From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:50 +0100
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210407195801.685-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 01/12] esp: always check current_req is not NULL before use in DMA callbacks

After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data is
left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 507ab363bc..bafea0d4e6 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -496,6 +496,10 @@ static void do_dma_pdma_cb(ESPState *s) return; } =20 + if (!s->current_req) { + return; + } + if (to_device) { /* Copy FIFO data to device */ len =3D MIN(s->async_len, ESP_FIFO_SZ); @@ -527,11 +531,9 @@ static void do_dma_pdma_cb(ESPState *s) return; } else { if (s->async_len =3D=3D 0) { - if (s->current_req) { - /* Defer until the scsi layer has completed */ - scsi_req_continue(s->current_req); - s->data_in_ready =3D false; - } + /* Defer until the scsi layer has completed */ + scsi_req_continue(s->current_req); + s->data_in_ready =3D false; return; } =20 @@ -604,6 +606,9 @@ static void esp_do_dma(ESPState *s) } return; } + if (!s->current_req) { + return; + } if (s->async_len =3D=3D 0) { /* Defer until data is available. */ return; 
@@ -713,6 +718,10 @@ static void esp_do_nodma(ESPState *s) return; } =20 + if (!s->current_req) { + return; + } + if (s->async_len =3D=3D 0) { /* Defer until data is available. */ return; --=20 2.20.1
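
Review bot: in the second do_dma_pdma_cb() hunk of patch 01/12, scsi_req_continue(s->current_req) is now called without its own NULL test and is safe only because of the `if (!s->current_req)` return added near the top of the function. A one-line comment at that early return, saying that current_req is cleared by the SCSIBusInfo .cancel callback, would keep a later refactor from separating the two. The same guard in esp_do_dma() is also missing the blank lines that surround it in do_dma_pdma_cb() and esp_do_nodma().
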
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:51 +0100
Message-Id: <20210407195801.685-3-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210407195801.685-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 02/12] esp: rework write_response() to avoid using the FIFO for DMA transactions

The code for write_response() has always used the FIFO to store the data for
the status/message in phases, even for DMA transactions. Switch to using a
separate buffer that can be used directly for DMA transactions and restrict
the FIFO use to the non-DMA case.
Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/scsi/esp.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index bafea0d4e6..26fe1dcb9d 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -445,18 +445,16 @@ static void write_response_pdma_cb(ESPState *s) =20 static void write_response(ESPState *s) { - uint32_t n; + uint8_t buf[2]; =20 trace_esp_write_response(s->status); =20 - fifo8_reset(&s->fifo); - esp_fifo_push(s, s->status); - esp_fifo_push(s, 0); + buf[0] =3D s->status; + buf[1] =3D 0; =20 if (s->dma) { if (s->dma_memory_write) { - s->dma_memory_write(s->dma_opaque, - (uint8_t *)fifo8_pop_buf(&s->fifo, 2, &n),= 2); + s->dma_memory_write(s->dma_opaque, buf, 2); s->rregs[ESP_RSTAT] =3D STAT_TC | STAT_ST; s->rregs[ESP_RINTR] |=3D INTR_BS | INTR_FC; s->rregs[ESP_RSEQ] =3D SEQ_CD; 
@@ -466,7 +464,8 @@ static void write_response(ESPState *s) return; } } else { - s->ti_size =3D 2; + fifo8_reset(&s->fifo); + fifo8_push_all(&s->fifo, buf, 2); s->rregs[ESP_RFLAGS] =3D 2; } esp_raise_irq(s); --=20 2.20.1
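
Review bot: the non-DMA else branch in the last write_response() hunk of patch 02/12 drops `s->ti_size = 2;` and nothing replaces it, yet the commit message only talks about moving the status/message bytes out of the FIFO for DMA. If ti_size is intentionally no longer set for the two response bytes, say so in the commit message; otherwise keep the assignment next to the new fifo8_push_all(&s->fifo, buf, 2).
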
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:52 +0100
Message-Id: <20210407195801.685-4-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210407195801.685-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 03/12] esp: consolidate esp_cmdfifo_push() into esp_fifo_push()

Each FIFO currently has its own push functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_push() to access the FIFO capacity directly and then
consolidate esp_cmdfifo_push() into esp_fifo_push().

Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 26fe1dcb9d..16aaf8be93 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -98,16 +98,15 @@ void esp_request_cancelled(SCSIRequest *req) } } =20 -static void esp_fifo_push(ESPState *s, uint8_t val) +static void esp_fifo_push(Fifo8 *fifo, uint8_t val) { - if (fifo8_num_used(&s->fifo) =3D=3D ESP_FIFO_SZ) { + if (fifo8_num_used(fifo) =3D=3D fifo->capacity) { trace_esp_error_fifo_overrun(); return; } =20 - fifo8_push(&s->fifo, val); + fifo8_push(fifo, val); } - static uint8_t esp_fifo_pop(ESPState *s) { if (fifo8_is_empty(&s->fifo)) { @@ -117,16 +116,6 @@ static uint8_t esp_fifo_pop(ESPState *s) return fifo8_pop(&s->fifo); } =20 -static void esp_cmdfifo_push(ESPState *s, uint8_t val) -{ - if (fifo8_num_used(&s->cmdfifo) =3D=3D ESP_CMDFIFO_SZ) { - trace_esp_error_fifo_overrun(); - return; - } - - fifo8_push(&s->cmdfifo, val); -} - static uint8_t esp_cmdfifo_pop(ESPState *s) { if (fifo8_is_empty(&s->cmdfifo)) { @@ -187,9 +176,9 @@ static void esp_pdma_write(ESPState *s, uint8_t val) } =20 if (s->do_cmd) { - esp_cmdfifo_push(s, val); + esp_fifo_push(&s->cmdfifo, val); } else { - esp_fifo_push(s, val); + esp_fifo_push(&s->fifo, val); } =20 dmalen--; @@ -645,7 +634,7 @@ static void esp_do_dma(ESPState *s) */ if (len < esp_get_tc(s) && esp_get_tc(s) <=3D ESP_FIFO_SZ) { while (fifo8_num_used(&s->fifo) < ESP_FIFO_SZ) { - esp_fifo_push(s, 0); + esp_fifo_push(&s->fifo, 0); len++; } } 
@@ -947,9 +936,9 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_= t val) break; case ESP_FIFO: if (s->do_cmd) { - esp_cmdfifo_push(s, val); + esp_fifo_push(&s->cmdfifo, val); } else { - esp_fifo_push(s, val); + esp_fifo_push(&s->fifo, val); } =20 /* Non-DMA transfers raise an interrupt after every byte */ --=20 2.20.1
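
Review bot: the first hunk of patch 03/12 deletes the blank line between the closing brace of esp_fifo_push() and `static uint8_t esp_fifo_pop(ESPState *s)`, which looks unintended since every other function pair in the hunk keeps its separator. Restore the blank line so the two definitions do not run together.
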
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:53 +0100
Message-Id: <20210407195801.685-5-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210407195801.685-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 04/12] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()

Each FIFO currently has its own pop functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_pop() to access the FIFO capacity directly and then
consolidate esp_cmdfifo_pop() into esp_fifo_pop().
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 16aaf8be93..ff8fa73de9 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -107,22 +107,14 @@ static void esp_fifo_push(Fifo8 *fifo, uint8_t val) =20 fifo8_push(fifo, val); } -static uint8_t esp_fifo_pop(ESPState *s) -{ - if (fifo8_is_empty(&s->fifo)) { - return 0; - } - - return fifo8_pop(&s->fifo); -} =20 -static uint8_t esp_cmdfifo_pop(ESPState *s) +static uint8_t esp_fifo_pop(Fifo8 *fifo) { - if (fifo8_is_empty(&s->cmdfifo)) { + if (fifo8_is_empty(fifo)) { return 0; } =20 - return fifo8_pop(&s->cmdfifo); + return fifo8_pop(fifo); } =20 static uint32_t esp_get_tc(ESPState *s) @@ -159,9 +151,9 @@ static uint8_t esp_pdma_read(ESPState *s) uint8_t val; =20 if (s->do_cmd) { - val =3D esp_cmdfifo_pop(s); + val =3D esp_fifo_pop(&s->cmdfifo); } else { - val =3D esp_fifo_pop(s); + val =3D esp_fifo_pop(&s->fifo); } =20 return val; 
@@ -887,7 +879,7 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n= "); s->rregs[ESP_FIFO] =3D 0; } else { - s->rregs[ESP_FIFO] =3D esp_fifo_pop(s); + s->rregs[ESP_FIFO] =3D esp_fifo_pop(&s->fifo); } val =3D s->rregs[ESP_FIFO]; break; --=20 2.20.1
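
Review bot: the commit message of patch 04/12 does not match its first hunk: it says the pop functions differ only in "the capacity check" and that esp_fifo_pop() will access the FIFO capacity directly, but both removed functions and the new esp_fifo_pop(Fifo8 *fifo) only test fifo8_is_empty() and never read a capacity. Reword the message to say the two functions differed only in which FIFO they operated on.
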
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:54 +0100
Message-Id: <20210407195801.685-6-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210407195801.685-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 05/12] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()

The const pointer returned by fifo8_pop_buf() lies directly within the array
used to model the FIFO. Building with address sanitizers enabled shows that if
the caller expects a minimum number of bytes present then if the FIFO is
nearly full, the caller may unexpectedly access past the end of the array.

Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a
memcpy() in it to guarantee that the caller cannot overwrite the FIFO array
and update all callers to use it. Similarly add underflow protection similar
to esp_fifo_push() and esp_fifo_pop() so that instead of triggering an
assert() the operation becomes a no-op.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Reviewed-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/scsi/esp.c | 40 ++++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index ff8fa73de9..1aa2caf57d 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -117,6 +117,23 @@ static uint8_t esp_fifo_pop(Fifo8 *fifo) return fifo8_pop(fifo); } =20 +static uint32_t esp_fifo_pop_buf(Fifo8 *fifo, uint8_t *dest, int maxlen) +{ + const uint8_t *buf; + uint32_t n; + + if (maxlen =3D=3D 0) { + return 0; + } + + buf =3D fifo8_pop_buf(fifo, maxlen, &n); + if (dest) { + memcpy(dest, buf, n); + } + + return n; +} + static uint32_t esp_get_tc(ESPState *s) { uint32_t dmalen; @@ -241,11 +258,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) if (dmalen =3D=3D 0) { return 0; } - memcpy(buf, fifo8_pop_buf(&s->fifo, dmalen, &n), dmalen); - if (dmalen >=3D 3) { + n =3D esp_fifo_pop_buf(&s->fifo, buf, dmalen); + if (n >=3D 3) { buf[0] =3D buf[2] >> 5; } - fifo8_push_all(&s->cmdfifo, buf, dmalen); + fifo8_push_all(&s->cmdfifo, buf, n); } trace_esp_get_cmd(dmalen, target); =20 
@@ -258,16 +275,16 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) =20 static void do_busid_cmd(ESPState *s, uint8_t busid) { - uint32_t n, cmdlen; + uint32_t cmdlen; int32_t datalen; int lun; SCSIDevice *current_lun; - uint8_t *buf; + uint8_t buf[ESP_CMDFIFO_SZ]; =20 trace_esp_do_busid_cmd(busid); lun =3D busid & 7; cmdlen =3D fifo8_num_used(&s->cmdfifo); - buf =3D (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); + esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen); =20 current_lun =3D scsi_device_find(&s->bus, 0, s->current_dev->id, lun); s->current_req =3D scsi_req_new(current_lun, 0, lun, buf, s); @@ -300,13 +317,12 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) static void do_cmd(ESPState *s) { uint8_t busid =3D fifo8_pop(&s->cmdfifo); - uint32_t n; =20 s->cmdfifo_cdb_offset--; =20 /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n); + esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); s->cmdfifo_cdb_offset =3D 0; } =20 @@ -484,7 +500,7 @@ static void do_dma_pdma_cb(ESPState *s) /* Copy FIFO data to device */ len =3D MIN(s->async_len, ESP_FIFO_SZ); len =3D MIN(len, fifo8_num_used(&s->fifo)); - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + n =3D esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D n; s->async_len -=3D n; s->ti_size +=3D n; @@ -492,7 +508,7 @@ static void do_dma_pdma_cb(ESPState *s) if (n < len) { /* Unaligned accesses can cause FIFO wraparound */ len =3D len - n; - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + n =3D esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D n; s->async_len -=3D n; s->ti_size +=3D n; @@ -668,7 +684,7 @@ static void esp_do_dma(ESPState *s) static void esp_do_nodma(ESPState *s) { int to_device =3D ((s->rregs[ESP_RSTAT] & 7) =3D=3D STAT_DO); - uint32_t cmdlen, n; + uint32_t cmdlen; int len; =20 if (s->do_cmd) { 
@@ -709,7 +725,7 @@ static void esp_do_nodma(ESPState *s) =20 if (to_device) { len =3D MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D len; s->async_len -=3D len; s->ti_size +=3D len; --=20 2.20.1
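Review bot: In the esp_do_nodma() to_device branch, len is bounded only by fifo8_num_used(&s->fifo) and ESP_FIFO_SZ in the lines shown, and async_buf, async_len and ti_size are advanced by len while the count returned by esp_fifo_pop_buf() is dropped. do_dma_pdma_cb() in the same patch clamps with MIN(s->async_len, ESP_FIFO_SZ) and advances by n. Doing the same here (len = MIN(len, s->async_len) before the pop, then advancing by the returned count) would keep the copy inside the request buffer and stop s->async_len from wrapping when the guest has queued more FIFO bytes than the request expects.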
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:55 +0100
Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 06/12] esp: ensure cmdfifo is not empty and current_dev is non-NULL

When about to execute a SCSI command, ensure that cmdfifo is not empty and
current_dev is non-NULL. This can happen if the guest tries to execute a TI
(Transfer Information) command without issuing one of the select commands
first.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 1aa2caf57d..4decbbfc29 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -284,6 +284,9 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) trace_esp_do_busid_cmd(busid); lun =3D busid & 7; cmdlen =3D fifo8_num_used(&s->cmdfifo); + if (!cmdlen || !s->current_dev) { + return; + } esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen); =20 current_lun =3D scsi_device_find(&s->bus, 0, s->current_dev->id, lun); --=20 2.20.1
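Review bot: The new early return in do_busid_cmd() is silent: when s->current_dev is NULL but cmdlen is non-zero, the bytes stay queued in cmdfifo and nothing in the hunk records that the command was dropped. Consider resetting cmdfifo (and cmdfifo_cdb_offset) on this path so the stale bytes are not prepended to the next command, and add a trace event or a short comment naming the TI-without-select case from the commit message so the reason for the check survives in the code.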
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:56 +0100
Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 07/12] esp: don't underflow cmdfifo in do_cmd()

If the guest tries to execute a CDB when cmdfifo is not empty before the start
of the message out phase then clearing the message out phase data will cause
cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of
data within.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to
the size of the data within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4decbbfc29..7f49522e1d 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -319,13 +319,15 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) =20 static void do_cmd(ESPState *s) { - uint8_t busid =3D fifo8_pop(&s->cmdfifo); + uint8_t busid =3D esp_fifo_pop(&s->cmdfifo); + int len; =20 s->cmdfifo_cdb_offset--; =20 /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); + len =3D MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo)); + esp_fifo_pop_buf(&s->cmdfifo, NULL, len); s->cmdfifo_cdb_offset =3D 0; } =20 --=20 2.20.1
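Review bot: In do_cmd(), s->cmdfifo_cdb_offset-- still runs unconditionally before the new clamp, so an entry value of 0 would wrap or go negative (depending on the field's type) and the MIN() would then drain whatever is left in cmdfifo, CDB included. Checking that the offset is non-zero before decrementing would close that case. Separately, len is declared int while fifo8_num_used() returns uint32_t; declaring len as uint32_t avoids the mixed-signedness comparison inside MIN().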
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:57 +0100
Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 08/12] esp: don't overflow cmdfifo in get_cmd()

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 7f49522e1d..53cc569e8a 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -243,6 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) } if (s->dma_memory_read) { s->dma_memory_read(s->dma_opaque, buf, dmalen); + dmalen =3D MIN(fifo8_num_free(&s->cmdfifo), dmalen); fifo8_push_all(&s->cmdfifo, buf, dmalen); } else { if (esp_select(s) < 0) {
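Review bot: In the dma_memory_read branch of get_cmd(), the clamp is applied after s->dma_memory_read(s->dma_opaque, buf, dmalen), so the DMA read into buf still uses the unclamped, guest-influenced dmalen and only the push into cmdfifo is limited. Moving the MIN() above the read, as 09/12 does in esp_do_dma(), keeps the read and the push bounded by the same value and avoids fetching guest memory that is then discarded.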
@@ -262,6 +263,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) if (n >=3D 3) { buf[0] =3D buf[2] >> 5; } + n =3D MIN(fifo8_num_free(&s->cmdfifo), n); fifo8_push_all(&s->cmdfifo, buf, n); } trace_esp_get_cmd(dmalen, target); --=20 2.20.1
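Review bot: In the non-DMA branch, n is clamped to fifo8_num_free(&s->cmdfifo) but trace_esp_get_cmd(dmalen, target) just below still reports the unclamped dmalen, so the trace (and any caller that treats dmalen as the command length) can disagree with the number of bytes actually pushed. Either fold the clamp into dmalen or add a comment that a truncated CDB is pushed deliberately; a truncated push also deserves its own trace or guest-error log so a malformed sequence is visible when debugging.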
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:58 +0100
Message-Id: <20210407195801.685-10-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 09/12] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size

If a guest transfers the message out/command phase data using DMA with a TC
that is larger than the cmdfifo size then the cmdfifo overflows triggering
an assert. Limit the size of the transfer to the free space available in
cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1919036
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
---
 hw/scsi/esp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 53cc569e8a..782c6ee357 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -578,6 +578,7 @@ static void esp_do_dma(ESPState *s) cmdlen =3D fifo8_num_used(&s->cmdfifo); trace_esp_do_dma(cmdlen, len); if (s->dma_memory_read) { + len =3D MIN(len, fifo8_num_free(&s->cmdfifo)); s->dma_memory_read(s->dma_opaque, buf, len); fifo8_push_all(&s->cmdfifo, buf, len); } else { --=20 2.20.1
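Review bot: The clamp in esp_do_dma() is added only inside the if (s->dma_memory_read) branch, and the else branch lies outside this hunk, so the patch does not show whether the other path can still push more than fifo8_num_free(&s->cmdfifo) bytes. Please confirm that path is bounded as well. Note also that trace_esp_do_dma(cmdlen, len) runs before the clamp and therefore logs the requested length rather than the length transferred.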
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:57:59 +0100
Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 10/12] esp: don't reset async_len directly in esp_select() if cancelling request

Instead let the SCSI layer invoke the .cancel callback itself to cancel and
reset the request state.

Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/scsi/esp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 782c6ee357..3b9037e4f4 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -95,6 +95,7 @@ void esp_request_cancelled(SCSIRequest *req) scsi_req_unref(s->current_req); s->current_req =3D NULL; s->current_dev =3D NULL; + s->async_len =3D 0; } } =20 
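Review bot: esp_request_cancelled() now zeroes s->async_len but, in the lines shown, leaves s->async_buf pointing into the request that was just unreferenced. Setting s->async_buf to NULL next to the async_len reset would make any later use of the stale pointer fail loudly instead of touching memory that belonged to the cancelled request.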
@@ -206,7 +207,6 @@ static int esp_select(ESPState *s) if (s->current_req) { /* Started a new command before the old one finished. Cancel it. = */ scsi_req_cancel(s->current_req); - s->async_len =3D 0; } =20 s->current_dev =3D scsi_device_find(&s->bus, 0, target, 0); --=20 2.20.1
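Review bot: Dropping s->async_len = 0 from esp_select() is only equivalent if scsi_req_cancel() has already run esp_request_cancelled() by the time it returns; that callback also sets s->current_dev = NULL, which would undo the s->current_dev = scsi_device_find(...) assignment just below if it ran afterwards. A one-line comment stating that the cancel completes synchronously here would make the ordering assumption reviewable, and the commit message should say what "Instead" refers to without relying on the subject line.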
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:58:00 +0100
Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 11/12] esp: ensure that do_cmd is set to zero before submitting an ESP select command

When a CDB has been received and is about to be submitted to the SCSI layer
via one of the ESP select commands, ensure that do_cmd is set to zero before
executing the command.

Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
.transfer_data callback again before do_cmd is set to zero by the callback
function triggering an assert at the start of esp_transfer_data().

Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
---
 hw/scsi/esp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3b9037e4f4..326643aa39 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -357,6 +357,7 @@ static void handle_satn(ESPState *s) cmdlen =3D get_cmd(s, ESP_CMDFIFO_SZ); if (cmdlen > 0) { s->cmdfifo_cdb_offset =3D 1; + s->do_cmd =3D 0; do_cmd(s); } else if (cmdlen =3D=3D 0) { s->do_cmd =3D 1;
@@ -390,6 +391,7 @@ static void handle_s_without_atn(ESPState *s) cmdlen =3D get_cmd(s, ESP_CMDFIFO_SZ); if (cmdlen > 0) { s->cmdfifo_cdb_offset =3D 0; + s->do_cmd =3D 0; do_busid_cmd(s, 0); } else if (cmdlen =3D=3D 0) { s->do_cmd =3D 1; --=20 2.20.1
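Review bot: The s->do_cmd = 0 line is added separately in handle_satn() and here in handle_s_without_atn(), with no comment saying why it must precede do_cmd()/do_busid_cmd(). Any other handler that submits a CDB has to remember the same ordering, so clearing do_cmd in one shared place on the submit path, or at least a comment referencing the esp_transfer_data() assert from the commit message, would make the invariant harder to miss. This patch also carries neither a Buglink nor a Tested-by tag, so a reproducer for the two-CDB sequence in the 12/12 qtest would be worth adding.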
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu, pbonzini@redhat.com
Date: Wed, 7 Apr 2021 20:58:01 +0100
Message-Id: <20210407195801.685-13-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH v4 for-6.0 12/12] tests/qtest: add tests for am53c974 device

Use the autogenerated fuzzer test cases as the basis for a set of am53c974
regression tests.

Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
---
 MAINTAINERS | 1 +
 tests/qtest/am53c974-test.c | 216 ++++++++++++++++++++++++++++++++++++
 tests/qtest/meson.build | 1 +
 3 files changed, 218 insertions(+)
 create mode 100644 tests/qtest/am53c974-test.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 58f342108e..fa258b7a92 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS @@ -1772,6 +1772,7 @@ F: include/hw/scsi/* F: hw/scsi/* F: tests/qtest/virtio-scsi-test.c F: tests/qtest/fuzz-virtio-scsi-test.c +F: tests/qtest/am53c974-test.c T: git https://github.com/bonzini/qemu.git scsi-next =20 SSI diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c new file mode 100644 index 0000000000..9b06f2cf45 --- /dev/null +++ b/tests/qtest/am53c974-test.c 
@@ -0,0 +1,216 @@ +/* + * QTest testcase for am53c974 + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + + +static void test_cmdfifo_underflow_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0x8a000000); + qtest_outl(s, 0x8a09, 0x42000000); + qtest_outl(s, 0x8a0d, 0x00); + qtest_outl(s, 0x8a0b, 0x1000); + qtest_quit(s); +} + +/* Reported as crash_1548bd10e7 */ +static void test_cmdfifo_underflow2_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 
0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} + +static void test_cmdfifo_overflow_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0x0e000000); + qtest_outl(s, 0xe40, 0x03); + qtest_outl(s, 0xe0b, 0x4100); + qtest_outl(s, 0xe0b, 0x9000); + qtest_quit(s); +} + +/* Reported as crash_530ff2e211 */ +static void test_cmdfifo_overflow2_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc03f, 0x0300); + qtest_quit(s); +} + +/* Reported as crash_0900379669 */ +static void test_fifo_pop_buf(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outb(s, 0xc008, 0xa0); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + 
qtest_quit(s); +} + +static void test_target_selected_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001001); + qtest_outl(s, 0xcfc, 0x01000000); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0xef800000); + qtest_outl(s, 0xef8b, 0x4100); + qtest_outw(s, 0xef80, 0x01); + qtest_outl(s, 0xefc0, 0x03); + qtest_outl(s, 0xef8b, 0xc100); + qtest_outl(s, 0xef8b, 0x9000); + qtest_quit(s); +} + +static void test_fifo_underflow_on_write_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc008, 0x0a); + qtest_outl(s, 0xc009, 0x41000000); + qtest_outl(s, 0xc009, 0x41000000); + qtest_outl(s, 0xc00b, 0x1000); + qtest_quit(s); +} + +static void test_cancelled_request_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x05); + qtest_outb(s, 0xc046, 0x02); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outl(s, 0xc040, 0x03); + qtest_outl(s, 0xc040, 0x03); + qtest_bufwrite(s, 0x0, "\x41", 0x1); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outw(s, 0xc040, 0x02); + qtest_outw(s, 0xc040, 0x81); + qtest_outl(s, 0xc00b, 0x9000); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch =3D qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") =3D=3D 0) { + qtest_add_func("am53c974/test_cmdfifo_underflow_ok", + 
test_cmdfifo_underflow_ok); + qtest_add_func("am53c974/test_cmdfifo_underflow2_ok", + test_cmdfifo_underflow2_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow_ok", + test_cmdfifo_overflow_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow2_ok", + test_cmdfifo_overflow2_ok); + qtest_add_func("am53c974/test_fifo_pop_buf", + test_fifo_pop_buf); + qtest_add_func("am53c974/test_target_selected_ok", + test_target_selected_ok); + qtest_add_func("am53c974/test_fifo_underflow_on_write_ok", + test_fifo_underflow_on_write_ok); + qtest_add_func("am53c974/test_cancelled_request_ok", + test_cancelled_request_ok); + } + + return g_test_run(); +} diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 902cfef7cb..25f605cf1d 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -68,6 +68,7 @@ qtests_i386 =3D \ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test= '] : []) + \ (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : [= ]) + \ (config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ? ['fuzz-e1000e= -test'] : []) + \ + (config_all_devices.has_key('CONFIG_ESP_PCI') ? ['am53c974-test'] : []) = + \ qtests_pci + = \ ['fdc-test', 'ide-test', --=20 2.20.1
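Review bot: in main() of tests/qtest/am53c974-test.c, the tests are registered only when qtest_get_arch() returns exactly "i386", so on any other target the binary registers nothing and g_test_run() still reports success. If this test binary can ever be run for a target other than i386, extend the strcmp() check to cover it or skip explicitly, so that an empty run is not mistaken for a pass. Separately, only test_cmdfifo_underflow2_ok, test_cmdfifo_overflow2_ok and test_fifo_pop_buf carry a "Reported as crash_..." comment; the other five cases give no pointer back to the report or the fix they guard, and none of the eight says which condition the register write sequence is meant to reach. A one-line comment per test would make a future failure much easier to triage. Since no test asserts anything and success means only that QEMU survives until qtest_quit(), the file header should say so. The qtest_init() command line is also repeated eight times in two different line wrappings and could be a single string constant.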
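Review bot: in the tests/qtest/meson.build hunk, the new entry 'am53c974-test' does not follow the fuzz-<device>-test naming of the 'fuzz-e1000e-test' entry directly above it, nor of fuzz-virtio-scsi-test.c next to the new line in the MAINTAINERS hunk, even though the commit message says these cases come from the autogenerated fuzzer output. Either rename the file to match, or say in the commit message that the file is expected to hold conventional device tests as well, so the different name is a deliberate choice.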