From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 02/13] esp: always check current_req is not NULL before use in DMA callbacks
Date: Mon, 12 Apr 2021 23:20:37 +0100	[thread overview]
Message-ID: <20210412222048.22818-3-mark.cave-ayland@ilande.co.uk> (raw)
In-Reply-To: <20210412222048.22818-1-mark.cave-ayland@ilande.co.uk>

After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data
is left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index d87e1a63db..a79196f3f3 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -496,6 +496,10 @@ static void do_dma_pdma_cb(ESPState *s)
         return;
     }
 
+    if (!s->current_req) {
+        return;
+    }
+
     if (to_device) {
         /* Copy FIFO data to device */
         len = MIN(s->async_len, ESP_FIFO_SZ);
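Review bot: the early `return` added at the top of do_dma_pdma_cb silently abandons the callback when current_req is NULL, leaving any bytes still in the FIFO and the data_in_ready state as they were; a one-line comment tying the check to the cancelled-request case named in the commit message (the SCSIBusInfo .cancel callback clearing current_req) would stop a later reader from treating it as a dead check and removing it.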
@@ -527,11 +531,9 @@ static void do_dma_pdma_cb(ESPState *s)
         return;
     } else {
         if (s->async_len == 0) {
-            if (s->current_req) {
-                /* Defer until the scsi layer has completed */
-                scsi_req_continue(s->current_req);
-                s->data_in_ready = false;
-            }
+            /* Defer until the scsi layer has completed */
+            scsi_req_continue(s->current_req);
+            s->data_in_ready = false;
             return;
         }
 
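Review bot: dropping the inner `if (s->current_req)` guard around `scsi_req_continue(s->current_req);` is only correct because of the `if (!s->current_req) return;` inserted earlier in the same function, and nothing in this hunk's context shows that dependency; a short comment above the scsi_req_continue() call noting that current_req has already been validated at function entry would make the invariant visible to anyone who later edits this branch in isolation.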
@@ -604,6 +606,9 @@ static void esp_do_dma(ESPState *s)
         }
         return;
     }
+    if (!s->current_req) {
+        return;
+    }
     if (s->async_len == 0) {
         /* Defer until data is available.  */
         return;
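Review bot: the new NULL check in esp_do_dma is placed without the blank-line separation used around the equivalent checks in the other hunks, and it returns before the `s->async_len == 0` test; for consistency with do_dma_pdma_cb and esp_do_nodma add the surrounding blank lines, and consider whether this early return should also clear async_len, since the commit message identifies leftover transfer data (async_len != 0) after a cancel as the trigger for the next TI command dereferencing the NULL pointer.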
@@ -713,6 +718,10 @@ static void esp_do_nodma(ESPState *s)
         return;
     }
 
+    if (!s->current_req) {
+        return;
+    }
+
     if (s->async_len == 0) {
         /* Defer until data is available.  */
         return;
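Review bot: esp_do_nodma now returns early on a NULL current_req ahead of the `s->async_len == 0` check, matching the DMA paths, so the same three-line guard now appears in three call sites; consider a single cross-referencing comment (or a tiny helper) that names the .cancel callback as the reason, so the three checks stay in step if the cancel semantics of the ESP emulation change later.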
-- 
2.20.1
