ktstr 0.15.0

Test harness for Linux process schedulers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335

use super::super::super::*;
use super::*;

// ----------------------------------------------------------------
// Hostile-guest control message defenses (handle_control_event).
//
// The kernel's virtio-console driver
// (drivers/char/virtio_console.c `virtcons_probe`) sends
// DEVICE_READY exactly once and PORT_READY exactly once per port.
// A hostile or buggy guest that re-sends either message would
// re-enqueue PORT_ADD / CONSOLE_PORT / PORT_OPEN / PORT_NAME and
// grow `control_out` without bound, exhausting host memory. The
// device gates each repeat behind `device_ready` / `port_readied`
// flags; these tests pin the gates against regressions.
// ----------------------------------------------------------------

/// DEVICE_READY repeats must be ignored — the second message
/// must NOT enqueue a second batch of PORT_ADD frames. Pins the
/// `if self.device_ready` early-return at handle_control_event
/// (the DEVICE_READY arm). Without the gate, a guest spamming
/// DEVICE_READY would grow `control_out` by NUM_PORTS entries
/// per message until the host OOMs.
#[test]
fn handle_device_ready_repeat_ignored() {
    let mut dev = VirtioConsole::new();
    // First DEVICE_READY: enqueues NUM_PORTS PORT_ADD frames.
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_DEVICE_READY,
        value: 1,
    });
    assert!(
        dev.device_ready,
        "device_ready must be set after first message"
    );
    let after_first = dev.control_out.len();
    assert_eq!(
        after_first, NUM_PORTS as usize,
        "first DEVICE_READY must enqueue exactly NUM_PORTS PORT_ADD frames",
    );

    // Second DEVICE_READY: the gate must reject; control_out
    // must NOT grow.
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_DEVICE_READY,
        value: 1,
    });
    assert_eq!(
        dev.control_out.len(),
        after_first,
        "DEVICE_READY repeat must be a no-op — control_out length must \
         remain at NUM_PORTS, otherwise a hostile guest can grow it \
         unboundedly",
    );
    // device_ready stays true — the repeat does not flip it back.
    assert!(
        dev.device_ready,
        "device_ready must remain set after repeat"
    );
}

/// PORT_READY repeat for the same port must be ignored — the
/// second message must NOT re-enqueue
/// CONSOLE_PORT/PORT_NAME/PORT_OPEN. Pins the
/// `if self.port_readied[id as usize]` early-return at
/// handle_control_event (the PORT_READY arm). Mirrors the
/// DEVICE_READY gate but per-port — readying port 0 twice would
/// otherwise enqueue 6 frames (3 per call) instead of 3.
#[test]
fn handle_port_ready_repeat_ignored_port0() {
    let mut dev = VirtioConsole::new();
    // First PORT_READY for port 0: enqueues 3 frames
    // (CONSOLE_PORT, PORT_NAME, PORT_OPEN).
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    assert!(
        dev.ports[0].readied,
        "port_readied[0] must be set after first PORT_READY"
    );
    let after_first = dev.control_out.len();
    assert_eq!(
        after_first, 3,
        "first PORT_READY for port 0 must enqueue 3 frames \
         (CONSOLE_PORT, PORT_NAME, PORT_OPEN)",
    );

    // Second PORT_READY for port 0: the gate must reject;
    // control_out must NOT grow.
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    assert_eq!(
        dev.control_out.len(),
        after_first,
        "PORT_READY repeat for the same port must be a no-op — \
         control_out length must remain at 3, otherwise a hostile \
         guest can re-enqueue announce frames unboundedly",
    );
}

/// PORT_READY repeat for port 1 must be ignored — symmetric to
/// the port-0 case but exercises the port-1 branch (PORT_NAME
/// then PORT_OPEN, 2 frames per legitimate message). A regression
/// that scoped the gate per port-0 only would surface here.
#[test]
fn handle_port_ready_repeat_ignored_port1() {
    let mut dev = VirtioConsole::new();
    dev.handle_control_event(VirtioConsoleControl {
        id: 1,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    assert!(dev.ports[1].readied);
    let after_first = dev.control_out.len();
    assert_eq!(
        after_first, 2,
        "first PORT_READY for port 1 must enqueue 2 frames (PORT_NAME, PORT_OPEN)",
    );

    dev.handle_control_event(VirtioConsoleControl {
        id: 1,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    assert_eq!(
        dev.control_out.len(),
        after_first,
        "PORT_READY repeat for port 1 must be a no-op",
    );
}

/// PORT_READY for port 0 must NOT inhibit a subsequent PORT_READY
/// for port 1 — the gate is per-port, not global. Pins the array
/// indexing in `port_readied[id as usize]`. A regression that
/// used a single global flag would let only one port's announce
/// frames go through.
#[test]
fn handle_port_ready_per_port_not_global() {
    let mut dev = VirtioConsole::new();
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    let after_port0 = dev.control_out.len();
    assert_eq!(after_port0, 3, "port 0 announce: 3 frames");

    dev.handle_control_event(VirtioConsoleControl {
        id: 1,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    // Now both ports have enqueued: 3 (port 0) + 2 (port 1) = 5.
    assert_eq!(
        dev.control_out.len(),
        5,
        "PORT_READY for port 1 after PORT_READY for port 0 must \
         enqueue port 1's announce frames — the gate is per-port",
    );
    assert!(dev.ports[0].readied);
    assert!(dev.ports[1].readied);
}

/// PORT_READY with value=0 must log an error and skip the
/// announce-frame enqueue. value=0 is the kernel's
/// `add_port` failed signal (drivers/char/virtio_console.c
/// `add_port` error path). Pins the early-return without
/// setting `port_readied[id]` so a future legitimate PORT_READY
/// (after recovery) is not blocked by the gate.
#[test]
fn handle_port_ready_value_zero_skipped() {
    let mut dev = VirtioConsole::new();
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 0,
    });
    assert!(
        dev.control_out.is_empty(),
        "PORT_READY value=0 must NOT enqueue announce frames",
    );
    // port_readied[0] must remain false — the early-return for
    // value=0 happens BEFORE the gate flag is set, so a future
    // PORT_READY value=1 can still complete.
    assert!(
        !dev.ports[0].readied,
        "PORT_READY value=0 must NOT set port_readied — the kernel \
         may legitimately retry with value=1 after the host fixes \
         the underlying issue",
    );
}

/// PORT_READY value=0 must NOT block a subsequent PORT_READY
/// value=1 from completing the handshake. Pins the rule that
/// the value=0 early-return precedes the `port_readied` flag
/// flip.
#[test]
fn handle_port_ready_value_zero_then_one_completes() {
    let mut dev = VirtioConsole::new();
    // value=0 first: skipped, no announce frames.
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 0,
    });
    assert!(dev.control_out.is_empty());
    assert!(!dev.ports[0].readied);
    // value=1 next: must fire the announce as normal.
    dev.handle_control_event(VirtioConsoleControl {
        id: 0,
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    assert!(dev.ports[0].readied);
    assert_eq!(
        dev.control_out.len(),
        3,
        "PORT_READY value=1 after value=0 must enqueue the announce \
         — the value=0 path must not poison the per-port gate",
    );
}

/// PORT_READY for an unknown port id (>= NUM_PORTS) must be
/// ignored. The existing `handle_port_ready_unknown_port_ignored`
/// covers value=1; this pins the port id bounds check is the
/// outer gate (rejected before the value-check or repeat-check).
/// Verifies port_readied stays all-false and control_out is empty.
#[test]
fn handle_port_ready_unknown_port_state_unchanged() {
    let mut dev = VirtioConsole::new();
    dev.handle_control_event(VirtioConsoleControl {
        id: NUM_PORTS, // first invalid id (NUM_PORTS == 2)
        event: VIRTIO_CONSOLE_PORT_READY,
        value: 1,
    });
    assert!(dev.control_out.is_empty());
    for p in &dev.ports {
        assert!(
            !p.readied,
            "unknown-port PORT_READY must not flip any port readied flag",
        );
    }
}

/// PORT_OPEN for an unknown port id (>= NUM_PORTS) must be
/// ignored. Pins the `if id >= NUM_PORTS` gate at the head of
/// the PORT_OPEN arm. Without the gate, an out-of-bounds
/// `port_opened[id as usize]` index would panic with
/// "index out of bounds" — far worse than a tracing warning.
#[test]
fn handle_port_open_unknown_port_ignored() {
    let mut dev = VirtioConsole::new();
    // Try multiple invalid ids — anything >= NUM_PORTS.
    dev.handle_control_event(VirtioConsoleControl {
        id: NUM_PORTS,
        event: VIRTIO_CONSOLE_PORT_OPEN,
        value: 1,
    });
    dev.handle_control_event(VirtioConsoleControl {
        id: 0xFFFF_FFFF,
        event: VIRTIO_CONSOLE_PORT_OPEN,
        value: 1,
    });
    // No panic. Every port's `opened` stays at the initial false.
    for p in &dev.ports {
        assert!(
            !p.opened,
            "unknown-port PORT_OPEN must not flip any port opened \
             flag — the gate prevents out-of-bounds array access on \
             a hostile id",
        );
    }
}

/// Unhandled c_ovq event values must be absorbed silently — the
/// `other` arm in handle_control_event logs a debug line and
/// returns. The kernel today only sends DEVICE_READY, PORT_READY,
/// and PORT_OPEN on c_ovq (drivers/char/virtio_console.c
/// `send_control_msg` callers); a future kernel may add new
/// event types. Pins that an unrecognised event does not panic,
/// does not enqueue control_out, and does not flip any FSM flag.
#[test]
fn handle_unhandled_event_absorbed() {
    let mut dev = VirtioConsole::new();
    // Pick events that are valid wire values but the device
    // does not act on. PORT_ADD is the kernel's PORT_ADD —
    // the host emits it (PORT_ADD on c_ivq), the guest does not
    // send it back on c_ovq, so seeing it here is "the guest
    // sent something we don't handle." PORT_REMOVE / RESIZE
    // / PORT_NAME / CONSOLE_PORT round out the wire-defined
    // events that hit the `other` arm.
    let unhandled = [
        VIRTIO_CONSOLE_PORT_ADD,
        VIRTIO_CONSOLE_PORT_REMOVE,
        VIRTIO_CONSOLE_CONSOLE_PORT,
        VIRTIO_CONSOLE_RESIZE,
        VIRTIO_CONSOLE_PORT_NAME,
        // Completely synthetic event id — pins that even values
        // beyond the wire-defined set fall through cleanly.
        0xBEEF,
    ];
    for ev in unhandled {
        dev.handle_control_event(VirtioConsoleControl {
            id: 0,
            event: ev,
            value: 1,
        });
    }
    // Nothing must have been enqueued, no FSM flag must have
    // been flipped.
    assert!(
        dev.control_out.is_empty(),
        "unhandled events must NOT enqueue control_out",
    );
    assert!(
        !dev.device_ready,
        "unhandled events must NOT flip device_ready",
    );
    for p in &dev.ports {
        assert!(
            !p.opened,
            "unhandled events must NOT flip any port opened flag"
        );
        assert!(
            !p.readied,
            "unhandled events must NOT flip any port readied flag"
        );
    }
}