From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Mark Cave-Ayland
Subject: [PULL 19/27] esp: ensure in-flight SCSI requests are always cancelled
Date: Wed, 3 Nov 2021 16:04:34 +0100
Message-Id: <20211103150442.387121-20-pbonzini@redhat.com>
In-Reply-To: <20211103150442.387121-1-pbonzini@redhat.com>
References: <20211103150442.387121-1-pbonzini@redhat.com>
X-Mailer: git-send-email 2.33.1
Content-Type: text/plain; charset="utf-8"
From: Mark Cave-Ayland

There is currently a check in esp_select() to cancel any in-flight SCSI requests
to ensure that issuing multiple select commands without continuing through the
rest of the ESP state machine ignores all but the last SCSI request. This is
also enforced through the addition of assert()s in esp_transfer_data() and
scsi_read_data().

The get_cmd() function does not call esp_select() when TC == 0 which means it is
possible for a fuzzer to trigger these assert()s by sending a select command
when TC == 0 immediately after a valid SCSI CDB has been submitted.

Since esp_select() is only called from get_cmd(), hoist the check to cancel
in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always
called when executing a select command to initiate a new SCSI request.

Signed-off-by: Mark Cave-Ayland
Closes: https://gitlab.com/qemu-project/qemu/-/issues/662
Closes: https://gitlab.com/qemu-project/qemu/-/issues/663
Message-Id: <20211101183516.8455-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini
---
 hw/scsi/esp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8454ed1773..84f935b549 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -204,11 +204,6 @@ static int esp_select(ESPState *s)
     s->ti_size = 0;
     fifo8_reset(&s->fifo);
 
-    if (s->current_req) {
-        /* Started a new command before the old one finished. Cancel it. */
-        scsi_req_cancel(s->current_req);
-    }
-
     s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
     if (!s->current_dev) {
         /* No such drive */
@@ -235,6 +230,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
     uint32_t dmalen, n;
     int target;
 
+    if (s->current_req) {
+        /* Started a new command before the old one finished. Cancel it. */
+        scsi_req_cancel(s->current_req);
+    }
+
     target = s->wregs[ESP_WBUSID] & BUSID_DID;
     if (s->dma) {
         dmalen = MIN(esp_get_tc(s), maxlen);
-- 
2.31.1
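Review bot: dropping the cancel from esp_select() (first hunk) is only safe while get_cmd() remains its sole caller, which the commit message asserts but nothing in the hunk shows; a one-line comment at the top of esp_select() such as `/* get_cmd() has already cancelled any in-flight request */` would record that invariant for whoever adds a second caller. The move also changes ordering: the cancel used to run after `s->ti_size = 0;` and `fifo8_reset(&s->fifo);`, and now runs before them from get_cmd(), so if the cancellation callback reads or resets ti_size or the FIFO it now does so on un-reset state. Worth a sentence in the commit message confirming the callback does not care.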
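Review bot: the hoisted block in get_cmd() (second hunk) is correct only because it sits ahead of every early return in the function, which is the whole point of the fix for the TC == 0 path; a short comment stating that it must stay first would stop a later cleanup from moving it down next to `target = s->wregs[ESP_WBUSID] & BUSID_DID;` or inside `if (s->dma) {`. Also, nothing in this hunk clears s->current_req after scsi_req_cancel(); if the cancellation callback does that, the comment should say so, since esp_select() goes on to assign s->current_dev and a reader of the copied comment "Started a new command before the old one finished. Cancel it." cannot tell where the stale pointer is dropped.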
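The following is an added, constructed C model of the control flow the commit message describes; it is not QEMU code and not the patch author's. The struct, the cancel stand-in and the "return before esp_select() when dmalen == 0" shape of the old get_cmd() are assumptions standing in for hw/scsi/esp.c; only the placement of the cancel check (inside esp_select() before the patch, at the top of get_cmd() after it) mirrors the hunks. It replays the fuzzer sequence from the message, a valid CDB in flight followed by a select command with TC == 0, and reports whether the old request is left attached.

```c
/*
 * Constructed model of the ESP select path (NOT hw/scsi/esp.c).
 * Only the control flow the commit message reasons about is kept:
 * an in-flight request pointer, a DMA transfer counter (TC), and a
 * select command that goes through get_cmd() into esp_select().
 * Struct layout, the cancel stand-in and the "dmalen == 0 returns
 * early" path are assumptions; the position of the cancel check
 * before and after the patch mirrors the hunks.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int id;
    bool cancelled;
} ModelReq;

typedef struct {
    ModelReq *current_req;  /* in-flight SCSI request, or NULL */
    uint32_t tc;            /* transfer counter, stands in for esp_get_tc() */
    bool dma;               /* DMA mode selected */
    int cancel_calls;       /* how many times the cancel ran */
} ModelESP;

/* Stand-in for scsi_req_cancel(): in QEMU this runs a cancellation
 * callback that drops the request; here we record it and clear it. */
static void model_req_cancel(ModelESP *s)
{
    s->current_req->cancelled = true;
    s->current_req = NULL;
    s->cancel_calls++;
}

/* esp_select() BEFORE the patch: the cancel lives here, so it only
 * runs when get_cmd() actually reaches esp_select(). */
static void model_esp_select_before(ModelESP *s)
{
    if (s->current_req) {
        model_req_cancel(s);
    }
    /* ... device lookup would follow ... */
}

/* MIN(esp_get_tc(s), maxlen) in DMA mode, maxlen otherwise. */
static uint32_t model_dmalen(const ModelESP *s, uint32_t maxlen)
{
    return s->dma ? (s->tc < maxlen ? s->tc : maxlen) : maxlen;
}

/* get_cmd() BEFORE the patch (assumed shape): with DMA on and TC == 0
 * there is nothing to transfer, get_cmd() returns before esp_select()
 * and the stale request survives. */
static uint32_t model_get_cmd_before(ModelESP *s, uint32_t maxlen)
{
    uint32_t dmalen = model_dmalen(s, maxlen);
    if (dmalen == 0) {
        return 0;
    }
    model_esp_select_before(s);
    return dmalen;
}

/* get_cmd() AFTER the patch: the cancel is the first thing done, ahead
 * of any early return, so the TC == 0 select still cancels. */
static uint32_t model_get_cmd_after(ModelESP *s, uint32_t maxlen)
{
    if (s->current_req) {
        model_req_cancel(s);
    }
    uint32_t dmalen = model_dmalen(s, maxlen);
    if (dmalen == 0) {
        return 0;
    }
    /* esp_select() without the cancel would follow here */
    return dmalen;
}

/* Replay the sequence from the commit message: a CDB is in flight, then a
 * select command arrives with the given TC. Returns true when the old
 * request is still attached afterwards, i.e. the state that later tripped
 * the assert()s in esp_transfer_data()/scsi_read_data(). */
static bool stale_request_after_select(bool patched, uint32_t tc)
{
    ModelReq req = { .id = 1, .cancelled = false };
    ModelESP s = { .current_req = &req, .tc = tc, .dma = true, .cancel_calls = 0 };
    if (patched) {
        model_get_cmd_after(&s, 16);
    } else {
        model_get_cmd_before(&s, 16);
    }
    return s.current_req != NULL;
}

int main(void)
{
    printf("TC == 0, unpatched: stale request left = %s\n",
           stale_request_after_select(false, 0) ? "yes" : "no");
    printf("TC == 0, patched:   stale request left = %s\n",
           stale_request_after_select(true, 0) ? "yes" : "no");
    printf("TC == 8, unpatched: stale request left = %s\n",
           stale_request_after_select(false, 8) ? "yes" : "no");
    return 0;
}
```

With a non-zero TC both versions cancel, which is why the bug only shows up on the TC == 0 select; the model makes that visible as the single case where the unpatched path keeps the old request.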