MAINTAINERS | 1 + hw/scsi/esp.c | 116 ++++++++++--------- tests/qtest/am53c974-test.c | 216 ++++++++++++++++++++++++++++++++++++ tests/qtest/meson.build | 1 + 4 files changed, 282 insertions(+), 52 deletions(-) create mode 100644 tests/qtest/am53c974-test.c
Recently there have been a number of issues raised on Launchpad as a result of
fuzzing the am53c974 (ESP) device. I spent some time over the past couple of
days checking to see if anything had improved since my last patchset: from
what I can tell the issues are still present, but the cmdfifo related failures
now assert rather than corrupting memory.
This patchset applied to master passes my local tests using the qtest fuzz test
cases added by Alexander for the following Launchpad bugs:
https://bugs.launchpad.net/qemu/+bug/1919035
https://bugs.launchpad.net/qemu/+bug/1919036
https://bugs.launchpad.net/qemu/+bug/1910723
https://bugs.launchpad.net/qemu/+bug/1909247
I'm posting this now just before soft freeze since I see that some of the issues
have recently been allocated CVEs and so it could be argued that even though
they have existed for some time, it is worth fixing them for 6.0.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
v3:
- Rebase onto master
- Rearrange patch ordering (move patch 5 to the front) to help reduce cross-talk
between the regression tests
- Introduce patch 2 to remove unnecessary FIFO usage
- Introduce patches 3-4 to consolidate esp_fifo_pop()/esp_fifo_push() wrapper
functions to avoid having to introduce 2 variants of esp_fifo_pop_buf()
- Introduce esp_fifo_pop_buf() in patch 5 to prevent callers from overflowing
the array used to model the FIFO
- Introduce patch 10 to clarify cancellation logic should all occur in the .cancel
SCSI callback rather than at the site of the caller
- Add extra qtests in patch 11 to cover addition test cases provided on LP
v2:
- Add Alexander's R-B tag for patch 2 and Phil's R-B for patch 3
- Add patch 4 for additional testcase provided in Alexander's patch 1 comment
- Move current_req NULL checks forward in DMA functions (fixes ASAN bug reported
at https://bugs.launchpad.net/qemu/+bug/1909247/comments/6) in patch 3
- Add qtest for am53c974 containing a basic set of regression tests using the
automatic test cases generated by the fuzzer as requested by Paolo
Mark Cave-Ayland (11):
esp: always check current_req is not NULL before use in DMA callbacks
esp: rework write_response() to avoid using the FIFO for DMA
transactions
esp: consolidate esp_cmdfifo_push() into esp_fifo_push()
esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()
esp: introduce esp_fifo_pop_buf() and use it instead of
fifo8_pop_buf()
esp: ensure cmdfifo is not empty and current_dev is non-NULL
esp: don't underflow cmdfifo in do_cmd()
esp: don't overflow cmdfifo in get_cmd()
esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
esp: don't reset async_len directly in esp_select() if cancelling
request
tests/qtest: add tests for am53c974 device
MAINTAINERS | 1 +
hw/scsi/esp.c | 116 ++++++++++---------
tests/qtest/am53c974-test.c | 216 ++++++++++++++++++++++++++++++++++++
tests/qtest/meson.build | 1 +
4 files changed, 282 insertions(+), 52 deletions(-)
create mode 100644 tests/qtest/am53c974-test.c
--
2.20.1
On 210401 0849, Mark Cave-Ayland wrote: > Recently there have been a number of issues raised on Launchpad as a result of > fuzzing the am53c974 (ESP) device. I spent some time over the past couple of > days checking to see if anything had improved since my last patchset: from > what I can tell the issues are still present, but the cmdfifo related failures > now assert rather than corrupting memory. > > This patchset applied to master passes my local tests using the qtest fuzz test > cases added by Alexander for the following Launchpad bugs: > > https://bugs.launchpad.net/qemu/+bug/1919035 > https://bugs.launchpad.net/qemu/+bug/1919036 > https://bugs.launchpad.net/qemu/+bug/1910723 > https://bugs.launchpad.net/qemu/+bug/1909247 > > I'm posting this now just before soft freeze since I see that some of the issues > have recently been allocated CVEs and so it could be argued that even though > they have existed for some time, it is worth fixing them for 6.0. > > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > > v3: > - Rebase onto master > - Rearrange patch ordering (move patch 5 to the front) to help reduce cross-talk > between the regression tests > - Introduce patch 2 to remove unnecessary FIFO usage > - Introduce patches 3-4 to consolidate esp_fifo_pop()/esp_fifo_push() wrapper > functions to avoid having to introduce 2 variants of esp_fifo_pop_buf() > - Introduce esp_fifo_pop_buf() in patch 5 to prevent callers from overflowing > the array used to model the FIFO > - Introduce patch 10 to clarify cancellation logic should all occur in the .cancel > SCSI callback rather than at the site of the caller > - Add extra qtests in patch 11 to cover addition test cases provided on LP > Hi Mark, I applied this and ran through the whole fuzzer corpus, and all I'm seeing are just a few assertion failures: handle_satn_stop -> get_cmd -> util/fifo8.c:43:5 and hw/scsi/esp.c:790:5 Tested-by: Alexander Bulekov <alxndr@bu.edu> Thank you -Alex > v2: > - Add Alexander's R-B tag for patch 2 and Phil's R-B for patch 3 > - Add patch 4 for additional testcase provided in Alexander's patch 1 comment > - Move current_req NULL checks forward in DMA functions (fixes ASAN bug reported > at https://bugs.launchpad.net/qemu/+bug/1909247/comments/6) in patch 3 > - Add qtest for am53c974 containing a basic set of regression tests using the > automatic test cases generated by the fuzzer as requested by Paolo > > > Mark Cave-Ayland (11): > esp: always check current_req is not NULL before use in DMA callbacks > esp: rework write_response() to avoid using the FIFO for DMA > transactions > esp: consolidate esp_cmdfifo_push() into esp_fifo_push() > esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop() > esp: introduce esp_fifo_pop_buf() and use it instead of > fifo8_pop_buf() > esp: ensure cmdfifo is not empty and current_dev is non-NULL > esp: don't underflow cmdfifo in do_cmd() > esp: don't overflow cmdfifo in get_cmd() > esp: don't overflow cmdfifo if TC is larger than the cmdfifo size > esp: don't reset async_len directly in esp_select() if cancelling > request > tests/qtest: add tests for am53c974 device > > MAINTAINERS | 1 + > hw/scsi/esp.c | 116 ++++++++++--------- > tests/qtest/am53c974-test.c | 216 ++++++++++++++++++++++++++++++++++++ > tests/qtest/meson.build | 1 + > 4 files changed, 282 insertions(+), 52 deletions(-) > create mode 100644 tests/qtest/am53c974-test.c > > -- > 2.20.1 >
On 01/04/2021 18:00, Alexander Bulekov wrote:
> On 210401 0849, Mark Cave-Ayland wrote:
>> Recently there have been a number of issues raised on Launchpad as a result of
>> fuzzing the am53c974 (ESP) device. I spent some time over the past couple of
>> days checking to see if anything had improved since my last patchset: from
>> what I can tell the issues are still present, but the cmdfifo related failures
>> now assert rather than corrupting memory.
>>
>> This patchset applied to master passes my local tests using the qtest fuzz test
>> cases added by Alexander for the following Launchpad bugs:
>>
>> https://bugs.launchpad.net/qemu/+bug/1919035
>> https://bugs.launchpad.net/qemu/+bug/1919036
>> https://bugs.launchpad.net/qemu/+bug/1910723
>> https://bugs.launchpad.net/qemu/+bug/1909247
>>
>> I'm posting this now just before soft freeze since I see that some of the issues
>> have recently been allocated CVEs and so it could be argued that even though
>> they have existed for some time, it is worth fixing them for 6.0.
>>
>> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
>>
>> v3:
>> - Rebase onto master
>> - Rearrange patch ordering (move patch 5 to the front) to help reduce cross-talk
>> between the regression tests
>> - Introduce patch 2 to remove unnecessary FIFO usage
>> - Introduce patches 3-4 to consolidate esp_fifo_pop()/esp_fifo_push() wrapper
>> functions to avoid having to introduce 2 variants of esp_fifo_pop_buf()
>> - Introduce esp_fifo_pop_buf() in patch 5 to prevent callers from overflowing
>> the array used to model the FIFO
>> - Introduce patch 10 to clarify cancellation logic should all occur in the .cancel
>> SCSI callback rather than at the site of the caller
>> - Add extra qtests in patch 11 to cover addition test cases provided on LP
>>
>
> Hi Mark,
> I applied this and ran through the whole fuzzer corpus, and all I'm
> seeing are just a few assertion failures:
> handle_satn_stop -> get_cmd -> util/fifo8.c:43:5 and
> hw/scsi/esp.c:790:5
>
> Tested-by: Alexander Bulekov <alxndr@bu.edu>
>
> Thank you
> -Alex
Thanks for the testing! I've just realised that there is an error in the get_cmd()
MIN() check (it should be cmdfifo, not fifo) and also the limit is missing from the
non-DMA path.
Does the following patch on v3 fix the outstanding get_cmd() asserts?
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index ca062a0400..3b9037e4f4 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -243,7 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
}
if (s->dma_memory_read) {
s->dma_memory_read(s->dma_opaque, buf, dmalen);
- dmalen = MIN(fifo8_num_free(&s->fifo), dmalen);
+ dmalen = MIN(fifo8_num_free(&s->cmdfifo), dmalen);
fifo8_push_all(&s->cmdfifo, buf, dmalen);
} else {
if (esp_select(s) < 0) {
@@ -263,6 +263,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
if (n >= 3) {
buf[0] = buf[2] >> 5;
}
+ n = MIN(fifo8_num_free(&s->cmdfifo), n);
fifo8_push_all(&s->cmdfifo, buf, n);
}
trace_esp_get_cmd(dmalen, target);
Given that there is going to be a v4 now, if you are able to provide a handful of
test cases for hw/scsi/esp.c:790:5 as a diff on v3 like you did before then I can
take a quick look.
ATB,
Mark.
Original crash:
qemu-fuzz-i386: ../hw/scsi/esp.c:791: void esp_transfer_data(SCSIRequest *, uint32_t): Assertion `!s->do_cmd' failed.
==257532== ERROR: libFuzzer: deadly signal
__assert_fail assert/assert.c:101:3
esp_transfer_data hw/scsi/esp.c:791:5
scsi_req_data hw/scsi/scsi-bus.c:1412:9
scsi_disk_emulate_read_data hw/scsi/scsi-disk.c:1407:9
scsi_req_continue hw/scsi/scsi-bus.c:1394:9
do_busid_cmd hw/scsi/esp.c:317:9
handle_s_without_atn hw/scsi/esp.c:393:9
esp_reg_write hw/scsi/esp.c:1029:13
esp_pci_io_write hw/scsi/esp-pci.c:215:9
memory_region_write_accessor softmmu/memory.c:491:5
access_with_adjusted_size softmmu/memory.c:552:18
memory_region_dispatch_write softmmu/memory.c:1502:16
flatview_write_continue softmmu/physmem.c:2746:23
flatview_write softmmu/physmem.c:2786:14
address_space_write softmmu/physmem.c:2878:18
cpu_outl softmmu/ioport.c:80:5
Based-on: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
tests/qtest/am53c974-test.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
The patch took care of the handle_satn_stop assert. Here's a test case
for the other assert.
Pasteable:
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x01
outl 0xc00b 0x4100
outb 0xc008 0x42
outw 0xc03f 0x0300
outl 0xc00b 0xc100
EOF
diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
index 9c4285d0c0..506276677a 100644
--- a/tests/qtest/am53c974-test.c
+++ b/tests/qtest/am53c974-test.c
@@ -9,6 +9,22 @@
#include "libqos/libqtest.h"
+static void test_do_cmd_assert(void)
+{
+ QTestState *s = qtest_init(
+ "-device am53c974,id=scsi "
+ "-device scsi-hd,drive=disk0 -drive "
+ "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+ qtest_outl(s, 0xcf8, 0x80001010);
+ qtest_outl(s, 0xcfc, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80001004);
+ qtest_outw(s, 0xcfc, 0x01);
+ qtest_outl(s, 0xc00b, 0x4100);
+ qtest_outb(s, 0xc008, 0x42);
+ qtest_outw(s, 0xc03f, 0x0300);
+ qtest_outl(s, 0xc00b, 0xc100);
+ qtest_quit(s);
+}
static void test_cmdfifo_underflow_ok(void)
{
@@ -194,6 +210,8 @@ int main(int argc, char **argv)
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
+ qtest_add_func("am53c974/test_do_cmd_asser",
+ test_do_cmd_assert);
qtest_add_func("am53c974/test_cmdfifo_underflow_ok",
test_cmdfifo_underflow_ok);
qtest_add_func("am53c974/test_cmdfifo_underflow2_ok",
--
2.28.0
On 02/04/2021 17:20, Alexander Bulekov wrote:
> Original crash:
> qemu-fuzz-i386: ../hw/scsi/esp.c:791: void esp_transfer_data(SCSIRequest *, uint32_t): Assertion `!s->do_cmd' failed.
> ==257532== ERROR: libFuzzer: deadly signal
> __assert_fail assert/assert.c:101:3
> esp_transfer_data hw/scsi/esp.c:791:5
> scsi_req_data hw/scsi/scsi-bus.c:1412:9
> scsi_disk_emulate_read_data hw/scsi/scsi-disk.c:1407:9
> scsi_req_continue hw/scsi/scsi-bus.c:1394:9
> do_busid_cmd hw/scsi/esp.c:317:9
> handle_s_without_atn hw/scsi/esp.c:393:9
> esp_reg_write hw/scsi/esp.c:1029:13
> esp_pci_io_write hw/scsi/esp-pci.c:215:9
> memory_region_write_accessor softmmu/memory.c:491:5
> access_with_adjusted_size softmmu/memory.c:552:18
> memory_region_dispatch_write softmmu/memory.c:1502:16
> flatview_write_continue softmmu/physmem.c:2746:23
> flatview_write softmmu/physmem.c:2786:14
> address_space_write softmmu/physmem.c:2878:18
> cpu_outl softmmu/ioport.c:80:5
>
> Based-on: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
> tests/qtest/am53c974-test.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> The patch took care of the handle_satn_stop assert. Here's a test case
> for the other assert.
Great! I've squashed the get_cmd() changes into a v4 version of the patchset.
> Pasteable:
>
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
> id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xc000
> outl 0xcf8 0x80001004
> outw 0xcfc 0x01
> outl 0xc00b 0x4100
> outb 0xc008 0x42
> outw 0xc03f 0x0300
> outl 0xc00b 0xc100
> EOF
>
>
> diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
> index 9c4285d0c0..506276677a 100644
> --- a/tests/qtest/am53c974-test.c
> +++ b/tests/qtest/am53c974-test.c
> @@ -9,6 +9,22 @@
>
> #include "libqos/libqtest.h"
>
> +static void test_do_cmd_assert(void)
> +{
> + QTestState *s = qtest_init(
> + "-device am53c974,id=scsi "
> + "-device scsi-hd,drive=disk0 -drive "
> + "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
> + qtest_outl(s, 0xcf8, 0x80001010);
> + qtest_outl(s, 0xcfc, 0xc000);
> + qtest_outl(s, 0xcf8, 0x80001004);
> + qtest_outw(s, 0xcfc, 0x01);
> + qtest_outl(s, 0xc00b, 0x4100);
> + qtest_outb(s, 0xc008, 0x42);
> + qtest_outw(s, 0xc03f, 0x0300);
> + qtest_outl(s, 0xc00b, 0xc100);
> + qtest_quit(s);
> +}
>
> static void test_cmdfifo_underflow_ok(void)
> {
> @@ -194,6 +210,8 @@ int main(int argc, char **argv)
> g_test_init(&argc, &argv, NULL);
>
> if (strcmp(arch, "i386") == 0) {
> + qtest_add_func("am53c974/test_do_cmd_asser",
> + test_do_cmd_assert);
> qtest_add_func("am53c974/test_cmdfifo_underflow_ok",
> test_cmdfifo_underflow_ok);
> qtest_add_func("am53c974/test_cmdfifo_underflow2_ok",
When I try this patch on top of the v4 patchset I don't get an assert() in
esp_transfer_data here?
ATB,
Mark.
On 03/04/2021 15:38, Mark Cave-Ayland wrote:
> On 02/04/2021 17:20, Alexander Bulekov wrote:
>
>> Original crash:
>> qemu-fuzz-i386: ../hw/scsi/esp.c:791: void esp_transfer_data(SCSIRequest *,
>> uint32_t): Assertion `!s->do_cmd' failed.
>> ==257532== ERROR: libFuzzer: deadly signal
>> __assert_fail assert/assert.c:101:3
>> esp_transfer_data hw/scsi/esp.c:791:5
>> scsi_req_data hw/scsi/scsi-bus.c:1412:9
>> scsi_disk_emulate_read_data hw/scsi/scsi-disk.c:1407:9
>> scsi_req_continue hw/scsi/scsi-bus.c:1394:9
>> do_busid_cmd hw/scsi/esp.c:317:9
>> handle_s_without_atn hw/scsi/esp.c:393:9
>> esp_reg_write hw/scsi/esp.c:1029:13
>> esp_pci_io_write hw/scsi/esp-pci.c:215:9
>> memory_region_write_accessor softmmu/memory.c:491:5
>> access_with_adjusted_size softmmu/memory.c:552:18
>> memory_region_dispatch_write softmmu/memory.c:1502:16
>> flatview_write_continue softmmu/physmem.c:2746:23
>> flatview_write softmmu/physmem.c:2786:14
>> address_space_write softmmu/physmem.c:2878:18
>> cpu_outl softmmu/ioport.c:80:5
>>
>> Based-on: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
>> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
>> ---
>> tests/qtest/am53c974-test.c | 18 ++++++++++++++++++
>> 1 file changed, 18 insertions(+)
>>
>> The patch took care of the handle_satn_stop assert. Here's a test case
>> for the other assert.
>
> Great! I've squashed the get_cmd() changes into a v4 version of the patchset.
>
>> Pasteable:
>>
>> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
>> 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
>> id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
>> outl 0xcf8 0x80001010
>> outl 0xcfc 0xc000
>> outl 0xcf8 0x80001004
>> outw 0xcfc 0x01
>> outl 0xc00b 0x4100
>> outb 0xc008 0x42
>> outw 0xc03f 0x0300
>> outl 0xc00b 0xc100
>> EOF
>>
>>
>> diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
>> index 9c4285d0c0..506276677a 100644
>> --- a/tests/qtest/am53c974-test.c
>> +++ b/tests/qtest/am53c974-test.c
>> @@ -9,6 +9,22 @@
>> #include "libqos/libqtest.h"
>> +static void test_do_cmd_assert(void)
>> +{
>> + QTestState *s = qtest_init(
>> + "-device am53c974,id=scsi "
>> + "-device scsi-hd,drive=disk0 -drive "
>> + "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
>> + qtest_outl(s, 0xcf8, 0x80001010);
>> + qtest_outl(s, 0xcfc, 0xc000);
>> + qtest_outl(s, 0xcf8, 0x80001004);
>> + qtest_outw(s, 0xcfc, 0x01);
>> + qtest_outl(s, 0xc00b, 0x4100);
>> + qtest_outb(s, 0xc008, 0x42);
>> + qtest_outw(s, 0xc03f, 0x0300);
>> + qtest_outl(s, 0xc00b, 0xc100);
>> + qtest_quit(s);
>> +}
>> static void test_cmdfifo_underflow_ok(void)
>> {
>> @@ -194,6 +210,8 @@ int main(int argc, char **argv)
>> g_test_init(&argc, &argv, NULL);
>> if (strcmp(arch, "i386") == 0) {
>> + qtest_add_func("am53c974/test_do_cmd_asser",
>> + test_do_cmd_assert);
>> qtest_add_func("am53c974/test_cmdfifo_underflow_ok",
>> test_cmdfifo_underflow_ok);
>> qtest_add_func("am53c974/test_cmdfifo_underflow2_ok",
>
> When I try this patch on top of the v4 patchset I don't get an assert() in
> esp_transfer_data here?
If I also revert the suggested updates for get_cmd() then I don't get the assert()
either, so I believe this particular case is already covered by the existing tests.
I'll drop this change for v4.
ATB,
Mark.
On 02/04/2021 17:20, Alexander Bulekov wrote:
> Original crash:
> qemu-fuzz-i386: ../hw/scsi/esp.c:791: void esp_transfer_data(SCSIRequest *, uint32_t): Assertion `!s->do_cmd' failed.
> ==257532== ERROR: libFuzzer: deadly signal
> __assert_fail assert/assert.c:101:3
> esp_transfer_data hw/scsi/esp.c:791:5
> scsi_req_data hw/scsi/scsi-bus.c:1412:9
> scsi_disk_emulate_read_data hw/scsi/scsi-disk.c:1407:9
> scsi_req_continue hw/scsi/scsi-bus.c:1394:9
> do_busid_cmd hw/scsi/esp.c:317:9
> handle_s_without_atn hw/scsi/esp.c:393:9
> esp_reg_write hw/scsi/esp.c:1029:13
> esp_pci_io_write hw/scsi/esp-pci.c:215:9
> memory_region_write_accessor softmmu/memory.c:491:5
> access_with_adjusted_size softmmu/memory.c:552:18
> memory_region_dispatch_write softmmu/memory.c:1502:16
> flatview_write_continue softmmu/physmem.c:2746:23
> flatview_write softmmu/physmem.c:2786:14
> address_space_write softmmu/physmem.c:2878:18
> cpu_outl softmmu/ioport.c:80:5
>
> Based-on: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
> tests/qtest/am53c974-test.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> The patch took care of the handle_satn_stop assert. Here's a test case
> for the other assert.
Even though I can't reproduce the assert() here, looking at the code I think I can
see how do_cmd is not being reset when a DMA command is issued. Does the following
solve the outstanding fuzzer asserts?
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 0037197bdb..b668acef82 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -357,6 +357,7 @@ static void handle_satn(ESPState *s)
cmdlen = get_cmd(s, ESP_CMDFIFO_SZ);
if (cmdlen > 0) {
s->cmdfifo_cdb_offset = 1;
+ s->do_cmd = 0;
do_cmd(s);
} else if (cmdlen == 0) {
s->do_cmd = 1;
@@ -390,6 +391,7 @@ static void handle_s_without_atn(ESPState *s)
cmdlen = get_cmd(s, ESP_CMDFIFO_SZ);
if (cmdlen > 0) {
s->cmdfifo_cdb_offset = 0;
+ s->do_cmd = 0;
do_busid_cmd(s, 0);
} else if (cmdlen == 0) {
s->do_cmd = 1;
ATB,
Mark.
On 210407 1404, Mark Cave-Ayland wrote:
>
> Even though I can't reproduce the assert() here, looking at the code I think
> I can see how do_cmd is not being reset when a DMA command is issued. Does
> the following solve the outstanding fuzzer asserts?
Hi Mark,
I guess there must have been something timing-sensitive in the
reproducer... Too bad it didn't work.
>
> diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
> index 0037197bdb..b668acef82 100644
> --- a/hw/scsi/esp.c
> +++ b/hw/scsi/esp.c
> @@ -357,6 +357,7 @@ static void handle_satn(ESPState *s)
> cmdlen = get_cmd(s, ESP_CMDFIFO_SZ);
> if (cmdlen > 0) {
> s->cmdfifo_cdb_offset = 1;
> + s->do_cmd = 0;
> do_cmd(s);
> } else if (cmdlen == 0) {
> s->do_cmd = 1;
> @@ -390,6 +391,7 @@ static void handle_s_without_atn(ESPState *s)
> cmdlen = get_cmd(s, ESP_CMDFIFO_SZ);
> if (cmdlen > 0) {
> s->cmdfifo_cdb_offset = 0;
> + s->do_cmd = 0;
> do_busid_cmd(s, 0);
> } else if (cmdlen == 0) {
> s->do_cmd = 1;
>
With this applied, I don't see either of those asserts anymore.
Thank you!
-Alex
>
> ATB,
>
> Mark.
On 07/04/2021 15:49, Alexander Bulekov wrote:
> Hi Mark,
> I guess there must have been something timing-sensitive in the
> reproducer... Too bad it didn't work.
Yeah, it would have been nice to have something that could be triggered directly by a
test but never mind.
>> diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
>> index 0037197bdb..b668acef82 100644
>> --- a/hw/scsi/esp.c
>> +++ b/hw/scsi/esp.c
>> @@ -357,6 +357,7 @@ static void handle_satn(ESPState *s)
>> cmdlen = get_cmd(s, ESP_CMDFIFO_SZ);
>> if (cmdlen > 0) {
>> s->cmdfifo_cdb_offset = 1;
>> + s->do_cmd = 0;
>> do_cmd(s);
>> } else if (cmdlen == 0) {
>> s->do_cmd = 1;
>> @@ -390,6 +391,7 @@ static void handle_s_without_atn(ESPState *s)
>> cmdlen = get_cmd(s, ESP_CMDFIFO_SZ);
>> if (cmdlen > 0) {
>> s->cmdfifo_cdb_offset = 0;
>> + s->do_cmd = 0;
>> do_busid_cmd(s, 0);
>> } else if (cmdlen == 0) {
>> s->do_cmd = 1;
>>
>
> With this applied, I don't see either of those asserts anymore.
> Thank you!
> -Alex
Awesome! I'll include this in v4. BTW does this now mean that the am53c974 survives a
run through your fuzzer corpus?
ATB,
Mark.
© 2016 - 2024 Red Hat, Inc.