On 2/18/21 5:25 PM, Philippe Mathieu-Daudé wrote:
> On 2/16/21 4:46 AM, Bin Meng wrote:
>> At the end of sdhci_send_command(), it starts a data transfer if the
>> command register indicates data is associated. But the data transfer
>> should only be initiated when the command execution has succeeded.
>>
>> With this fix, the following reproducer:
>>
>> outl 0xcf8 0x80001810
>> outl 0xcfc 0xe1068000
>> outl 0xcf8 0x80001804
>> outw 0xcfc 0x7
>> write 0xe106802c 0x1 0x0f
>> write 0xe1068004 0xc 0x2801d10101fffffbff28a384
>> write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
>> write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
>> write 0xe1068003 0x1 0xfe
>>
>> cannot be reproduced with the following QEMU command line:
>>
>> $ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
>>     -device sdhci-pci,sd-spec-version=3 \
>>     -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
>>     -device sd-card,drive=mydrive \
>>     -monitor none -serial none -qtest stdio
>
> Can you directly add the reproducer in tests/qtest/fuzz-sdhci-test.c
> instead, similarly to tests/qtest/fuzz-test.c?
Hold on, Alexander will send an RFC series to have that conversion done automatically.