From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:23 +0100
Message-Id: <20210401074933.9923-2-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 01/11] esp: always check current_req is not NULL before use in DMA callbacks

After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel callback which resets both current_req and current_dev to NULL. If any data is left in the transfer buffer (async_len != 0) then the next TI (Transfer Information) command will attempt to reference the NULL pointer causing a segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland Tested-by: Alexander Bulekov --- hw/scsi/esp.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 507ab363bc..bafea0d4e6 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -496,6 +496,10 @@ static void do_dma_pdma_cb(ESPState *s) return; } =20 + if (!s->current_req) { + return; + } + if (to_device) { /* Copy FIFO data to device */ len =3D MIN(s->async_len, ESP_FIFO_SZ); @@ -527,11 +531,9 @@ static void do_dma_pdma_cb(ESPState *s) return; } else { if (s->async_len =3D=3D 0) { - if (s->current_req) { - /* Defer until the scsi layer has completed */ - scsi_req_continue(s->current_req); - s->data_in_ready =3D false; - } + /* Defer until the scsi layer has completed */ + scsi_req_continue(s->current_req); + s->data_in_ready =3D false; return; } =20 @@ -604,6 +606,9 @@ static void esp_do_dma(ESPState *s) } return; } + if (!s->current_req) { + return; + } if (s->async_len =3D=3D 0) { /* Defer until data is available. */ return; 
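Review bot: the new `if (!s->current_req) { return; }` guards in do_dma_pdma_cb and esp_do_dma bail out silently, so the situation the commit message describes (the SCSI layer has cancelled the request while async_len is still non-zero and the guest issues another TI) leaves no record at all; a trace point or a qemu_log_mask(LOG_GUEST_ERROR, ...) at the early return would keep the reproductions behind the two linked bug reports observable instead of merely non-crashing. Dropping the inner `if (s->current_req)` in the async_len == 0 branch of do_dma_pdma_cb is consistent with the new function-level guard.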
@@ -713,6 +718,10 @@ static void esp_do_nodma(ESPState *s) return; } =20 + if (!s->current_req) { + return; + } + if (s->async_len =3D=3D 0) { /* Defer until data is available. */ return; --=20 2.20.1
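Review bot: this esp_do_nodma hunk is the third copy of the same `if (!s->current_req) { return; }` check in one patch (do_dma_pdma_cb, esp_do_dma, esp_do_nodma). Since the field is cleared from the SCSIBusInfo .cancel path rather than by ESP code, a one-line comment at each check saying that current_req may legitimately be NULL after a cancel would stop a later cleanup from treating the guards as dead code; alternatively the three sites could share a small inline helper so they cannot drift apart.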

From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:24 +0100
Message-Id: <20210401074933.9923-3-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 02/11] esp: rework write_response() to avoid using the FIFO for DMA transactions

The code for write_response() has always used the FIFO to store the data for the status/message in phases, even for DMA transactions. Switch to using a separate buffer that can be used directly for DMA transactions and restrict the FIFO use to the non-DMA case.
Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daud=C3=A9 Tested-by: Alexander Bulekov --- hw/scsi/esp.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index bafea0d4e6..26fe1dcb9d 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -445,18 +445,16 @@ static void write_response_pdma_cb(ESPState *s) =20 static void write_response(ESPState *s) { - uint32_t n; + uint8_t buf[2]; =20 trace_esp_write_response(s->status); =20 - fifo8_reset(&s->fifo); - esp_fifo_push(s, s->status); - esp_fifo_push(s, 0); + buf[0] =3D s->status; + buf[1] =3D 0; =20 if (s->dma) { if (s->dma_memory_write) { - s->dma_memory_write(s->dma_opaque, - (uint8_t *)fifo8_pop_buf(&s->fifo, 2, &n),= 2); + s->dma_memory_write(s->dma_opaque, buf, 2); s->rregs[ESP_RSTAT] =3D STAT_TC | STAT_ST; s->rregs[ESP_RINTR] |=3D INTR_BS | INTR_FC; s->rregs[ESP_RSEQ] =3D SEQ_CD; 
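Review bot: buf[] is now a 2-byte stack array handed to `s->dma_memory_write(s->dma_opaque, buf, 2)`, whereas the bytes previously lived in the FIFO inside ESPState for the rest of the transaction. That is correct only if every dma_memory_write implementation consumes the bytes synchronously before returning, which the old fifo8_pop_buf() pointer also assumed, but the lifetime change is worth one sentence in the commit message so a future asynchronous DMA backend does not pick up a dangling pointer.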
@@ -466,7 +464,8 @@ static void write_response(ESPState *s) return; } } else { - s->ti_size =3D 2; + fifo8_reset(&s->fifo); + fifo8_push_all(&s->fifo, buf, 2); s->rregs[ESP_RFLAGS] =3D 2; } esp_raise_irq(s); --=20 2.20.1
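Review bot: the non-DMA branch drops `s->ti_size = 2;` and replaces it with fifo8_reset()/fifo8_push_all() while keeping `s->rregs[ESP_RFLAGS] = 2;`, but the commit message only describes moving the DMA path off the FIFO. Please state why ti_size no longer needs to track the two status/message bytes in the non-DMA case (or that the read-out path now relies on RFLAGS alone), since this is the one behavioural change in the patch that is not a plain buffer swap.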

From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:25 +0100
Message-Id: <20210401074933.9923-4-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 03/11] esp: consolidate esp_cmdfifo_push() into esp_fifo_push()

Each FIFO currently has its own push functions with the only difference being the capacity check. The original reason for this was that the fifo8 implementation doesn't have a formal API for retrieving the FIFO capacity, however there are multiple examples within QEMU where the capacity field is accessed directly.

Change esp_fifo_push() to access the FIFO capacity directly and then consolidate esp_cmdfifo_push() into esp_fifo_push().
Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daud=C3=A9 Tested-by: Alexander Bulekov --- hw/scsi/esp.c | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 26fe1dcb9d..16aaf8be93 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -98,16 +98,15 @@ void esp_request_cancelled(SCSIRequest *req) } } =20 -static void esp_fifo_push(ESPState *s, uint8_t val) +static void esp_fifo_push(Fifo8 *fifo, uint8_t val) { - if (fifo8_num_used(&s->fifo) =3D=3D ESP_FIFO_SZ) { + if (fifo8_num_used(fifo) =3D=3D fifo->capacity) { trace_esp_error_fifo_overrun(); return; } =20 - fifo8_push(&s->fifo, val); + fifo8_push(fifo, val); } - static uint8_t esp_fifo_pop(ESPState *s) { if (fifo8_is_empty(&s->fifo)) { @@ -117,16 +116,6 @@ static uint8_t esp_fifo_pop(ESPState *s) return fifo8_pop(&s->fifo); } =20 -static void esp_cmdfifo_push(ESPState *s, uint8_t val) -{ - if (fifo8_num_used(&s->cmdfifo) =3D=3D ESP_CMDFIFO_SZ) { - trace_esp_error_fifo_overrun(); - return; - } - - fifo8_push(&s->cmdfifo, val); -} - static uint8_t esp_cmdfifo_pop(ESPState *s) { if (fifo8_is_empty(&s->cmdfifo)) { @@ -187,9 +176,9 @@ static void esp_pdma_write(ESPState *s, uint8_t val) } =20 if (s->do_cmd) { - esp_cmdfifo_push(s, val); + esp_fifo_push(&s->cmdfifo, val); } else { - esp_fifo_push(s, val); + esp_fifo_push(&s->fifo, val); } =20 dmalen--; @@ -645,7 +634,7 @@ static void esp_do_dma(ESPState *s) */ if (len < esp_get_tc(s) && esp_get_tc(s) <=3D ESP_FIFO_SZ) { while (fifo8_num_used(&s->fifo) < ESP_FIFO_SZ) { - esp_fifo_push(s, 0); + esp_fifo_push(&s->fifo, 0); len++; } } 
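Review bot: the esp_fifo_push hunk also deletes the blank line between the function's closing brace and `static uint8_t esp_fifo_pop(ESPState *s)`, and patch 05/11 of this series adds that same blank line back; drop the stray whitespace change here. On the check itself, `fifo8_num_used(fifo) == fifo->capacity` reaches into the struct as the commit message acknowledges, while fifo8_is_full(fifo) from qemu/fifo8.h expresses the identical condition through the existing API and would avoid the direct field access altogether.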
@@ -947,9 +936,9 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_= t val) break; case ESP_FIFO: if (s->do_cmd) { - esp_cmdfifo_push(s, val); + esp_fifo_push(&s->cmdfifo, val); } else { - esp_fifo_push(s, val); + esp_fifo_push(&s->fifo, val); } =20 /* Non-DMA transfers raise an interrupt after every byte */ --=20 2.20.1
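Review bot: the `if (s->do_cmd) { esp_fifo_push(&s->cmdfifo, val); } else { esp_fifo_push(&s->fifo, val); }` selection now appears verbatim in esp_pdma_write and in this esp_reg_write hunk; a tiny helper returning `s->do_cmd ? &s->cmdfifo : &s->fifo` would keep the call sites from drifting once the pop side is consolidated the same way.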

From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:26 +0100
Message-Id: <20210401074933.9923-5-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 04/11] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()

Each FIFO currently has its own pop functions with the only difference being the capacity check. The original reason for this was that the fifo8 implementation doesn't have a formal API for retrieving the FIFO capacity, however there are multiple examples within QEMU where the capacity field is accessed directly.

Change esp_fifo_pop() to access the FIFO capacity directly and then consolidate esp_cmdfifo_pop() into esp_fifo_pop().
Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daud=C3=A9 Tested-by: Alexander Bulekov --- hw/scsi/esp.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 16aaf8be93..ce88866803 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -107,22 +107,13 @@ static void esp_fifo_push(Fifo8 *fifo, uint8_t val) =20 fifo8_push(fifo, val); } -static uint8_t esp_fifo_pop(ESPState *s) +static uint8_t esp_fifo_pop(Fifo8 *fifo) { - if (fifo8_is_empty(&s->fifo)) { + if (fifo8_is_empty(fifo)) { return 0; } =20 - return fifo8_pop(&s->fifo); -} - -static uint8_t esp_cmdfifo_pop(ESPState *s) -{ - if (fifo8_is_empty(&s->cmdfifo)) { - return 0; - } - - return fifo8_pop(&s->cmdfifo); + return fifo8_pop(fifo); } =20 static uint32_t esp_get_tc(ESPState *s) @@ -159,9 +150,9 @@ static uint8_t esp_pdma_read(ESPState *s) uint8_t val; =20 if (s->do_cmd) { - val =3D esp_cmdfifo_pop(s); + val =3D esp_fifo_pop(&s->cmdfifo); } else { - val =3D esp_fifo_pop(s); + val =3D esp_fifo_pop(&s->fifo); } =20 return val; 
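Review bot: the commit message says esp_fifo_pop() is changed "to access the FIFO capacity directly", but the hunk shows the function only tests fifo8_is_empty(fifo) and never touches capacity, so that sentence is a leftover from 03/11 and should instead say that the only difference between the two pop helpers was which Fifo8 they read. Also, esp_fifo_pop() returns 0 silently on an empty FIFO while esp_fifo_push() calls trace_esp_error_fifo_overrun() on the mirror case; a matching underrun trace (name to be chosen, none exists in this hunk) would make guest-driven underruns visible in the trace log.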
@@ -887,7 +878,7 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n= "); s->rregs[ESP_FIFO] =3D 0; } else { - s->rregs[ESP_FIFO] =3D esp_fifo_pop(s); + s->rregs[ESP_FIFO] =3D esp_fifo_pop(&s->fifo); } val =3D s->rregs[ESP_FIFO]; break; --=20 2.20.1

From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:27 +0100
Message-Id: <20210401074933.9923-6-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 05/11] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()

The const pointer returned by fifo8_pop_buf() lies directly within the array used to model the FIFO. Building with address sanitisers enabled shows that if the caller expects a minimum number of bytes present then if the FIFO is nearly full, the caller may unexpectedly access past the end of the array.
Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a memcpy() in it to guarantee that the caller cannot overwrite the FIFO array= and update all callers to use it. Similarly add underflow protection similar to esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert() the operation becomes a no-op. Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daud=C3=A9 Tested-by: Alexander Bulekov --- hw/scsi/esp.c | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index ce88866803..1aa2caf57d 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -107,6 +107,7 @@ static void esp_fifo_push(Fifo8 *fifo, uint8_t val) =20 fifo8_push(fifo, val); } + static uint8_t esp_fifo_pop(Fifo8 *fifo) { if (fifo8_is_empty(fifo)) { @@ -116,6 +117,23 @@ static uint8_t esp_fifo_pop(Fifo8 *fifo) return fifo8_pop(fifo); } =20 +static uint32_t esp_fifo_pop_buf(Fifo8 *fifo, uint8_t *dest, int maxlen) +{ + const uint8_t *buf; + uint32_t n; + + if (maxlen =3D=3D 0) { + return 0; + } + + buf =3D fifo8_pop_buf(fifo, maxlen, &n); + if (dest) { + memcpy(dest, buf, n); + } + + return n; +} + static uint32_t esp_get_tc(ESPState *s) { uint32_t dmalen; @@ -240,11 +258,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) if (dmalen =3D=3D 0) { return 0; } - memcpy(buf, fifo8_pop_buf(&s->fifo, dmalen, &n), dmalen); - if (dmalen >=3D 3) { + n =3D esp_fifo_pop_buf(&s->fifo, buf, dmalen); + if (n >=3D 3) { buf[0] =3D buf[2] >> 5; } - fifo8_push_all(&s->cmdfifo, buf, dmalen); + fifo8_push_all(&s->cmdfifo, buf, n); } trace_esp_get_cmd(dmalen, target); =20 
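Review bot: esp_fifo_pop_buf() only guards `maxlen == 0`; the commit message promises underflow protection so that the operation becomes a no-op instead of an assert(), but a maxlen larger than fifo8_num_used(fifo) still goes straight into fifo8_pop_buf(), so either clamp with `maxlen = MIN(maxlen, fifo8_num_used(fifo));` before the call or explain in the commit message why every caller guarantees the bound. Separately, the returned n can be smaller than maxlen when the FIFO has wrapped (the do_dma_pdma_cb hunk of this patch relies on exactly that), so the get_cmd change to test `n >= 3` and push only n bytes into cmdfifo is the pattern the other callers should follow.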
@@ -257,16 +275,16 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) =20 static void do_busid_cmd(ESPState *s, uint8_t busid) { - uint32_t n, cmdlen; + uint32_t cmdlen; int32_t datalen; int lun; SCSIDevice *current_lun; - uint8_t *buf; + uint8_t buf[ESP_CMDFIFO_SZ]; =20 trace_esp_do_busid_cmd(busid); lun =3D busid & 7; cmdlen =3D fifo8_num_used(&s->cmdfifo); - buf =3D (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); + esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen); =20 current_lun =3D scsi_device_find(&s->bus, 0, s->current_dev->id, lun); s->current_req =3D scsi_req_new(current_lun, 0, lun, buf, s); @@ -299,13 +317,12 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) static void do_cmd(ESPState *s) { uint8_t busid =3D fifo8_pop(&s->cmdfifo); - uint32_t n; =20 s->cmdfifo_cdb_offset--; =20 /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n); + esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); s->cmdfifo_cdb_offset =3D 0; } =20 @@ -483,7 +500,7 @@ static void do_dma_pdma_cb(ESPState *s) /* Copy FIFO data to device */ len =3D MIN(s->async_len, ESP_FIFO_SZ); len =3D MIN(len, fifo8_num_used(&s->fifo)); - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + n =3D esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D n; s->async_len -=3D n; s->ti_size +=3D n; @@ -491,7 +508,7 @@ static void do_dma_pdma_cb(ESPState *s) if (n < len) { /* Unaligned accesses can cause FIFO wraparound */ len =3D len - n; - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + n =3D esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D n; s->async_len -=3D n; s->ti_size +=3D n; @@ -667,7 +684,7 @@ static void esp_do_dma(ESPState *s) static void esp_do_nodma(ESPState *s) { int to_device =3D ((s->rregs[ESP_RSTAT] & 7) =3D=3D STAT_DO); - uint32_t cmdlen, n; + uint32_t cmdlen; int len; =20 if (s->do_cmd) { 
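Review bot: in do_busid_cmd the return value of `esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen)` is discarded and buf, an uninitialised `uint8_t buf[ESP_CMDFIFO_SZ]` on the stack, is passed to scsi_req_new(); when cmdfifo has wrapped, fifo8_pop_buf() returns only the contiguous head, so fewer than cmdlen bytes land in buf and the tail of the CDB is stack garbage, and when cmdlen is 0 an empty CDB is submitted (06/11 covers the empty case). Either loop until cmdlen bytes have been copied, as the do_dma_pdma_cb hunk does with its second pop, or at minimum compare the return value against cmdlen before building the request. The do_cmd hunk's `esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset)` discard is fine given the NULL-dest branch in the helper.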
@@ -708,7 +725,7 @@ static void esp_do_nodma(ESPState *s) =20 if (to_device) { len =3D MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D len; s->async_len -=3D len; s->ti_size +=3D len; --=20 2.20.1
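Review bot: esp_do_nodma ignores the count returned by `esp_fifo_pop_buf(&s->fifo, s->async_buf, len)` and still advances async_buf, async_len and ti_size by len; on FIFO wraparound fewer than len bytes are copied, so the accounting overstates the transfer and the uncopied tail of async_buf is passed on as if it were guest data. The do_dma_pdma_cb hunk in this same patch already handles this with `n = esp_fifo_pop_buf(...)` followed by a second pop for the remainder; the same two-step form belongs here.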
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:28 +0100
Message-Id: <20210401074933.9923-7-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 06/11] esp: ensure cmdfifo is not empty and current_dev is non-NULL

When about to execute a SCSI command, ensure that cmdfifo is not empty and current_dev is non-NULL. This can happen if the guest tries to execute a TI (Transfer Information) command without issuing one of the select commands first.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 1aa2caf57d..4decbbfc29 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -284,6 +284,9 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) trace_esp_do_busid_cmd(busid); lun =3D busid & 7; cmdlen =3D fifo8_num_used(&s->cmdfifo); + if (!cmdlen || !s->current_dev) { + return; + } esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen); =20 current_lun =3D scsi_device_find(&s->bus, 0, s->current_dev->id, lun); --=20 2.20.1
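Review bot: the new early return in do_busid_cmd() does guard the `s->current_dev->id` dereference two lines below, but it bails out silently: no status or interrupt is raised, so a guest that reaches this path (a TI issued without a preceding select, per the commit message) is left with a command that never completes and no indication why. Consider at least a trace point on this path, and state in the commit message why a silent return is the right response rather than signalling an error or disconnect back to the guest.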
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:29 +0100
Message-Id: <20210401074933.9923-8-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 07/11] esp: don't underflow cmdfifo in do_cmd()

If the guest tries to execute a CDB when cmdfifo is not empty before the start of the message out phase then clearing the message out phase data will cause cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of data within.

Since this can only occur by issuing deliberately incorrect instruction sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to the size of the data within cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4decbbfc29..7f49522e1d 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -319,13 +319,15 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) =20 static void do_cmd(ESPState *s) { - uint8_t busid =3D fifo8_pop(&s->cmdfifo); + uint8_t busid =3D esp_fifo_pop(&s->cmdfifo); + int len; =20 s->cmdfifo_cdb_offset--; =20 /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); + len =3D MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo)); + esp_fifo_pop_buf(&s->cmdfifo, NULL, len); s->cmdfifo_cdb_offset =3D 0; } =20 --=20 2.20.1
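Review bot: `len` in the do_cmd() hunk is declared `int` while it receives MIN() of s->cmdfifo_cdb_offset and fifo8_num_used(&s->cmdfifo), both unsigned counts (cmdlen in do_busid_cmd() is uint32_t elsewhere in this series); declare it uint32_t so the comparison and the esp_fifo_pop_buf() argument stay in one signedness. Note also that the unconditional `s->cmdfifo_cdb_offset--` just above still runs when esp_fifo_pop() was applied to an empty cmdfifo, so the offset can wrap or go negative and enter the `if (s->cmdfifo_cdb_offset)` branch with a large value; the new MIN() is what keeps that from underflowing, which deserves a sentence in the commit message since it is the actual fix path.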
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:30 +0100
Message-Id: <20210401074933.9923-9-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd()

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction sequences, ensure that the maximum length of the CDB transferred to cmdfifo is limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 7f49522e1d..c547c60395 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -243,6 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) } if (s->dma_memory_read) { s->dma_memory_read(s->dma_opaque, buf, dmalen); + dmalen =3D MIN(fifo8_num_free(&s->fifo), dmalen); fifo8_push_all(&s->cmdfifo, buf, dmalen); } else { if (esp_select(s) < 0) { --=20 2.20.1
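Review bot: the clamp in the get_cmd() hunk checks the free space of the wrong FIFO: `dmalen = MIN(fifo8_num_free(&s->fifo), dmalen)` bounds against s->fifo, but the fifo8_push_all() on the next line pushes into s->cmdfifo, which is the overflow the commit message describes. It should read `fifo8_num_free(&s->cmdfifo)`; as written, a cmdfifo with less free space than s->fifo still overflows. Separately, the clamp comes after s->dma_memory_read() has already written `dmalen` bytes into `buf`, so it protects cmdfifo but not `buf`; the bound that keeps `dmalen` within sizeof(buf) must come earlier in the function, outside this hunk, and is worth confirming.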
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:31 +0100
Message-Id: <20210401074933.9923-10-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 09/11] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size

If a guest transfers the message out/command phase data using DMA with a TC that is larger than the cmdfifo size then the cmdfifo overflows triggering an assert. Limit the size of the transfer to the free space available in cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1919036
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index c547c60395..b7f2680617 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -577,6 +577,7 @@ static void esp_do_dma(ESPState *s) cmdlen =3D fifo8_num_used(&s->cmdfifo); trace_esp_do_dma(cmdlen, len); if (s->dma_memory_read) { + len =3D MIN(len, fifo8_num_free(&s->cmdfifo)); s->dma_memory_read(s->dma_opaque, buf, len); fifo8_push_all(&s->cmdfifo, buf, len); } else { --=20 2.20.1
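Review bot: the clamp `len = MIN(len, fifo8_num_free(&s->cmdfifo))` in the esp_do_dma() hunk sits after trace_esp_do_dma(cmdlen, len), so the trace reports the pre-clamp length while fewer bytes are actually transferred; move the clamp above the trace call so the two agree. The clamp is also applied only in the dma_memory_read branch; the else branch that follows is outside the hunk and needs the same bound if it pushes into cmdfifo.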
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:32 +0100
Message-Id: <20210401074933.9923-11-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 10/11] esp: don't reset async_len directly in esp_select() if cancelling request

Instead let the SCSI layer invoke the .cancel callback itself to cancel and reset the request state.

Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index b7f2680617..ca062a0400 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -95,6 +95,7 @@ void esp_request_cancelled(SCSIRequest *req) scsi_req_unref(s->current_req); s->current_req =3D NULL; s->current_dev =3D NULL; + s->async_len =3D 0; } } =20 
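Review bot: in the esp_request_cancelled() hunk `s->async_len = 0` is added inside the branch that also clears current_req and current_dev (the branch condition sits above the hunk, presumably a check that `req` is the current request), so a cancelled request that is not s->current_req leaves async_len untouched, whereas the line removed from esp_select() reset it unconditionally. If that narrowing is intended, say so in the commit message; otherwise move the reset outside the branch. async_buf is not reset alongside async_len either, leaving a stale pointer with a zero length; clearing the pair together would be cleaner.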
@@ -206,7 +207,6 @@ static int esp_select(ESPState *s) if (s->current_req) { /* Started a new command before the old one finished. Cancel it. = */ scsi_req_cancel(s->current_req); - s->async_len =3D 0; } =20 s->current_dev =3D scsi_device_find(&s->bus, 0, target, 0); --=20 2.20.1
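Review bot: removing `s->async_len = 0` after scsi_req_cancel(s->current_req) in esp_select() makes the reset depend on scsi_req_cancel() invoking the .cancel callback (esp_request_cancelled) synchronously, before esp_select() goes on to select the new device; if the callback can run later, async_len keeps its old value across the new selection. The commit message only says "let the SCSI layer invoke the .cancel callback itself" and does not state that this happens synchronously; a comment next to the scsi_req_cancel() call noting that the callback clears async_len would make the dependency visible to the next person editing this path.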
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Thu, 1 Apr 2021 08:49:33 +0100
Message-Id: <20210401074933.9923-12-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v3 11/11] tests/qtest: add tests for am53c974 device

Use the autogenerated fuzzer test cases as the basis for a set of am53c974 regression tests.

Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
---
 MAINTAINERS                 |   1 +
 tests/qtest/am53c974-test.c | 216 ++++++++++++++++++++++++++++++++++++
 tests/qtest/meson.build     |   1 +
 3 files changed, 218 insertions(+)
 create mode 100644 tests/qtest/am53c974-test.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 554be84b32..675f35d3af 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS @@ -1776,6 +1776,7 @@ F: include/hw/scsi/* F: hw/scsi/* F: tests/qtest/virtio-scsi-test.c F: tests/qtest/fuzz-virtio-scsi-test.c +F: tests/qtest/am53c974-test.c T: git https://github.com/bonzini/qemu.git scsi-next =20 SSI diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c new file mode 100644 index 0000000000..9c4285d0c0 --- /dev/null +++ b/tests/qtest/am53c974-test.c 
@@ -0,0 +1,216 @@ +/* + * QTest testcase for am53c974 + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + + +static void test_cmdfifo_underflow_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0x8a000000); + qtest_outl(s, 0x8a09, 0x42000000); + qtest_outl(s, 0x8a0d, 0x00); + qtest_outl(s, 0x8a0b, 0x1000); + qtest_quit(s); +} + +/* Reported as crash_1548bd10e7 */ +static void test_cmdfifo_underflow2_ok(void) +{ + QTestState *s =3D qtest_init( + "-m 512M -device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 
0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} + +static void test_cmdfifo_overflow_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0x0e000000); + qtest_outl(s, 0xe40, 0x03); + qtest_outl(s, 0xe0b, 0x4100); + qtest_outl(s, 0xe0b, 0x9000); + qtest_quit(s); +} + +/* Reported as crash_530ff2e211 */ +static void test_cmdfifo_overflow2_ok(void) +{ + QTestState *s =3D qtest_init( + "-m 512M -device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc03f, 0x0300); + qtest_quit(s); +} + +/* Reported as crash_0900379669 */ +static void test_fifo_pop_buf(void) +{ + QTestState *s =3D qtest_init( + "-m 512M -device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outb(s, 0xc008, 0xa0); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 
0xc00b, 0x1000); + qtest_quit(s); +} + +static void test_target_selected_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001001); + qtest_outl(s, 0xcfc, 0x01000000); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0xef800000); + qtest_outl(s, 0xef8b, 0x4100); + qtest_outw(s, 0xef80, 0x01); + qtest_outl(s, 0xefc0, 0x03); + qtest_outl(s, 0xef8b, 0xc100); + qtest_outl(s, 0xef8b, 0x9000); + qtest_quit(s); +} + +static void test_fifo_underflow_on_write_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc008, 0x0a); + qtest_outl(s, 0xc009, 0x41000000); + qtest_outl(s, 0xc009, 0x41000000); + qtest_outl(s, 0xc00b, 0x1000); + qtest_quit(s); +} + +static void test_cancelled_request_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x05); + qtest_outb(s, 0xc046, 0x02); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outl(s, 0xc040, 0x03); + qtest_outl(s, 0xc040, 0x03); + qtest_bufwrite(s, 0x0, "\x41", 0x1); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outw(s, 0xc040, 0x02); + qtest_outw(s, 0xc040, 0x81); + qtest_outl(s, 0xc00b, 0x9000); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch =3D qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") =3D=3D 0) { + qtest_add_func("am53c974/test_cmdfifo_underflow_ok", + 
test_cmdfifo_underflow_ok); + qtest_add_func("am53c974/test_cmdfifo_underflow2_ok", + test_cmdfifo_underflow2_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow_ok", + test_cmdfifo_overflow_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow2_ok", + test_cmdfifo_overflow2_ok); + qtest_add_func("am53c974/test_fifo_pop_buf", + test_fifo_pop_buf); + qtest_add_func("am53c974/test_target_selected_ok", + test_target_selected_ok); + qtest_add_func("am53c974/test_fifo_underflow_on_write_ok", + test_fifo_underflow_on_write_ok); + qtest_add_func("am53c974/test_cancelled_request_ok", + test_cancelled_request_ok); + } + + return g_test_run(); +} diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 902cfef7cb..25f605cf1d 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -68,6 +68,7 @@ qtests_i386 =3D \ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test= '] : []) + \ (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : [= ]) + \ (config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ? ['fuzz-e1000e= -test'] : []) + \ + (config_all_devices.has_key('CONFIG_ESP_PCI') ? ['am53c974-test'] : []) = + \ qtests_pci + = \ ['fdc-test', 'ide-test', --=20 2.20.1
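Review bot: main() in am53c974-test.c registers the test cases only when qtest_get_arch() returns "i386"; if the same qtests_i386 list is also used for the x86_64 target, the binary registers nothing there and passes vacuously, so either drop the strcmp() or accept both architectures. Two smaller points in the same hunk: the register writes are bare port numbers (0xc00b, 0xe0b, 0x8a09 and so on) with no comment saying which ESP register or which bug each sequence exercises, and only three functions carry a "Reported as crash_..." comment; citing the Buglink for each case (patches 06 to 09 in this series list them) would make it clear which regression each test guards. The naming is also inconsistent: test_fifo_pop_buf lacks the _ok suffix the other seven tests use.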