This is the fix for Gitlab issue #724 discovered by fuzzing which I think is
worth including in 6.2 for 2 reasons: firstly the fix is to zero out
an extra field during chip reset which normally only occurs during driver
initialisation and durring IO timeouts, and secondly the bug causes a stale
SCSI data buffer pointer dereference rather than triggering a FIFO assert.

The first patch contains the very simple fix, whilst the second patch adds a
qtest based upon the original Gitlab issue.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>


Mark Cave-Ayland (2):
  esp: ensure that async_len is reset to 0 during esp_hard_reset()
  qtest/am53c974-test: add test for reset before transfer

 hw/scsi/esp.c               |  1 +
 tests/qtest/am53c974-test.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

-- 
2.20.1

On 11/18/21 11:03, Mark Cave-Ayland wrote:
> This is the fix for Gitlab issue #724 discovered by fuzzing which I think is
> worth including in 6.2 for 2 reasons: firstly the fix is to zero out
> an extra field during chip reset which normally only occurs during driver
> initialisation and durring IO timeouts, and secondly the bug causes a stale
> SCSI data buffer pointer dereference rather than triggering a FIFO assert.
> 
> The first patch contains the very simple fix, whilst the second patch adds a
> qtest based upon the original Gitlab issue.
> 
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
> 
> 
> Mark Cave-Ayland (2):
>    esp: ensure that async_len is reset to 0 during esp_hard_reset()
>    qtest/am53c974-test: add test for reset before transfer
> 
>   hw/scsi/esp.c               |  1 +
>   tests/qtest/am53c974-test.c | 30 ++++++++++++++++++++++++++++++
>   2 files changed, 31 insertions(+)
> 

Queued, thanks.

Paolo