[PULL 19/27] esp: ensure in-flight SCSI requests are always cancelled
From: Paolo Bonzini
Subject: [PULL 19/27] esp: ensure in-flight SCSI requests are always cancelled
Date: Wed, 3 Nov 2021 16:04:34 +0100
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
There is currently a check in esp_select() to cancel any in-flight SCSI requests
to ensure that issuing multiple select commands without continuing through the
rest of the ESP state machine ignores all but the last SCSI request. This is
also enforced through the addition of assert()s in esp_transfer_data() and
scsi_read_data().
The get_cmd() function does not call esp_select() when TC == 0 which means it is
possible for a fuzzer to trigger these assert()s by sending a select command when
TC == 0 immediately after a valid SCSI CDB has been submitted.
Since esp_select() is only called from get_cmd(), hoist the check to cancel
in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always
called when executing a select command to initiate a new SCSI request.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Closes: https://gitlab.com/qemu-project/qemu/-/issues/662
Closes: https://gitlab.com/qemu-project/qemu/-/issues/663
Message-Id: <20211101183516.8455-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/esp.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8454ed1773..84f935b549 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -204,11 +204,6 @@ static int esp_select(ESPState *s)
s->ti_size = 0;
fifo8_reset(&s->fifo);
- if (s->current_req) {
- /* Started a new command before the old one finished. Cancel it. */
- scsi_req_cancel(s->current_req);
- }
-
s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
if (!s->current_dev) {
/* No such drive */
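Review bot: with the cancel block removed here, esp_select() now depends on its caller having already cancelled s->current_req before it resets ti_size and the FIFO, but nothing in the function records that precondition. Since the commit message states esp_select() is only called from get_cmd(), a one-line comment above "s->ti_size = 0;" noting that any in-flight request must already have been cancelled by get_cmd() would keep a future caller from reintroducing the unguarded path.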
@@ -235,6 +230,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
uint32_t dmalen, n;
int target;
+ if (s->current_req) {
+ /* Started a new command before the old one finished. Cancel it. */
+ scsi_req_cancel(s->current_req);
+ }
+
target = s->wregs[ESP_WBUSID] & BUSID_DID;
if (s->dma) {
dmalen = MIN(esp_get_tc(s), maxlen);
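Review bot: the hoisted block calls scsi_req_cancel(s->current_req) but does not clear s->current_req afterwards, so correctness relies on the cancel completion path resetting the pointer. If it does not, a later get_cmd() with no new request issued in between would call scsi_req_cancel() on an already-cancelled request. Either confirm the cancel callback sets s->current_req = NULL, or clear it explicitly after the scsi_req_cancel() call in this hunk. Placing the check before the "if (s->dma)" branch is what makes it cover the TC == 0 path the commit message describes, so the position is right.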
--
2.31.1