| Message ID | 20210401074933.9923-3-mark.cave-ayland@ilande.co.uk |
|---|---|
| State | New |
| Headers | show |
| Series | esp: fix asserts/segfaults discovered by fuzzer | expand |
On 4/1/21 9:49 AM, Mark Cave-Ayland wrote: > The code for write_response() has always used the FIFO to store the data for > the status/message in phases, even for DMA transactions. Switch to using a > separate buffer that can be used directly for DMA transactions and restrict > the FIFO use to the non-DMA case. > > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 13 ++++++------- > 1 file changed, 6 insertions(+), 7 deletions(-) > > diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c > index bafea0d4e6..26fe1dcb9d 100644 > --- a/hw/scsi/esp.c > +++ b/hw/scsi/esp.c > @@ -445,18 +445,16 @@ static void write_response_pdma_cb(ESPState *s) > > static void write_response(ESPState *s) > { > - uint32_t n; > + uint8_t buf[2]; > > trace_esp_write_response(s->status); > > - fifo8_reset(&s->fifo); > - esp_fifo_push(s, s->status); > - esp_fifo_push(s, 0); > + buf[0] = s->status; > + buf[1] = 0; Slightly simplified: const uint8_t buf[2] = { s->status, 0 }; > if (s->dma) { uint32_t n; > if (s->dma_memory_write) { > - s->dma_memory_write(s->dma_opaque, > - (uint8_t *)fifo8_pop_buf(&s->fifo, 2, &n), 2); > + s->dma_memory_write(s->dma_opaque, buf, 2); > s->rregs[ESP_RSTAT] = STAT_TC | STAT_ST; > s->rregs[ESP_RINTR] |= INTR_BS | INTR_FC; > s->rregs[ESP_RSEQ] = SEQ_CD; > @@ -466,7 +464,8 @@ static void write_response(ESPState *s) > return; > } > } else { > - s->ti_size = 2; > + fifo8_reset(&s->fifo); > + fifo8_push_all(&s->fifo, buf, 2); > s->rregs[ESP_RFLAGS] = 2; > } > esp_raise_irq(s); > Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index bafea0d4e6..26fe1dcb9d 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -445,18 +445,16 @@ static void write_response_pdma_cb(ESPState *s) static void write_response(ESPState *s) { - uint32_t n; + uint8_t buf[2]; trace_esp_write_response(s->status); - fifo8_reset(&s->fifo); - esp_fifo_push(s, s->status); - esp_fifo_push(s, 0); + buf[0] = s->status; + buf[1] = 0; if (s->dma) { if (s->dma_memory_write) { - s->dma_memory_write(s->dma_opaque, - (uint8_t *)fifo8_pop_buf(&s->fifo, 2, &n), 2); + s->dma_memory_write(s->dma_opaque, buf, 2); s->rregs[ESP_RSTAT] = STAT_TC | STAT_ST; s->rregs[ESP_RINTR] |= INTR_BS | INTR_FC; s->rregs[ESP_RSEQ] = SEQ_CD; @@ -466,7 +464,8 @@ static void write_response(ESPState *s) return; } } else { - s->ti_size = 2; + fifo8_reset(&s->fifo); + fifo8_push_all(&s->fifo, buf, 2); s->rregs[ESP_RFLAGS] = 2; } esp_raise_irq(s);
The code for write_response() has always used the FIFO to store the data for the status/message in phases, even for DMA transactions. Switch to using a separate buffer that can be used directly for DMA transactions and restrict the FIFO use to the non-DMA case. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)