From nobody Tue May 14 00:09:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1618266306; cv=none; d=zohomail.com; s=zohoarc; b=bH9z6/sOpc+F5dFc9ZGcP9AzXFvSNu9iPLjnshqSUfBZVwM/M0ewp87g9x2UKvQUk0vFDK/btfbYjlQo3eS6eg8EuHPOQCDjfiPGo8nlGnMDHTgpGdKdTK7gx1Hwei7b5JeiGVHRpL+yq5yZ7PDKB8u47JHwr6Nv+Im+5rZF3iY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1618266306; h=Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=OeRiUB3FlpBA3UEHwxsR8PURFgIm4N5gKQCd1xu3dBk=; b=DmFmuBu8gwwsCpMmrwms6qxV/RNGmqRhsy6O4EhYt8XZTxlru/x1WWiF4/MGfzTljaHMdIivZMw+Y+HvBOK/d1hgLnk8DEyONgvfg5bjVArtIPdj3Ztvc/2oErfeuL0r7Xx3wQAp0cWLNts3xQT49/5rAqT4M2E2AKlaj4ZtlCo= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1618266306593216.30315672752727; Mon, 12 Apr 2021 15:25:06 -0700 (PDT) Received: from localhost ([::1]:45880 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lW4zR-0004jc-9p for importer@patchew.org; Mon, 12 Apr 2021 18:25:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:38520) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lW4vp-0002yK-IS for qemu-devel@nongnu.org; Mon, 12 Apr 2021 18:21:21 -0400 Received: from mail.ilande.co.uk ([2001:41c9:1:41f::167]:44046 helo=mail.default.ilande.uk0.bigv.io) by eggs.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lW4ve-0002fW-Km for qemu-devel@nongnu.org; Mon, 12 Apr 2021 18:21:21 -0400 Received: from host86-148-103-9.range86-148.btcentralplus.com ([86.148.103.9] helo=kentang.home) by mail.default.ilande.uk0.bigv.io with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lW4vi-0004Dc-Jk; Mon, 12 Apr 2021 23:21:19 +0100 
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:36 +0100
Message-Id: <20210412222048.22818-2-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 01/13] esp: fix setting of ESPState mig_version_id when launching QEMU with -S option

If QEMU is launched with the -S option then the ESPState mig_version_id property
is left unset due to the ordering of the VMState fields in the VMStateDescription
for sysbusespscsi and pciespscsi. If the VM is migrated and restored in this
stopped state, the version tests in the vmstate_esp VMStateDescription and
esp_post_load() become confused causing the migration to fail.
Fix the ordering problem by moving the setting of mig_version_id to a common
esp_pre_save() function which is invoked first by both sysbusespscsi and
pciespscsi rather than at the point where ESPState is itself serialised into
the migration stream.

Buglink: https://bugs.launchpad.net/qemu/+bug/1922611
Fixes: 0bd005be78 ("esp: add vmstate_esp version to embedded ESPState")
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Thomas Huth
Message-Id: <20210407124842.32695-1-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp-pci.c     | 1 +
 hw/scsi/esp.c         | 7 ++++---
 include/hw/scsi/esp.h | 1 +
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c index c3d3dab05e..9db10b1a48 100644 --- a/hw/scsi/esp-pci.c +++ b/hw/scsi/esp-pci.c @@ -332,6 +332,7 @@ static const VMStateDescription vmstate_esp_pci_scsi = =3D { .name =3D "pciespscsi", .version_id =3D 2, .minimum_version_id =3D 1, + .pre_save =3D esp_pre_save, .fields =3D (VMStateField[]) { VMSTATE_PCI_DEVICE(parent_obj, PCIESPState), VMSTATE_BUFFER_UNSAFE(dma_regs, PCIESPState, 0, 8 * sizeof(uint32_= t)), diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 507ab363bc..d87e1a63db 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -1076,9 +1076,10 @@ static bool esp_is_version_5(void *opaque, int versi= on_id) return version_id =3D=3D 5; } =20 -static int esp_pre_save(void *opaque) +int esp_pre_save(void *opaque) { - ESPState *s =3D ESP(opaque); + ESPState *s =3D ESP(object_resolve_path_component( + OBJECT(opaque), "esp")); =20 s->mig_version_id =3D vmstate_esp.version_id; return 0; @@ -1114,7 +1115,6 @@ const VMStateDescription vmstate_esp =3D { .name =3D "esp", .version_id =3D 5, .minimum_version_id =3D 3, - .pre_save =3D esp_pre_save, .post_load =3D esp_post_load, .fields =3D (VMStateField[]) { VMSTATE_BUFFER(rregs, ESPState),
@@ -1304,6 +1304,7 @@ static const VMStateDescription vmstate_sysbus_esp_sc= si =3D { .name =3D "sysbusespscsi", .version_id =3D 2, .minimum_version_id =3D 1, + .pre_save =3D esp_pre_save, .fields =3D (VMStateField[]) { VMSTATE_UINT8_V(esp.mig_version_id, SysBusESPState, 2), VMSTATE_STRUCT(esp, SysBusESPState, 0, vmstate_esp, ESPState), diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h index 95088490aa..aada3680b7 100644 --- a/include/hw/scsi/esp.h +++ b/include/hw/scsi/esp.h 
@@ -157,5 +157,6 @@ void esp_hard_reset(ESPState *s); uint64_t esp_reg_read(ESPState *s, uint32_t saddr); void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val); extern const VMStateDescription vmstate_esp; +int esp_pre_save(void *opaque); =20 #endif
-- 
2.20.1
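Review bot: in the esp.c hunk, `ESPState *s =3D ESP(object_resolve_path_component(OBJECT(opaque), "esp"));` is followed directly by `s->mig_version_id =3D vmstate_esp.version_id;`, so the function now depends on both PCIESPState and SysBusESPState exposing a QOM child named exactly "esp", and nothing in the patch checks the lookup result. A `g_assert(s)` after the lookup (or a comment stating the naming contract beside each new `.pre_save =3D esp_pre_save,` line) would make a renamed child fail at the lookup rather than at the dereference.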
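Review bot: the hunk that deletes `.pre_save =3D esp_pre_save,` from vmstate_esp leaves that description with no pre_save at all, so a future device that embeds it via VMSTATE_STRUCT without also wiring esp_pre_save() into its own description will migrate mig_version_id unset, which is exactly the failure this patch fixes. A one-line comment above vmstate_esp saying that the containing device's pre_save must call esp_pre_save() would record the new contract where the next user will see it.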
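Review bot: the new declaration `int esp_pre_save(void *opaque);` in esp.h gives no hint that `opaque` is now the containing device object rather than the ESPState the name suggests, and the old static version did take the ESPState. A short comment on the prototype (or a typed `DeviceState *` parameter, since the body only needs OBJECT(opaque)) would stop the next caller from passing an ESPState and having the "esp" lookup fail.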
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:37 +0100
Message-Id: <20210412222048.22818-3-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 02/13] esp: always check current_req is not NULL before use in DMA callbacks

After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data is
left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index d87e1a63db..a79196f3f3 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -496,6 +496,10 @@ static void do_dma_pdma_cb(ESPState *s) return; } =20 + if (!s->current_req) { + return; + } + if (to_device) { /* Copy FIFO data to device */ len =3D MIN(s->async_len, ESP_FIFO_SZ); @@ -527,11 +531,9 @@ static void do_dma_pdma_cb(ESPState *s) return; } else { if (s->async_len =3D=3D 0) { - if (s->current_req) { - /* Defer until the scsi layer has completed */ - scsi_req_continue(s->current_req); - s->data_in_ready =3D false; - } + /* Defer until the scsi layer has completed */ + scsi_req_continue(s->current_req); + s->data_in_ready =3D false; return; } =20 @@ -604,6 +606,9 @@ static void esp_do_dma(ESPState *s) } return; } + if (!s->current_req) { + return; + } if (s->async_len =3D=3D 0) { /* Defer until data is available. */ return;
@@ -713,6 +718,10 @@ static void esp_do_nodma(ESPState *s) return; } =20 + if (!s->current_req) { + return; + } + if (s->async_len =3D=3D 0) { /* Defer until data is available. */ return;
-- 
2.20.1
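Review bot: the new `if (!s->current_req) { return; }` at the top of do_dma_pdma_cb() abandons the transfer silently, whereas the other error path in this file (FIFO overrun) has a trace point; a trace or qemu_log_mask(LOG_GUEST_ERROR) here would make the cancelled-request case visible when reproducing the two fuzzer reports linked in the commit message. The second hunk in the same function, which drops the old `if (s->current_req)` guard and calls scsi_req_continue(s->current_req) unconditionally, is only correct because of that early return in the first hunk; a one-line comment at the call site would save the next reader from having to find it.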
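Review bot: the esp_do_nodma() hunk adds the same three-line `if (!s->current_req) { return; }` guard already pasted into do_dma_pdma_cb() and esp_do_dma(). The commit message explains when current_req becomes NULL (the SCSIBusInfo .cancel callback) but none of the three copies does; either put that explanation in a comment at one of them or factor the check into a small helper, so a reader of esp_do_nodma() knows a NULL request is an expected state rather than an invariant violation.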
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:38 +0100
Message-Id: <20210412222048.22818-4-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 03/13] esp: rework write_response() to avoid using the FIFO for DMA transactions

The code for write_response() has always used the FIFO to store the data for
the status/message in phases, even for DMA transactions. Switch to using a
separate buffer that can be used directly for DMA transactions and restrict
the FIFO use to the non-DMA case.
Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20210407195801.685-3-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index a79196f3f3..2584ec6fb1 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -445,18 +445,16 @@ static void write_response_pdma_cb(ESPState *s) =20 static void write_response(ESPState *s) { - uint32_t n; + uint8_t buf[2]; =20 trace_esp_write_response(s->status); =20 - fifo8_reset(&s->fifo); - esp_fifo_push(s, s->status); - esp_fifo_push(s, 0); + buf[0] =3D s->status; + buf[1] =3D 0; =20 if (s->dma) { if (s->dma_memory_write) { - s->dma_memory_write(s->dma_opaque, - (uint8_t *)fifo8_pop_buf(&s->fifo, 2, &n),= 2); + s->dma_memory_write(s->dma_opaque, buf, 2); s->rregs[ESP_RSTAT] =3D STAT_TC | STAT_ST; s->rregs[ESP_RINTR] |=3D INTR_BS | INTR_FC; s->rregs[ESP_RSEQ] =3D SEQ_CD;
@@ -466,7 +464,8 @@ static void write_response(ESPState *s) return; } } else { - s->ti_size =3D 2; + fifo8_reset(&s->fifo); + fifo8_push_all(&s->fifo, buf, 2); s->rregs[ESP_RFLAGS] =3D 2; } esp_raise_irq(s);
-- 
2.20.1
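Review bot: the first write_response() hunk removes `fifo8_reset(&s->fifo); esp_fifo_push(s, s->status); esp_fifo_push(s, 0);` ahead of the whole `if (s->dma)` branch, but only the `s->dma_memory_write` sub-branch is changed to read from `buf`. The other DMA sub-branch, the PDMA case served by write_response_pdma_cb() (visible in the hunk header), is outside the shown context and used to find these two bytes in the FIFO; please confirm it still has a source for the status/message bytes, otherwise the PDMA status phase now drains an empty FIFO.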
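Review bot: the second hunk replaces `s->ti_size =3D 2;` with `fifo8_reset(&s->fifo); fifo8_push_all(&s->fifo, buf, 2);` in the non-DMA branch and sets ti_size nowhere else. If the PIO read path still counts the status phase down through ti_size, dropping the assignment is a behaviour change the commit message does not mention; either keep the assignment next to the FIFO push or add a sentence to the message saying why ti_size is no longer needed here.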
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:39 +0100
Message-Id: <20210412222048.22818-5-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 04/13] esp: consolidate esp_cmdfifo_push() into esp_fifo_push()

Each FIFO currently has its own push functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_push() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_push() into esp_fifo_push().
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-4-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 2584ec6fb1..b3471e0333 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -98,16 +98,15 @@ void esp_request_cancelled(SCSIRequest *req) } } =20 -static void esp_fifo_push(ESPState *s, uint8_t val) +static void esp_fifo_push(Fifo8 *fifo, uint8_t val) { - if (fifo8_num_used(&s->fifo) =3D=3D ESP_FIFO_SZ) { + if (fifo8_num_used(fifo) =3D=3D fifo->capacity) { trace_esp_error_fifo_overrun(); return; } =20 - fifo8_push(&s->fifo, val); + fifo8_push(fifo, val); } - static uint8_t esp_fifo_pop(ESPState *s) { if (fifo8_is_empty(&s->fifo)) { @@ -117,16 +116,6 @@ static uint8_t esp_fifo_pop(ESPState *s) return fifo8_pop(&s->fifo); } =20 -static void esp_cmdfifo_push(ESPState *s, uint8_t val) -{ - if (fifo8_num_used(&s->cmdfifo) =3D=3D ESP_CMDFIFO_SZ) { - trace_esp_error_fifo_overrun(); - return; - } - - fifo8_push(&s->cmdfifo, val); -} - static uint8_t esp_cmdfifo_pop(ESPState *s) { if (fifo8_is_empty(&s->cmdfifo)) { @@ -187,9 +176,9 @@ static void esp_pdma_write(ESPState *s, uint8_t val) } =20 if (s->do_cmd) { - esp_cmdfifo_push(s, val); + esp_fifo_push(&s->cmdfifo, val); } else { - esp_fifo_push(s, val); + esp_fifo_push(&s->fifo, val); } =20 dmalen--; @@ -645,7 +634,7 @@ static void esp_do_dma(ESPState *s) */ if (len < esp_get_tc(s) && esp_get_tc(s) <=3D ESP_FIFO_SZ) { while (fifo8_num_used(&s->fifo) < ESP_FIFO_SZ) { - esp_fifo_push(s, 0); + esp_fifo_push(&s->fifo, 0); len++; } }
@@ -947,9 +936,9 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_= t val) break; case ESP_FIFO: if (s->do_cmd) { - esp_cmdfifo_push(s, val); + esp_fifo_push(&s->cmdfifo, val); } else { - esp_fifo_push(s, val); + esp_fifo_push(&s->fifo, val); } =20 /* Non-DMA transfers raise an interrupt after every byte */
-- 
2.20.1
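Review bot: in the esp_fifo_push() hunk the overrun test is `fifo8_num_used(fifo) =3D=3D fifo->capacity`; `>=` costs nothing and stays safe if any other path ever overfills the FIFO, and if reaching into the struct is the concern the commit message raises, `fifo8_num_free(fifo) =3D=3D 0` expresses "full" without reading the capacity field at all. The same hunk also deletes the blank line between the closing `}` of esp_fifo_push() and `static uint8_t esp_fifo_pop(ESPState *s)` (the lone `-` after the brace), which looks accidental since the rest of the file separates functions with a blank line.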
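Review bot: the esp_do_dma() hunk still pads with `while (fifo8_num_used(&s->fifo) < ESP_FIFO_SZ) { esp_fifo_push(&s->fifo, 0);` while the push helper it now calls checks against `fifo->capacity`; the two limits are the same today only because s->fifo is created with ESP_FIFO_SZ. Using one source of truth for the bound (the FIFO's own capacity, as the helper does) would keep this loop correct if the FIFO size is ever changed in one place and not the other.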
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:40 +0100
Message-Id: <20210412222048.22818-6-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 05/13] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()

Each FIFO currently has its own pop functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_pop() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_pop() into esp_fifo_pop().
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-5-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index b3471e0333..89cc795960 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -107,22 +107,14 @@ static void esp_fifo_push(Fifo8 *fifo, uint8_t val) =20 fifo8_push(fifo, val); } -static uint8_t esp_fifo_pop(ESPState *s) -{ - if (fifo8_is_empty(&s->fifo)) { - return 0; - } - - return fifo8_pop(&s->fifo); -} =20 -static uint8_t esp_cmdfifo_pop(ESPState *s) +static uint8_t esp_fifo_pop(Fifo8 *fifo) { - if (fifo8_is_empty(&s->cmdfifo)) { + if (fifo8_is_empty(fifo)) { return 0; } =20 - return fifo8_pop(&s->cmdfifo); + return fifo8_pop(fifo); } =20 static uint32_t esp_get_tc(ESPState *s) @@ -159,9 +151,9 @@ static uint8_t esp_pdma_read(ESPState *s) uint8_t val; =20 if (s->do_cmd) { - val =3D esp_cmdfifo_pop(s); + val =3D esp_fifo_pop(&s->cmdfifo); } else { - val =3D esp_fifo_pop(s); + val =3D esp_fifo_pop(&s->fifo); } =20 return val;
@@ -887,7 +879,7 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n= "); s->rregs[ESP_FIFO] =3D 0; } else { - s->rregs[ESP_FIFO] =3D esp_fifo_pop(s); + s->rregs[ESP_FIFO] =3D esp_fifo_pop(&s->fifo); } val =3D s->rregs[ESP_FIFO]; break;
-- 
2.20.1
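Review bot: the commit message says esp_fifo_pop() is changed "to access the FIFO capacity directly", but the esp_fifo_pop() hunk only keeps the `fifo8_is_empty(fifo)` underflow check and touches no capacity field; that sentence reads as carried over from the esp_fifo_push() patch and should be dropped from the message. The hunk also deletes the old esp_fifo_pop() body and rewrites esp_cmdfifo_pop() in place under the new name, which is correct but makes the diff larger than editing esp_fifo_pop()'s parameter would have been.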
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:41 +0100
Message-Id: <20210412222048.22818-7-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 06/13] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()

The const pointer returned by fifo8_pop_buf() lies directly within the array used to model the FIFO. Building with address sanitizers enabled shows that if the caller expects a minimum number of bytes present then if the FIFO is nearly full, the caller may unexpectedly access past the end of the array.
Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a memcpy() in it to guarantee that the caller cannot overwrite the FIFO array= and update all callers to use it. Similarly add underflow protection similar to esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert() the operation becomes a no-op. Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland Tested-by: Alexander Bulekov Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Peter Maydell Message-Id: <20210407195801.685-6-mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 89cc795960..bf22785b79 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -117,6 +117,23 @@ static uint8_t esp_fifo_pop(Fifo8 *fifo) return fifo8_pop(fifo); } =20 +static uint32_t esp_fifo_pop_buf(Fifo8 *fifo, uint8_t *dest, int maxlen) +{ + const uint8_t *buf; + uint32_t n; + + if (maxlen =3D=3D 0) { + return 0; + } + + buf =3D fifo8_pop_buf(fifo, maxlen, &n); + if (dest) { + memcpy(dest, buf, n); + } + + return n; +} + static uint32_t esp_get_tc(ESPState *s) { uint32_t dmalen; @@ -241,11 +258,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) if (dmalen =3D=3D 0) { return 0; } - memcpy(buf, fifo8_pop_buf(&s->fifo, dmalen, &n), dmalen); - if (dmalen >=3D 3) { + n =3D esp_fifo_pop_buf(&s->fifo, buf, dmalen); + if (n >=3D 3) { buf[0] =3D buf[2] >> 5; } - fifo8_push_all(&s->cmdfifo, buf, dmalen); + fifo8_push_all(&s->cmdfifo, buf, n); } trace_esp_get_cmd(dmalen, target); =20 
@@ -258,16 +275,16 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) =20 static void do_busid_cmd(ESPState *s, uint8_t busid) { - uint32_t n, cmdlen; + uint32_t cmdlen; int32_t datalen; int lun; SCSIDevice *current_lun; - uint8_t *buf; + uint8_t buf[ESP_CMDFIFO_SZ]; =20 trace_esp_do_busid_cmd(busid); lun =3D busid & 7; cmdlen =3D fifo8_num_used(&s->cmdfifo); - buf =3D (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); + esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen); =20 current_lun =3D scsi_device_find(&s->bus, 0, s->current_dev->id, lun); s->current_req =3D scsi_req_new(current_lun, 0, lun, buf, s); @@ -300,13 +317,12 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) static void do_cmd(ESPState *s) { uint8_t busid =3D fifo8_pop(&s->cmdfifo); - uint32_t n; =20 s->cmdfifo_cdb_offset--; =20 /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n); + esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); s->cmdfifo_cdb_offset =3D 0; } =20 @@ -484,7 +500,7 @@ static void do_dma_pdma_cb(ESPState *s) /* Copy FIFO data to device */ len =3D MIN(s->async_len, ESP_FIFO_SZ); len =3D MIN(len, fifo8_num_used(&s->fifo)); - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + n =3D esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D n; s->async_len -=3D n; s->ti_size +=3D n; @@ -492,7 +508,7 @@ static void do_dma_pdma_cb(ESPState *s) if (n < len) { /* Unaligned accesses can cause FIFO wraparound */ len =3D len - n; - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + n =3D esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D n; s->async_len -=3D n; s->ti_size +=3D n; @@ -668,7 +684,7 @@ static void esp_do_dma(ESPState *s) static void esp_do_nodma(ESPState *s) { int to_device =3D ((s->rregs[ESP_RSTAT] & 7) =3D=3D STAT_DO); - uint32_t cmdlen, n; + uint32_t cmdlen; int len; =20 if (s->do_cmd) { 
@@ -709,7 +725,7 @@ static void esp_do_nodma(ESPState *s) =20 if (to_device) { len =3D MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); - memcpy(s->async_buf, fifo8_pop_buf(&s->fifo, len, &n), len); + esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf +=3D len; s->async_len -=3D len; s->ti_size +=3D len; --=20 2.20.1
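Review bot: the new esp_fifo_pop_buf() in the first hunk only guards maxlen == 0, so the "underflow protection similar to esp_fifo_push() and esp_fifo_pop()" promised in the commit message does not cover a maxlen larger than the number of bytes currently held; that case is passed straight through to fifo8_pop_buf(), which is exactly what the later do_busid_cmd() and do_cmd() fixes in this pull have to clamp at each call site. Clamping once inside the helper, e.g. `maxlen = MIN(maxlen, fifo8_num_used(fifo));` before the pop, would make every caller safe and would let a comment on the helper state its no-op contract.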
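Review bot: in the esp_do_nodma() hunk the count returned by esp_fifo_pop_buf() is discarded and async_buf, async_len and ti_size are still advanced by len. The do_dma_pdma_cb() hunks in this same patch handle the case where fewer than len bytes come back ("Unaligned accesses can cause FIFO wraparound") by capturing n and popping a second time; the no-DMA path should do the same (`n = esp_fifo_pop_buf(&s->fifo, s->async_buf, len);` and advance by n, looping if n < len), otherwise the accounting moves past bytes that were never copied.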
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:42 +0100
Message-Id: <20210412222048.22818-8-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 07/13] esp: ensure cmdfifo is not empty and current_dev is non-NULL

When about to execute a SCSI command, ensure that cmdfifo is not empty and current_dev is non-NULL. This can happen if the guest tries to execute a TI (Transfer Information) command without issuing one of the select commands first.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index bf22785b79..904fa3179c 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -284,6 +284,9 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) trace_esp_do_busid_cmd(busid); lun =3D busid & 7; cmdlen =3D fifo8_num_used(&s->cmdfifo); + if (!cmdlen || !s->current_dev) { + return; + } esp_fifo_pop_buf(&s->cmdfifo, buf, cmdlen); =20 current_lun =3D scsi_device_find(&s->bus, 0, s->current_dev->id, lun); --=20 2.20.1
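Review bot: the early return in the do_busid_cmd() hunk correctly avoids the s->current_dev->id dereference on the next line, but when current_dev is NULL it leaves whatever cmdlen bytes are in cmdfifo in place rather than draining them, so they are still there when the guest's next command data arrives (the later "don't overflow cmdfifo in get_cmd()" patch in this pull has to clamp exactly that situation). Either reset cmdfifo next to the return or add a comment saying which later path is expected to discard the stale bytes; a qemu_log_mask(LOG_GUEST_ERROR, ...) here would also make a guest hitting this path visible instead of silently dropping the command.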
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:43 +0100
Message-Id: <20210412222048.22818-9-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 08/13] esp: don't underflow cmdfifo in do_cmd()

If the guest tries to execute a CDB when cmdfifo is not empty before the start of the message out phase then clearing the message out phase data will cause cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of data within.

Since this can only occur by issuing deliberately incorrect instruction sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to the size of the data within cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 904fa3179c..d3b105b703 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -319,13 +319,15 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) =20 static void do_cmd(ESPState *s) { - uint8_t busid =3D fifo8_pop(&s->cmdfifo); + uint8_t busid =3D esp_fifo_pop(&s->cmdfifo); + int len; =20 s->cmdfifo_cdb_offset--; =20 /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - len =3D MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo)); + esp_fifo_pop_buf(&s->cmdfifo, NULL, len); s->cmdfifo_cdb_offset =3D 0; } =20 --=20 2.20.1
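Review bot: in the do_cmd() hunk the clamp fixes the pop, but `s->cmdfifo_cdb_offset--` still runs unconditionally before it; if the offset is already zero when a guest reaches this path (and the field is unsigned, as its comparison against fifo8_num_used()'s uint32_t suggests) the decrement wraps, the `if` becomes true, and the new MIN then silently discards the entire remaining contents of cmdfifo. A `if (s->cmdfifo_cdb_offset > 0)` guard around the decrement would make the intended no-op explicit. Minor: `len` is declared `int` while both MIN operands are uint32_t; declaring it uint32_t avoids the sign conversion at the esp_fifo_pop_buf() call.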
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:44 +0100
Message-Id: <20210412222048.22818-10-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 09/13] esp: don't overflow cmdfifo in get_cmd()

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction sequences, ensure that the maximum length of the CDB transferred to cmdfifo is limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daud=C3=A9 Tested-by: Alexander Bulekov Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index d3b105b703..9d3fdb4398 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -243,6 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) } if (s->dma_memory_read) { s->dma_memory_read(s->dma_opaque, buf, dmalen); + dmalen =3D MIN(fifo8_num_free(&s->cmdfifo), dmalen); fifo8_push_all(&s->cmdfifo, buf, dmalen); } else { if (esp_select(s) < 0) { 
@@ -262,6 +263,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) if (n >=3D 3) { buf[0] =3D buf[2] >> 5; } + n =3D MIN(fifo8_num_free(&s->cmdfifo), n); fifo8_push_all(&s->cmdfifo, buf, n); } trace_esp_get_cmd(dmalen, target); --=20 2.20.1
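Review bot: in the first get_cmd() hunk the clamp `dmalen = MIN(fifo8_num_free(&s->cmdfifo), dmalen);` is placed after `s->dma_memory_read(s->dma_opaque, buf, dmalen);`, so the DMA still reads the full dmalen into buf and the tail is dropped on the floor. Clamping before the read, as the esp_do_dma() fix later in this pull does by putting `len = MIN(len, fifo8_num_free(&s->cmdfifo));` ahead of dma_memory_read(), keeps the transferred and pushed counts equal; it is also worth confirming that dmalen is bounded by sizeof(buf) before the read, since nothing in the hunk shows where that is enforced.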
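Review bot: in the second get_cmd() hunk, `n = MIN(fifo8_num_free(&s->cmdfifo), n);` comes after the bytes have already been popped from s->fifo, so anything beyond the free space is lost rather than left for a later transfer, and `trace_esp_get_cmd(dmalen, target)` still reports the unclamped dmalen. Since the commit message says this only happens on deliberately incorrect command sequences, a qemu_log_mask(LOG_GUEST_ERROR, ...) when n is reduced would make the condition visible to an operator, and the trace should carry the count actually pushed.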
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:45 +0100
Message-Id: <20210412222048.22818-11-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 10/13] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size

If a guest transfers the message out/command phase data using DMA with a TC that is larger than the cmdfifo size then the cmdfifo overflows triggering an assert. Limit the size of the transfer to the free space available in cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1919036
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-10-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 9d3fdb4398..a26a109166 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -578,6 +578,7 @@ static void esp_do_dma(ESPState *s) cmdlen =3D fifo8_num_used(&s->cmdfifo); trace_esp_do_dma(cmdlen, len); if (s->dma_memory_read) { + len =3D MIN(len, fifo8_num_free(&s->cmdfifo)); s->dma_memory_read(s->dma_opaque, buf, len); fifo8_push_all(&s->cmdfifo, buf, len); } else { --=20 2.20.1
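Review bot: `trace_esp_do_dma(cmdlen, len)` is emitted before the new clamp, so the trace records the pre-clamp len and a reader of the trace log cannot tell that the transfer was cut short; move `len = MIN(len, fifo8_num_free(&s->cmdfifo));` above the trace call (or trace the final value after it). The clamp is also only applied inside the dma_memory_read branch; the else branch of the same if is not in the hunk and deserves a look for the same push into cmdfifo.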
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:46 +0100
Message-Id: <20210412222048.22818-12-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 11/13] esp: don't reset async_len directly in esp_select() if cancelling request

Instead let the SCSI layer invoke the .cancel callback itself to cancel and reset the request state.

Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index a26a109166..0037197bdb 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c @@ -95,6 +95,7 @@ void esp_request_cancelled(SCSIRequest *req) scsi_req_unref(s->current_req); s->current_req =3D NULL; s->current_dev =3D NULL; + s->async_len =3D 0; } } =20 
@@ -206,7 +207,6 @@ static int esp_select(ESPState *s) if (s->current_req) { /* Started a new command before the old one finished. Cancel it. = */ scsi_req_cancel(s->current_req); - s->async_len =3D 0; } =20 s->current_dev =3D scsi_device_find(&s->bus, 0, target, 0); --=20 2.20.1 From nobody Tue May 14 00:09:38 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1618267285; cv=none; d=zohomail.com; s=zohoarc; b=V6g2lXicIvomvHiEESH61KPn9i1tNOihpHEQ571AXGD2x/gLqiCtQ8qLKTfpyh5A4oMcpqQIMcnWYBfGYU5FaFKKqRp+Rb2MY6EC5CbFAtkViRuvy3P9gwmGRoMere4KrW1TRupqXCArcEw1FLTi4g63D5VoDvmUBYJR+rlH2lQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1618267285; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=ufOtUndqeaULyD18wQwSoqB8tMNvubJoWSN9P6LxPOM=; b=VYv1VMZNWjXQgYad/N0xcIGL+GSY9Sc/jvWWkk5W/Wbx5yk3MN/KgVVbKtLAe3fCNENS8atXoaT4JY3000hiKqxakGcVboqRDDZHx+duDAdugC5ZMz1Ikuv7Xzx1/2sX+Jp8D9L2KdlRI6ejdE0bwdLfNTfjkG9294qt79llvMk= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1618267285708196.0827300045902; Mon, 12 Apr 2021 15:41:25 -0700 (PDT) Received: from localhost ([::1]:42500 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lW5FE-0007Gz-HU for importer@patchew.org; Mon, 12 Apr 2021 18:41:24 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:38698) by lists.gnu.org with esmtps 
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:47 +0100
Message-Id: <20210412222048.22818-13-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 12/13] esp: ensure that do_cmd is set to zero before submitting an ESP select command

When a CDB has been received and is about to be submitted to the SCSI layer via one of the ESP select commands, ensure that do_cmd is set to zero before executing the command. Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI .transfer_data callback again before do_cmd is set to zero by the callback function triggering an assert at the start of esp_transfer_data().
Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 0037197bdb..b668acef82 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -357,6 +357,7 @@ static void handle_satn(ESPState *s) cmdlen =3D get_cmd(s, ESP_CMDFIFO_SZ); if (cmdlen > 0) { s->cmdfifo_cdb_offset =3D 1; + s->do_cmd =3D 0; do_cmd(s); } else if (cmdlen =3D=3D 0) { s->do_cmd =3D 1; 
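Review bot: the new s->do_cmd = 0; in handle_satn() is placed in the cmdlen > 0 branch only, while the cmdlen == 0 branch already sets s->do_cmd = 1;, so both successful outcomes of get_cmd() now write do_cmd explicitly, and the identical two lines are duplicated in handle_s_without_atn() in the next hunk. Consider clearing do_cmd inside do_cmd()/do_busid_cmd() themselves, or in a shared helper that wraps get_cmd(), so that any further select handler cannot forget the reset; it would also help a reader if the commit message quoted the assertion at the start of esp_transfer_data() that the stale do_cmd value trips.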
@@ -390,6 +391,7 @@ static void handle_s_without_atn(ESPState *s) cmdlen =3D get_cmd(s, ESP_CMDFIFO_SZ); if (cmdlen > 0) { s->cmdfifo_cdb_offset =3D 0; + s->do_cmd =3D 0; do_busid_cmd(s, 0); } else if (cmdlen =3D=3D 0) { s->do_cmd =3D 1; --=20 2.20.1
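Review bot: the if (cmdlen > 0) ... else if (cmdlen == 0) structure in handle_s_without_atn() leaves a third path, cmdlen < 0, on which do_cmd is neither cleared nor set, so if get_cmd() can report an error with a negative return here, a do_cmd = 1 left over from an earlier zero-length select would survive into the next command, which is the state this patch is trying to eliminate. Either add a comment explaining why the negative case cannot occur with ESP_CMDFIFO_SZ, or clear do_cmd unconditionally right after cmdlen = get_cmd(s, ESP_CMDFIFO_SZ); and let the cmdlen == 0 branch alone set it to 1, which also removes the need for the extra line in each branch.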
From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Mon, 12 Apr 2021 23:20:48 +0100
Message-Id: <20210412222048.22818-14-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
References: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 13/13] tests/qtest: add tests for am53c974 device

Use the autogenerated fuzzer test cases as the basis for a set of am53c974 regression tests.

Signed-off-by: Mark Cave-Ayland
Tested-by: Alexander Bulekov
Message-Id: <20210407195801.685-13-mark.cave-ayland@ilande.co.uk>
---
 MAINTAINERS                 |   1 +
 tests/qtest/am53c974-test.c | 218 ++++++++++++++++++++++++++++++++++++
 tests/qtest/meson.build     |   1 +
 3 files changed, 220 insertions(+)
 create mode 100644 tests/qtest/am53c974-test.c
diff --git a/MAINTAINERS b/MAINTAINERS index 04beb34e7e..36055f14c5 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1772,6 +1772,7 @@ F: include/hw/scsi/* F: hw/scsi/* F: tests/qtest/virtio-scsi-test.c F: tests/qtest/fuzz-virtio-scsi-test.c +F: tests/qtest/am53c974-test.c T: git https://github.com/bonzini/qemu.git scsi-next =20 SSI diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c new file mode 100644 index 0000000000..d996866cd4 --- /dev/null +++ b/tests/qtest/am53c974-test.c 
@@ -0,0 +1,218 @@ +/* + * QTest testcase for am53c974 + * + * Copyright (c) 2021 Mark Cave-Ayland + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + + +static void test_cmdfifo_underflow_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0x8a000000); + qtest_outl(s, 0x8a09, 0x42000000); + qtest_outl(s, 0x8a0d, 0x00); + qtest_outl(s, 0x8a0b, 0x1000); + qtest_quit(s); +} + +/* Reported as crash_1548bd10e7 */ +static void test_cmdfifo_underflow2_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc006, 0x00); + 
qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} + +static void test_cmdfifo_overflow_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0x0e000000); + qtest_outl(s, 0xe40, 0x03); + qtest_outl(s, 0xe0b, 0x4100); + qtest_outl(s, 0xe0b, 0x9000); + qtest_quit(s); +} + +/* Reported as crash_530ff2e211 */ +static void test_cmdfifo_overflow2_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc03f, 0x0300); + qtest_quit(s); +} + +/* Reported as crash_0900379669 */ +static void test_fifo_pop_buf(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outb(s, 0xc008, 0xa0); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 
0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} + +static void test_target_selected_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001001); + qtest_outl(s, 0xcfc, 0x01000000); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0xef800000); + qtest_outl(s, 0xef8b, 0x4100); + qtest_outw(s, 0xef80, 0x01); + qtest_outl(s, 0xefc0, 0x03); + qtest_outl(s, 0xef8b, 0xc100); + qtest_outl(s, 0xef8b, 0x9000); + qtest_quit(s); +} + +static void test_fifo_underflow_on_write_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc008, 0x0a); + qtest_outl(s, 0xc009, 0x41000000); + qtest_outl(s, 0xc009, 0x41000000); + qtest_outl(s, 0xc00b, 0x1000); + qtest_quit(s); +} + +static void test_cancelled_request_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x05); + qtest_outb(s, 0xc046, 0x02); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outl(s, 0xc040, 0x03); + qtest_outl(s, 0xc040, 0x03); + qtest_bufwrite(s, 0x0, "\x41", 0x1); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outw(s, 0xc040, 0x02); + qtest_outw(s, 0xc040, 0x81); + qtest_outl(s, 0xc00b, 0x9000); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch =3D qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") =3D=3D 0) { + 
qtest_add_func("am53c974/test_cmdfifo_underflow_ok", + test_cmdfifo_underflow_ok); + qtest_add_func("am53c974/test_cmdfifo_underflow2_ok", + test_cmdfifo_underflow2_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow_ok", + test_cmdfifo_overflow_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow2_ok", + test_cmdfifo_overflow2_ok); + qtest_add_func("am53c974/test_fifo_pop_buf", + test_fifo_pop_buf); + qtest_add_func("am53c974/test_target_selected_ok", + test_target_selected_ok); + qtest_add_func("am53c974/test_fifo_underflow_on_write_ok", + test_fifo_underflow_on_write_ok); + qtest_add_func("am53c974/test_cancelled_request_ok", + test_cancelled_request_ok); + } + + return g_test_run(); +} diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index 420cd9986e..0c76738921 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build @@ -65,6 +65,7 @@ qtests_i386 =3D \ (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test= '] : []) + \ (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : [= ]) + \ (config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ? ['fuzz-e1000e= -test'] : []) + \ + (config_all_devices.has_key('CONFIG_ESP_PCI') ? ['am53c974-test'] : []) = + \ qtests_pci + = \ ['fdc-test', 'ide-test', --=20 2.20.1
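Review bot: the eight test bodies in tests/qtest/am53c974-test.c give no indication of what each register sequence exercises or what passing means, and only three of them carry a "Reported as crash_..." comment tying them to the fuzzer report they were derived from; since the commit message says all of them come from fuzzer cases, each function should cite its origin, and a short comment at the top of the file should say that a test passes simply by reaching qtest_quit() without QEMU aborting (the _ok suffix hints at this, but test_fifo_pop_buf lacks it, so the naming is inconsistent). The -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive id=disk0,if=none,file=null-co://,format=raw -nodefaults command line is repeated in every function with two different line wrappings; a single static const char for the shared arguments would make it obvious that all tests run the same configuration. Finally, none of the tests reads back a register or checks the interrupt status after the final command, so a regression that silently misbehaves rather than asserting would still pass; reading the ESP status and interrupt registers back with qtest_inb() at the end of each case would turn these from pure crash checks into behavioural checks.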
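Review bot: in the tests/qtest/meson.build hunk the new entry gates am53c974-test on CONFIG_ESP_PCI and adds it only to qtests_i386, while the test's main() additionally guards registration with strcmp(arch, "i386") == 0. Check whether qtests_x86_64 is derived from qtests_i386 in this file: if it is, the binary will also be run under qemu-system-x86_64, register zero test cases there and pass silently, so either accept "x86_64" in the strcmp or drop the guard altogether and rely on the meson list to decide where the test is built.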