From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, kraxel@redhat.com, hch@lst.de
Subject: [Qemu-devel] [PATCH 01/12] scsi: scsi_bus_legacy_handle_cmdline() can fail, fix callers
Date: Fri, 25 Jun 2010 18:53:21 +0200 [thread overview]
Message-ID: <1277484812-22012-2-git-send-email-armbru@redhat.com> (raw)
In-Reply-To: <1277484812-22012-1-git-send-email-armbru@redhat.com>
None of its callers checks for failure. scsi_hot_add() can crash
because of that:
(qemu) drive_add 4 if=scsi,format=host_device,file=/dev/sg1
scsi-generic: scsi generic interface too old
Segmentation fault (core dumped)
Fix all callers, not just scsi_hot_add().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
hw/esp.c | 3 +--
hw/lsi53c895a.c | 2 +-
hw/pci-hotplug.c | 3 +++
hw/scsi-bus.c | 11 +++++++----
hw/scsi.h | 2 +-
hw/usb-msd.c | 3 +++
6 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/hw/esp.c b/hw/esp.c
index 7740879..349052a 100644
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -679,8 +679,7 @@ static int esp_init1(SysBusDevice *dev)
qdev_init_gpio_in(&dev->qdev, parent_esp_reset, 1);
scsi_bus_new(&s->bus, &dev->qdev, 0, ESP_MAX_DEVS, esp_command_complete);
- scsi_bus_legacy_handle_cmdline(&s->bus);
- return 0;
+ return scsi_bus_legacy_handle_cmdline(&s->bus);
}
static SysBusDeviceInfo esp_info = {
diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index f5a91ba..c2a8010 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -2176,7 +2176,7 @@ static int lsi_scsi_init(PCIDevice *dev)
scsi_bus_new(&s->bus, &dev->qdev, 1, LSI_MAX_DEVS, lsi_command_complete);
if (!dev->qdev.hotplugged) {
- scsi_bus_legacy_handle_cmdline(&s->bus);
+ return scsi_bus_legacy_handle_cmdline(&s->bus);
}
return 0;
}
diff --git a/hw/pci-hotplug.c b/hw/pci-hotplug.c
index c39e640..55c9fe3 100644
--- a/hw/pci-hotplug.c
+++ b/hw/pci-hotplug.c
@@ -90,6 +90,9 @@ static int scsi_hot_add(Monitor *mon, DeviceState *adapter,
*/
dinfo->unit = qemu_opt_get_number(dinfo->opts, "unit", -1);
scsidev = scsi_bus_legacy_add_drive(scsibus, dinfo, dinfo->unit);
+ if (!scsidev) {
+ return -1;
+ }
dinfo->unit = scsidev->id;
if (printinfo)
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 24bd060..d5b66c1 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -83,7 +83,6 @@ void scsi_qdev_register(SCSIDeviceInfo *info)
}
/* handle legacy '-drive if=scsi,...' cmd line args */
-/* FIXME callers should check for failure, but don't */
SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, DriveInfo *dinfo, int unit)
{
const char *driver;
@@ -98,18 +97,22 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, DriveInfo *dinfo, int unit)
return DO_UPCAST(SCSIDevice, qdev, dev);
}
-void scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
+int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
{
DriveInfo *dinfo;
- int unit;
+ int res = 0, unit;
for (unit = 0; unit < MAX_SCSI_DEVS; unit++) {
dinfo = drive_get(IF_SCSI, bus->busnr, unit);
if (dinfo == NULL) {
continue;
}
- scsi_bus_legacy_add_drive(bus, dinfo, unit);
+ if (!scsi_bus_legacy_add_drive(bus, dinfo, unit)) {
+ res = -1;
+ break;
+ }
}
+ return res;
}
void scsi_dev_clear_sense(SCSIDevice *dev)
diff --git a/hw/scsi.h b/hw/scsi.h
index b668e27..b1b5f73 100644
--- a/hw/scsi.h
+++ b/hw/scsi.h
@@ -98,7 +98,7 @@ static inline SCSIBus *scsi_bus_from_device(SCSIDevice *d)
}
SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, DriveInfo *dinfo, int unit);
-void scsi_bus_legacy_handle_cmdline(SCSIBus *bus);
+int scsi_bus_legacy_handle_cmdline(SCSIBus *bus);
void scsi_dev_clear_sense(SCSIDevice *dev);
void scsi_dev_set_sense(SCSIDevice *dev, uint8_t key);
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 003bd8a..8e9718c 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -531,6 +531,9 @@ static int usb_msd_initfn(USBDevice *dev)
s->dev.speed = USB_SPEED_FULL;
scsi_bus_new(&s->bus, &s->dev.qdev, 0, 1, usb_msd_command_complete);
s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, s->conf.dinfo, 0);
+ if (!s->scsi_dev) {
+ return -1;
+ }
s->bus.qbus.allow_hotplug = 0;
usb_msd_handle_reset(dev);
--
1.6.6.1
next prev parent reply other threads:[~2010-06-25 17:42 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-25 16:53 [Qemu-devel] [PATCH 00/12] More block-related fixes and cleanups Markus Armbruster
2010-06-25 16:53 ` Markus Armbruster [this message]
2010-06-25 19:39 ` [Qemu-devel] Re: [PATCH 01/12] scsi: scsi_bus_legacy_handle_cmdline() can fail, fix callers Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 02/12] ide: Make it explicit that ide_create_drive() can't fail Markus Armbruster
2010-06-25 19:40 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 03/12] blockdev: Remove drive_get_serial() Markus Armbruster
2010-06-25 19:41 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 04/12] blockdev: New drive_of_blockdev() Markus Armbruster
2010-06-25 19:42 ` [Qemu-devel] " Christoph Hellwig
2010-06-26 5:32 ` Markus Armbruster
2010-06-26 9:46 ` Christoph Hellwig
2010-06-26 14:46 ` Markus Armbruster
2010-06-27 9:36 ` Christoph Hellwig
2010-06-28 9:58 ` Paolo Bonzini
2010-06-29 8:57 ` Markus Armbruster
2010-06-25 16:53 ` [Qemu-devel] [PATCH 05/12] blockdev: Clean up automatic drive deletion Markus Armbruster
2010-06-26 9:48 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 06/12] qdev: Decouple qdev_prop_drive from DriveInfo Markus Armbruster
2010-06-26 10:09 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 07/12] blockdev: drive_get_by_id() is no longer used, remove Markus Armbruster
2010-06-26 10:09 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 08/12] block: Catch attempt to attach multiple devices to a blockdev Markus Armbruster
2010-06-26 10:11 ` [Qemu-devel] " Christoph Hellwig
2010-06-26 14:44 ` Markus Armbruster
2010-06-27 9:36 ` Christoph Hellwig
2010-06-28 8:24 ` Kevin Wolf
2010-06-28 10:16 ` Christoph Hellwig
2010-06-28 10:26 ` Kevin Wolf
2010-06-30 11:52 ` Markus Armbruster
2010-06-30 12:13 ` Kevin Wolf
2010-06-29 8:06 ` Gerd Hoffmann
2010-06-30 11:33 ` Markus Armbruster
2010-06-29 13:32 ` Kevin Wolf
2010-06-29 14:29 ` Markus Armbruster
2010-06-29 14:58 ` [Qemu-devel] [PATCH v2 " Markus Armbruster
2010-06-25 16:53 ` [Qemu-devel] [PATCH 09/12] savevm: Survive hot-unplug of snapshot device Markus Armbruster
2010-06-26 10:12 ` [Qemu-devel] " Christoph Hellwig
2010-06-30 11:28 ` Markus Armbruster
2010-06-30 13:37 ` Kevin Wolf
2010-06-30 16:34 ` Markus Armbruster
2010-06-25 16:53 ` [Qemu-devel] [PATCH 10/12] block: Fix virtual media change for if=none Markus Armbruster
2010-06-26 10:14 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 11/12] ide: Make PIIX and ISA IDE init functions return the qdev Markus Armbruster
2010-06-26 10:14 ` [Qemu-devel] " Christoph Hellwig
2010-06-25 16:53 ` [Qemu-devel] [PATCH 12/12] pc: Fix CMOS info for drives defined with -device Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1277484812-22012-2-git-send-email-armbru@redhat.com \
--to=armbru@redhat.com \
--cc=hch@lst.de \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.