From: Kevin Wolf <kwolf@redhat.com>
To: John Snow <jsnow@redhat.com>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>,
hpoussin@reactos.org, mreitz@redhat.com, qemu-block@nongnu.org,
qemu-devel@nongnu.org, martin@duskware.de
Subject: Re: [Qemu-devel] [PATCH for-3.1] fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled
Date: Tue, 13 Nov 2018 14:16:56 +0100 [thread overview]
Message-ID: <20181113131656.GD4830@localhost.localdomain> (raw)
In-Reply-To: <96edc28b-1752-dc4e-ceb8-7078cb041392@redhat.com>
Am 12.11.2018 um 20:58 hat John Snow geschrieben:
>
>
> On 11/11/18 4:40 AM, Mark Cave-Ayland wrote:
> > Commit c8a35f1cf0f "fdc: use IsaDma interface instead of global DMA_*
> > functions" accidentally introduced a segfault in fdctrl_stop_transfer() for
> > non-DMA transfers.
> >
> > If fdctrl->dma_chann has not been configured then the fdctrl->dma interface
> > reference isn't initialised during isabus_fdc_realize(). Unfortunately
> > fdctrl_stop_transfer() unconditionally references the DMA interface when
> > finishing the transfer causing a NULL pointer dereference.
> >
> > Fix the issue by adding a check in fdctrl_stop_transfer() so that the DMA
> > interface reference and release method is only invoked if fdctrl->dma_chann
> > has been set.
> >
> > (This issue was discovered by Martin testing a recent change in the NetBSD
> > installer under qemu-system-sparc)
> >
> > Reported-by: Martin Husemann <martin@duskware.de>
> > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
> > ---
> > hw/block/fdc.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/block/fdc.c b/hw/block/fdc.c
> > index 2e9c1e1e2f..6f19f127a5 100644
> > --- a/hw/block/fdc.c
> > +++ b/hw/block/fdc.c
> > @@ -1617,7 +1617,7 @@ static void fdctrl_stop_transfer(FDCtrl *fdctrl, uint8_t status0,
> > fdctrl->fifo[5] = cur_drv->sect;
> > fdctrl->fifo[6] = FD_SECTOR_SC;
> > fdctrl->data_dir = FD_DIR_READ;
> > - if (!(fdctrl->msr & FD_MSR_NONDMA)) {
> > + if (fdctrl->dma_chann != -1 && !(fdctrl->msr & FD_MSR_NONDMA)) {
> > IsaDmaClass *k = ISADMA_GET_CLASS(fdctrl->dma);
> > k->release_DREQ(fdctrl->dma, fdctrl->dma_chann);
> > }
> >
>
> Thanks.
>
> Reviewed-by: John Snow <jsnow@redhat.com>
>
> ... Kevin, would you mind staging this one-off for the next RC?
No problem, I'm applying this to my block branch. However, my pull
request for -rc1 is already merged, so this will have to wait until next
week and -rc2.
Kevin
next prev parent reply other threads:[~2018-11-13 13:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-11 9:40 [Qemu-devel] [PATCH for-3.1] fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled Mark Cave-Ayland
2018-11-11 10:09 ` Philippe Mathieu-Daudé
2018-11-12 18:03 ` Hervé Poussineau
2018-11-12 19:58 ` John Snow
2018-11-13 13:16 ` Kevin Wolf [this message]
2018-11-13 20:29 ` John Snow
2018-11-18 12:32 ` Mark Cave-Ayland
2018-11-19 11:52 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181113131656.GD4830@localhost.localdomain \
--to=kwolf@redhat.com \
--cc=hpoussin@reactos.org \
--cc=jsnow@redhat.com \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=martin@duskware.de \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.