From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Subject: [PULL 19/27] esp: ensure in-flight SCSI requests are always cancelled
Date: Wed,  3 Nov 2021 16:04:34 +0100
Message-ID: <20211103150442.387121-20-pbonzini@redhat.com>
In-Reply-To: <20211103150442.387121-1-pbonzini@redhat.com>

From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

There is currently a check in esp_select() to cancel any in-flight SCSI requests
to ensure that issuing multiple select commands without continuing through the
rest of the ESP state machine ignores all but the last SCSI request. This is
also enforced through the addition of assert()s in esp_transfer_data() and
scsi_read_data().

The get_cmd() function does not call esp_select() when TC == 0 which means it is
possible for a fuzzer to trigger these assert()s by sending a select command when
TC == 0 immediately after a valid SCSI CDB has been submitted.

Since esp_select() is only called from get_cmd(), hoist the check to cancel
in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always
called when executing a select command to initiate a new SCSI request.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Closes: https://gitlab.com/qemu-project/qemu/-/issues/662
Closes: https://gitlab.com/qemu-project/qemu/-/issues/663
Message-Id: <20211101183516.8455-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/esp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8454ed1773..84f935b549 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -204,11 +204,6 @@ static int esp_select(ESPState *s)
     s->ti_size = 0;
     fifo8_reset(&s->fifo);
 
-    if (s->current_req) {
-        /* Started a new command before the old one finished.  Cancel it.  */
-        scsi_req_cancel(s->current_req);
-    }
-
     s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
     if (!s->current_dev) {
         /* No such drive */
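Review bot: once the cancellation block is removed here, esp_select() silently depends on its caller having already cancelled s->current_req; that expectation is stated only in the commit message. A short comment above esp_select() (e.g. "caller must have cancelled any in-flight request, see get_cmd()") would stop a future direct caller from reintroducing the assert() failures in esp_transfer_data()/scsi_read_data() that this patch fixes.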
@@ -235,6 +230,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
     uint32_t dmalen, n;
     int target;
 
+    if (s->current_req) {
+        /* Started a new command before the old one finished.  Cancel it.  */
+        scsi_req_cancel(s->current_req);
+    }
+
     target = s->wregs[ESP_WBUSID] & BUSID_DID;
     if (s->dma) {
         dmalen = MIN(esp_get_tc(s), maxlen);
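Review bot: nothing in this hunk resets s->current_req after scsi_req_cancel(); the code relies on the cancellation callback clearing the field before the new command is set up below. Since the whole point of moving the check to the top of get_cmd() is to cover the TC == 0 path that skips esp_select(), it would be worth either clearing s->current_req explicitly after the call or adding a comment that the cancel callback is expected to do so, so the invariant the later assert()s check is visible at the place that establishes it.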
-- 
2.31.1
