Fuzzing the Linux kernel with syzkaller allowed us to find how to crash qemu
using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
ide_dma_cb() introduced in the commit a718978ed58a in July 2015.

This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
and improves the ide-test to cover more PRDT cases (including one
that causes that particular qemu crash).

Changes from v2 (thanks to Kevin Wolf for the feedback):
- the assertion about the prepare_buf() return value is improved;
- the patch order is reversed to keep the tree bisectable;
- the unit-test performance is improved -- now it runs in 8 seconds
  instead of 3 minutes on my laptop.

Alexander Popov (2):
  ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
  tests/ide-test: Create a single unit-test covering more PRDT cases

 hw/ide/core.c    |  30 +++++---
 tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
 2 files changed, 96 insertions(+), 108 deletions(-)

-- 
2.23.0
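The cover letter names the failure mode (a guest-supplied PRDT that ide_dma_cb() mishandles, tripping an assertion on what prepare_buf() returned) but not the table format or the checks a DMA callback has to make. The following is an added example, not QEMU's code and not the fix in this series: it walks a Bus Master IDE Physical Region Descriptor Table as a guest would hand it to the controller (8-byte little-endian entries: 32-bit physical address, 16-bit byte count where 0 means 64 KiB, 16-bit flags with End Of Table at bit 15), bounds the bytes the table describes against the bytes the command actually asked for, and reports whether the table is exact, too short (more PRDs needed), oversized, or malformed. A sector-alignment helper is included because an IDE transfer is counted in 512-byte sectors, so a table that describes a partial sector must not be turned into a sector count. PRD_MAX_ENTRIES, the status names and the sample tables are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PRD_SIZE        8
#define PRD_EOT         0x8000u
#define IDE_SECTOR      512
#define PRD_MAX_ENTRIES 512   /* assumption: our own cap for a table that never sets EOT */

enum prdt_status {
    PRDT_OK,         /* table describes exactly `want` bytes */
    PRDT_SHORT,      /* EOT reached before `want` bytes: the device needs more PRDs */
    PRDT_TRUNCATED,  /* table describes more than `want`: only `want` may be used */
    PRDT_NO_EOT,     /* no EOT within PRD_MAX_ENTRIES: treat as malformed */
    PRDT_BAD_INPUT   /* table buffer ends before the walk does */
};

struct prdt_walk {
    enum prdt_status status;
    size_t entries;      /* PRD entries consumed */
    uint64_t described;  /* bytes described by the consumed entries */
    uint64_t usable;     /* bytes the transfer may actually use: min(described, want) */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

struct prdt_walk prdt_walk(const uint8_t *table, size_t table_len, uint64_t want)
{
    struct prdt_walk w = { PRDT_NO_EOT, 0, 0, 0 };

    for (size_t i = 0; i < PRD_MAX_ENTRIES; i++) {
        if ((i + 1) * PRD_SIZE > table_len) {      /* never read past the buffer */
            w.status = PRDT_BAD_INPUT;
            w.usable = w.described < want ? w.described : want;
            return w;
        }
        const uint8_t *e = table + i * PRD_SIZE;
        uint32_t base  = rd32(e);                  /* a real engine would map this address */
        uint16_t count = rd16(e + 4);
        uint16_t flags = rd16(e + 6);
        uint64_t len   = count ? count : 65536;    /* zero count means 64 KiB */
        (void)base;

        w.entries++;
        w.described += len;
        if (w.described >= want) {                 /* enough for the command: stop here */
            w.usable = want;
            w.status = (w.described == want) ? PRDT_OK : PRDT_TRUNCATED;
            return w;
        }
        if (flags & PRD_EOT) {                     /* table ended early */
            w.usable = w.described;
            w.status = PRDT_SHORT;
            return w;
        }
    }
    w.usable = w.described;                        /* < want, else returned above */
    return w;                                      /* PRDT_NO_EOT */
}

/* Sector-based devices must only act on whole sectors of the usable bytes. */
uint64_t prdt_whole_sectors(uint64_t bytes) { return bytes / IDE_SECTOR; }
int prdt_sector_aligned(uint64_t bytes) { return bytes % IDE_SECTOR == 0; }

static void put_prd(uint8_t *e, uint32_t base, uint16_t count, int eot)
{
    uint16_t flags = eot ? PRD_EOT : 0;
    e[0] = (uint8_t)base;  e[1] = (uint8_t)(base >> 8);
    e[2] = (uint8_t)(base >> 16); e[3] = (uint8_t)(base >> 24);
    e[4] = (uint8_t)count; e[5] = (uint8_t)(count >> 8);
    e[6] = (uint8_t)flags; e[7] = (uint8_t)(flags >> 8);
}

/* Constructed sample tables (assumed guest-chosen values, not from any real run). */
struct prdt_walk sample_walk(int which)
{
    static uint8_t tbl[PRD_MAX_ENTRIES * PRD_SIZE];
    switch (which) {
    case 0: /* two 512-byte regions, EOT on the second, 1024 bytes requested */
        put_prd(tbl, 0x1000, 512, 0);
        put_prd(tbl + 8, 0x2000, 512, 1);
        return prdt_walk(tbl, 16, 1024);
    case 1: /* count 0 = 64 KiB, but only 4096 bytes requested */
        put_prd(tbl, 0x1000, 0, 1);
        return prdt_walk(tbl, 8, 4096);
    case 2: /* 256 bytes with EOT: less than one sector for a 512-byte request */
        put_prd(tbl, 0x1000, 256, 1);
        return prdt_walk(tbl, 8, 512);
    case 3: /* 512 tiny entries, none with EOT, against a 1 MiB request */
        for (int i = 0; i < PRD_MAX_ENTRIES; i++)
            put_prd(tbl + i * 8, 0x1000 + i * 8, 8, 0);
        return prdt_walk(tbl, sizeof tbl, 1u << 20);
    default: /* table buffer too short: one non-EOT entry, then nothing */
        put_prd(tbl, 0x1000, 8, 0);
        return prdt_walk(tbl, 8, 100);
    }
}

int main(void)
{
    static const char *names[] = { "ok", "short", "truncated", "no-eot", "bad-input" };
    for (int i = 0; i < 5; i++) {
        struct prdt_walk w = sample_walk(i);
        printf("case %d: %s entries=%zu described=%llu usable=%llu whole_sectors=%llu\n",
               i, names[w.status], w.entries, (unsigned long long)w.described,
               (unsigned long long)w.usable, (unsigned long long)prdt_whole_sectors(w.usable));
    }
    return 0;
}
```

The point of the walk is that the number of bytes the guest's table describes and the number of bytes the command requested are two independent, attacker-influenced quantities; the callback must derive its buffer size from the smaller of the two, and a sector-based device must additionally refuse to treat a partial sector as a sector. Case 2 is the shape to watch: a well-formed table with EOT set that still describes fewer bytes than one sector.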
On 23.12.2019 20:51, Alexander Popov wrote:
> Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
> using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
> ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
> 
> This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
> and improves the ide-test to cover more PRDT cases (including one
> that causes that particular qemu crash).
> 
> Changes from v2 (thanks to Kevin Wolf for the feedback):
> - the assertion about prepare_buf() return value is improved;
> - the patch order is reversed to keep the tree bisectable;
> - the unit-test performance is improved -- now it runs 8 seconds
>   instead of 3 minutes on my laptop.
> 
> Alexander Popov (2):
>   ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
>   tests/ide-test: Create a single unit-test covering more PRDT cases
> 
>  hw/ide/core.c    |  30 +++++---
>  tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
>  2 files changed, 96 insertions(+), 108 deletions(-)

Hello!

Just a friendly ping. Could I have the feedback for this patch series?

Kevin, do you like the changes?

Best regards,
Alexander
On 23.12.2019 20:51, Alexander Popov wrote:
> Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
> using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
> ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
> 
> This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
> and improves the ide-test to cover more PRDT cases (including one
> that causes that particular qemu crash).
> 
> Changes from v2 (thanks to Kevin Wolf for the feedback):
> - the assertion about prepare_buf() return value is improved;
> - the patch order is reversed to keep the tree bisectable;
> - the unit-test performance is improved -- now it runs 8 seconds
>   instead of 3 minutes on my laptop.
> 
> Alexander Popov (2):
>   ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
>   tests/ide-test: Create a single unit-test covering more PRDT cases
> 
>  hw/ide/core.c    |  30 +++++---
>  tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
>  2 files changed, 96 insertions(+), 108 deletions(-)

Hello!

Pinging again about this fix and unit-test...

It's ready. Kevin Wolf has reviewed this (thanks a lot!).

What is next?

Best regards,
Alexander
Am 22.01.2020 um 12:53 hat Alexander Popov geschrieben:
> On 23.12.2019 20:51, Alexander Popov wrote:
> > Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
> > using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
> > ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
> > 
> > This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
> > and improves the ide-test to cover more PRDT cases (including one
> > that causes that particular qemu crash).
> > 
> > Changes from v2 (thanks to Kevin Wolf for the feedback):
> > - the assertion about prepare_buf() return value is improved;
> > - the patch order is reversed to keep the tree bisectable;
> > - the unit-test performance is improved -- now it runs 8 seconds
> >   instead of 3 minutes on my laptop.
> > 
> > Alexander Popov (2):
> >   ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
> >   tests/ide-test: Create a single unit-test covering more PRDT cases
> > 
> >  hw/ide/core.c    |  30 +++++---
> >  tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
> >  2 files changed, 96 insertions(+), 108 deletions(-)
> 
> Hello!
> 
> Pinging again about this fix and unit-test...
> 
> It's ready. Kevin Wolf has reviewed this (thanks a lot!).
> 
> What is next?

I asked John about it just yesterday (if he will merge it or if he would
prefer me to take it through my tree) and he promised to take a look
very soon.

Kevin
On 1/22/20 7:23 AM, Kevin Wolf wrote:
> Am 22.01.2020 um 12:53 hat Alexander Popov geschrieben:
>> On 23.12.2019 20:51, Alexander Popov wrote:
>>> Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
>>> using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
>>> ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
>>>
>>> This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
>>> and improves the ide-test to cover more PRDT cases (including one
>>> that causes that particular qemu crash).
>>>
>>> Changes from v2 (thanks to Kevin Wolf for the feedback):
>>> - the assertion about prepare_buf() return value is improved;
>>> - the patch order is reversed to keep the tree bisectable;
>>> - the unit-test performance is improved -- now it runs 8 seconds
>>>   instead of 3 minutes on my laptop.
>>>
>>> Alexander Popov (2):
>>>   ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
>>>   tests/ide-test: Create a single unit-test covering more PRDT cases
>>>
>>>  hw/ide/core.c    |  30 +++++---
>>>  tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
>>>  2 files changed, 96 insertions(+), 108 deletions(-)
>>
>> Hello!
>>
>> Pinging again about this fix and unit-test...
>>
>> It's ready. Kevin Wolf has reviewed this (thanks a lot!).
>>
>> What is next?
> 
> I asked John about it just yesterday (if he will merge it or if he would
> prefer me to take it through my tree) and he promised to take a look
> very soon.
> 
> Kevin
> 

Going to merge it today.

--js
On 12/23/19 12:51 PM, Alexander Popov wrote:
> Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
> using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
> ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
> 
> This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
> and improves the ide-test to cover more PRDT cases (including one
> that causes that particular qemu crash).
> 
> Changes from v2 (thanks to Kevin Wolf for the feedback):
> - the assertion about prepare_buf() return value is improved;
> - the patch order is reversed to keep the tree bisectable;
> - the unit-test performance is improved -- now it runs 8 seconds
>   instead of 3 minutes on my laptop.
> 
> Alexander Popov (2):
>   ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
>   tests/ide-test: Create a single unit-test covering more PRDT cases
> 
>  hw/ide/core.c    |  30 +++++---
>  tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
>  2 files changed, 96 insertions(+), 108 deletions(-)
> 

Thanks, applied to my IDE tree:

https://github.com/jnsnow/qemu/commits/ide
https://github.com/jnsnow/qemu.git

--js
On 23.01.2020 02:14, John Snow wrote:
> On 12/23/19 12:51 PM, Alexander Popov wrote:
>> Fuzzing the Linux kernel with syzkaller allowed to find how to crash qemu
>> using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
>> ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
>>
>> This patch series fixes incorrect handling of some PRDTs in ide_dma_cb()
>> and improves the ide-test to cover more PRDT cases (including one
>> that causes that particular qemu crash).
>>
>> Changes from v2 (thanks to Kevin Wolf for the feedback):
>> - the assertion about prepare_buf() return value is improved;
>> - the patch order is reversed to keep the tree bisectable;
>> - the unit-test performance is improved -- now it runs 8 seconds
>>   instead of 3 minutes on my laptop.
>>
>> Alexander Popov (2):
>>   ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
>>   tests/ide-test: Create a single unit-test covering more PRDT cases
>>
>>  hw/ide/core.c    |  30 +++++---
>>  tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
>>  2 files changed, 96 insertions(+), 108 deletions(-)
>>
> 
> Thanks, applied to my IDE tree:
> 
> https://github.com/jnsnow/qemu/commits/ide
> https://github.com/jnsnow/qemu.git

Happy end! Thanks a lot!

Best regards,
Alexander
© 2016 - 2024 Red Hat, Inc.