From patchwork Mon Nov 1 18:35:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Cave-Ayland X-Patchwork-Id: 1549317 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4Hjk9W6vLcz9sVc for ; Tue, 2 Nov 2021 06:48:30 +1100 (AEDT) Received: from localhost ([::1]:41894 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mhdIA-0000ZP-Ph for incoming@patchwork.ozlabs.org; Mon, 01 Nov 2021 15:48:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:54420) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhc9x-0004wL-AH for qemu-devel@nongnu.org; Mon, 01 Nov 2021 14:35:53 -0400 Received: from mail.ilande.co.uk ([2001:41c9:1:41f::167]:43248 helo=mail.default.ilande.bv.iomart.io) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhc9u-0007K2-3i for qemu-devel@nongnu.org; Mon, 01 Nov 2021 14:35:53 -0400 Received: from [2a00:23c4:8b9d:f500:9396:df17:737c:b32c] (helo=kentang.home) by mail.default.ilande.bv.iomart.io with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mhc9L-0002So-Vr; Mon, 01 Nov 2021 18:35:20 +0000 From: Mark Cave-Ayland To: pbonzini@redhat.com, fam@euphon.net, thuth@redhat.com, lvivier@redhat.com, qemu-devel@nongnu.org Date: Mon, 1 Nov 2021 18:35:15 +0000 Message-Id: <20211101183516.8455-2-mark.cave-ayland@ilande.co.uk> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk> References: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk> MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2a00:23c4:8b9d:f500:9396:df17:737c:b32c X-SA-Exim-Mail-From: mark.cave-ayland@ilande.co.uk Subject: [PATCH 1/2] esp: ensure in-flight SCSI requests are always cancelled X-SA-Exim-Version: 4.2.1 (built Wed, 08 May 2019 21:11:16 +0000) X-SA-Exim-Scanned: Yes (on mail.default.ilande.bv.iomart.io) Received-SPF: pass client-ip=2001:41c9:1:41f::167; envelope-from=mark.cave-ayland@ilande.co.uk; helo=mail.default.ilande.bv.iomart.io X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" There is currently a check in esp_select() to cancel any in-flight SCSI requests to ensure that issuing multiple select commands without continuing through the rest of the ESP state machine ignores all but the last SCSI request. This is also enforced through the addition of assert()s in esp_transfer_data() and scsi_read_data(). The get_cmd() function does not call esp_select() when TC == 0 which means it is possible for a fuzzer to trigger these assert()s by sending a select command when TC == 0 immediately after a valid SCSI CDB has been submitted. Since esp_select() is only called from get_cmd(), hoist the check to cancel in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always called when executing a select command to initiate a new SCSI request. Signed-off-by: Mark Cave-Ayland Closes: https://gitlab.com/qemu-project/qemu/-/issues/662 Closes: https://gitlab.com/qemu-project/qemu/-/issues/663 --- hw/scsi/esp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 8454ed1773..84f935b549 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -204,11 +204,6 @@ static int esp_select(ESPState *s) s->ti_size = 0; fifo8_reset(&s->fifo); - if (s->current_req) { - /* Started a new command before the old one finished. Cancel it. */ - scsi_req_cancel(s->current_req); - } - s->current_dev = scsi_device_find(&s->bus, 0, target, 0); if (!s->current_dev) { /* No such drive */ @@ -235,6 +230,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen) uint32_t dmalen, n; int target; + if (s->current_req) { + /* Started a new command before the old one finished. Cancel it. */ + scsi_req_cancel(s->current_req); + } + target = s->wregs[ESP_WBUSID] & BUSID_DID; if (s->dma) { dmalen = MIN(esp_get_tc(s), maxlen); From patchwork Mon Nov 1 18:35:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Mark Cave-Ayland X-Patchwork-Id: 1549316 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4Hjk3M6vCBz9sVc for ; Tue, 2 Nov 2021 06:43:11 +1100 (AEDT) Received: from localhost ([::1]:33646 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mhdD2-0002gY-NL for incoming@patchwork.ozlabs.org; Mon, 01 Nov 2021 15:43:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:54408) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhc9w-0004rz-0z for qemu-devel@nongnu.org; Mon, 01 Nov 2021 14:35:52 -0400 Received: from mail.ilande.co.uk ([2001:41c9:1:41f::167]:43256 helo=mail.default.ilande.bv.iomart.io) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mhc9t-0007KD-JV for qemu-devel@nongnu.org; Mon, 01 Nov 2021 14:35:51 -0400 Received: from [2a00:23c4:8b9d:f500:9396:df17:737c:b32c] (helo=kentang.home) by mail.default.ilande.bv.iomart.io with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mhc9Q-0002So-81; Mon, 01 Nov 2021 18:35:23 +0000 From: Mark Cave-Ayland To: pbonzini@redhat.com, fam@euphon.net, thuth@redhat.com, lvivier@redhat.com, qemu-devel@nongnu.org Date: Mon, 1 Nov 2021 18:35:16 +0000 Message-Id: <20211101183516.8455-3-mark.cave-ayland@ilande.co.uk> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk> References: <20211101183516.8455-1-mark.cave-ayland@ilande.co.uk> MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2a00:23c4:8b9d:f500:9396:df17:737c:b32c X-SA-Exim-Mail-From: mark.cave-ayland@ilande.co.uk Subject: [PATCH 2/2] qtest/am53c974-test: add test for cancelling in-flight requests X-SA-Exim-Version: 4.2.1 (built Wed, 08 May 2019 21:11:16 +0000) X-SA-Exim-Scanned: Yes (on mail.default.ilande.bv.iomart.io) Received-SPF: pass client-ip=2001:41c9:1:41f::167; envelope-from=mark.cave-ayland@ilande.co.uk; helo=mail.default.ilande.bv.iomart.io X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" Based upon the qtest reproducer posted to Gitlab issue #663 at https://gitlab.com/qemu-project/qemu/-/issues/663. Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daudé --- tests/qtest/am53c974-test.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c index d996866cd4..9b1e4211bd 100644 --- a/tests/qtest/am53c974-test.c +++ b/tests/qtest/am53c974-test.c @@ -189,6 +189,40 @@ static void test_cancelled_request_ok(void) qtest_quit(s); } +static void test_inflight_cancel_ok(void) +{ + QTestState *s = qtest_init( + "-device am53c974,id=scsi " + "-device scsi-hd,drive=disk0 -drive " + "id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001000); + qtest_inw(s, 0xcfc); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xffffffff); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_inl(s, 0xcfc); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc001); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_inw(s, 0xcfc); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x7); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_inw(s, 0xcfc); + qtest_inb(s, 0xc000); + qtest_outb(s, 0xc008, 0x8); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outb(s, 0xc009, 0x0); + qtest_outb(s, 0xc009, 0x0); + qtest_outw(s, 0xc00b, 0xc212); + qtest_outl(s, 0xc042, 0x2c2c5a88); + qtest_outw(s, 0xc00b, 0xc212); + qtest_outw(s, 0xc00b, 0x415a); + qtest_outl(s, 0xc03f, 0x3060303); + qtest_outl(s, 0xc00b, 0x5afa9054); + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch = qtest_get_arch(); @@ -212,6 +246,8 @@ int main(int argc, char **argv) test_fifo_underflow_on_write_ok); qtest_add_func("am53c974/test_cancelled_request_ok", test_cancelled_request_ok); + qtest_add_func("am53c974/test_inflight_cancel_ok", + test_inflight_cancel_ok); } return g_test_run();