qemu/hw/mem/sparse-mem.c

/*
 * A sparse memory device. Useful for fuzzing
 *
 * Copyright Red Hat Inc., 2021
 *
 * Authors:
 *  Alexander Bulekov   <alxndr@bu.edu>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"
#include "qemu/error-report.h"

#include "hw/qdev-properties.h"
#include "hw/sysbus.h"
#include "qapi/error.h"
#include "qemu/units.h"
#include "sysemu/qtest.h"
#include "hw/mem/sparse-mem.h"

#define SPARSE_MEM(obj) OBJECT_CHECK(SparseMemState, (obj), TYPE_SPARSE_MEM)
#define SPARSE_BLOCK_SIZE 0x1000

typedef struct SparseMemState {
    SysBusDevice parent_obj;
    MemoryRegion mmio;
    uint64_t baseaddr;
    uint64_t length;
    uint64_t size_used;
    uint64_t maxsize;
    GHashTable *mapped;
} SparseMemState;

typedef struct sparse_mem_block {
    uint8_t data[SPARSE_BLOCK_SIZE];
} sparse_mem_block;

static uint64_t sparse_mem_read(void *opaque, hwaddr addr, unsigned int size)
{
    SparseMemState *s = opaque;
    uint64_t ret = 0;
    size_t pfn = addr / SPARSE_BLOCK_SIZE;
    size_t offset = addr % SPARSE_BLOCK_SIZE;
    sparse_mem_block *block;

    block = g_hash_table_lookup(s->mapped, (void *)pfn);
    if (block) {
        assert(offset + size <= sizeof(block->data));
        memcpy(&ret, block->data + offset, size);
    }
    return ret;
}

static void sparse_mem_write(void *opaque, hwaddr addr, uint64_t v,
                             unsigned int size)
{
    SparseMemState *s = opaque;
    size_t pfn = addr / SPARSE_BLOCK_SIZE;
    size_t offset = addr % SPARSE_BLOCK_SIZE;
    sparse_mem_block *block;

    if (!g_hash_table_lookup(s->mapped, (void *)pfn) &&
        s->size_used + SPARSE_BLOCK_SIZE < s->maxsize && v) {
        g_hash_table_insert(s->mapped, (void *)pfn,
                            g_new0(sparse_mem_block, 1));
        s->size_used += sizeof(block->data);
    }
    block = g_hash_table_lookup(s->mapped, (void *)pfn);
    if (!block) {
        return;
    }

    assert(offset + size <= sizeof(block->data));

    memcpy(block->data + offset, &v, size);

}

static void sparse_mem_enter_reset(Object *obj, ResetType type)
{
    SparseMemState *s = SPARSE_MEM(obj);
    g_hash_table_remove_all(s->mapped);
    return;
}

static const MemoryRegionOps sparse_mem_ops = {
    .read = sparse_mem_read,
    .write = sparse_mem_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
    .valid = {
            .min_access_size = 1,
            .max_access_size = 8,
            .unaligned = false,
        },
};

static Property sparse_mem_properties[] = {
    /* The base address of the memory */
    DEFINE_PROP_UINT64("baseaddr", SparseMemState, baseaddr, 0x0),
    /* The length of the sparse memory region */
    DEFINE_PROP_UINT64("length", SparseMemState, length, UINT64_MAX),
    /* Max amount of actual memory that can be used to back the sparse memory */
    DEFINE_PROP_UINT64("maxsize", SparseMemState, maxsize, 10 * MiB),
    DEFINE_PROP_END_OF_LIST(),
};

MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length)
{
    DeviceState *dev;

    dev = qdev_new(TYPE_SPARSE_MEM);
    qdev_prop_set_uint64(dev, "baseaddr", addr);
    qdev_prop_set_uint64(dev, "length", length);
    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
    sysbus_mmio_map_overlap(SYS_BUS_DEVICE(dev), 0, addr, -10000);
    return &SPARSE_MEM(dev)->mmio;
}

static void sparse_mem_realize(DeviceState *dev, Error **errp)
{
    SparseMemState *s = SPARSE_MEM(dev);
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);

    if (!qtest_enabled()) {
        error_setg(errp, "sparse_mem device should only be used "
                         "for testing with QTest");
        return;
    }

    assert(s->baseaddr + s->length > s->baseaddr);

    s->mapped = g_hash_table_new_full(NULL, NULL, NULL,
                                      (GDestroyNotify)g_free);
    memory_region_init_io(&s->mmio, OBJECT(s), &sparse_mem_ops, s,
                          "sparse-mem", s->length);
    sysbus_init_mmio(sbd, &s->mmio);
}

static void sparse_mem_class_init(ObjectClass *klass, void *data)
{
    ResettableClass *rc = RESETTABLE_CLASS(klass);
    DeviceClass *dc = DEVICE_CLASS(klass);

    device_class_set_props(dc, sparse_mem_properties);

    dc->desc = "Sparse Memory Device";
    dc->realize = sparse_mem_realize;

    rc->phases.enter = sparse_mem_enter_reset;
}

static const TypeInfo sparse_mem_types[] = {
    {
        .name = TYPE_SPARSE_MEM,
        .parent = TYPE_SYS_BUS_DEVICE,
        .instance_size = sizeof(SparseMemState),
        .class_init = sparse_mem_class_init,
    },
};
DEFINE_TYPES(sparse_mem_types);
memory: add a sparse memory device for fuzzing For testing, it can be useful to simulate an enormous amount of memory (e.g. 2^64 RAM). This adds an MMIO device that acts as sparse memory. When something writes a nonzero value to a sparse-mem address, we allocate a block of memory. For now, since the only user of this device is the fuzzer, we do not track and free zeroed blocks. The device has a very low priority (so it can be mapped beneath actual RAM, and virtual device MMIO regions). Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2021-03-15 10:05:10 -04:00			`/*`
			`* A sparse memory device. Useful for fuzzing`
			`*`
			`* Copyright Red Hat Inc., 2021`
			`*`
			`* Authors:`
			`* Alexander Bulekov <alxndr@bu.edu>`
			`*`
			`* This work is licensed under the terms of the GNU GPL, version 2 or later.`
			`* See the COPYING file in the top-level directory.`
			`*/`

			`#include "qemu/osdep.h"`
*: Add missing includes of qemu/error-report.h This had been pulled in via qemu/plugin.h from hw/core/cpu.h, but that will be removed. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230310195252.210956-5-richard.henderson@linaro.org> [AJB: add various additional cases shown by CI] Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20230315174331.2959-15-alex.bennee@linaro.org> Reviewed-by: Emilio Cota <cota@braap.org> 2023-03-15 17:43:13 +00:00			`#include "qemu/error-report.h"`
memory: add a sparse memory device for fuzzing For testing, it can be useful to simulate an enormous amount of memory (e.g. 2^64 RAM). This adds an MMIO device that acts as sparse memory. When something writes a nonzero value to a sparse-mem address, we allocate a block of memory. For now, since the only user of this device is the fuzzer, we do not track and free zeroed blocks. The device has a very low priority (so it can be mapped beneath actual RAM, and virtual device MMIO regions). Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2021-03-15 10:05:10 -04:00
			`#include "hw/qdev-properties.h"`
			`#include "hw/sysbus.h"`
			`#include "qapi/error.h"`
			`#include "qemu/units.h"`
			`#include "sysemu/qtest.h"`
			`#include "hw/mem/sparse-mem.h"`

			`#define SPARSE_MEM(obj) OBJECT_CHECK(SparseMemState, (obj), TYPE_SPARSE_MEM)`
			`#define SPARSE_BLOCK_SIZE 0x1000`

			`typedef struct SparseMemState {`
			`SysBusDevice parent_obj;`
			`MemoryRegion mmio;`
			`uint64_t baseaddr;`
			`uint64_t length;`
			`uint64_t size_used;`
			`uint64_t maxsize;`
			`GHashTable *mapped;`
			`} SparseMemState;`

			`typedef struct sparse_mem_block {`
			`uint8_t data[SPARSE_BLOCK_SIZE];`
			`} sparse_mem_block;`

			`static uint64_t sparse_mem_read(void *opaque, hwaddr addr, unsigned int size)`
			`{`
			`SparseMemState *s = opaque;`
			`uint64_t ret = 0;`
			`size_t pfn = addr / SPARSE_BLOCK_SIZE;`
			`size_t offset = addr % SPARSE_BLOCK_SIZE;`
			`sparse_mem_block *block;`

			`block = g_hash_table_lookup(s->mapped, (void *)pfn);`
			`if (block) {`
			`assert(offset + size <= sizeof(block->data));`
			`memcpy(&ret, block->data + offset, size);`
			`}`
			`return ret;`
			`}`

			`static void sparse_mem_write(void *opaque, hwaddr addr, uint64_t v,`
			`unsigned int size)`
			`{`
			`SparseMemState *s = opaque;`
			`size_t pfn = addr / SPARSE_BLOCK_SIZE;`
			`size_t offset = addr % SPARSE_BLOCK_SIZE;`
			`sparse_mem_block *block;`

			`if (!g_hash_table_lookup(s->mapped, (void *)pfn) &&`
			`s->size_used + SPARSE_BLOCK_SIZE < s->maxsize && v) {`
			`g_hash_table_insert(s->mapped, (void *)pfn,`
			`g_new0(sparse_mem_block, 1));`
			`s->size_used += sizeof(block->data);`
			`}`
			`block = g_hash_table_lookup(s->mapped, (void *)pfn);`
			`if (!block) {`
			`return;`
			`}`

			`assert(offset + size <= sizeof(block->data));`

			`memcpy(block->data + offset, &v, size);`

			`}`

hw/sparse-mem: clear memory on reset We use sparse-mem for fuzzing. For long-running fuzzing processes, we eventually end up with many allocated sparse-mem pages. To avoid this, clear the allocated pages on system-reset. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> 2023-02-04 23:29:42 -05:00			`static void sparse_mem_enter_reset(Object *obj, ResetType type)`
			`{`
			`SparseMemState *s = SPARSE_MEM(obj);`
			`g_hash_table_remove_all(s->mapped);`
			`return;`
			`}`

memory: add a sparse memory device for fuzzing For testing, it can be useful to simulate an enormous amount of memory (e.g. 2^64 RAM). This adds an MMIO device that acts as sparse memory. When something writes a nonzero value to a sparse-mem address, we allocate a block of memory. For now, since the only user of this device is the fuzzer, we do not track and free zeroed blocks. The device has a very low priority (so it can be mapped beneath actual RAM, and virtual device MMIO regions). Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2021-03-15 10:05:10 -04:00			`static const MemoryRegionOps sparse_mem_ops = {`
			`.read = sparse_mem_read,`
			`.write = sparse_mem_write,`
			`.endianness = DEVICE_LITTLE_ENDIAN,`
			`.valid = {`
			`.min_access_size = 1,`
			`.max_access_size = 8,`
			`.unaligned = false,`
			`},`
			`};`

			`static Property sparse_mem_properties[] = {`
			`/* The base address of the memory */`
			`DEFINE_PROP_UINT64("baseaddr", SparseMemState, baseaddr, 0x0),`
			`/* The length of the sparse memory region */`
			`DEFINE_PROP_UINT64("length", SparseMemState, length, UINT64_MAX),`
			`/* Max amount of actual memory that can be used to back the sparse memory */`
			`DEFINE_PROP_UINT64("maxsize", SparseMemState, maxsize, 10 * MiB),`
			`DEFINE_PROP_END_OF_LIST(),`
			`};`

			`MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length)`
			`{`
			`DeviceState *dev;`

			`dev = qdev_new(TYPE_SPARSE_MEM);`
			`qdev_prop_set_uint64(dev, "baseaddr", addr);`
			`qdev_prop_set_uint64(dev, "length", length);`
			`sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);`
			`sysbus_mmio_map_overlap(SYS_BUS_DEVICE(dev), 0, addr, -10000);`
			`return &SPARSE_MEM(dev)->mmio;`
			`}`

			`static void sparse_mem_realize(DeviceState dev, Error *errp)`
			`{`
			`SparseMemState *s = SPARSE_MEM(dev);`
			`SysBusDevice *sbd = SYS_BUS_DEVICE(dev);`

			`if (!qtest_enabled()) {`
			`error_setg(errp, "sparse_mem device should only be used "`
			`"for testing with QTest");`
			`return;`
			`}`

			`assert(s->baseaddr + s->length > s->baseaddr);`

hw/sparse-mem: clear memory on reset We use sparse-mem for fuzzing. For long-running fuzzing processes, we eventually end up with many allocated sparse-mem pages. To avoid this, clear the allocated pages on system-reset. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> 2023-02-04 23:29:42 -05:00			`s->mapped = g_hash_table_new_full(NULL, NULL, NULL,`
			`(GDestroyNotify)g_free);`
memory: add a sparse memory device for fuzzing For testing, it can be useful to simulate an enormous amount of memory (e.g. 2^64 RAM). This adds an MMIO device that acts as sparse memory. When something writes a nonzero value to a sparse-mem address, we allocate a block of memory. For now, since the only user of this device is the fuzzer, we do not track and free zeroed blocks. The device has a very low priority (so it can be mapped beneath actual RAM, and virtual device MMIO regions). Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2021-03-15 10:05:10 -04:00			`memory_region_init_io(&s->mmio, OBJECT(s), &sparse_mem_ops, s,`
			`"sparse-mem", s->length);`
			`sysbus_init_mmio(sbd, &s->mmio);`
			`}`

			`static void sparse_mem_class_init(ObjectClass klass, void data)`
			`{`
hw/sparse-mem: clear memory on reset We use sparse-mem for fuzzing. For long-running fuzzing processes, we eventually end up with many allocated sparse-mem pages. To avoid this, clear the allocated pages on system-reset. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> 2023-02-04 23:29:42 -05:00			`ResettableClass *rc = RESETTABLE_CLASS(klass);`
memory: add a sparse memory device for fuzzing For testing, it can be useful to simulate an enormous amount of memory (e.g. 2^64 RAM). This adds an MMIO device that acts as sparse memory. When something writes a nonzero value to a sparse-mem address, we allocate a block of memory. For now, since the only user of this device is the fuzzer, we do not track and free zeroed blocks. The device has a very low priority (so it can be mapped beneath actual RAM, and virtual device MMIO regions). Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2021-03-15 10:05:10 -04:00			`DeviceClass *dc = DEVICE_CLASS(klass);`

			`device_class_set_props(dc, sparse_mem_properties);`

			`dc->desc = "Sparse Memory Device";`
			`dc->realize = sparse_mem_realize;`
hw/sparse-mem: clear memory on reset We use sparse-mem for fuzzing. For long-running fuzzing processes, we eventually end up with many allocated sparse-mem pages. To avoid this, clear the allocated pages on system-reset. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> 2023-02-04 23:29:42 -05:00
			`rc->phases.enter = sparse_mem_enter_reset;`
memory: add a sparse memory device for fuzzing For testing, it can be useful to simulate an enormous amount of memory (e.g. 2^64 RAM). This adds an MMIO device that acts as sparse memory. When something writes a nonzero value to a sparse-mem address, we allocate a block of memory. For now, since the only user of this device is the fuzzer, we do not track and free zeroed blocks. The device has a very low priority (so it can be mapped beneath actual RAM, and virtual device MMIO regions). Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 2021-03-15 10:05:10 -04:00			`}`

			`static const TypeInfo sparse_mem_types[] = {`
			`{`
			`.name = TYPE_SPARSE_MEM,`
			`.parent = TYPE_SYS_BUS_DEVICE,`
			`.instance_size = sizeof(SparseMemState),`
			`.class_init = sparse_mem_class_init,`
			`},`
			`};`
			`DEFINE_TYPES(sparse_mem_types);`