From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751606186112.18925704460048; Tue, 6 Jun 2017 05:20:06 -0700 (PDT) Received: from localhost ([::1]:38141 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDSp-0003OX-3g for importer@patchew.org; Tue, 06 Jun 2017 08:19:59 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56935) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDQu-0001tP-Gu for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQp-0005Ec-Tj for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:00 -0400 Received: from mx1.redhat.com ([209.132.183.28]:52036) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQp-0005EJ-Kl for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:17:55 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 050F6C0587D8; Tue, 6 Jun 2017 12:17:54 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmM9003973; Tue, 6 Jun 2017 08:17:52 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 050F6C0587D8 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 050F6C0587D8 From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:41 +0200 Message-Id: <20170606121747.25356-2-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 06 Jun 2017 12:17:54 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 1/7] megasas: add qtest X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The test does nothing at all except starting QEMU, but it's a start. Signed-off-by: Paolo Bonzini --- tests/Makefile.include | 3 +++ tests/megasas-test.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++= ++++ 2 files changed, 54 insertions(+) create mode 100644 tests/megasas-test.c diff --git a/tests/Makefile.include b/tests/Makefile.include index 75893838e5..eb6b724ed6 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include @@ -205,6 +205,8 @@ check-qtest-pci-y +=3D tests/intel-hda-test$(EXESUF) gcov-files-pci-y +=3D hw/audio/intel-hda.c hw/audio/hda-codec.c check-qtest-pci-$(CONFIG_EVENTFD) +=3D tests/ivshmem-test$(EXESUF) gcov-files-pci-y +=3D hw/misc/ivshmem.c +check-qtest-pci-y +=3D tests/megasas-test$(EXESUF) +gcov-files-pci-y +=3D hw/scsi/megasas.c =20 check-qtest-i386-y =3D tests/endianness-test$(EXESUF) check-qtest-i386-y +=3D tests/fdc-test$(EXESUF) @@ -753,6 +755,7 @@ tests/test-filter-mirror$(EXESUF): tests/test-filter-mi= rror.o $(qtest-obj-y) tests/test-filter-redirector$(EXESUF): tests/test-filter-redirector.o $(qt= est-obj-y) tests/test-x86-cpuid-compat$(EXESUF): tests/test-x86-cpuid-compat.o $(qtes= t-obj-y) tests/ivshmem-test$(EXESUF): tests/ivshmem-test.o contrib/ivshmem-server/i= vshmem-server.o $(libqos-pc-obj-y) $(libqos-spapr-obj-y) +tests/megasas-test$(EXESUF): tests/megasas-test.o $(libqos-spapr-obj-y) $(= libqos-pc-obj-y) tests/vhost-user-bridge$(EXESUF): tests/vhost-user-bridge.o contrib/libvho= st-user/libvhost-user.o $(test-util-obj-y) tests/test-uuid$(EXESUF): tests/test-uuid.o $(test-util-obj-y) tests/test-arm-mptimer$(EXESUF): tests/test-arm-mptimer.o diff --git a/tests/megasas-test.c b/tests/megasas-test.c new file mode 100644 index 0000000000..a9e56a2389 --- /dev/null +++ b/tests/megasas-test.c @@ -0,0 +1,51 @@ +/* + * QTest testcase for LSI MegaRAID + * + * Copyright (c) 2017 Red Hat Inc. + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "libqtest.h" +#include "qemu/bswap.h" +#include "libqos/libqos-pc.h" +#include "libqos/libqos-spapr.h" + +static QOSState *qmegasas_start(const char *extra_opts) +{ + const char *arch =3D qtest_get_arch(); + const char *cmd =3D "-drive id=3Dhd0,if=3Dnone,file=3Dnull-co://,forma= t=3Draw " + "-device megasas,id=3Dscsi0,addr=3D04.0 " + "-device scsi-hd,bus=3Dscsi0.0,drive=3Dhd0 %s"; + + if (strcmp(arch, "i386") =3D=3D 0 || strcmp(arch, "x86_64") =3D=3D 0) { + return qtest_pc_boot(cmd, extra_opts ? : ""); + } + + g_printerr("virtio-scsi tests are only available on x86 or ppc64\n"); + exit(EXIT_FAILURE); +} + +static void qmegasas_stop(QOSState *qs) +{ + qtest_shutdown(qs); +} + +/* Tests only initialization so far. TODO: Replace with functional tests */ +static void pci_nop(void) +{ + QOSState *qs; + + qs =3D qmegasas_start(NULL); + qmegasas_stop(qs); +} + +int main(int argc, char **argv) +{ + g_test_init(&argc, &argv, NULL); + qtest_add_func("/megasas/pci/nop", pci_nop); + + return g_test_run(); +} --=20 2.13.0 From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751849991109.93253868020668; Tue, 6 Jun 2017 05:24:09 -0700 (PDT) Received: from localhost ([::1]:38164 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDWo-00070V-IL for importer@patchew.org; Tue, 06 Jun 2017 08:24:06 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56941) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDQu-0001tR-Ia for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:01 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQq-0005FT-J8 for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:00 -0400 Received: from mx1.redhat.com ([209.132.183.28]:36589) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQq-0005EY-DL for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:17:56 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7EF233345AD; Tue, 6 Jun 2017 12:17:55 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmMA003973; Tue, 6 Jun 2017 08:17:54 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 7EF233345AD Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 7EF233345AD From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:42 +0200 Message-Id: <20170606121747.25356-3-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Tue, 06 Jun 2017 12:17:55 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 2/7] megasas: do not read sense length more than once from frame X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Avoid TOC-TOU bugs depending on how the compiler behaves. Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 804122ab05..1888118e5f 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -309,9 +309,11 @@ static int megasas_build_sense(MegasasCmd *cmd, uint8_= t *sense_ptr, PCIDevice *pcid =3D PCI_DEVICE(cmd->state); uint32_t pa_hi =3D 0, pa_lo; hwaddr pa; + int frame_sense_len; =20 - if (sense_len > cmd->frame->header.sense_len) { - sense_len =3D cmd->frame->header.sense_len; + frame_sense_len =3D cmd->frame->header.sense_len; + if (sense_len > frame_sense_len) { + sense_len =3D frame_sense_len; } if (sense_len) { pa_lo =3D le32_to_cpu(cmd->frame->pass.sense_addr_lo); --=20 2.13.0 From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751607104501.68348320927385; Tue, 6 Jun 2017 05:20:07 -0700 (PDT) Received: from localhost ([::1]:38140 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDSp-0003Nz-Ae for importer@patchew.org; Tue, 06 Jun 2017 08:19:59 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56937) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDQu-0001tQ-HA for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQs-0005Gd-4g for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:00 -0400 Received: from mx1.redhat.com ([209.132.183.28]:54450) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQr-0005GQ-VH for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:17:58 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1270E3DBCC; Tue, 6 Jun 2017 12:17:57 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmMB003973; Tue, 6 Jun 2017 08:17:55 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 1270E3DBCC Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 1270E3DBCC From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:43 +0200 Message-Id: <20170606121747.25356-4-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 06 Jun 2017 12:17:57 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 3/7] megasas: do not read iovec count more than once from frame X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Avoid TOC-TOU bugs depending on how the compiler behaves. Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 1888118e5f..c353118882 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -675,15 +675,16 @@ out: static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) { dma_addr_t iov_pa, iov_size; + int iov_count; =20 cmd->flags =3D le16_to_cpu(cmd->frame->header.flags); - if (!cmd->frame->header.sge_count) { + iov_count =3D cmd->frame->header.sge_count; + if (!iov_count) { trace_megasas_dcmd_zero_sge(cmd->index); cmd->iov_size =3D 0; return 0; - } else if (cmd->frame->header.sge_count > 1) { - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); + } else if (iov_count > 1) { + trace_megasas_dcmd_invalid_sge(cmd->index, iov_count); cmd->iov_size =3D 0; return -EINVAL; } --=20 2.13.0 From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751731328954.1737987773502; Tue, 6 Jun 2017 05:22:11 -0700 (PDT) Received: from localhost ([::1]:38154 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDUu-0005Jq-VV for importer@patchew.org; Tue, 06 Jun 2017 08:22:08 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56946) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDQu-0001tT-Sp for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQt-0005Gz-R8 for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:00 -0400 Received: from mx1.redhat.com ([209.132.183.28]:52228) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQt-0005Gs-IC for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:17:59 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 93EB8C0587D3; Tue, 6 Jun 2017 12:17:58 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmMC003973; Tue, 6 Jun 2017 08:17:57 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 93EB8C0587D3 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 93EB8C0587D3 From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:44 +0200 Message-Id: <20170606121747.25356-5-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 06 Jun 2017 12:17:58 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 4/7] megasas: do not read DCMD opcode more than once from frame X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index c353118882..a3f75c1650 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -63,6 +63,7 @@ typedef struct MegasasCmd { =20 hwaddr pa; hwaddr pa_size; + uint32_t dcmd_opcode; union mfi_frame *frame; SCSIRequest *req; QEMUSGList qsg; @@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *= s, cmd->context &=3D (uint64_t)0xFFFFFFFF; } cmd->count =3D count; + cmd->dcmd_opcode =3D -1; s->busy++; =20 if (s->consumer_pa) { @@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t { =20 static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) { - int opcode; int retval =3D 0; size_t len; const struct dcmd_cmd_tbl_t *cmdptr =3D dcmd_cmd_tbl; =20 - opcode =3D le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); + cmd->dcmd_opcode =3D le32_to_cpu(cmd->frame->dcmd.opcode); + trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode); if (megasas_map_dcmd(s, cmd) < 0) { return MFI_STAT_MEMORY_NOT_AVAILABLE; } - while (cmdptr->opcode !=3D -1 && cmdptr->opcode !=3D opcode) { + while (cmdptr->opcode !=3D -1 && cmdptr->opcode !=3D cmd->dcmd_opcode)= { cmdptr++; } len =3D cmd->iov_size; if (cmdptr->opcode =3D=3D -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); + trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len); retval =3D megasas_dcmd_dummy(s, cmd); } else { trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len); @@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, Meg= asasCmd *cmd) static int megasas_finish_internal_dcmd(MegasasCmd *cmd, SCSIRequest *req) { - int opcode; int retval =3D MFI_STAT_OK; int lun =3D req->lun; =20 - opcode =3D le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun); - switch (opcode) { + trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun); + switch (cmd->dcmd_opcode) { case MFI_DCMD_PD_GET_INFO: retval =3D megasas_pd_get_info_submit(req->dev, lun, cmd); break; @@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *c= md, retval =3D megasas_ld_get_info_submit(req->dev, lun, cmd); break; default: - trace_megasas_dcmd_internal_invalid(cmd->index, opcode); + trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode); retval =3D MFI_STAT_INVALID_DCMD; break; } @@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, u= int32_t len) { MegasasCmd *cmd =3D req->hba_private; uint8_t *buf; - uint32_t opcode; =20 trace_megasas_io_complete(cmd->index, len); =20 @@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, u= int32_t len) } =20 buf =3D scsi_req_get_buf(req); - opcode =3D le32_to_cpu(cmd->frame->dcmd.opcode); - if (opcode =3D=3D MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { + if (cmd->dcmd_opcode =3D=3D MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { struct mfi_pd_info *info =3D cmd->iov_buf; =20 if (info->inquiry_data[0] =3D=3D 0x7f) { @@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, u= int32_t len) memcpy(info->vpd_page83, buf, len); } scsi_req_continue(req); - } else if (opcode =3D=3D MFI_DCMD_LD_GET_INFO) { + } else if (cmd->dcmd_opcode =3D=3D MFI_DCMD_LD_GET_INFO) { struct mfi_ld_info *info =3D cmd->iov_buf; =20 if (cmd->iov_buf) { --=20 2.13.0 From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751733562239.03411620807424; Tue, 6 Jun 2017 05:22:13 -0700 (PDT) Received: from localhost ([::1]:38155 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDUx-0005L6-3K for importer@patchew.org; Tue, 06 Jun 2017 08:22:11 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56976) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDQw-0001ud-LS for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQv-0005He-80 for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:02 -0400 Received: from mx1.redhat.com ([209.132.183.28]:34337) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQv-0005H3-04 for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:01 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1D3C95A60; Tue, 6 Jun 2017 12:18:00 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmMD003973; Tue, 6 Jun 2017 08:17:58 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 1D3C95A60 Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 1D3C95A60 From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:45 +0200 Message-Id: <20170606121747.25356-6-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 06 Jun 2017 12:18:00 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 5/7] megasas: do not read command more than once from frame X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Avoid TOC-TOU bugs by passing the frame_cmd down, and checking cmd->dcmd_opcode instead of cmd->frame->header.frame_cmd. Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 60 +++++++++++++++++++++++----------------------------= ---- 1 file changed, 25 insertions(+), 35 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index a3f75c1650..38e0a2f5ef 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -1591,12 +1591,13 @@ static int megasas_handle_dcmd(MegasasState *s, Meg= asasCmd *cmd) } =20 static int megasas_finish_internal_dcmd(MegasasCmd *cmd, - SCSIRequest *req) + SCSIRequest *req, size_t resid) { int retval =3D MFI_STAT_OK; int lun =3D req->lun; =20 trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun); + cmd->iov_size -=3D resid; switch (cmd->dcmd_opcode) { case MFI_DCMD_PD_GET_INFO: retval =3D megasas_pd_get_info_submit(req->dev, lun, cmd); @@ -1649,11 +1650,12 @@ static int megasas_enqueue_req(MegasasCmd *cmd, boo= l is_write) } =20 static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd, - bool is_logical) + int frame_cmd) { uint8_t *cdb; bool is_write; struct SCSIDevice *sdev =3D NULL; + bool is_logical =3D (frame_cmd =3D=3D MFI_CMD_LD_SCSI_IO); =20 cdb =3D cmd->frame->pass.cdb; =20 @@ -1661,7 +1663,7 @@ static int megasas_handle_scsi(MegasasState *s, Megas= asCmd *cmd, if (cmd->frame->header.target_id >=3D MFI_MAX_LD || cmd->frame->header.lun_id !=3D 0) { trace_megasas_scsi_target_not_present( - mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical, + mfi_frame_desc[frame_cmd], is_logical, cmd->frame->header.target_id, cmd->frame->header.lun_id); return MFI_STAT_DEVICE_NOT_FOUND; } @@ -1671,19 +1673,20 @@ static int megasas_handle_scsi(MegasasState *s, Meg= asasCmd *cmd, =20 cmd->iov_size =3D le32_to_cpu(cmd->frame->header.data_len); trace_megasas_handle_scsi(mfi_frame_desc[cmd->frame->header.frame_cmd], - is_logical, cmd->frame->header.target_id, + trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical, + cmd->frame->header.target_id, cmd->frame->header.lun_id, sdev, cmd->iov_si= ze); =20 if (!sdev || (megasas_is_jbod(s) && is_logical)) { trace_megasas_scsi_target_not_present( - mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical, + mfi_frame_desc[frame_cmd], is_logical, cmd->frame->header.target_id, cmd->frame->header.lun_id); return MFI_STAT_DEVICE_NOT_FOUND; } =20 if (cmd->frame->header.cdb_len > 16) { trace_megasas_scsi_invalid_cdb_len( - mfi_frame_desc[cmd->frame->header.frame_cmd], is_logical, + mfi_frame_desc[frame_cmd], is_logical, cmd->frame->header.target_id, cmd->frame->header.lun_id, cmd->frame->header.cdb_len); megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); @@ -1703,7 +1706,7 @@ static int megasas_handle_scsi(MegasasState *s, Megas= asCmd *cmd, cmd->frame->header.lun_id, cdb, cmd); if (!cmd->req) { trace_megasas_scsi_req_alloc_failed( - mfi_frame_desc[cmd->frame->header.frame_cmd], + mfi_frame_desc[frame_cmd], cmd->frame->header.target_id, cmd->frame->header.lun_id); megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); cmd->frame->header.scsi_status =3D BUSY; @@ -1725,11 +1728,11 @@ static int megasas_handle_scsi(MegasasState *s, Meg= asasCmd *cmd, return MFI_STAT_INVALID_STATUS; } =20 -static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd) +static int megasas_handle_io(MegasasState *s, MegasasCmd *cmd, int frame_c= md) { uint32_t lba_count, lba_start_hi, lba_start_lo; uint64_t lba_start; - bool is_write =3D (cmd->frame->header.frame_cmd =3D=3D MFI_CMD_LD_WRIT= E); + bool is_write =3D (frame_cmd =3D=3D MFI_CMD_LD_WRITE); uint8_t cdb[16]; int len; struct SCSIDevice *sdev =3D NULL; @@ -1746,20 +1749,20 @@ static int megasas_handle_io(MegasasState *s, Megas= asCmd *cmd) } =20 trace_megasas_handle_io(cmd->index, - mfi_frame_desc[cmd->frame->header.frame_cmd], + mfi_frame_desc[frame_cmd], cmd->frame->header.target_id, cmd->frame->header.lun_id, (unsigned long)lba_start, (unsigned long)lba_c= ount); if (!sdev) { trace_megasas_io_target_not_present(cmd->index, - mfi_frame_desc[cmd->frame->header.frame_cmd], + mfi_frame_desc[frame_cmd], cmd->frame->header.target_id, cmd->frame->header.lun_id); return MFI_STAT_DEVICE_NOT_FOUND; } =20 if (cmd->frame->header.cdb_len > 16) { trace_megasas_scsi_invalid_cdb_len( - mfi_frame_desc[cmd->frame->header.frame_cmd], 1, + mfi_frame_desc[frame_cmd], 1, cmd->frame->header.target_id, cmd->frame->header.lun_id, cmd->frame->header.cdb_len); megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); @@ -1781,7 +1784,7 @@ static int megasas_handle_io(MegasasState *s, Megasas= Cmd *cmd) cmd->frame->header.lun_id, cdb, cmd); if (!cmd->req) { trace_megasas_scsi_req_alloc_failed( - mfi_frame_desc[cmd->frame->header.frame_cmd], + mfi_frame_desc[frame_cmd], cmd->frame->header.target_id, cmd->frame->header.lun_id); megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); cmd->frame->header.scsi_status =3D BUSY; @@ -1799,23 +1802,11 @@ static int megasas_handle_io(MegasasState *s, Megas= asCmd *cmd) return MFI_STAT_INVALID_STATUS; } =20 -static int megasas_finish_internal_command(MegasasCmd *cmd, - SCSIRequest *req, size_t resid) -{ - int retval =3D MFI_STAT_INVALID_CMD; - - if (cmd->frame->header.frame_cmd =3D=3D MFI_CMD_DCMD) { - cmd->iov_size -=3D resid; - retval =3D megasas_finish_internal_dcmd(cmd, req); - } - return retval; -} - static QEMUSGList *megasas_get_sg_list(SCSIRequest *req) { MegasasCmd *cmd =3D req->hba_private; =20 - if (cmd->frame->header.frame_cmd =3D=3D MFI_CMD_DCMD) { + if (cmd->dcmd_opcode !=3D -1) { return NULL; } else { return &cmd->qsg; @@ -1829,7 +1820,7 @@ static void megasas_xfer_complete(SCSIRequest *req, u= int32_t len) =20 trace_megasas_io_complete(cmd->index, len); =20 - if (cmd->frame->header.frame_cmd !=3D MFI_CMD_DCMD) { + if (cmd->dcmd_opcode !=3D -1) { scsi_req_continue(req); return; } @@ -1872,7 +1863,7 @@ static void megasas_command_complete(SCSIRequest *req= , uint32_t status, /* * Internal command complete */ - cmd_status =3D megasas_finish_internal_command(cmd, req, resid); + cmd_status =3D megasas_finish_internal_dcmd(cmd, req, resid); if (cmd_status =3D=3D MFI_STAT_INVALID_STATUS) { return; } @@ -1943,6 +1934,7 @@ static void megasas_handle_frame(MegasasState *s, uin= t64_t frame_addr, { uint8_t frame_status =3D MFI_STAT_INVALID_CMD; uint64_t frame_context; + int frame_cmd; MegasasCmd *cmd; =20 /* @@ -1961,7 +1953,8 @@ static void megasas_handle_frame(MegasasState *s, uin= t64_t frame_addr, s->event_count++; return; } - switch (cmd->frame->header.frame_cmd) { + frame_cmd =3D cmd->frame->header.frame_cmd; + switch (frame_cmd) { case MFI_CMD_INIT: frame_status =3D megasas_init_firmware(s, cmd); break; @@ -1972,18 +1965,15 @@ static void megasas_handle_frame(MegasasState *s, u= int64_t frame_addr, frame_status =3D megasas_handle_abort(s, cmd); break; case MFI_CMD_PD_SCSI_IO: - frame_status =3D megasas_handle_scsi(s, cmd, 0); - break; case MFI_CMD_LD_SCSI_IO: - frame_status =3D megasas_handle_scsi(s, cmd, 1); + frame_status =3D megasas_handle_scsi(s, cmd, frame_cmd); break; case MFI_CMD_LD_READ: case MFI_CMD_LD_WRITE: - frame_status =3D megasas_handle_io(s, cmd); + frame_status =3D megasas_handle_io(s, cmd, frame_cmd); break; default: - trace_megasas_unhandled_frame_cmd(cmd->index, - cmd->frame->header.frame_cmd); + trace_megasas_unhandled_frame_cmd(cmd->index, frame_cmd); s->event_count++; break; } --=20 2.13.0 From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751608405926.2070738906094; Tue, 6 Jun 2017 05:20:08 -0700 (PDT) Received: from localhost ([::1]:38143 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDSw-0003We-Ns for importer@patchew.org; Tue, 06 Jun 2017 08:20:06 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56987) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDQy-0001wW-89 for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQw-0005I1-Tc for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:04 -0400 Received: from mx1.redhat.com ([209.132.183.28]:34524) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQw-0005Hp-LH for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:02 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AE5A580C02; Tue, 6 Jun 2017 12:18:01 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmME003973; Tue, 6 Jun 2017 08:18:00 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com AE5A580C02 Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com AE5A580C02 From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:46 +0200 Message-Id: <20170606121747.25356-7-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Tue, 06 Jun 2017 12:18:01 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 6/7] megasas: do not read SCSI req parameters more than once from frame X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 60 ++++++++++++++++++++++++---------------------------= ---- 1 file changed, 26 insertions(+), 34 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 38e0a2f5ef..135662df31 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -1653,42 +1653,39 @@ static int megasas_handle_scsi(MegasasState *s, Meg= asasCmd *cmd, int frame_cmd) { uint8_t *cdb; + int target_id, lun_id, cdb_len; bool is_write; struct SCSIDevice *sdev =3D NULL; bool is_logical =3D (frame_cmd =3D=3D MFI_CMD_LD_SCSI_IO); =20 cdb =3D cmd->frame->pass.cdb; + target_id =3D cmd->frame->header.target_id; + lun_id =3D cmd->frame->header.lun_id; + cdb_len =3D cmd->frame->header.cdb_len; =20 if (is_logical) { - if (cmd->frame->header.target_id >=3D MFI_MAX_LD || - cmd->frame->header.lun_id !=3D 0) { + if (target_id >=3D MFI_MAX_LD || lun_id !=3D 0) { trace_megasas_scsi_target_not_present( - mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, cmd->frame->header.lun_id); + mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id); return MFI_STAT_DEVICE_NOT_FOUND; } } - sdev =3D scsi_device_find(&s->bus, 0, cmd->frame->header.target_id, - cmd->frame->header.lun_id); + sdev =3D scsi_device_find(&s->bus, 0, target_id, lun_id); =20 cmd->iov_size =3D le32_to_cpu(cmd->frame->header.data_len); - trace_megasas_handle_scsi(mfi_frame_desc[cmd->frame->header.frame_cmd], trace_megasas_handle_scsi(mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, - cmd->frame->header.lun_id, sdev, cmd->iov_si= ze); + target_id, lun_id, sdev, cmd->iov_size); =20 if (!sdev || (megasas_is_jbod(s) && is_logical)) { trace_megasas_scsi_target_not_present( - mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, cmd->frame->header.lun_id); + mfi_frame_desc[frame_cmd], is_logical, target_id, lun_id); return MFI_STAT_DEVICE_NOT_FOUND; } =20 - if (cmd->frame->header.cdb_len > 16) { + if (cdb_len > 16) { trace_megasas_scsi_invalid_cdb_len( mfi_frame_desc[frame_cmd], is_logical, - cmd->frame->header.target_id, cmd->frame->header.lun_id, - cmd->frame->header.cdb_len); + target_id, lun_id, cdb_len); megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); cmd->frame->header.scsi_status =3D CHECK_CONDITION; s->event_count++; @@ -1702,12 +1699,10 @@ static int megasas_handle_scsi(MegasasState *s, Meg= asasCmd *cmd, return MFI_STAT_SCSI_DONE_WITH_ERROR; } =20 - cmd->req =3D scsi_req_new(sdev, cmd->index, - cmd->frame->header.lun_id, cdb, cmd); + cmd->req =3D scsi_req_new(sdev, cmd->index, lun_id, cdb, cmd); if (!cmd->req) { trace_megasas_scsi_req_alloc_failed( - mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, cmd->frame->header.lun_id); + mfi_frame_desc[frame_cmd], target_id, lun_id); megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); cmd->frame->header.scsi_status =3D BUSY; s->event_count++; @@ -1736,35 +1731,33 @@ static int megasas_handle_io(MegasasState *s, Megas= asCmd *cmd, int frame_cmd) uint8_t cdb[16]; int len; struct SCSIDevice *sdev =3D NULL; + int target_id, lun_id, cdb_len; =20 lba_count =3D le32_to_cpu(cmd->frame->io.header.data_len); lba_start_lo =3D le32_to_cpu(cmd->frame->io.lba_lo); lba_start_hi =3D le32_to_cpu(cmd->frame->io.lba_hi); lba_start =3D ((uint64_t)lba_start_hi << 32) | lba_start_lo; =20 - if (cmd->frame->header.target_id < MFI_MAX_LD && - cmd->frame->header.lun_id =3D=3D 0) { - sdev =3D scsi_device_find(&s->bus, 0, cmd->frame->header.target_id, - cmd->frame->header.lun_id); + target_id =3D cmd->frame->header.target_id; + lun_id =3D cmd->frame->header.lun_id; + cdb_len =3D cmd->frame->header.cdb_len; + + if (target_id < MFI_MAX_LD && lun_id =3D=3D 0) { + sdev =3D scsi_device_find(&s->bus, 0, target_id, lun_id); } =20 trace_megasas_handle_io(cmd->index, - mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, - cmd->frame->header.lun_id, + mfi_frame_desc[frame_cmd], target_id, lun_id, (unsigned long)lba_start, (unsigned long)lba_c= ount); if (!sdev) { trace_megasas_io_target_not_present(cmd->index, - mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, cmd->frame->header.lun_id); + mfi_frame_desc[frame_cmd], target_id, lun_id); return MFI_STAT_DEVICE_NOT_FOUND; } =20 - if (cmd->frame->header.cdb_len > 16) { + if (cdb_len > 16) { trace_megasas_scsi_invalid_cdb_len( - mfi_frame_desc[frame_cmd], 1, - cmd->frame->header.target_id, cmd->frame->header.lun_id, - cmd->frame->header.cdb_len); + mfi_frame_desc[frame_cmd], 1, target_id, lun_id, cdb_len); megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE)); cmd->frame->header.scsi_status =3D CHECK_CONDITION; s->event_count++; @@ -1781,11 +1774,10 @@ static int megasas_handle_io(MegasasState *s, Megas= asCmd *cmd, int frame_cmd) =20 megasas_encode_lba(cdb, lba_start, lba_count, is_write); cmd->req =3D scsi_req_new(sdev, cmd->index, - cmd->frame->header.lun_id, cdb, cmd); + lun_id, cdb, cmd); if (!cmd->req) { trace_megasas_scsi_req_alloc_failed( - mfi_frame_desc[frame_cmd], - cmd->frame->header.target_id, cmd->frame->header.lun_id); + mfi_frame_desc[frame_cmd], target_id, lun_id); megasas_write_sense(cmd, SENSE_CODE(NO_SENSE)); cmd->frame->header.scsi_status =3D BUSY; s->event_count++; --=20 2.13.0 From nobody Sat Feb 7 02:12:27 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751739096790.9064174245387; Tue, 6 Jun 2017 05:22:19 -0700 (PDT) Received: from localhost ([::1]:38156 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDV3-0005Q1-IC for importer@patchew.org; Tue, 06 Jun 2017 08:22:17 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56999) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDR0-0001yX-8J for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQy-0005IJ-Nt for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:06 -0400 Received: from mx1.redhat.com ([209.132.183.28]:32774) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQy-0005I7-FF for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:04 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8F68981243; Tue, 6 Jun 2017 12:18:03 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmMF003973; Tue, 6 Jun 2017 08:18:01 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 8F68981243 Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 8F68981243 From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:47 +0200 Message-Id: <20170606121747.25356-8-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Tue, 06 Jun 2017 12:18:03 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 7/7] megasas: always store SCSIRequest* into MegasasCmd X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" This ensures that the request is unref'ed properly, and avoids a segmentation fault in the new qtest testcase that is added. Reported-by: Zhangyanyu Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 31 ++++++++++++++++--------------- tests/megasas-test.c | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 15 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 135662df31..734fdaef90 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s) static void megasas_abort_command(MegasasCmd *cmd) { /* Never abort internal commands. */ + if (cmd->dcmd_opcode !=3D -1) { + return; + } if (cmd->req !=3D NULL) { scsi_req_cancel(cmd->req); } @@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sde= v, int lun, uint64_t pd_size; uint16_t pd_id =3D ((sdev->id & 0xFF) << 8) | (lun & 0xFF); uint8_t cmdbuf[6]; - SCSIRequest *req; size_t len, resid; =20 if (!cmd->iov_buf) { @@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sde= v, int lun, info->inquiry_data[0] =3D 0x7f; /* Force PQual 0x3, PType 0x1f */ info->vpd_page83[0] =3D 0x7f; megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data)); - req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); - if (!req) { + cmd->req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "PD get info std inquiry"); g_free(cmd->iov_buf); @@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *s= dev, int lun, } trace_megasas_dcmd_internal_submit(cmd->index, "PD get info std inquiry", lun); - len =3D scsi_req_enqueue(req); + len =3D scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size =3D len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } else if (info->inquiry_data[0] !=3D 0x7f && info->vpd_page83[0] =3D= =3D 0x7f) { megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83)); - req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); - if (!req) { + cmd->req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "PD get info vpd inquiry"); return MFI_STAT_FLASH_ALLOC_FAIL; } trace_megasas_dcmd_internal_submit(cmd->index, "PD get info vpd inquiry", lun); - len =3D scsi_req_enqueue(req); + len =3D scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size =3D len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } @@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sde= v, int lun, struct mfi_ld_info *info =3D cmd->iov_buf; size_t dcmd_size =3D sizeof(struct mfi_ld_info); uint8_t cdb[6]; - SCSIRequest *req; ssize_t len, resid; uint16_t sdev_id =3D ((sdev->id & 0xFF) << 8) | (lun & 0xFF); uint64_t ld_size; @@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sde= v, int lun, cmd->iov_buf =3D g_malloc0(dcmd_size); info =3D cmd->iov_buf; megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83)); - req =3D scsi_req_new(sdev, cmd->index, lun, cdb, cmd); - if (!req) { + cmd->req =3D scsi_req_new(sdev, cmd->index, lun, cdb, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "LD get info vpd inquiry"); g_free(cmd->iov_buf); @@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *s= dev, int lun, } trace_megasas_dcmd_internal_submit(cmd->index, "LD get info vpd inquiry", lun); - len =3D scsi_req_enqueue(req); + len =3D scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size =3D len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } @@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req= , uint32_t status, return; } =20 - if (cmd->req =3D=3D NULL) { + if (cmd->dcmd_opcode !=3D -1) { /* * Internal command complete */ diff --git a/tests/megasas-test.c b/tests/megasas-test.c index a9e56a2389..ce960e7f81 100644 --- a/tests/megasas-test.c +++ b/tests/megasas-test.c @@ -42,10 +42,45 @@ static void pci_nop(void) qmegasas_stop(qs); } =20 +/* This used to cause a NULL pointer dereference. */ +static void megasas_pd_get_info_fuzz(void) +{ + QPCIDevice *dev; + QOSState *qs; + QPCIBar bar; + uint32_t context[256]; + uint64_t context_pa; + int i; + + qs =3D qmegasas_start(NULL); + dev =3D qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); + g_assert(dev !=3D NULL); + + qpci_device_enable(dev); + bar =3D qpci_iomap(dev, 0, NULL); + + memset(context, 0, sizeof(context)); + context[0] =3D cpu_to_le32(0x05050505); + context[1] =3D cpu_to_le32(0x01010101); + for (i =3D 2; i < ARRAY_SIZE(context); i++) { + context[i] =3D cpu_to_le32(0x41414141); + } + context[6] =3D cpu_to_le32(0x02020000); + context[7] =3D cpu_to_le32(0); + + context_pa =3D qmalloc(qs, sizeof(context)); + memwrite(context_pa, context, sizeof(context)); + qpci_io_writel(dev, bar, 0x40, context_pa); + + g_free(dev); + qmegasas_stop(qs); +} + int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); qtest_add_func("/megasas/pci/nop", pci_nop); + qtest_add_func("/megasas/dcmd/pd-get-info/fuzz", megasas_pd_get_info_f= uzz); =20 return g_test_run(); } --=20 2.13.0