[Qemu-commits] [qemu/qemu] ed7835: ide: Fix incorrect handling of some P


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] ed7835: ide: Fix incorrect handling of some PRDTs in ide_d...
Date: Thu, 30 Jan 2020 03:45:14 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: ed78352a59ea7acf7520d4d47a96b9911bae7fc3
      
https://github.com/qemu/qemu/commit/ed78352a59ea7acf7520d4d47a96b9911bae7fc3
  Author: Alexander Popov <address@hidden>
  Date:   2020-01-27 (Mon, 27 Jan 2020)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  ide: Fix incorrect handling of some PRDTs in ide_dma_cb()

The commit a718978ed58a from July 2015 introduced the assertion which
implies that the size of successful DMA transfers handled in ide_dma_cb()
should be a multiple of 512 (the size of a sector). But guest systems can
initiate DMA transfers that don't fit this requirement.

To fix that, let's check the number of bytes prepared for the transfer
by the prepare_buf() handler. The code in ide_dma_cb() must behave
according to the Programming Interface for Bus Master IDE Controller
(Revision 1.0 5/16/94):
1. If PRDs specified a smaller size than the IDE transfer
   size, then the Interrupt and Active bits in the Controller
   status register are not set (Error Condition).
2. If the size of the physical memory regions was equal to
   the IDE device transfer size, the Interrupt bit in the
   Controller status register is set to 1, Active bit is set to 0.
3. If PRDs specified a larger size than the IDE transfer size,
   the Interrupt and Active bits in the Controller status register
   are both set to 1.

Signed-off-by: Alexander Popov <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 59805ae92dfe4f67105e36b539d567caec4f8304
      
https://github.com/qemu/qemu/commit/59805ae92dfe4f67105e36b539d567caec4f8304
  Author: Alexander Popov <address@hidden>
  Date:   2020-01-27 (Mon, 27 Jan 2020)

  Changed paths:
    M tests/qtest/ide-test.c

  Log Message:
  -----------
  tests/ide-test: Create a single unit-test covering more PRDT cases

Fuzzing the Linux kernel with syzkaller made it possible to find how to crash
qemu using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in
ide_dma_cb() introduced in the commit a718978ed58a in July 2015.
Currently this bug is not reproduced by the unit tests.

Let's improve the ide-test to cover more PRDT cases including one
that causes this particular qemu crash.

The test is developed according to the Programming Interface for
Bus Master IDE Controller (Revision 1.0 5/16/94).

Signed-off-by: Alexander Popov <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: bddff6f6787c916b0e9d63ef9e4d442114257739
      
https://github.com/qemu/qemu/commit/bddff6f6787c916b0e9d63ef9e4d442114257739
  Author: Peter Maydell <address@hidden>
  Date:   2020-01-28 (Tue, 28 Jan 2020)

  Changed paths:
    M hw/ide/core.c
    M tests/qtest/ide-test.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging

Pull request

# gpg: Signature made Tue 28 Jan 2020 01:05:19 GMT
# gpg:                using RSA key F9B7ABDBBCACDF95BE76CBD07DEF8106AAFC390E
# gpg: Good signature from "John Snow (John Huston) <address@hidden>" [full]
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-pull-request:
  tests/ide-test: Create a single unit-test covering more PRDT cases
  ide: Fix incorrect handling of some PRDTs in ide_dma_cb()

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/4c60e3289875...bddff6f6787c
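As an added illustration (not code from QEMU or from the commits above), the following C models the three PRDT cases the ide_dma_cb() fix enumerates: a walk over a constructed PRDT to obtain the byte count that prepare_buf() would report, followed by the Interrupt/Active decision against the IDE transfer size, next to the "multiple of 512" condition the old assertion implied. The PRD layout follows the Bus Master IDE spec cited in the commit; the macro and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Bus Master IDE status register bits (Programming Interface for Bus Master
 * IDE Controller, Rev 1.0, 5/16/94). Macro names are this example's own. */
#define BM_STATUS_ACTIVE 0x01u
#define BM_STATUS_INT    0x04u
#define PRD_EOT          0x80000000u  /* end-of-table flag, bit 31 of dword 1 */

/* One Physical Region Descriptor as laid out in guest memory: a 32-bit base
 * address, then a dword with a 16-bit byte count (0 means 64 KiB) and EOT. */
typedef struct { uint32_t addr; uint32_t count_eot; } prd_t;

/* Walk a PRDT up to its EOT entry and return the total bytes it describes,
 * i.e. the value a prepare_buf()-style handler reports to the DMA callback.
 * max_entries bounds the walk so a table without EOT cannot overrun. */
size_t prdt_total_bytes(const prd_t *table, size_t max_entries)
{
    size_t total = 0;
    for (size_t i = 0; i < max_entries; i++) {
        uint32_t count = table[i].count_eot & 0xffffu;
        total += count ? count : 0x10000u;     /* a zero count means 64 KiB */
        if (table[i].count_eot & PRD_EOT) break;
    }
    return total;
}

typedef struct { uint8_t status; bool error; } dma_outcome;

/* Post-fix decision: compare what the PRDT prepared with the IDE transfer
 * size and apply the spec's three cases instead of asserting on the size. */
dma_outcome dma_complete(size_t prdt_bytes, size_t transfer_bytes)
{
    dma_outcome out = { 0, false };
    if (prdt_bytes < transfer_bytes) {
        out.error = true;                     /* 1. too small: no INT/ACTIVE */
    } else if (prdt_bytes == transfer_bytes) {
        out.status = BM_STATUS_INT;           /* 2. exact: INT=1, ACTIVE=0 */
    } else {
        out.status = BM_STATUS_INT | BM_STATUS_ACTIVE;  /* 3. larger: both */
    }
    return out;
}

/* What the pre-fix assertion implied: the prepared size had to be a whole
 * number of 512-byte sectors. A guest PRDT of, say, 1000 bytes fails this. */
bool old_assertion_holds(size_t prdt_bytes)
{
    return prdt_bytes % 512 == 0;
}
```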


