[mirror_qemu.git] / tests / qtest / fdc-test.c

/*
 * Floppy test cases.
 *
 * Copyright (c) 2012 Kevin Wolf <kwolf@redhat.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

#include "qemu/osdep.h"


#include "libqtest-single.h"
#include "qapi/qmp/qdict.h"

/* TODO actually test the results and get rid of this */
#define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__))

#define DRIVE_FLOPPY_BLANK \
    "-drive if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k"

#define TEST_IMAGE_SIZE 1440 * 1024

#define FLOPPY_BASE 0x3f0
#define FLOPPY_IRQ 6

enum {
    reg_sra         = 0x0,
    reg_srb         = 0x1,
    reg_dor         = 0x2,
    reg_msr         = 0x4,
    reg_dsr         = 0x4,
    reg_fifo        = 0x5,
    reg_dir         = 0x7,
};

enum {
    CMD_SENSE_INT           = 0x08,
    CMD_READ_ID             = 0x0a,
    CMD_SEEK                = 0x0f,
    CMD_VERIFY              = 0x16,
    CMD_READ                = 0xe6,
    CMD_RELATIVE_SEEK_OUT   = 0x8f,
    CMD_RELATIVE_SEEK_IN    = 0xcf,
};

enum {
    BUSY    = 0x10,
    NONDMA  = 0x20,
    RQM     = 0x80,
    DIO     = 0x40,

    DSKCHG  = 0x80,
};

static char test_image[] = "/tmp/qtest.XXXXXX";

#define assert_bit_set(data, mask) g_assert_cmphex((data) & (mask), ==, (mask))
#define assert_bit_clear(data, mask) g_assert_cmphex((data) & (mask), ==, 0)

static uint8_t base = 0x70;

enum {
    CMOS_FLOPPY     = 0x10,
};

static void floppy_send(uint8_t byte)
{
    uint8_t msr;

    msr = inb(FLOPPY_BASE + reg_msr);
    assert_bit_set(msr, RQM);
    assert_bit_clear(msr, DIO);

    outb(FLOPPY_BASE + reg_fifo, byte);
}

static uint8_t floppy_recv(void)
{
    uint8_t msr;

    msr = inb(FLOPPY_BASE + reg_msr);
    assert_bit_set(msr, RQM | DIO);

    return inb(FLOPPY_BASE + reg_fifo);
}

/* pcn: Present Cylinder Number */
static void ack_irq(uint8_t *pcn)
{
    uint8_t ret;

    g_assert(get_irq(FLOPPY_IRQ));
    floppy_send(CMD_SENSE_INT);
    floppy_recv();

    ret = floppy_recv();
    if (pcn != NULL) {
        *pcn = ret;
    }

    g_assert(!get_irq(FLOPPY_IRQ));
}

static uint8_t send_read_command(uint8_t cmd)
{
    uint8_t drive = 0;
    uint8_t head = 0;
    uint8_t cyl = 0;
    uint8_t sect_addr = 1;
    uint8_t sect_size = 2;
    uint8_t eot = 1;
    uint8_t gap = 0x1b;
    uint8_t gpl = 0xff;

    uint8_t msr = 0;
    uint8_t st0;

    uint8_t ret = 0;

    floppy_send(cmd);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);
    floppy_send(head);
    floppy_send(sect_addr);
    floppy_send(sect_size);
    floppy_send(eot);
    floppy_send(gap);
    floppy_send(gpl);

    uint8_t i = 0;
    uint8_t n = 2;
    for (; i < n; i++) {
        msr = inb(FLOPPY_BASE + reg_msr);
        if (msr == 0xd0) {
            break;
        }
        sleep(1);
    }

    if (i >= n) {
        return 1;
    }

    st0 = floppy_recv();
    if (st0 != 0x40) {
        ret = 1;
    }

    floppy_recv();
    floppy_recv();
    floppy_recv();
    floppy_recv();
    floppy_recv();
    floppy_recv();

    return ret;
}

static uint8_t send_read_no_dma_command(int nb_sect, uint8_t expected_st0)
{
    uint8_t drive = 0;
    uint8_t head = 0;
    uint8_t cyl = 0;
    uint8_t sect_addr = 1;
    uint8_t sect_size = 2;
    uint8_t eot = nb_sect;
    uint8_t gap = 0x1b;
    uint8_t gpl = 0xff;

    uint8_t msr = 0;
    uint8_t st0;

    uint8_t ret = 0;

    floppy_send(CMD_READ);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);
    floppy_send(head);
    floppy_send(sect_addr);
    floppy_send(sect_size);
    floppy_send(eot);
    floppy_send(gap);
    floppy_send(gpl);

    uint16_t i = 0;
    uint8_t n = 2;
    for (; i < n; i++) {
        msr = inb(FLOPPY_BASE + reg_msr);
        if (msr == (BUSY | NONDMA | DIO | RQM)) {
            break;
        }
        sleep(1);
    }

    if (i >= n) {
        return 1;
    }

    /* Non-DMA mode */
    for (i = 0; i < 512 * 2 * nb_sect; i++) {
        msr = inb(FLOPPY_BASE + reg_msr);
        assert_bit_set(msr, BUSY | RQM | DIO);
        inb(FLOPPY_BASE + reg_fifo);
    }

    msr = inb(FLOPPY_BASE + reg_msr);
    assert_bit_set(msr, BUSY | RQM | DIO);
    g_assert(get_irq(FLOPPY_IRQ));

    st0 = floppy_recv();
    if (st0 != expected_st0) {
        ret = 1;
    }

    floppy_recv();
    floppy_recv();
    floppy_recv();
    floppy_recv();
    floppy_recv();
    g_assert(get_irq(FLOPPY_IRQ));
    floppy_recv();

    /* Check that we're back in command phase */
    msr = inb(FLOPPY_BASE + reg_msr);
    assert_bit_clear(msr, BUSY | DIO);
    assert_bit_set(msr, RQM);
    g_assert(!get_irq(FLOPPY_IRQ));

    return ret;
}

static void send_seek(int cyl)
{
    int drive = 0;
    int head = 0;

    floppy_send(CMD_SEEK);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);
    ack_irq(NULL);
}

static uint8_t cmos_read(uint8_t reg)
{
    outb(base + 0, reg);
    return inb(base + 1);
}

static void test_cmos(void)
{
    uint8_t cmos;

    cmos = cmos_read(CMOS_FLOPPY);
    g_assert(cmos == 0x40 || cmos == 0x50);
}

static void test_no_media_on_start(void)
{
    uint8_t dir;

    /* Media changed bit must be set all time after start if there is
     * no media in drive. */
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    send_seek(1);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
}

static void test_read_without_media(void)
{
    uint8_t ret;

    ret = send_read_command(CMD_READ);
    g_assert(ret == 0);
}

static void test_media_insert(void)
{
    uint8_t dir;

    /* Insert media in drive. DSKCHK should not be reset until a step pulse
     * is sent. */
    qmp_discard_response("{'execute':'blockdev-change-medium', 'arguments':{"
                         " 'id':'floppy0', 'filename': %s, 'format': 'raw' }}",
                         test_image);

    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);

    send_seek(0);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);

    /* Step to next track should clear DSKCHG bit. */
    send_seek(1);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_clear(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_clear(dir, DSKCHG);
}

static void test_media_change(void)
{
    uint8_t dir;

    test_media_insert();

    /* Eject the floppy and check that DSKCHG is set. Reading it out doesn't
     * reset the bit. */
    qmp_discard_response("{'execute':'eject', 'arguments':{"
                         " 'id':'floppy0' }}");

    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);

    send_seek(0);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);

    send_seek(1);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
    dir = inb(FLOPPY_BASE + reg_dir);
    assert_bit_set(dir, DSKCHG);
}

static void test_sense_interrupt(void)
{
    int drive = 0;
    int head = 0;
    int cyl = 0;
    int ret = 0;

    floppy_send(CMD_SENSE_INT);
    ret = floppy_recv();
    g_assert(ret == 0x80);

    floppy_send(CMD_SEEK);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);

    floppy_send(CMD_SENSE_INT);
    ret = floppy_recv();
    g_assert(ret == 0x20);
    floppy_recv();
}

static void test_relative_seek(void)
{
    uint8_t drive = 0;
    uint8_t head = 0;
    uint8_t cyl = 1;
    uint8_t pcn;

    /* Send seek to track 0 */
    send_seek(0);

    /* Send relative seek to increase track by 1 */
    floppy_send(CMD_RELATIVE_SEEK_IN);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);

    ack_irq(&pcn);
    g_assert(pcn == 1);

    /* Send relative seek to decrease track by 1 */
    floppy_send(CMD_RELATIVE_SEEK_OUT);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);

    ack_irq(&pcn);
    g_assert(pcn == 0);
}

static void test_read_id(void)
{
    uint8_t drive = 0;
    uint8_t head = 0;
    uint8_t cyl;
    uint8_t st0;
    uint8_t msr;

    /* Seek to track 0 and check with READ ID */
    send_seek(0);

    floppy_send(CMD_READ_ID);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(head << 2 | drive);

    msr = inb(FLOPPY_BASE + reg_msr);
    if (!get_irq(FLOPPY_IRQ)) {
        assert_bit_set(msr, BUSY);
        assert_bit_clear(msr, RQM);
    }

    while (!get_irq(FLOPPY_IRQ)) {
        /* qemu involves a timer with READ ID... */
        clock_step(1000000000LL / 50);
    }

    msr = inb(FLOPPY_BASE + reg_msr);
    assert_bit_set(msr, BUSY | RQM | DIO);

    st0 = floppy_recv();
    floppy_recv();
    floppy_recv();
    cyl = floppy_recv();
    head = floppy_recv();
    floppy_recv();
    g_assert(get_irq(FLOPPY_IRQ));
    floppy_recv();
    g_assert(!get_irq(FLOPPY_IRQ));

    g_assert_cmpint(cyl, ==, 0);
    g_assert_cmpint(head, ==, 0);
    g_assert_cmpint(st0, ==, head << 2);

    /* Seek to track 8 on head 1 and check with READ ID */
    head = 1;
    cyl = 8;

    floppy_send(CMD_SEEK);
    floppy_send(head << 2 | drive);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(cyl);
    g_assert(get_irq(FLOPPY_IRQ));
    ack_irq(NULL);

    floppy_send(CMD_READ_ID);
    g_assert(!get_irq(FLOPPY_IRQ));
    floppy_send(head << 2 | drive);

    msr = inb(FLOPPY_BASE + reg_msr);
    if (!get_irq(FLOPPY_IRQ)) {
        assert_bit_set(msr, BUSY);
        assert_bit_clear(msr, RQM);
    }

    while (!get_irq(FLOPPY_IRQ)) {
        /* qemu involves a timer with READ ID... */
        clock_step(1000000000LL / 50);
    }

    msr = inb(FLOPPY_BASE + reg_msr);
    assert_bit_set(msr, BUSY | RQM | DIO);

    st0 = floppy_recv();
    floppy_recv();
    floppy_recv();
    cyl = floppy_recv();
    head = floppy_recv();
    floppy_recv();
    g_assert(get_irq(FLOPPY_IRQ));
    floppy_recv();
    g_assert(!get_irq(FLOPPY_IRQ));

    g_assert_cmpint(cyl, ==, 8);
    g_assert_cmpint(head, ==, 1);
    g_assert_cmpint(st0, ==, head << 2);
}

static void test_read_no_dma_1(void)
{
    uint8_t ret;

    outb(FLOPPY_BASE + reg_dor, inb(FLOPPY_BASE + reg_dor) & ~0x08);
    send_seek(0);
    ret = send_read_no_dma_command(1, 0x04);
    g_assert(ret == 0);
}

static void test_read_no_dma_18(void)
{
    uint8_t ret;

    outb(FLOPPY_BASE + reg_dor, inb(FLOPPY_BASE + reg_dor) & ~0x08);
    send_seek(0);
    ret = send_read_no_dma_command(18, 0x04);
    g_assert(ret == 0);
}

static void test_read_no_dma_19(void)
{
    uint8_t ret;

    outb(FLOPPY_BASE + reg_dor, inb(FLOPPY_BASE + reg_dor) & ~0x08);
    send_seek(0);
    ret = send_read_no_dma_command(19, 0x20);
    g_assert(ret == 0);
}

static void test_verify(void)
{
    uint8_t ret;

    ret = send_read_command(CMD_VERIFY);
    g_assert(ret == 0);
}

/* success if no crash or abort */
static void fuzz_registers(void)
{
    unsigned int i;

    for (i = 0; i < 1000; i++) {
        uint8_t reg, val;

        reg = (uint8_t)g_test_rand_int_range(0, 8);
        val = (uint8_t)g_test_rand_int_range(0, 256);

        outb(FLOPPY_BASE + reg, val);
        inb(FLOPPY_BASE + reg);
    }
}

static bool qtest_check_clang_sanitizer(void)
{
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
    return true;
#else
    g_test_skip("QEMU not configured using --enable-sanitizers");
    return false;
#endif
}
static void test_cve_2021_20196(void)
{
    QTestState *s;

    if (!qtest_check_clang_sanitizer()) {
        return;
    }

    s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK);

    qtest_outw(s, 0x3f4, 0x0500);
    qtest_outb(s, 0x3f5, 0x00);
    qtest_outb(s, 0x3f5, 0x00);
    qtest_outw(s, 0x3f4, 0x0000);
    qtest_outb(s, 0x3f5, 0x00);
    qtest_outw(s, 0x3f1, 0x0400);
    qtest_outw(s, 0x3f4, 0x0000);
    qtest_outw(s, 0x3f4, 0x0000);
    qtest_outb(s, 0x3f5, 0x00);
    qtest_outb(s, 0x3f5, 0x01);
    qtest_outw(s, 0x3f1, 0x0500);
    qtest_outb(s, 0x3f5, 0x00);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    int fd;
    int ret;

    /* Create a temporary raw image */
    fd = mkstemp(test_image);
    g_assert(fd >= 0);
    ret = ftruncate(fd, TEST_IMAGE_SIZE);
    g_assert(ret == 0);
    close(fd);

    /* Run the tests */
    g_test_init(&argc, &argv, NULL);

    qtest_start("-machine pc -device floppy,id=floppy0");
    qtest_irq_intercept_in(global_qtest, "ioapic");
    qtest_add_func("/fdc/cmos", test_cmos);
    qtest_add_func("/fdc/no_media_on_start", test_no_media_on_start);
    qtest_add_func("/fdc/read_without_media", test_read_without_media);
    qtest_add_func("/fdc/media_change", test_media_change);
    qtest_add_func("/fdc/sense_interrupt", test_sense_interrupt);
    qtest_add_func("/fdc/relative_seek", test_relative_seek);
    qtest_add_func("/fdc/read_id", test_read_id);
    qtest_add_func("/fdc/verify", test_verify);
    qtest_add_func("/fdc/media_insert", test_media_insert);
    qtest_add_func("/fdc/read_no_dma_1", test_read_no_dma_1);
    qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18);
    qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
    qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
    qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);

    ret = g_test_run();

    /* Cleanup */
    qtest_end();
    unlink(test_image);

    return ret;
}
Commit	Line	Data
93e9eb68 KW	1	/*
	2	* Floppy test cases.
	3	*
	4	* Copyright (c) 2012 Kevin Wolf <kwolf@redhat.com>
	5	*
	6	* Permission is hereby granted, free of charge, to any person obtaining a copy
	7	* of this software and associated documentation files (the "Software"), to deal
	8	* in the Software without restriction, including without limitation the rights
	9	* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	10	* copies of the Software, and to permit persons to whom the Software is
	11	* furnished to do so, subject to the following conditions:
	12	*
	13	* The above copyright notice and this permission notice shall be included in
	14	* all copies or substantial portions of the Software.
	15	*
	16	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	17	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	18	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
	19	* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	20	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	21	* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	22	* THE SOFTWARE.
	23	*/
	24
681c28a3	25	#include "qemu/osdep.h"
93e9eb68	26
93e9eb68	27
dd210749	28	#include "libqtest-single.h"
055a1efc	29	#include "qapi/qmp/qdict.h"
93e9eb68	30
055a1efc MA	31	/* TODO actually test the results and get rid of this */
	32	#define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__))
	33
cc20926e PMD	34	#define DRIVE_FLOPPY_BLANK \
	35	"-drive if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k"
	36
93e9eb68 KW	37	#define TEST_IMAGE_SIZE 1440 * 1024
	38
	39	#define FLOPPY_BASE 0x3f0
	40	#define FLOPPY_IRQ 6
	41
	42	enum {
	43	reg_sra = 0x0,
	44	reg_srb = 0x1,
	45	reg_dor = 0x2,
	46	reg_msr = 0x4,
	47	reg_dsr = 0x4,
	48	reg_fifo = 0x5,
	49	reg_dir = 0x7,
	50	};
	51
	52	enum {
98272dbb	53	CMD_SENSE_INT = 0x08,
67f194bd	54	CMD_READ_ID = 0x0a,
98272dbb	55	CMD_SEEK = 0x0f,
6f442fe8	56	CMD_VERIFY = 0x16,
98272dbb PH	57	CMD_READ = 0xe6,
	58	CMD_RELATIVE_SEEK_OUT = 0x8f,
	59	CMD_RELATIVE_SEEK_IN = 0xcf,
93e9eb68 KW	60	};
	61
	62	enum {
5f8ae8e2 HP	63	BUSY = 0x10,
5f8ae8e2 HP	64	NONDMA = 0x20,
93e9eb68 KW	65	RQM = 0x80,
	66	DIO = 0x40,
	67
	68	DSKCHG = 0x80,
	69	};
	70
748bfb4e	71	static char test_image[] = "/tmp/qtest.XXXXXX";
93e9eb68 KW	72
	73	#define assert_bit_set(data, mask) g_assert_cmphex((data) & (mask), ==, (mask))
	74	#define assert_bit_clear(data, mask) g_assert_cmphex((data) & (mask), ==, 0)
	75
7cd33161 PH	76	static uint8_t base = 0x70;
	77
	78	enum {
	79	CMOS_FLOPPY = 0x10,
	80	};
	81
93e9eb68 KW	82	static void floppy_send(uint8_t byte)
	83	{
	84	uint8_t msr;
	85
	86	msr = inb(FLOPPY_BASE + reg_msr);
	87	assert_bit_set(msr, RQM);
	88	assert_bit_clear(msr, DIO);
	89
	90	outb(FLOPPY_BASE + reg_fifo, byte);
	91	}
	92
	93	static uint8_t floppy_recv(void)
	94	{
	95	uint8_t msr;
	96
	97	msr = inb(FLOPPY_BASE + reg_msr);
	98	assert_bit_set(msr, RQM \| DIO);
	99
	100	return inb(FLOPPY_BASE + reg_fifo);
	101	}
	102
c3cdc1b0 KW	103	/* pcn: Present Cylinder Number */
c3cdc1b0 KW	104	static void ack_irq(uint8_t *pcn)
93e9eb68	105	{
98272dbb PH	106	uint8_t ret;
98272dbb PH	107
93e9eb68 KW	108	g_assert(get_irq(FLOPPY_IRQ));
	109	floppy_send(CMD_SENSE_INT);
	110	floppy_recv();
c3cdc1b0	111
98272dbb	112	ret = floppy_recv();
c3cdc1b0 KW	113	if (pcn != NULL) {
	114	*pcn = ret;
	115	}
98272dbb	116
c3cdc1b0	117	g_assert(!get_irq(FLOPPY_IRQ));
93e9eb68 KW	118	}
93e9eb68 KW	119
6f442fe8	120	static uint8_t send_read_command(uint8_t cmd)
8b9ef60d PH	121	{
	122	uint8_t drive = 0;
	123	uint8_t head = 0;
	124	uint8_t cyl = 0;
	125	uint8_t sect_addr = 1;
	126	uint8_t sect_size = 2;
	127	uint8_t eot = 1;
	128	uint8_t gap = 0x1b;
	129	uint8_t gpl = 0xff;
	130
	131	uint8_t msr = 0;
	132	uint8_t st0;
	133
	134	uint8_t ret = 0;
	135
6f442fe8	136	floppy_send(cmd);
8b9ef60d PH	137	floppy_send(head << 2 \| drive);
	138	g_assert(!get_irq(FLOPPY_IRQ));
	139	floppy_send(cyl);
	140	floppy_send(head);
	141	floppy_send(sect_addr);
	142	floppy_send(sect_size);
	143	floppy_send(eot);
	144	floppy_send(gap);
	145	floppy_send(gpl);
	146
	147	uint8_t i = 0;
	148	uint8_t n = 2;
	149	for (; i < n; i++) {
	150	msr = inb(FLOPPY_BASE + reg_msr);
	151	if (msr == 0xd0) {
	152	break;
	153	}
	154	sleep(1);
	155	}
	156
	157	if (i >= n) {
	158	return 1;
	159	}
	160
	161	st0 = floppy_recv();
075f5532	162	if (st0 != 0x40) {
8b9ef60d PH	163	ret = 1;
	164	}
	165
	166	floppy_recv();
	167	floppy_recv();
	168	floppy_recv();
	169	floppy_recv();
	170	floppy_recv();
	171	floppy_recv();
	172
	173	return ret;
	174	}
	175
5f8ae8e2 HP	176	static uint8_t send_read_no_dma_command(int nb_sect, uint8_t expected_st0)
	177	{
	178	uint8_t drive = 0;
	179	uint8_t head = 0;
	180	uint8_t cyl = 0;
	181	uint8_t sect_addr = 1;
	182	uint8_t sect_size = 2;
	183	uint8_t eot = nb_sect;
	184	uint8_t gap = 0x1b;
	185	uint8_t gpl = 0xff;
	186
	187	uint8_t msr = 0;
	188	uint8_t st0;
	189
	190	uint8_t ret = 0;
	191
	192	floppy_send(CMD_READ);
	193	floppy_send(head << 2 \| drive);
	194	g_assert(!get_irq(FLOPPY_IRQ));
	195	floppy_send(cyl);
	196	floppy_send(head);
	197	floppy_send(sect_addr);
	198	floppy_send(sect_size);
	199	floppy_send(eot);
	200	floppy_send(gap);
	201	floppy_send(gpl);
	202
	203	uint16_t i = 0;
	204	uint8_t n = 2;
	205	for (; i < n; i++) {
	206	msr = inb(FLOPPY_BASE + reg_msr);
	207	if (msr == (BUSY \| NONDMA \| DIO \| RQM)) {
	208	break;
	209	}
	210	sleep(1);
	211	}
	212
	213	if (i >= n) {
	214	return 1;
	215	}
	216
	217	/* Non-DMA mode */
	218	for (i = 0; i < 512 * 2 * nb_sect; i++) {
	219	msr = inb(FLOPPY_BASE + reg_msr);
	220	assert_bit_set(msr, BUSY \| RQM \| DIO);
	221	inb(FLOPPY_BASE + reg_fifo);
	222	}
	223
4964e18e KW	224	msr = inb(FLOPPY_BASE + reg_msr);
	225	assert_bit_set(msr, BUSY \| RQM \| DIO);
	226	g_assert(get_irq(FLOPPY_IRQ));
	227
5f8ae8e2 HP	228	st0 = floppy_recv();
	229	if (st0 != expected_st0) {
	230	ret = 1;
	231	}
	232
	233	floppy_recv();
	234	floppy_recv();
	235	floppy_recv();
	236	floppy_recv();
	237	floppy_recv();
4964e18e	238	g_assert(get_irq(FLOPPY_IRQ));
5f8ae8e2 HP	239	floppy_recv();
5f8ae8e2 HP	240
4964e18e KW	241	/* Check that we're back in command phase */
	242	msr = inb(FLOPPY_BASE + reg_msr);
	243	assert_bit_clear(msr, BUSY \| DIO);
	244	assert_bit_set(msr, RQM);
	245	g_assert(!get_irq(FLOPPY_IRQ));
	246
5f8ae8e2 HP	247	return ret;
	248	}
	249
c3cdc1b0	250	static void send_seek(int cyl)
93e9eb68 KW	251	{
	252	int drive = 0;
	253	int head = 0;
93e9eb68 KW	254
	255	floppy_send(CMD_SEEK);
	256	floppy_send(head << 2 \| drive);
	257	g_assert(!get_irq(FLOPPY_IRQ));
	258	floppy_send(cyl);
c3cdc1b0	259	ack_irq(NULL);
93e9eb68 KW	260	}
93e9eb68 KW	261
7cd33161	262	static uint8_t cmos_read(uint8_t reg)
93e9eb68	263	{
7cd33161 PH	264	outb(base + 0, reg);
	265	return inb(base + 1);
	266	}
93e9eb68	267
7cd33161 PH	268	static void test_cmos(void)
	269	{
	270	uint8_t cmos;
93e9eb68	271
7cd33161	272	cmos = cmos_read(CMOS_FLOPPY);
62c76250	273	g_assert(cmos == 0x40 \|\| cmos == 0x50);
7cd33161	274	}
93e9eb68	275
7cd33161 PH	276	static void test_no_media_on_start(void)
	277	{
	278	uint8_t dir;
	279
	280	/* Media changed bit must be set all time after start if there is
	281	* no media in drive. */
93e9eb68 KW	282	dir = inb(FLOPPY_BASE + reg_dir);
	283	assert_bit_set(dir, DSKCHG);
	284	dir = inb(FLOPPY_BASE + reg_dir);
	285	assert_bit_set(dir, DSKCHG);
c3cdc1b0	286	send_seek(1);
93e9eb68 KW	287	dir = inb(FLOPPY_BASE + reg_dir);
	288	assert_bit_set(dir, DSKCHG);
	289	dir = inb(FLOPPY_BASE + reg_dir);
	290	assert_bit_set(dir, DSKCHG);
7cd33161 PH	291	}
7cd33161 PH	292
8b9ef60d PH	293	static void test_read_without_media(void)
	294	{
	295	uint8_t ret;
	296
6f442fe8	297	ret = send_read_command(CMD_READ);
8b9ef60d PH	298	g_assert(ret == 0);
	299	}
	300
1f507913	301	static void test_media_insert(void)
7cd33161 PH	302	{
7cd33161 PH	303	uint8_t dir;
93e9eb68	304
7cd33161	305	/* Insert media in drive. DSKCHK should not be reset until a step pulse
93e9eb68	306	* is sent. */
ccb61bdd EB	307	qmp_discard_response("{'execute':'blockdev-change-medium', 'arguments':{"
ccb61bdd EB	308	" 'id':'floppy0', 'filename': %s, 'format': 'raw' }}",
0d1aa05e	309	test_image);
93e9eb68 KW	310
	311	dir = inb(FLOPPY_BASE + reg_dir);
	312	assert_bit_set(dir, DSKCHG);
	313	dir = inb(FLOPPY_BASE + reg_dir);
	314	assert_bit_set(dir, DSKCHG);
	315
c3cdc1b0	316	send_seek(0);
59240c34 PH	317	dir = inb(FLOPPY_BASE + reg_dir);
	318	assert_bit_set(dir, DSKCHG);
	319	dir = inb(FLOPPY_BASE + reg_dir);
	320	assert_bit_set(dir, DSKCHG);
	321
	322	/* Step to next track should clear DSKCHG bit. */
c3cdc1b0	323	send_seek(1);
93e9eb68 KW	324	dir = inb(FLOPPY_BASE + reg_dir);
	325	assert_bit_clear(dir, DSKCHG);
	326	dir = inb(FLOPPY_BASE + reg_dir);
	327	assert_bit_clear(dir, DSKCHG);
1f507913 HP	328	}
	329
	330	static void test_media_change(void)
	331	{
	332	uint8_t dir;
	333
	334	test_media_insert();
7cd33161 PH	335
	336	/* Eject the floppy and check that DSKCHG is set. Reading it out doesn't
	337	* reset the bit. */
0d1aa05e	338	qmp_discard_response("{'execute':'eject', 'arguments':{"
ccb61bdd	339	" 'id':'floppy0' }}");
7cd33161 PH	340
	341	dir = inb(FLOPPY_BASE + reg_dir);
	342	assert_bit_set(dir, DSKCHG);
	343	dir = inb(FLOPPY_BASE + reg_dir);
	344	assert_bit_set(dir, DSKCHG);
	345
c3cdc1b0	346	send_seek(0);
59240c34 PH	347	dir = inb(FLOPPY_BASE + reg_dir);
	348	assert_bit_set(dir, DSKCHG);
	349	dir = inb(FLOPPY_BASE + reg_dir);
	350	assert_bit_set(dir, DSKCHG);
	351
c3cdc1b0	352	send_seek(1);
7cd33161 PH	353	dir = inb(FLOPPY_BASE + reg_dir);
	354	assert_bit_set(dir, DSKCHG);
	355	dir = inb(FLOPPY_BASE + reg_dir);
	356	assert_bit_set(dir, DSKCHG);
93e9eb68 KW	357	}
93e9eb68 KW	358
b3ce604e PH	359	static void test_sense_interrupt(void)
	360	{
	361	int drive = 0;
	362	int head = 0;
	363	int cyl = 0;
	364	int ret = 0;
	365
	366	floppy_send(CMD_SENSE_INT);
	367	ret = floppy_recv();
	368	g_assert(ret == 0x80);
	369
	370	floppy_send(CMD_SEEK);
	371	floppy_send(head << 2 \| drive);
	372	g_assert(!get_irq(FLOPPY_IRQ));
	373	floppy_send(cyl);
	374
	375	floppy_send(CMD_SENSE_INT);
	376	ret = floppy_recv();
	377	g_assert(ret == 0x20);
	378	floppy_recv();
	379	}
	380
98272dbb PH	381	static void test_relative_seek(void)
	382	{
	383	uint8_t drive = 0;
	384	uint8_t head = 0;
	385	uint8_t cyl = 1;
c3cdc1b0	386	uint8_t pcn;
98272dbb PH	387
98272dbb PH	388	/* Send seek to track 0 */
c3cdc1b0	389	send_seek(0);
98272dbb PH	390
	391	/* Send relative seek to increase track by 1 */
	392	floppy_send(CMD_RELATIVE_SEEK_IN);
	393	floppy_send(head << 2 \| drive);
	394	g_assert(!get_irq(FLOPPY_IRQ));
	395	floppy_send(cyl);
	396
c3cdc1b0 KW	397	ack_irq(&pcn);
c3cdc1b0 KW	398	g_assert(pcn == 1);
98272dbb PH	399
	400	/* Send relative seek to decrease track by 1 */
	401	floppy_send(CMD_RELATIVE_SEEK_OUT);
	402	floppy_send(head << 2 \| drive);
	403	g_assert(!get_irq(FLOPPY_IRQ));
	404	floppy_send(cyl);
	405
c3cdc1b0 KW	406	ack_irq(&pcn);
c3cdc1b0 KW	407	g_assert(pcn == 0);
98272dbb PH	408	}
98272dbb PH	409
67f194bd KW	410	static void test_read_id(void)
	411	{
	412	uint8_t drive = 0;
	413	uint8_t head = 0;
	414	uint8_t cyl;
	415	uint8_t st0;
4964e18e	416	uint8_t msr;
67f194bd KW	417
	418	/* Seek to track 0 and check with READ ID */
	419	send_seek(0);
	420
	421	floppy_send(CMD_READ_ID);
	422	g_assert(!get_irq(FLOPPY_IRQ));
	423	floppy_send(head << 2 \| drive);
	424
4964e18e KW	425	msr = inb(FLOPPY_BASE + reg_msr);
	426	if (!get_irq(FLOPPY_IRQ)) {
	427	assert_bit_set(msr, BUSY);
	428	assert_bit_clear(msr, RQM);
	429	}
	430
67f194bd KW	431	while (!get_irq(FLOPPY_IRQ)) {
	432	/* qemu involves a timer with READ ID... */
	433	clock_step(1000000000LL / 50);
	434	}
	435
4964e18e KW	436	msr = inb(FLOPPY_BASE + reg_msr);
	437	assert_bit_set(msr, BUSY \| RQM \| DIO);
	438
67f194bd KW	439	st0 = floppy_recv();
	440	floppy_recv();
	441	floppy_recv();
	442	cyl = floppy_recv();
	443	head = floppy_recv();
	444	floppy_recv();
4964e18e	445	g_assert(get_irq(FLOPPY_IRQ));
67f194bd	446	floppy_recv();
4964e18e	447	g_assert(!get_irq(FLOPPY_IRQ));
67f194bd KW	448
	449	g_assert_cmpint(cyl, ==, 0);
	450	g_assert_cmpint(head, ==, 0);
	451	g_assert_cmpint(st0, ==, head << 2);
	452
	453	/* Seek to track 8 on head 1 and check with READ ID */
	454	head = 1;
	455	cyl = 8;
	456
	457	floppy_send(CMD_SEEK);
	458	floppy_send(head << 2 \| drive);
	459	g_assert(!get_irq(FLOPPY_IRQ));
	460	floppy_send(cyl);
	461	g_assert(get_irq(FLOPPY_IRQ));
	462	ack_irq(NULL);
	463
	464	floppy_send(CMD_READ_ID);
	465	g_assert(!get_irq(FLOPPY_IRQ));
	466	floppy_send(head << 2 \| drive);
	467
4964e18e KW	468	msr = inb(FLOPPY_BASE + reg_msr);
	469	if (!get_irq(FLOPPY_IRQ)) {
	470	assert_bit_set(msr, BUSY);
	471	assert_bit_clear(msr, RQM);
	472	}
	473
67f194bd KW	474	while (!get_irq(FLOPPY_IRQ)) {
	475	/* qemu involves a timer with READ ID... */
	476	clock_step(1000000000LL / 50);
	477	}
	478
4964e18e KW	479	msr = inb(FLOPPY_BASE + reg_msr);
	480	assert_bit_set(msr, BUSY \| RQM \| DIO);
	481
67f194bd KW	482	st0 = floppy_recv();
	483	floppy_recv();
	484	floppy_recv();
	485	cyl = floppy_recv();
	486	head = floppy_recv();
	487	floppy_recv();
4964e18e	488	g_assert(get_irq(FLOPPY_IRQ));
67f194bd	489	floppy_recv();
4964e18e	490	g_assert(!get_irq(FLOPPY_IRQ));
67f194bd KW	491
	492	g_assert_cmpint(cyl, ==, 8);
	493	g_assert_cmpint(head, ==, 1);
	494	g_assert_cmpint(st0, ==, head << 2);
	495	}
	496
5f8ae8e2 HP	497	static void test_read_no_dma_1(void)
	498	{
	499	uint8_t ret;
	500
	501	outb(FLOPPY_BASE + reg_dor, inb(FLOPPY_BASE + reg_dor) & ~0x08);
	502	send_seek(0);
075f5532	503	ret = send_read_no_dma_command(1, 0x04);
5f8ae8e2 HP	504	g_assert(ret == 0);
	505	}
	506
	507	static void test_read_no_dma_18(void)
	508	{
	509	uint8_t ret;
	510
	511	outb(FLOPPY_BASE + reg_dor, inb(FLOPPY_BASE + reg_dor) & ~0x08);
	512	send_seek(0);
075f5532	513	ret = send_read_no_dma_command(18, 0x04);
5f8ae8e2 HP	514	g_assert(ret == 0);
	515	}
	516
	517	static void test_read_no_dma_19(void)
	518	{
	519	uint8_t ret;
	520
	521	outb(FLOPPY_BASE + reg_dor, inb(FLOPPY_BASE + reg_dor) & ~0x08);
	522	send_seek(0);
	523	ret = send_read_no_dma_command(19, 0x20);
	524	g_assert(ret == 0);
	525	}
	526
6f442fe8 HP	527	static void test_verify(void)
	528	{
	529	uint8_t ret;
	530
	531	ret = send_read_command(CMD_VERIFY);
	532	g_assert(ret == 0);
	533	}
	534
3359847e BS	535	/* success if no crash or abort */
	536	static void fuzz_registers(void)
	537	{
	538	unsigned int i;
	539
	540	for (i = 0; i < 1000; i++) {
	541	uint8_t reg, val;
	542
	543	reg = (uint8_t)g_test_rand_int_range(0, 8);
	544	val = (uint8_t)g_test_rand_int_range(0, 256);
	545
	546	outb(FLOPPY_BASE + reg, val);
	547	inb(FLOPPY_BASE + reg);
	548	}
	549	}
	550
cc20926e PMD	551	static bool qtest_check_clang_sanitizer(void)
	552	{
	553	#if defined(__SANITIZE_ADDRESS__) \|\| __has_feature(address_sanitizer)
	554	return true;
	555	#else
	556	g_test_skip("QEMU not configured using --enable-sanitizers");
	557	return false;
	558	#endif
	559	}
	560	static void test_cve_2021_20196(void)
	561	{
	562	QTestState *s;
	563
	564	if (!qtest_check_clang_sanitizer()) {
	565	return;
	566	}
	567
	568	s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK);
	569
	570	qtest_outw(s, 0x3f4, 0x0500);
	571	qtest_outb(s, 0x3f5, 0x00);
	572	qtest_outb(s, 0x3f5, 0x00);
	573	qtest_outw(s, 0x3f4, 0x0000);
	574	qtest_outb(s, 0x3f5, 0x00);
	575	qtest_outw(s, 0x3f1, 0x0400);
	576	qtest_outw(s, 0x3f4, 0x0000);
	577	qtest_outw(s, 0x3f4, 0x0000);
	578	qtest_outb(s, 0x3f5, 0x00);
	579	qtest_outb(s, 0x3f5, 0x01);
	580	qtest_outw(s, 0x3f1, 0x0500);
	581	qtest_outb(s, 0x3f5, 0x00);
	582	qtest_quit(s);
	583	}
	584
93e9eb68 KW	585	int main(int argc, char **argv)
93e9eb68 KW	586	{
93e9eb68 KW	587	int fd;
	588	int ret;
	589
93e9eb68 KW	590	/* Create a temporary raw image */
	591	fd = mkstemp(test_image);
	592	g_assert(fd >= 0);
	593	ret = ftruncate(fd, TEST_IMAGE_SIZE);
	594	g_assert(ret == 0);
	595	close(fd);
	596
	597	/* Run the tests */
	598	g_test_init(&argc, &argv, NULL);
	599
fedcc379	600	qtest_start("-machine pc -device floppy,id=floppy0");
93e9eb68	601	qtest_irq_intercept_in(global_qtest, "ioapic");
7cd33161 PH	602	qtest_add_func("/fdc/cmos", test_cmos);
7cd33161 PH	603	qtest_add_func("/fdc/no_media_on_start", test_no_media_on_start);
8b9ef60d	604	qtest_add_func("/fdc/read_without_media", test_read_without_media);
93e9eb68	605	qtest_add_func("/fdc/media_change", test_media_change);
b3ce604e	606	qtest_add_func("/fdc/sense_interrupt", test_sense_interrupt);
98272dbb	607	qtest_add_func("/fdc/relative_seek", test_relative_seek);
67f194bd	608	qtest_add_func("/fdc/read_id", test_read_id);
6f442fe8	609	qtest_add_func("/fdc/verify", test_verify);
44212dcc	610	qtest_add_func("/fdc/media_insert", test_media_insert);
5f8ae8e2 HP	611	qtest_add_func("/fdc/read_no_dma_1", test_read_no_dma_1);
	612	qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18);
	613	qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
3359847e	614	qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
cc20926e	615	qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
93e9eb68 KW	616
	617	ret = g_test_run();
	618
	619	/* Cleanup */
1d9358e6	620	qtest_end();
93e9eb68 KW	621	unlink(test_image);
	622
	623	return ret;
	624	}