* [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs
@ 2017-06-06 12:17 Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 1/7] megasas: add qtest Paolo Bonzini
` (7 more replies)
0 siblings, 8 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
The first patch add a simple no-op qtest. Patches 2-6 change the
device to only read from cmd->frame once, thus avoiding TOC-TOU
bugs and possible vulnerabilities.
The last patch fixes a NULL pointer dereference reported by PJP.
It has a dependency on patch 4, because megasas_abort_command now
needs an extra cmd->dcmd_opcode != -1 check (and cmd->dcmd_opcode is
added in patch 4).
Paolo
Paolo Bonzini (7):
megasas: add qtest
megasas: do not read sense length more than once from frame
megasas: do not read iovec count more than once from frame
megasas: do not read DCMD opcode more than once from frame
megasas: do not read command more than once from frame
megasas: do not read SCSI req parameters more than once from frame
megasas: always store SCSIRequest* into MegasasCmd
hw/scsi/megasas.c | 175 ++++++++++++++++++++++---------------------------
tests/Makefile.include | 3 +
tests/megasas-test.c | 86 ++++++++++++++++++++++++
3 files changed, 168 insertions(+), 96 deletions(-)
create mode 100644 tests/megasas-test.c
--
2.13.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 1/7] megasas: add qtest
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame Paolo Bonzini
` (6 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
The test does nothing at all except starting QEMU, but it's a start.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
tests/Makefile.include | 3 +++
tests/megasas-test.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+)
create mode 100644 tests/megasas-test.c
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 75893838e5..eb6b724ed6 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -205,6 +205,8 @@ check-qtest-pci-y += tests/intel-hda-test$(EXESUF)
gcov-files-pci-y += hw/audio/intel-hda.c hw/audio/hda-codec.c
check-qtest-pci-$(CONFIG_EVENTFD) += tests/ivshmem-test$(EXESUF)
gcov-files-pci-y += hw/misc/ivshmem.c
+check-qtest-pci-y += tests/megasas-test$(EXESUF)
+gcov-files-pci-y += hw/scsi/megasas.c
check-qtest-i386-y = tests/endianness-test$(EXESUF)
check-qtest-i386-y += tests/fdc-test$(EXESUF)
@@ -753,6 +755,7 @@ tests/test-filter-mirror$(EXESUF): tests/test-filter-mirror.o $(qtest-obj-y)
tests/test-filter-redirector$(EXESUF): tests/test-filter-redirector.o $(qtest-obj-y)
tests/test-x86-cpuid-compat$(EXESUF): tests/test-x86-cpuid-compat.o $(qtest-obj-y)
tests/ivshmem-test$(EXESUF): tests/ivshmem-test.o contrib/ivshmem-server/ivshmem-server.o $(libqos-pc-obj-y) $(libqos-spapr-obj-y)
+tests/megasas-test$(EXESUF): tests/megasas-test.o $(libqos-spapr-obj-y) $(libqos-pc-obj-y)
tests/vhost-user-bridge$(EXESUF): tests/vhost-user-bridge.o contrib/libvhost-user/libvhost-user.o $(test-util-obj-y)
tests/test-uuid$(EXESUF): tests/test-uuid.o $(test-util-obj-y)
tests/test-arm-mptimer$(EXESUF): tests/test-arm-mptimer.o
diff --git a/tests/megasas-test.c b/tests/megasas-test.c
new file mode 100644
index 0000000000..a9e56a2389
--- /dev/null
+++ b/tests/megasas-test.c
@@ -0,0 +1,51 @@
+/*
+ * QTest testcase for LSI MegaRAID
+ *
+ * Copyright (c) 2017 Red Hat Inc.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "libqtest.h"
+#include "qemu/bswap.h"
+#include "libqos/libqos-pc.h"
+#include "libqos/libqos-spapr.h"
+
+static QOSState *qmegasas_start(const char *extra_opts)
+{
+ const char *arch = qtest_get_arch();
+ const char *cmd = "-drive id=hd0,if=none,file=null-co://,format=raw "
+ "-device megasas,id=scsi0,addr=04.0 "
+ "-device scsi-hd,bus=scsi0.0,drive=hd0 %s";
+
+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+ return qtest_pc_boot(cmd, extra_opts ? : "");
+ }
+
+ g_printerr("virtio-scsi tests are only available on x86 or ppc64\n");
+ exit(EXIT_FAILURE);
+}
+
+static void qmegasas_stop(QOSState *qs)
+{
+ qtest_shutdown(qs);
+}
+
+/* Tests only initialization so far. TODO: Replace with functional tests */
+static void pci_nop(void)
+{
+ QOSState *qs;
+
+ qs = qmegasas_start(NULL);
+ qmegasas_stop(qs);
+}
+
+int main(int argc, char **argv)
+{
+ g_test_init(&argc, &argv, NULL);
+ qtest_add_func("/megasas/pci/nop", pci_nop);
+
+ return g_test_run();
+}
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 1/7] megasas: add qtest Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 13:26 ` Philippe Mathieu-Daudé
2017-06-06 12:17 ` [Qemu-devel] [PATCH 3/7] megasas: do not read iovec count " Paolo Bonzini
` (5 subsequent siblings)
7 siblings, 1 reply; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
Avoid TOC-TOU bugs depending on how the compiler behaves.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 804122ab05..1888118e5f 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -309,9 +309,11 @@ static int megasas_build_sense(MegasasCmd *cmd, uint8_t *sense_ptr,
PCIDevice *pcid = PCI_DEVICE(cmd->state);
uint32_t pa_hi = 0, pa_lo;
hwaddr pa;
+ int frame_sense_len;
- if (sense_len > cmd->frame->header.sense_len) {
- sense_len = cmd->frame->header.sense_len;
+ frame_sense_len = cmd->frame->header.sense_len;
+ if (sense_len > frame_sense_len) {
+ sense_len = frame_sense_len;
}
if (sense_len) {
pa_lo = le32_to_cpu(cmd->frame->pass.sense_addr_lo);
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 3/7] megasas: do not read iovec count more than once from frame
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 1/7] megasas: add qtest Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 4/7] megasas: do not read DCMD opcode " Paolo Bonzini
` (4 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
Avoid TOC-TOU bugs depending on how the compiler behaves.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 1888118e5f..c353118882 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -675,15 +675,16 @@ out:
static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
{
dma_addr_t iov_pa, iov_size;
+ int iov_count;
cmd->flags = le16_to_cpu(cmd->frame->header.flags);
- if (!cmd->frame->header.sge_count) {
+ iov_count = cmd->frame->header.sge_count;
+ if (!iov_count) {
trace_megasas_dcmd_zero_sge(cmd->index);
cmd->iov_size = 0;
return 0;
- } else if (cmd->frame->header.sge_count > 1) {
- trace_megasas_dcmd_invalid_sge(cmd->index,
- cmd->frame->header.sge_count);
+ } else if (iov_count > 1) {
+ trace_megasas_dcmd_invalid_sge(cmd->index, iov_count);
cmd->iov_size = 0;
return -EINVAL;
}
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 4/7] megasas: do not read DCMD opcode more than once from frame
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
` (2 preceding siblings ...)
2017-06-06 12:17 ` [Qemu-devel] [PATCH 3/7] megasas: do not read iovec count " Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 5/7] megasas: do not read command " Paolo Bonzini
` (3 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index c353118882..a3f75c1650 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
hwaddr pa;
hwaddr pa_size;
+ uint32_t dcmd_opcode;
union mfi_frame *frame;
SCSIRequest *req;
QEMUSGList qsg;
@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
cmd->context &= (uint64_t)0xFFFFFFFF;
}
cmd->count = count;
+ cmd->dcmd_opcode = -1;
s->busy++;
if (s->consumer_pa) {
@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t {
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
{
- int opcode;
int retval = 0;
size_t len;
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
+ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
if (megasas_map_dcmd(s, cmd) < 0) {
return MFI_STAT_MEMORY_NOT_AVAILABLE;
}
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
+ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
cmdptr++;
}
len = cmd->iov_size;
if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
+ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
retval = megasas_dcmd_dummy(s, cmd);
} else {
trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
SCSIRequest *req)
{
- int opcode;
int retval = MFI_STAT_OK;
int lun = req->lun;
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
- switch (opcode) {
+ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
+ switch (cmd->dcmd_opcode) {
case MFI_DCMD_PD_GET_INFO:
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
break;
@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
break;
default:
- trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
+ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
retval = MFI_STAT_INVALID_DCMD;
break;
}
@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
{
MegasasCmd *cmd = req->hba_private;
uint8_t *buf;
- uint32_t opcode;
trace_megasas_io_complete(cmd->index, len);
@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
}
buf = scsi_req_get_buf(req);
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
+ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
struct mfi_pd_info *info = cmd->iov_buf;
if (info->inquiry_data[0] == 0x7f) {
@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
memcpy(info->vpd_page83, buf, len);
}
scsi_req_continue(req);
- } else if (opcode == MFI_DCMD_LD_GET_INFO) {
+ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
struct mfi_ld_info *info = cmd->iov_buf;
if (cmd->iov_buf) {
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 5/7] megasas: do not read command more than once from frame
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
` (3 preceding siblings ...)
2017-06-06 12:17 ` [Qemu-devel] [PATCH 4/7] megasas: do not read DCMD opcode " Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 6/7] megasas: do not read SCSI req parameters " Paolo Bonzini
` (2 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
Avoid TOC-TOU bugs by passing the frame_cmd down, and checking
cmd->dcmd_opcode instead of cmd->frame->header.frame_cmd.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 60 +++++++++++++++++++++++--------------------------------
1 file changed, 25 insertions(+), 35 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index a3f75c1650..38e0a2f5ef 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1591,12 +1591,13 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
}
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
- SCSIRequest *req)
+ SCSIRequest *req, size_t resid)
{
int retval = MFI_STAT_OK;
int lun = req->lun;
trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
+ cmd->iov_size -= resid;
switch (cmd->dcmd_opcode) {
case MFI_DCMD_PD_GET_INFO:
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
@@ -1649,11 +1650,12 @@ static int megasas_enqueue_req(MegasasCmd *cmd, bool is_write)
}
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
- bool is_logical)
+ int frame_cmd)
{
uint8_t *cdb;
bool is_write;
struct SCSIDevice *sdev = NULL;
+ bool is_logical = (frame_cmd == MFI_CMD_LD_SCSI_IO);
cdb = cmd->frame->pass.cdb;
@@ -1661,7 +1663,7 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
if (cmd->frame->header.target_id >= MFI_MAX_LD ||
cmd->frame->header.lun_id != 0) {
trace_megasas_scsi_target_not_present(
- mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical,
+ mfi_frame_desc[frame_cmd], is_logical,
cmd->frame->header.target_id, cmd->frame->header.lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
@@ -1671,19 +1673,20 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
cmd->iov_size = le32_to_cpu(cmd->frame->header.data_len);
trace_megasas_handle_scsi(mfi_frame_desc[cmd->frame->header.frame_cmd],
- is_logical, cmd->frame->header.target_id,
+ trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical,
+ cmd->frame->header.target_id,
cmd->frame->header.lun_id, sdev, cmd->iov_size);
if (!sdev || (megasas_is_jbod(s) && is_logical)) {
trace_megasas_scsi_target_not_present(
- mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical,
+ mfi_frame_desc[frame_cmd], is_logical,
cmd->frame->header.target_id, cmd->frame->header.lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
if (cmd->frame->header.cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
- mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical,
+ mfi_frame_desc[frame_cmd], is_logical,
cmd->frame->header.target_id, cmd->frame->header.lun_id,
cmd->frame->header.cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
@@ -1703,7 +1706,7 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
cmd->frame->header.lun_id, cdb, cmd);
if (!cmd->req) {
trace_megasas_scsi_req_alloc_failed(
- mfi_frame_desc[cmd->frame->header.frame_cmd],
+ mfi_frame_desc[frame_cmd],
cmd->frame->header.target_id, cmd->frame->header.lun_id);
megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
cmd->frame->header.scsi_status = BUSY;
@@ -1725,11 +1728,11 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
return MFI_STAT_INVALID_STATUS;
}
-static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd)
+static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
{
uint32_t lba_count, lba_start_hi, lba_start_lo;
uint64_t lba_start;
- bool is_write = (cmd->frame->header.frame_cmd == MFI_CMD_LD_WRITE);
+ bool is_write = (frame_cmd == MFI_CMD_LD_WRITE);
uint8_t cdb[16];
int len;
struct SCSIDevice *sdev = NULL;
@@ -1746,20 +1749,20 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd)
}
trace_megasas_handle_io(cmd->index,
- mfi_frame_desc[cmd->frame->header.frame_cmd],
+ mfi_frame_desc[frame_cmd],
cmd->frame->header.target_id,
cmd->frame->header.lun_id,
(unsigned long)lba_start, (unsigned long)lba_count);
if (!sdev) {
trace_megasas_io_target_not_present(cmd->index,
- mfi_frame_desc[cmd->frame->header.frame_cmd],
+ mfi_frame_desc[frame_cmd],
cmd->frame->header.target_id, cmd->frame->header.lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
if (cmd->frame->header.cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
- mfi_frame_desc[cmd->frame->header.frame_cmd], 1,
+ mfi_frame_desc[frame_cmd], 1,
cmd->frame->header.target_id, cmd->frame->header.lun_id,
cmd->frame->header.cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
@@ -1781,7 +1784,7 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd)
cmd->frame->header.lun_id, cdb, cmd);
if (!cmd->req) {
trace_megasas_scsi_req_alloc_failed(
- mfi_frame_desc[cmd->frame->header.frame_cmd],
+ mfi_frame_desc[frame_cmd],
cmd->frame->header.target_id, cmd->frame->header.lun_id);
megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
cmd->frame->header.scsi_status = BUSY;
@@ -1799,23 +1802,11 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd)
return MFI_STAT_INVALID_STATUS;
}
-static int megasas_finish_internal_command(MegasasCmd *cmd,
- SCSIRequest *req, size_t resid)
-{
- int retval = MFI_STAT_INVALID_CMD;
-
- if (cmd->frame->header.frame_cmd == MFI_CMD_DCMD) {
- cmd->iov_size -= resid;
- retval = megasas_finish_internal_dcmd(cmd, req);
- }
- return retval;
-}
-
static QEMUSGList *megasas_get_sg_list(SCSIRequest *req)
{
MegasasCmd *cmd = req->hba_private;
- if (cmd->frame->header.frame_cmd == MFI_CMD_DCMD) {
+ if (cmd->dcmd_opcode != -1) {
return NULL;
} else {
return &cmd->qsg;
@@ -1829,7 +1820,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
trace_megasas_io_complete(cmd->index, len);
- if (cmd->frame->header.frame_cmd != MFI_CMD_DCMD) {
+ if (cmd->dcmd_opcode != -1) {
scsi_req_continue(req);
return;
}
@@ -1872,7 +1863,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status,
/*
* Internal command complete
*/
- cmd_status = megasas_finish_internal_command(cmd, req, resid);
+ cmd_status = megasas_finish_internal_dcmd(cmd, req, resid);
if (cmd_status == MFI_STAT_INVALID_STATUS) {
return;
}
@@ -1943,6 +1934,7 @@ static void megasas_handle_frame(MegasasState *s, uint64_t frame_addr,
{
uint8_t frame_status = MFI_STAT_INVALID_CMD;
uint64_t frame_context;
+ int frame_cmd;
MegasasCmd *cmd;
/*
@@ -1961,7 +1953,8 @@ static void megasas_handle_frame(MegasasState *s, uint64_t frame_addr,
s->event_count++;
return;
}
- switch (cmd->frame->header.frame_cmd) {
+ frame_cmd = cmd->frame->header.frame_cmd;
+ switch (frame_cmd) {
case MFI_CMD_INIT:
frame_status = megasas_init_firmware(s, cmd);
break;
@@ -1972,18 +1965,15 @@ static void megasas_handle_frame(MegasasState *s, uint64_t frame_addr,
frame_status = megasas_handle_abort(s, cmd);
break;
case MFI_CMD_PD_SCSI_IO:
- frame_status = megasas_handle_scsi(s, cmd, 0);
- break;
case MFI_CMD_LD_SCSI_IO:
- frame_status = megasas_handle_scsi(s, cmd, 1);
+ frame_status = megasas_handle_scsi(s, cmd, frame_cmd);
break;
case MFI_CMD_LD_READ:
case MFI_CMD_LD_WRITE:
- frame_status = megasas_handle_io(s, cmd);
+ frame_status = megasas_handle_io(s, cmd, frame_cmd);
break;
default:
- trace_megasas_unhandled_frame_cmd(cmd->index,
- cmd->frame->header.frame_cmd);
+ trace_megasas_unhandled_frame_cmd(cmd->index, frame_cmd);
s->event_count++;
break;
}
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 6/7] megasas: do not read SCSI req parameters more than once from frame
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
` (4 preceding siblings ...)
2017-06-06 12:17 ` [Qemu-devel] [PATCH 5/7] megasas: do not read command " Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 7/7] megasas: always store SCSIRequest* into MegasasCmd Paolo Bonzini
2017-06-06 17:07 ` [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs no-reply
7 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 60 ++++++++++++++++++++++++-------------------------------
1 file changed, 26 insertions(+), 34 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 38e0a2f5ef..135662df31 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1653,42 +1653,39 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
int frame_cmd)
{
uint8_t *cdb;
+ int target_id, lun_id, cdb_len;
bool is_write;
struct SCSIDevice *sdev = NULL;
bool is_logical = (frame_cmd == MFI_CMD_LD_SCSI_IO);
cdb = cmd->frame->pass.cdb;
+ target_id = cmd->frame->header.target_id;
+ lun_id = cmd->frame->header.lun_id;
+ cdb_len = cmd->frame->header.cdb_len;
if (is_logical) {
- if (cmd->frame->header.target_id >= MFI_MAX_LD ||
- cmd->frame->header.lun_id != 0) {
+ if (target_id >= MFI_MAX_LD || lun_id != 0) {
trace_megasas_scsi_target_not_present(
- mfi_frame_desc[frame_cmd], is_logical,
- cmd->frame->header.target_id, cmd->frame->header.lun_id);
+ mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
}
- sdev = scsi_device_find(&s->bus, 0, cmd->frame->header.target_id,
- cmd->frame->header.lun_id);
+ sdev = scsi_device_find(&s->bus, 0, target_id, lun_id);
cmd->iov_size = le32_to_cpu(cmd->frame->header.data_len);
- trace_megasas_handle_scsi(mfi_frame_desc[cmd->frame->header.frame_cmd],
trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical,
- cmd->frame->header.target_id,
- cmd->frame->header.lun_id, sdev, cmd->iov_size);
+ target_id, lun_id, sdev, cmd->iov_size);
if (!sdev || (megasas_is_jbod(s) && is_logical)) {
trace_megasas_scsi_target_not_present(
- mfi_frame_desc[frame_cmd], is_logical,
- cmd->frame->header.target_id, cmd->frame->header.lun_id);
+ mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
- if (cmd->frame->header.cdb_len > 16) {
+ if (cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
mfi_frame_desc[frame_cmd], is_logical,
- cmd->frame->header.target_id, cmd->frame->header.lun_id,
- cmd->frame->header.cdb_len);
+ target_id, lun_id, cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
cmd->frame->header.scsi_status = CHECK_CONDITION;
s->event_count++;
@@ -1702,12 +1699,10 @@ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
return MFI_STAT_SCSI_DONE_WITH_ERROR;
}
- cmd->req = scsi_req_new(sdev, cmd->index,
- cmd->frame->header.lun_id, cdb, cmd);
+ cmd->req = scsi_req_new(sdev, cmd->index, lun_id, cdb, cmd);
if (!cmd->req) {
trace_megasas_scsi_req_alloc_failed(
- mfi_frame_desc[frame_cmd],
- cmd->frame->header.target_id, cmd->frame->header.lun_id);
+ mfi_frame_desc[frame_cmd], target_id, lun_id);
megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
cmd->frame->header.scsi_status = BUSY;
s->event_count++;
@@ -1736,35 +1731,33 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
uint8_t cdb[16];
int len;
struct SCSIDevice *sdev = NULL;
+ int target_id, lun_id, cdb_len;
lba_count = le32_to_cpu(cmd->frame->io.header.data_len);
lba_start_lo = le32_to_cpu(cmd->frame->io.lba_lo);
lba_start_hi = le32_to_cpu(cmd->frame->io.lba_hi);
lba_start = ((uint64_t)lba_start_hi << 32) | lba_start_lo;
- if (cmd->frame->header.target_id < MFI_MAX_LD &&
- cmd->frame->header.lun_id == 0) {
- sdev = scsi_device_find(&s->bus, 0, cmd->frame->header.target_id,
- cmd->frame->header.lun_id);
+ target_id = cmd->frame->header.target_id;
+ lun_id = cmd->frame->header.lun_id;
+ cdb_len = cmd->frame->header.cdb_len;
+
+ if (target_id < MFI_MAX_LD && lun_id == 0) {
+ sdev = scsi_device_find(&s->bus, 0, target_id, lun_id);
}
trace_megasas_handle_io(cmd->index,
- mfi_frame_desc[frame_cmd],
- cmd->frame->header.target_id,
- cmd->frame->header.lun_id,
+ mfi_frame_desc[frame_cmd], target_id, lun_id,
(unsigned long)lba_start, (unsigned long)lba_count);
if (!sdev) {
trace_megasas_io_target_not_present(cmd->index,
- mfi_frame_desc[frame_cmd],
- cmd->frame->header.target_id, cmd->frame->header.lun_id);
+ mfi_frame_desc[frame_cmd], target_id, lun_id);
return MFI_STAT_DEVICE_NOT_FOUND;
}
- if (cmd->frame->header.cdb_len > 16) {
+ if (cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
- mfi_frame_desc[frame_cmd], 1,
- cmd->frame->header.target_id, cmd->frame->header.lun_id,
- cmd->frame->header.cdb_len);
+ mfi_frame_desc[frame_cmd], 1, target_id, lun_id, cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
cmd->frame->header.scsi_status = CHECK_CONDITION;
s->event_count++;
@@ -1781,11 +1774,10 @@ static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_cmd)
megasas_encode_lba(cdb, lba_start, lba_count, is_write);
cmd->req = scsi_req_new(sdev, cmd->index,
- cmd->frame->header.lun_id, cdb, cmd);
+ lun_id, cdb, cmd);
if (!cmd->req) {
trace_megasas_scsi_req_alloc_failed(
- mfi_frame_desc[frame_cmd],
- cmd->frame->header.target_id, cmd->frame->header.lun_id);
+ mfi_frame_desc[frame_cmd], target_id, lun_id);
megasas_write_sense(cmd, SENSE_CODE(NO_SENSE));
cmd->frame->header.scsi_status = BUSY;
s->event_count++;
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 7/7] megasas: always store SCSIRequest* into MegasasCmd
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
` (5 preceding siblings ...)
2017-06-06 12:17 ` [Qemu-devel] [PATCH 6/7] megasas: do not read SCSI req parameters " Paolo Bonzini
@ 2017-06-06 12:17 ` Paolo Bonzini
2017-06-06 17:07 ` [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs no-reply
7 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 12:17 UTC (permalink / raw)
To: qemu-devel; +Cc: zyy4013, ppandit, hare
This ensures that the request is unref'ed properly, and avoids a
segmentation fault in the new qtest testcase that is added.
Reported-by: Zhangyanyu <zyy4013@stu.ouc.edu.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 31 ++++++++++++++++---------------
tests/megasas-test.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 15 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 135662df31..734fdaef90 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s)
static void megasas_abort_command(MegasasCmd *cmd)
{
/* Never abort internal commands. */
+ if (cmd->dcmd_opcode != -1) {
+ return;
+ }
if (cmd->req != NULL) {
scsi_req_cancel(cmd->req);
}
@@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
uint64_t pd_size;
uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
uint8_t cmdbuf[6];
- SCSIRequest *req;
size_t len, resid;
if (!cmd->iov_buf) {
@@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */
info->vpd_page83[0] = 0x7f;
megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data));
- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
- if (!req) {
+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+ if (!cmd->req) {
trace_megasas_dcmd_req_alloc_failed(cmd->index,
"PD get info std inquiry");
g_free(cmd->iov_buf);
@@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
}
trace_megasas_dcmd_internal_submit(cmd->index,
"PD get info std inquiry", lun);
- len = scsi_req_enqueue(req);
+ len = scsi_req_enqueue(cmd->req);
if (len > 0) {
cmd->iov_size = len;
- scsi_req_continue(req);
+ scsi_req_continue(cmd->req);
}
return MFI_STAT_INVALID_STATUS;
} else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) {
megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83));
- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
- if (!req) {
+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+ if (!cmd->req) {
trace_megasas_dcmd_req_alloc_failed(cmd->index,
"PD get info vpd inquiry");
return MFI_STAT_FLASH_ALLOC_FAIL;
}
trace_megasas_dcmd_internal_submit(cmd->index,
"PD get info vpd inquiry", lun);
- len = scsi_req_enqueue(req);
+ len = scsi_req_enqueue(cmd->req);
if (len > 0) {
cmd->iov_size = len;
- scsi_req_continue(req);
+ scsi_req_continue(cmd->req);
}
return MFI_STAT_INVALID_STATUS;
}
@@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
struct mfi_ld_info *info = cmd->iov_buf;
size_t dcmd_size = sizeof(struct mfi_ld_info);
uint8_t cdb[6];
- SCSIRequest *req;
ssize_t len, resid;
uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
uint64_t ld_size;
@@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
cmd->iov_buf = g_malloc0(dcmd_size);
info = cmd->iov_buf;
megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83));
- req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
- if (!req) {
+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
+ if (!cmd->req) {
trace_megasas_dcmd_req_alloc_failed(cmd->index,
"LD get info vpd inquiry");
g_free(cmd->iov_buf);
@@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
}
trace_megasas_dcmd_internal_submit(cmd->index,
"LD get info vpd inquiry", lun);
- len = scsi_req_enqueue(req);
+ len = scsi_req_enqueue(cmd->req);
if (len > 0) {
cmd->iov_size = len;
- scsi_req_continue(req);
+ scsi_req_continue(cmd->req);
}
return MFI_STAT_INVALID_STATUS;
}
@@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status,
return;
}
- if (cmd->req == NULL) {
+ if (cmd->dcmd_opcode != -1) {
/*
* Internal command complete
*/
diff --git a/tests/megasas-test.c b/tests/megasas-test.c
index a9e56a2389..ce960e7f81 100644
--- a/tests/megasas-test.c
+++ b/tests/megasas-test.c
@@ -42,10 +42,45 @@ static void pci_nop(void)
qmegasas_stop(qs);
}
+/* This used to cause a NULL pointer dereference. */
+static void megasas_pd_get_info_fuzz(void)
+{
+ QPCIDevice *dev;
+ QOSState *qs;
+ QPCIBar bar;
+ uint32_t context[256];
+ uint64_t context_pa;
+ int i;
+
+ qs = qmegasas_start(NULL);
+ dev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
+ g_assert(dev != NULL);
+
+ qpci_device_enable(dev);
+ bar = qpci_iomap(dev, 0, NULL);
+
+ memset(context, 0, sizeof(context));
+ context[0] = cpu_to_le32(0x05050505);
+ context[1] = cpu_to_le32(0x01010101);
+ for (i = 2; i < ARRAY_SIZE(context); i++) {
+ context[i] = cpu_to_le32(0x41414141);
+ }
+ context[6] = cpu_to_le32(0x02020000);
+ context[7] = cpu_to_le32(0);
+
+ context_pa = qmalloc(qs, sizeof(context));
+ memwrite(context_pa, context, sizeof(context));
+ qpci_io_writel(dev, bar, 0x40, context_pa);
+
+ g_free(dev);
+ qmegasas_stop(qs);
+}
+
int main(int argc, char **argv)
{
g_test_init(&argc, &argv, NULL);
qtest_add_func("/megasas/pci/nop", pci_nop);
+ qtest_add_func("/megasas/dcmd/pd-get-info/fuzz", megasas_pd_get_info_fuzz);
return g_test_run();
}
--
2.13.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame
2017-06-06 12:17 ` [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame Paolo Bonzini
@ 2017-06-06 13:26 ` Philippe Mathieu-Daudé
2017-06-06 13:33 ` Paolo Bonzini
0 siblings, 1 reply; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2017-06-06 13:26 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel; +Cc: zyy4013, hare, ppandit
Hi Paolo,
Should this patch go in qemu-stable?
On 06/06/2017 09:17 AM, Paolo Bonzini wrote:
> Avoid TOC-TOU bugs depending on how the compiler behaves.
Can you be more descriptive here? Which compiler? (thinking about how to
prevent this class of bugs).
Regards,
Phil.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> hw/scsi/megasas.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
> index 804122ab05..1888118e5f 100644
> --- a/hw/scsi/megasas.c
> +++ b/hw/scsi/megasas.c
> @@ -309,9 +309,11 @@ static int megasas_build_sense(MegasasCmd *cmd, uint8_t *sense_ptr,
> PCIDevice *pcid = PCI_DEVICE(cmd->state);
> uint32_t pa_hi = 0, pa_lo;
> hwaddr pa;
> + int frame_sense_len;
>
> - if (sense_len > cmd->frame->header.sense_len) {
> - sense_len = cmd->frame->header.sense_len;
> + frame_sense_len = cmd->frame->header.sense_len;
> + if (sense_len > frame_sense_len) {
> + sense_len = frame_sense_len;
> }
> if (sense_len) {
> pa_lo = le32_to_cpu(cmd->frame->pass.sense_addr_lo);
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame
2017-06-06 13:26 ` Philippe Mathieu-Daudé
@ 2017-06-06 13:33 ` Paolo Bonzini
0 siblings, 0 replies; 11+ messages in thread
From: Paolo Bonzini @ 2017-06-06 13:33 UTC (permalink / raw)
To: Philippe Mathieu-Daudé, qemu-devel; +Cc: zyy4013, hare, ppandit
On 06/06/2017 15:26, Philippe Mathieu-Daudé wrote:
> Hi Paolo,
>
> Should this patch go in qemu-stable?
>
> On 06/06/2017 09:17 AM, Paolo Bonzini wrote:
>> Avoid TOC-TOU bugs depending on how the compiler behaves.
>
> Can you be more descriptive here? Which compiler? (thinking about how to
> prevent this class of bugs).
If you do
int f(int *x)
{
if (*x == 0) {
return 42;
}
return *x;
}
It's possible that the guest races against the two reads and f() returns
zero. This is unlikely in the case at least at -O2, but pretty likely
at -O0.
For other patches later in the series, there is no compiler dependence
at all, since the two accesses occur very far from each other.
There is no way really to prevent them except being careful: the rule is
basically that guest-provided data must only be read once.
Thanks,
Paolo
> Regards,
>
> Phil.
>
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> ---
>> hw/scsi/megasas.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
>> index 804122ab05..1888118e5f 100644
>> --- a/hw/scsi/megasas.c
>> +++ b/hw/scsi/megasas.c
>> @@ -309,9 +309,11 @@ static int megasas_build_sense(MegasasCmd *cmd,
>> uint8_t *sense_ptr,
>> PCIDevice *pcid = PCI_DEVICE(cmd->state);
>> uint32_t pa_hi = 0, pa_lo;
>> hwaddr pa;
>> + int frame_sense_len;
>>
>> - if (sense_len > cmd->frame->header.sense_len) {
>> - sense_len = cmd->frame->header.sense_len;
>> + frame_sense_len = cmd->frame->header.sense_len;
>> + if (sense_len > frame_sense_len) {
>> + sense_len = frame_sense_len;
>> }
>> if (sense_len) {
>> pa_lo = le32_to_cpu(cmd->frame->pass.sense_addr_lo);
>>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
` (6 preceding siblings ...)
2017-06-06 12:17 ` [Qemu-devel] [PATCH 7/7] megasas: always store SCSIRequest* into MegasasCmd Paolo Bonzini
@ 2017-06-06 17:07 ` no-reply
7 siblings, 0 replies; 11+ messages in thread
From: no-reply @ 2017-06-06 17:07 UTC (permalink / raw)
To: pbonzini; +Cc: famz, qemu-devel, zyy4013, hare, ppandit
Hi,
This series seems to have some coding style problems. See output below for
more information:
Type: series
Message-id: 20170606121747.25356-1-pbonzini@redhat.com
Subject: [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs
=== TEST SCRIPT BEGIN ===
#!/bin/bash
BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0
git config --local diff.renamelimit 0
git config --local diff.renames True
commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
failed=1
echo
fi
n=$((n+1))
done
exit $failed
=== TEST SCRIPT END ===
Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
- [tag update] patchew/149676554488.4134.16095044562334102742.stgit@bahia.lab.toulouse-stg.fr.ibm.com -> patchew/149676554488.4134.16095044562334102742.stgit@bahia.lab.toulouse-stg.fr.ibm.com
* [new tag] patchew/20170606162652.112122-1-vsementsov@virtuozzo.com -> patchew/20170606162652.112122-1-vsementsov@virtuozzo.com
Switched to a new branch 'test'
0b82e47 megasas: always store SCSIRequest* into MegasasCmd
2ce51ba megasas: do not read SCSI req parameters more than once from frame
61b5ec4 megasas: do not read command more than once from frame
54af167 megasas: do not read DCMD opcode more than once from frame
6b02091 megasas: do not read iovec count more than once from frame
48401c2 megasas: do not read sense length more than once from frame
9520472 megasas: add qtest
=== OUTPUT BEGIN ===
Checking PATCH 1/7: megasas: add qtest...
Checking PATCH 2/7: megasas: do not read sense length more than once from frame...
Checking PATCH 3/7: megasas: do not read iovec count more than once from frame...
Checking PATCH 4/7: megasas: do not read DCMD opcode more than once from frame...
Checking PATCH 5/7: megasas: do not read command more than once from frame...
Checking PATCH 6/7: megasas: do not read SCSI req parameters more than once from frame...
Checking PATCH 7/7: megasas: always store SCSIRequest* into MegasasCmd...
ERROR: space required after that ',' (ctx:VxV)
#139: FILE: tests/megasas-test.c:56:
+ dev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
^
total: 1 errors, 0 warnings, 140 lines checked
Your patch has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
=== OUTPUT END ===
Test command exited with code: 1
---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@freelists.org
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2017-06-06 17:07 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-06 12:17 [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 1/7] megasas: add qtest Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame Paolo Bonzini
2017-06-06 13:26 ` Philippe Mathieu-Daudé
2017-06-06 13:33 ` Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 3/7] megasas: do not read iovec count " Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 4/7] megasas: do not read DCMD opcode " Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 5/7] megasas: do not read command " Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 6/7] megasas: do not read SCSI req parameters " Paolo Bonzini
2017-06-06 12:17 ` [Qemu-devel] [PATCH 7/7] megasas: always store SCSIRequest* into MegasasCmd Paolo Bonzini
2017-06-06 17:07 ` [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs no-reply
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).