From nobody Tue Feb 10 00:02:02 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1635796197708413.83753451679104; Mon, 1 Nov 2021 12:49:57 -0700 (PDT) Received: from localhost ([::1]:45764 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mhdJc-0003Il-DS for importer@patchew.org; Mon, 01 Nov 2021 15:49:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:54420) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhc9x-0004wL-AH for qemu-devel@nongnu.org; Mon, 01 Nov 2021 14:35:53 -0400 Received: from mail.ilande.co.uk ([2001:41c9:1:41f::167]:43248 helo=mail.default.ilande.bv.iomart.io) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhc9u-0007K2-3i for qemu-devel@nongnu.org; Mon, 01 Nov 2021 14:35:53 -0400 Received: from [2a00:23c4:8b9d:f500:9396:df17:737c:b32c] (helo=kentang.home) by mail.default.ilande.bv.iomart.io with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mhc9L-0002So-Vr; Mon, 01 Nov 2021 18:35:20 +0000 
From: Mark Cave-Ayland
To: pbonzini@redhat.com, fam@euphon.net, thuth@redhat.com, lvivier@redhat.com, qemu-devel@nongnu.org
Date: Mon, 1 Nov 2021 18:35:15 +0000
Message-Id: <20211101183516.8455-2-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk>
References: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH 1/2] esp: ensure in-flight SCSI requests are always cancelled

There is currently a check in esp_select() to cancel any in-flight SCSI requests
to ensure that issuing multiple select commands without continuing through the
rest of the ESP state machine ignores all but the last SCSI request. This is
also enforced through the addition of assert()s in esp_transfer_data() and
scsi_read_data().
The get_cmd() function does not call esp_select() when TC == 0 which means it
is possible for a fuzzer to trigger these assert()s by sending a select command
when TC == 0 immediately after a valid SCSI CDB has been submitted.

Since esp_select() is only called from get_cmd(), hoist the check to cancel
in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always
called when executing a select command to initiate a new SCSI request.

Signed-off-by: Mark Cave-Ayland
Closes: https://gitlab.com/qemu-project/qemu/-/issues/662
Closes: https://gitlab.com/qemu-project/qemu/-/issues/663
---
 hw/scsi/esp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8454ed1773..84f935b549 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -204,11 +204,6 @@ static int esp_select(ESPState *s) s->ti_size =3D 0; fifo8_reset(&s->fifo); =20 - if (s->current_req) { - /* Started a new command before the old one finished. Cancel it. = */ - scsi_req_cancel(s->current_req); - } - s->current_dev =3D scsi_device_find(&s->bus, 0, target, 0); if (!s->current_dev) { /* No such drive */
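Review bot: with the cancel removed, esp_select() now silently depends on its caller having already dealt with s->current_req, and nothing in the remaining function body records that precondition. Since the commit message states esp_select() is only called from get_cmd(), a one-line comment at the top of esp_select() ("caller has cancelled any in-flight request") would stop a future second caller from reintroducing the bug this patch fixes; an assert(!s->current_req) would be stronger, but only if the cancel path always clears the pointer synchronously, which this hunk alone does not show.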
@@ -235,6 +230,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) uint32_t dmalen, n; int target; =20 + if (s->current_req) { + /* Started a new command before the old one finished. Cancel it. = */ + scsi_req_cancel(s->current_req); + } + target =3D s->wregs[ESP_WBUSID] & BUSID_DID; if (s->dma) { dmalen =3D MIN(esp_get_tc(s), maxlen);
-- 
2.20.1
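Review bot: the cancel is now unconditional at the top of get_cmd(), ahead of the `if (s->dma)` / `dmalen = MIN(esp_get_tc(s), maxlen);` path that decides whether any CDB bytes are fetched at all, so a select command with TC == 0 discards the in-flight request even though no command bytes follow. That is the intended fix per the commit message, but the comment carried over verbatim ("Started a new command before the old one finished. Cancel it.") no longer says why the block has to sit before the length check; suggest extending it, e.g. "Must run before the TC == 0 early return so every select cancels the previous request.", so the ordering survives a later refactor of get_cmd().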
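The ordering the commit message describes (a select with TC == 0 returns from get_cmd() before esp_select() ever runs, so the previous request stays in flight while the device is parked in command phase) is easier to see in a reduced model. The C program below is an added example, not QEMU code: ModelState, ModelReq, model_select_old(), model_select_new(), model_transfer_data() and model_run_scenario() are this example's own stand-ins for ESPState, SCSIRequest, the pre- and post-patch get_cmd()/esp_select() paths and esp_transfer_data(). Two things are assumptions rather than facts from the patch: that the assert() in esp_transfer_data() checks the HBA is not waiting for a new CDB when data for the old request arrives, and that the fake SCSI layer's cancel drops the request from the HBA synchronously.

```c
/*
 * Added model, not QEMU code: a reduced ESP select/cancel state machine
 * reproducing the ordering described in the patch 1 commit message.
 * All names below are this example's own stand-ins for ESP/SCSI internals.
 */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for SCSIRequest: only the state the scenario needs. */
typedef struct {
    bool enqueued;   /* still owned by the (fake) SCSI layer */
    bool cancelled;  /* the cancel path reached it */
} ModelReq;

/* Stand-in for ESPState. */
typedef struct {
    ModelReq *current_req;  /* in-flight request, or NULL */
    bool do_cmd;            /* parked in command phase, waiting for a CDB */
    unsigned tc;            /* DMA transfer counter as written by the guest */
} ModelState;

/* Fake scsi_req_cancel(). Assumption: the HBA cancel callback drops
 * current_req synchronously. */
static void model_req_cancel(ModelState *s, ModelReq *req)
{
    if (!req->enqueued) {
        return;
    }
    req->enqueued = false;
    req->cancelled = true;
    if (s->current_req == req) {
        s->current_req = NULL;
    }
}

/* Fake do_cmd()/scsi_req_enqueue(): a valid CDB puts a request in flight. */
static void model_submit_cdb(ModelState *s, ModelReq *req)
{
    req->enqueued = true;
    req->cancelled = false;
    s->current_req = req;
    s->do_cmd = false;
}

/*
 * Pre-patch shape of a select command: get_cmd() returns on tc == 0 before
 * esp_select() runs, so the cancel that lived in esp_select() is skipped
 * and the device is parked in command phase on top of a live request.
 */
static void model_select_old(ModelState *s)
{
    if (s->tc == 0) {
        s->do_cmd = true;   /* "Target present, but no cmd yet" */
        return;             /* esp_select() never reached */
    }
    if (s->current_req) {
        model_req_cancel(s, s->current_req);   /* was inside esp_select() */
    }
    s->do_cmd = false;
}

/* Post-patch shape: the cancel is hoisted ahead of the tc check. */
static void model_select_new(ModelState *s)
{
    if (s->current_req) {
        model_req_cancel(s, s->current_req);
    }
    if (s->tc == 0) {
        s->do_cmd = true;
        return;
    }
    s->do_cmd = false;
}

/*
 * Fake esp_transfer_data(): the SCSI layer delivers data for a request.
 * Returns true when the HBA state is consistent (the assumed
 * assert(!s->do_cmd) would hold) and false when it would fire.
 */
static bool model_transfer_data(ModelState *s, ModelReq *req)
{
    if (req->cancelled || req != s->current_req) {
        return true;   /* nothing is delivered for a cancelled request */
    }
    return !s->do_cmd;
}

/*
 * The reproducer from the commit message: valid CDB, then a select with
 * TC == 0, then the first request's data arrives. Returns true if the
 * completion is safe, false if it would trip the assert.
 */
static bool model_run_scenario(bool hoisted)
{
    ModelState s = {0};
    ModelReq req;

    model_submit_cdb(&s, &req);
    s.tc = 0;
    if (hoisted) {
        model_select_new(&s);
    } else {
        model_select_old(&s);
    }
    return model_transfer_data(&s, &req);
}

int main(void)
{
    printf("pre-patch ordering safe:  %s\n", model_run_scenario(false) ? "yes" : "no");
    printf("post-patch ordering safe: %s\n", model_run_scenario(true) ? "yes" : "no");
    return 0;
}
```

The model reports the pre-patch ordering as unsafe and the post-patch ordering as safe. The general lesson is the one the patch applies: a cleanup that must happen on every guest-triggered transition belongs at the single entry point of that transition, ahead of any early return, not inside a helper that only some paths reach.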
From: Mark Cave-Ayland
To: pbonzini@redhat.com, fam@euphon.net, thuth@redhat.com, lvivier@redhat.com, qemu-devel@nongnu.org
Date: Mon, 1 Nov 2021 18:35:16 +0000
Message-Id: <20211101183516.8455-3-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk>
References: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH 2/2] qtest/am53c974-test: add test for cancelling in-flight requests

Based upon the qtest reproducer posted to Gitlab issue #663 at
https://gitlab.com/qemu-project/qemu/-/issues/663.

Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
---
 tests/qtest/am53c974-test.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
index d996866cd4..9b1e4211bd 100644
--- a/tests/qtest/am53c974-test.c
+++ b/tests/qtest/am53c974-test.c
@@ -189,6 +189,40 @@ static void test_cancelled_request_ok(void) qtest_quit(s); } =20 +static void test_inflight_cancel_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi " + "-device scsi-hd,drive=3Ddisk0 -drive " + "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001000); + qtest_inw(s, 0xcfc); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xffffffff); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_inl(s, 0xcfc); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc001); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_inw(s, 0xcfc); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x7); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_inw(s, 0xcfc); + qtest_inb(s, 0xc000); + qtest_outb(s, 0xc008, 0x8); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outb(s, 0xc009, 0x0); + qtest_outb(s, 0xc009, 0x0); + qtest_outw(s, 0xc00b, 0xc212); + qtest_outl(s, 0xc042, 0x2c2c5a88); + qtest_outw(s, 0xc00b, 0xc212); + qtest_outw(s, 0xc00b, 0x415a); + qtest_outl(s, 0xc03f, 0x3060303); + qtest_outl(s, 0xc00b, 0x5afa9054); + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch =3D qtest_get_arch();
@@ -212,6 +246,8 @@ int main(int argc, char **argv) test_fifo_underflow_on_write_ok); qtest_add_func("am53c974/test_cancelled_request_ok", test_cancelled_request_ok); + qtest_add_func("am53c974/test_inflight_cancel_ok", + test_inflight_cancel_ok); } =20 return g_test_run();
-- 
2.20.1
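Review bot: test_inflight_cancel_ok() is a verbatim replay of the fuzzer's PCI config and port I/O sequence with no comments, so a reader cannot tell from the function which accesses set up the device (the 0xc001 written at config offset 0x10 programs BAR0, the 0x7 written at offset 0x4 enables it), which byte write to 0xc008 feeds the FIFO, or which of the qtest_outw()/qtest_outl() calls to 0xc00b is the select command with TC == 0 that patch 1 targets. Suggest a short comment per group of accesses naming the ESP register and the step of the scenario from the commit message (valid CDB submitted, then select with TC == 0), and a note that the test has no explicit assertion: it passes by QEMU not aborting on the assert() in esp_transfer_data(), which is fine for a crash regression test but worth stating so nobody later "fixes" the missing check.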