
scsi: mptsas: infinite loop while fetching requests

Message ID 1464077264-25473-1-git-send-email-ppandit@redhat.com
State New

Commit Message

Prasad Pandit May 24, 2016, 8:07 a.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

The LSI SAS1068 Host Bus Adapter emulator in QEMU periodically
looks for requests and fetches them. The loop doing that in
mptsas_fetch_requests() could run indefinitely if 's->state' was
not operational. Move the state check ahead of the loop to avoid this.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/scsi/mptsas.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

Comments

Prasad Pandit June 7, 2016, 6:42 a.m. UTC | #1
+-- On Tue, 24 May 2016, P J P wrote --+
| diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
| index 499c146..be88e16 100644
| --- a/hw/scsi/mptsas.c
| +++ b/hw/scsi/mptsas.c
| @@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
|      hwaddr addr;
|      int size;
|  
| -    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
| -        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
| -        return;
| -    }
| -
|      /* Read the message header from the guest first. */
|      addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
|      pci_dma_read(pci, addr, req, sizeof(hdr));
| @@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
|  {
|      MPTSASState *s = opaque;
|  
| +    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
| +        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
| +        return;
| +    }
|      while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
|          mptsas_fetch_request(s);
|      }

Ping..!
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Paolo Bonzini June 7, 2016, 7:53 a.m. UTC | #2
On 07/06/2016 08:42, P J P wrote:
> +-- On Tue, 24 May 2016, P J P wrote --+
> | diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
> | index 499c146..be88e16 100644
> | --- a/hw/scsi/mptsas.c
> | +++ b/hw/scsi/mptsas.c
> | @@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
> |      hwaddr addr;
> |      int size;
> |  
> | -    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
> | -        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
> | -        return;
> | -    }
> | -
> |      /* Read the message header from the guest first. */
> |      addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
> |      pci_dma_read(pci, addr, req, sizeof(hdr));
> | @@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
> |  {
> |      MPTSASState *s = opaque;
> |  
> | +    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
> | +        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
> | +        return;
> | +    }
> |      while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
> |          mptsas_fetch_request(s);
> |      }
> 
> Ping..!
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
> 
> 

This is commit 06630554ccbdd25780aa03c3548aaff1eb56dffd.

Paolo
Prasad Pandit June 7, 2016, 8:44 a.m. UTC | #3
+-- On Tue, 7 Jun 2016, Paolo Bonzini wrote --+
| > | +    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
| > | +        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
| > | +        return;
| > | +    }
| > |      while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
| > |          mptsas_fetch_request(s);
| > |      }
| 
| This is commit 06630554ccbdd25780aa03c3548aaff1eb56dffd.

Okay, thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Patch

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 499c146..be88e16 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -754,11 +754,6 @@  static void mptsas_fetch_request(MPTSASState *s)
     hwaddr addr;
     int size;
 
-    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-        return;
-    }
-
     /* Read the message header from the guest first. */
     addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
     pci_dma_read(pci, addr, req, sizeof(hdr));
@@ -789,6 +784,10 @@  static void mptsas_fetch_requests(void *opaque)
 {
     MPTSASState *s = opaque;
 
+    if (s->state != MPI_IOC_STATE_OPERATIONAL) {
+        mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
+        return;
+    }
     while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
         mptsas_fetch_request(s);
     }
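Review bot: The guard added at the top of mptsas_fetch_requests() is evaluated only once, so the `while` loop keeps calling mptsas_fetch_request() even if handling an earlier request leaves the IOC non-operational. The per-request check removed in the first hunk used to cover that case. Whether request handling can change `s->state` is not visible here, but if it can (for example through mptsas_set_fault()), later guest-supplied FIFO entries would still be DMA-read and processed in a faulted state. Consider stopping the loop once that happens, e.g. `if (s->state != MPI_IOC_STATE_OPERATIONAL) { break; }` after the call, and add a comment on mptsas_fetch_request() such as `/* Caller must ensure the IOC is in MPI_IOC_STATE_OPERATIONAL. */` now that it no longer checks this itself. The function body continues outside the hunk.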