[PULL 0/7] Lasi fixes patches

[PULL 0/7] Lasi fixes patches

[deller]

From: Helge Deller <deller@gmx.de>

The following changes since commit 917ac07f9aef579b9538a81d45f45850aba42906:

  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-11-05 16:07:18 +0100)

are available in the Git repository at:

  https://github.com/hdeller/qemu-hppa.git tags/lasi-fixes-pull-request

for you to fetch changes up to 8c1fa9cbecba50ae7e732923ee567fe40551d1a6:

  target/hppa: Update SeaBIOS-hppa to version 20 (2025-11-09 22:47:31 +0100)

----------------------------------------------------------------
hppa lasi bugfixes pull request

Please pull a bunch of fixes which repair issues introduced due to the previous
patch series which added LASI SCSI and LASI network card support as  well as
the new 715 machines.
This includes fixes for reported coverty issues, and repairs the B160L machine
emulation.

Thanks!
Helge

----------------------------------------------------------------

Helge Deller (1):
  target/hppa: Update SeaBIOS-hppa to version 20

Soumyajyotii Ssarkar (6):
  ncr710: Fix potential null pointer dereference
  ncr710: Drop leftover debug code
  i82596: Remove crc_valid variable
  i82596: Adding proper break-statement functionality in RX functions
  ncr710: Add missing vmstate entries
  ncr710: Use address space of device instead of global address space

 hw/net/i82596.c             |  14 +++++---------
 hw/scsi/lasi_ncr710.c       |   4 ++++
 hw/scsi/lasi_ncr710.h       |   1 -
 hw/scsi/ncr53c710.c         |  16 +++++-----------
 hw/scsi/ncr53c710.h         |   1 +
 pc-bios/hppa-firmware.img   | Bin 630056 -> 630644 bytes
 pc-bios/hppa-firmware64.img | Bin 699872 -> 700304 bytes
 roms/seabios-hppa           |   2 +-
 8 files changed, 16 insertions(+), 22 deletions(-)

-- 
2.51.1

[PULL 1/7] ncr710: Fix potential null pointer dereference

[deller]

From: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>

The code dereferences s->current before checking if it is NULL. Move the
null check before the dereference to prevent potential crashes.

This issue could occur if s->current is NULL when the function reaches
the "Host adapter (re)connected" path, though this should not normally
happen during correct operation.

Reported-by: Stefan Hajnoczi <stefanha@gmail.com>
Reported-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Suggested-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 hw/scsi/ncr53c710.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index ade951b1d1..a35c41b67f 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -832,12 +832,11 @@ void ncr710_transfer_data(SCSIRequest *req, uint32_t len)
     }
 
     /* Host adapter (re)connected */
-    s->current->dma_len = len;
     s->command_complete = NCR710_CMD_DATA_READY;
-
     if (!s->current) {
         return;
     }
+    s->current->dma_len = len;
 
     if (s->waiting) {
         s->scntl1 |= NCR710_SCNTL1_CON;
-- 
2.51.1

[PULL 2/7] ncr710: Drop leftover debug code

[deller]

From: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>

That code was part of some debugging code. Now it has no effect any
longer, so let's drop it.

Reported-by: Stefan Hajnoczi <stefanha@gmail.com>
Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 hw/scsi/ncr53c710.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index a35c41b67f..aaac31cbb9 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -1361,11 +1361,6 @@ again:
         case PHASE_DI:
             s->waiting = NCR710_WAIT_DMA;
             ncr710_do_dma(s, 0);
-            if (s->waiting != NCR710_WAIT_NONE) {
-                /* Async - stop and wait */
-                break;
-            }
-            /* Sync - continue execution */
             break;
         case PHASE_CO:
             ncr710_do_command(s);
-- 
2.51.1

[PULL 3/7] i82596: Remove crc_valid variable

[deller]

From: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>

While testing and developing for the HPUX 10.20 the crc_valid variable
was used in performing CRC checks for the loopback. I expected the
CRC to be absent on specific condition and would skip some
functional checks for the loopback packet, so initially it added
a if-clause that would skip the checks preventing HPUX from
getting stuck at phase loopback.

However, we can remove it, and this then fixes Coverity CID 1642868.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 hw/net/i82596.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/hw/net/i82596.c b/hw/net/i82596.c
index 37dcc0387b..fb6b54fd71 100644
--- a/hw/net/i82596.c
+++ b/hw/net/i82596.c
@@ -992,7 +992,6 @@ static ssize_t i82596_receive_packet(I82596State *s, const uint8_t *buf,
     size_t payload_size = 0;
     size_t bytes_copied = 0;
     const uint8_t *packet_data = buf;
-    bool crc_valid = true;
     bool out_of_resources = false;
     size_t crc_size = i82596_get_crc_size(s);
 
@@ -1155,16 +1154,11 @@ rx_complete:
         }
     }
 
-    if (packet_completed && crc_valid) {
+    if (packet_completed) {
         rx_status |= STAT_C | STAT_OK;
         if (is_broadcast) {
             rx_status |= 0x0001;
         }
-    } else if (packet_completed) {
-        rx_status |= STAT_C;
-        if (!crc_valid) {
-            rx_status |= RX_CRC_ERRORS;
-        }
     } else {
         rx_status |= STAT_B;
     }
@@ -1187,7 +1181,7 @@ rx_complete:
         return size;
     }
 
-    if (packet_completed && crc_valid && s->rx_status == RX_READY) {
+    if (packet_completed && s->rx_status == RX_READY) {
         uint32_t next_rfd_addr = i82596_translate_address(s, rfd.link, false);
         if (next_rfd_addr != 0 && next_rfd_addr != I596_NULL) {
             set_uint32(s->scb + 8, next_rfd_addr);
-- 
2.51.1

[PULL 4/7] i82596: Adding proper break-statement functionality in RX functions

[deller]

From: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>

Fix coverty reported logic error CID 1642873.
The initial issue was the break statement exited out of the for loop
unconditionally.
Now, the break only happens if rfd is null, out_of_resources or
bytes_copied < payload_size.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 hw/net/i82596.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/net/i82596.c b/hw/net/i82596.c
index fb6b54fd71..af1abd4996 100644
--- a/hw/net/i82596.c
+++ b/hw/net/i82596.c
@@ -1092,6 +1092,7 @@ static ssize_t i82596_receive_packet(I82596State *s, const uint8_t *buf,
                     rx_status |= RFD_STATUS_TRUNC | RFD_STATUS_NOBUFS;
                     i82596_record_error(s, RFD_STATUS_NOBUFS, false);
                     packet_completed = true;
+                    break;
                 } else {
                     hwaddr remaining_rbd = I596_NULL;
                     size_t rbd_bytes = i82596_rx_copy_to_rbds(
@@ -1118,17 +1119,18 @@ static ssize_t i82596_receive_packet(I82596State *s, const uint8_t *buf,
                         i82596_record_error(s, RFD_STATUS_NOBUFS, false);
                         rx_status |= RFD_STATUS_TRUNC | RFD_STATUS_NOBUFS;
                         packet_completed = true;
+                        break;
                     }
 
                     if (bytes_copied < payload_size) {
                         trace_i82596_rx_incomplete(bytes_copied, payload_size);
                         rx_status |= RFD_STATUS_TRUNC;
                         packet_completed = true;
+                        break;
                     }
                 }
             }
         }
-        break;
 
     } while (bytes_copied < payload_size);
 
-- 
2.51.1

[PULL 5/7] ncr710: Add missing vmstate entries

[deller]

From: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 hw/scsi/lasi_ncr710.c | 4 ++++
 hw/scsi/lasi_ncr710.h | 1 -
 hw/scsi/ncr53c710.c   | 2 +-
 hw/scsi/ncr53c710.h   | 1 +
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/scsi/lasi_ncr710.c b/hw/scsi/lasi_ncr710.c
index b674a4066f..7e0076c7a3 100644
--- a/hw/scsi/lasi_ncr710.c
+++ b/hw/scsi/lasi_ncr710.c
@@ -160,6 +160,10 @@ static const VMStateDescription vmstate_lasi_ncr710 = {
     .version_id = 1,
     .minimum_version_id = 1,
     .fields = (const VMStateField[]) {
+        VMSTATE_UINT32(hw_type, LasiNCR710State),
+        VMSTATE_UINT32(sversion, LasiNCR710State),
+        VMSTATE_UINT32(hversion, LasiNCR710State),
+        VMSTATE_STRUCT(ncr710, LasiNCR710State, 1, vmstate_ncr710, NCR710State),
         VMSTATE_END_OF_LIST()
     }
 };
diff --git a/hw/scsi/lasi_ncr710.h b/hw/scsi/lasi_ncr710.h
index 3711233b0f..058718068e 100644
--- a/hw/scsi/lasi_ncr710.h
+++ b/hw/scsi/lasi_ncr710.h
@@ -46,7 +46,6 @@ typedef struct LasiNCR710State {
     uint32_t hw_type;        /* Hardware type (HPHW_*) */
     uint32_t sversion;       /* Software version */
     uint32_t hversion;       /* Hardware version */
-    SCSIBus bus;
     NCR710State ncr710;
 } LasiNCR710State;
 
diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index aaac31cbb9..ba064c6ecf 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -2250,7 +2250,7 @@ static const VMStateDescription vmstate_ncr710_scsi_fifo = {
     }
 };
 
-static const VMStateDescription vmstate_ncr710 = {
+const VMStateDescription vmstate_ncr710 = {
     .name = "ncr710",
     .version_id = 1,
     .minimum_version_id = 1,
diff --git a/hw/scsi/ncr53c710.h b/hw/scsi/ncr53c710.h
index 380e3959b3..6d30f9b663 100644
--- a/hw/scsi/ncr53c710.h
+++ b/hw/scsi/ncr53c710.h
@@ -242,5 +242,6 @@ void ncr710_transfer_data(SCSIRequest *req, uint32_t len);
 void ncr710_execute_script(NCR710State *s);
 void ncr710_set_phase(NCR710State *s, int phase);
 void ncr710_reselection_retry_callback(void *opaque);
+extern const VMStateDescription vmstate_ncr710;
 
 #endif /* HW_NCR53C710_H */
-- 
2.51.1

[PULL 6/7] ncr710: Use address space of device instead of global address space

[deller]

From: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 hw/scsi/ncr53c710.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index ba064c6ecf..47a6983491 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -550,7 +550,7 @@ static inline uint8_t ncr710_scsi_fifo_dequeue(NCR710_SCSI_FIFO *fifo,
 static inline uint32_t ncr710_read_dword(NCR710State *s, uint32_t addr)
 {
     uint32_t buf;
-    address_space_read(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED,
+    address_space_read(s->as, addr, MEMTXATTRS_UNSPECIFIED,
                        (uint8_t *)&buf, 4);
     /*
      * The NCR710 datasheet saying "operates internally in LE mode"
@@ -565,7 +565,7 @@ static inline uint32_t ncr710_read_dword(NCR710State *s, uint32_t addr)
 static inline void ncr710_dma_read(NCR710State *s, uint32_t addr,
                                    void *buf, uint32_t len)
 {
-    address_space_read(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED,
+    address_space_read(s->as, addr, MEMTXATTRS_UNSPECIFIED,
                        buf, len);
     NCR710_DPRINTF("Read %d bytes from %08x: ", len, addr);
     for (int i = 0; i < len && i < 16; i++) {
@@ -577,7 +577,7 @@ static inline void ncr710_dma_read(NCR710State *s, uint32_t addr,
 static inline void ncr710_dma_write(NCR710State *s, uint32_t addr,
                                     const void *buf, uint32_t len)
 {
-    address_space_write(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED,
+    address_space_write(s->as, addr, MEMTXATTRS_UNSPECIFIED,
                         buf, len);
     NCR710_DPRINTF("Wrote %d bytes to %08x\n", len, addr);
 }
-- 
2.51.1

Re: [PULL 0/7] Lasi fixes patches

[Richard Henderson]

On 11/9/25 23:06, deller@kernel.org wrote:
> From: Helge Deller<deller@gmx.de>
> 
> The following changes since commit 917ac07f9aef579b9538a81d45f45850aba42906:
> 
>    Merge tag 'for-upstream' ofhttps://gitlab.com/bonzini/qemu into staging (2025-11-05 16:07:18 +0100)
> 
> are available in the Git repository at:
> 
>    https://github.com/hdeller/qemu-hppa.git tags/lasi-fixes-pull-request
> 
> for you to fetch changes up to 8c1fa9cbecba50ae7e732923ee567fe40551d1a6:
> 
>    target/hppa: Update SeaBIOS-hppa to version 20 (2025-11-09 22:47:31 +0100)
> 
> ----------------------------------------------------------------
> hppa lasi bugfixes pull request
> 
> Please pull a bunch of fixes which repair issues introduced due to the previous
> patch series which added LASI SCSI and LASI network card support as  well as
> the new 715 machines.
> This includes fixes for reported coverty issues, and repairs the B160L machine
> emulation.

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate.

r~