From nobody Mon Feb 9 04:22:01 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1496751739096790.9064174245387; Tue, 6 Jun 2017 05:22:19 -0700 (PDT) Received: from localhost ([::1]:38156 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDV3-0005Q1-IC for importer@patchew.org; Tue, 06 Jun 2017 08:22:17 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56999) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dIDR0-0001yX-8J for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dIDQy-0005IJ-Nt for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:06 -0400 Received: from mx1.redhat.com ([209.132.183.28]:32774) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dIDQy-0005I7-FF for qemu-devel@nongnu.org; Tue, 06 Jun 2017 08:18:04 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8F68981243; Tue, 6 Jun 2017 12:18:03 +0000 (UTC) Received: from donizetti.redhat.com (ovpn-117-248.ams2.redhat.com [10.36.117.248]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v56CHmMF003973; Tue, 6 Jun 2017 08:18:01 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 8F68981243 Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=pbonzini@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 8F68981243 From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 6 Jun 2017 14:17:47 +0200 Message-Id: <20170606121747.25356-8-pbonzini@redhat.com> In-Reply-To: <20170606121747.25356-1-pbonzini@redhat.com> References: <20170606121747.25356-1-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Tue, 06 Jun 2017 12:18:03 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 7/7] megasas: always store SCSIRequest* into MegasasCmd X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zyy4013@stu.ouc.edu.cn, hare@suse.de, ppandit@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" This ensures that the request is unref'ed properly, and avoids a segmentation fault in the new qtest testcase that is added. Reported-by: Zhangyanyu Signed-off-by: Paolo Bonzini --- hw/scsi/megasas.c | 31 ++++++++++++++++--------------- tests/megasas-test.c | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 15 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 135662df31..734fdaef90 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s) static void megasas_abort_command(MegasasCmd *cmd) { /* Never abort internal commands. */ + if (cmd->dcmd_opcode !=3D -1) { + return; + } if (cmd->req !=3D NULL) { scsi_req_cancel(cmd->req); } @@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sde= v, int lun, uint64_t pd_size; uint16_t pd_id =3D ((sdev->id & 0xFF) << 8) | (lun & 0xFF); uint8_t cmdbuf[6]; - SCSIRequest *req; size_t len, resid; =20 if (!cmd->iov_buf) { @@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sde= v, int lun, info->inquiry_data[0] =3D 0x7f; /* Force PQual 0x3, PType 0x1f */ info->vpd_page83[0] =3D 0x7f; megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data)); - req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); - if (!req) { + cmd->req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "PD get info std inquiry"); g_free(cmd->iov_buf); @@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *s= dev, int lun, } trace_megasas_dcmd_internal_submit(cmd->index, "PD get info std inquiry", lun); - len =3D scsi_req_enqueue(req); + len =3D scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size =3D len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } else if (info->inquiry_data[0] !=3D 0x7f && info->vpd_page83[0] =3D= =3D 0x7f) { megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83)); - req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); - if (!req) { + cmd->req =3D scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "PD get info vpd inquiry"); return MFI_STAT_FLASH_ALLOC_FAIL; } trace_megasas_dcmd_internal_submit(cmd->index, "PD get info vpd inquiry", lun); - len =3D scsi_req_enqueue(req); + len =3D scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size =3D len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } @@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sde= v, int lun, struct mfi_ld_info *info =3D cmd->iov_buf; size_t dcmd_size =3D sizeof(struct mfi_ld_info); uint8_t cdb[6]; - SCSIRequest *req; ssize_t len, resid; uint16_t sdev_id =3D ((sdev->id & 0xFF) << 8) | (lun & 0xFF); uint64_t ld_size; @@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sde= v, int lun, cmd->iov_buf =3D g_malloc0(dcmd_size); info =3D cmd->iov_buf; megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83)); - req =3D scsi_req_new(sdev, cmd->index, lun, cdb, cmd); - if (!req) { + cmd->req =3D scsi_req_new(sdev, cmd->index, lun, cdb, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "LD get info vpd inquiry"); g_free(cmd->iov_buf); @@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *s= dev, int lun, } trace_megasas_dcmd_internal_submit(cmd->index, "LD get info vpd inquiry", lun); - len =3D scsi_req_enqueue(req); + len =3D scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size =3D len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } @@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req= , uint32_t status, return; } =20 - if (cmd->req =3D=3D NULL) { + if (cmd->dcmd_opcode !=3D -1) { /* * Internal command complete */ diff --git a/tests/megasas-test.c b/tests/megasas-test.c index a9e56a2389..ce960e7f81 100644 --- a/tests/megasas-test.c +++ b/tests/megasas-test.c @@ -42,10 +42,45 @@ static void pci_nop(void) qmegasas_stop(qs); } =20 +/* This used to cause a NULL pointer dereference. */ +static void megasas_pd_get_info_fuzz(void) +{ + QPCIDevice *dev; + QOSState *qs; + QPCIBar bar; + uint32_t context[256]; + uint64_t context_pa; + int i; + + qs =3D qmegasas_start(NULL); + dev =3D qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); + g_assert(dev !=3D NULL); + + qpci_device_enable(dev); + bar =3D qpci_iomap(dev, 0, NULL); + + memset(context, 0, sizeof(context)); + context[0] =3D cpu_to_le32(0x05050505); + context[1] =3D cpu_to_le32(0x01010101); + for (i =3D 2; i < ARRAY_SIZE(context); i++) { + context[i] =3D cpu_to_le32(0x41414141); + } + context[6] =3D cpu_to_le32(0x02020000); + context[7] =3D cpu_to_le32(0); + + context_pa =3D qmalloc(qs, sizeof(context)); + memwrite(context_pa, context, sizeof(context)); + qpci_io_writel(dev, bar, 0x40, context_pa); + + g_free(dev); + qmegasas_stop(qs); +} + int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); qtest_add_func("/megasas/pci/nop", pci_nop); + qtest_add_func("/megasas/dcmd/pd-get-info/fuzz", megasas_pd_get_info_f= uzz); =20 return g_test_run(); } --=20 2.13.0