma = isa_get_dma(isa_bus_from_device(isadev), s->hdma);
>      k = ISADMA_GET_CLASS(s->isa_hdma);
>      k->register_channel(s->isa_hdma, s->hdma, SB_read_DMA, s);
>  
> -    s->isa_dma = isa_get_dma(isa_bus_from_device(isadev), s->dma);
>      k = ISADMA_GET_CLASS(s->isa_dma);
>      k->register_channel(s->isa_dma, s->dma, SB_read_DMA, s);
>  
> diff --git a/scripts/device-crash-test b/scripts/device-crash-test
> index 99d20cb..8ad3f44 100755
> --- a/scripts/device-crash-test
> +++ b/scripts/device-crash-test
> @@ -217,10 +217,7 @@ ERROR_WHITELIST = [
>      {'exitcode':-6, 'log':r"Object .* is not an instance of type generic-pc-machine", 'loglevel':logging.ERROR},
>      {'exitcode':-6, 'log':r"Object .* is not an instance of type e500-ccsr", 'loglevel':logging.ERROR},
>      {'exitcode':-6, 'log':r"vmstate_register_with_alias_id: Assertion `!se->compat \|\| se->instance_id == 0' failed", 'loglevel':logging.ERROR},
> -    {'exitcode':-11, 'device':'gus', 'loglevel':logging.ERROR, 'expected':True},
>      {'exitcode':-11, 'device':'isa-serial', 'loglevel':logging.ERROR, 'expected':True},
> -    {'exitcode':-11, 'device':'sb16', 'loglevel':logging.ERROR, 'expected':True},
> -    {'exitcode':-11, 'device':'cs4231a', 'loglevel':logging.ERROR, 'expected':True},
>      {'exitcode':-11, 'machine':'isapc', 'device':'.*-iommu', 'loglevel':logging.ERROR, 'expected':True},
>  
>      # everything else (including SIGABRT and SIGSEGV) will be a fatal error:
> 

Re: [Qemu-devel] [PATCH for-2.12 0/4] Fix crashes with CAN bus and ISA DMA devices

[John Snow]

On 03/16/2018 06:15 AM, Paolo Bonzini wrote:
> On 16/03/2018 10:51, Thomas Huth wrote:
>> The new CAN bus devices and some older ISA devices that use DMA can be
>> used to crash QEMU. These patches introduce some proper checks so that
>> the users get a proper error message instead.
>>
>> Alexey Kardashevskiy (1):
>>   fdc: Exit if ISA controller does not support DMA
>>
>> Thomas Huth (3):
>>   hw/net/can: Fix segfaults when using the devices without bus
>>   hw/audio: Fix crashes when devices are used on ISA bus without DMA
>>   scripts/device-crash-test: Remove fixed isapc-with-iommu entry
>>
>>  hw/audio/cs4231a.c        | 8 +++++++-
>>  hw/audio/gus.c            | 7 ++++++-
>>  hw/audio/sb16.c           | 9 +++++++--
>>  hw/block/fdc.c            | 5 ++++-
>>  hw/net/can/can_sja1000.c  | 4 ++++
>>  scripts/device-crash-test | 8 --------
>>  6 files changed, 28 insertions(+), 13 deletions(-)
>>
> 
> Queued, thanks.
> 
> Paolo
> 

Did you not actually send a PR for this?

Re: [Qemu-devel] [PATCH for-2.12 0/4] Fix crashes with CAN bus and ISA DMA devices

[Paolo Bonzini]

On 23/03/2018 19:20, John Snow wrote:
> 
> 
> On 03/16/2018 06:15 AM, Paolo Bonzini wrote:
>> On 16/03/2018 10:51, Thomas Huth wrote:
>>> The new CAN bus devices and some older ISA devices that use DMA can be
>>> used to crash QEMU. These patches introduce some proper checks so that
>>> the users get a proper error message instead.
>>>
>>> Alexey Kardashevskiy (1):
>>>   fdc: Exit if ISA controller does not support DMA
>>>
>>> Thomas Huth (3):
>>>   hw/net/can: Fix segfaults when using the devices without bus
>>>   hw/audio: Fix crashes when devices are used on ISA bus without DMA
>>>   scripts/device-crash-test: Remove fixed isapc-with-iommu entry
>>>
>>>  hw/audio/cs4231a.c        | 8 +++++++-
>>>  hw/audio/gus.c            | 7 ++++++-
>>>  hw/audio/sb16.c           | 9 +++++++--
>>>  hw/block/fdc.c            | 5 ++++-
>>>  hw/net/can/can_sja1000.c  | 4 ++++
>>>  scripts/device-crash-test | 8 --------
>>>  6 files changed, 28 insertions(+), 13 deletions(-)
>>>
>>
>> Queued, thanks.
>>
>> Paolo
>>
> 
> Did you not actually send a PR for this?

No, today. :)

Paolo