[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] ff4a1d: esp: fix setting of ESPState mig_vers
From: |
Peter Maydell |
Subject: |
[Qemu-commits] [qemu/qemu] ff4a1d: esp: fix setting of ESPState mig_version_id when l... |
Date: |
Tue, 13 Apr 2021 05:05:10 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: ff4a1daba6adc8811efb5046483feb3af6bd8d83
https://github.com/qemu/qemu/commit/ff4a1daba6adc8811efb5046483feb3af6bd8d83
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp-pci.c
M hw/scsi/esp.c
M include/hw/scsi/esp.h
Log Message:
-----------
esp: fix setting of ESPState mig_version_id when launching QEMU with -S option
If QEMU is launched with the -S option then the ESPState mig_version_id property
is left unset due to the ordering of the VMState fields in the
VMStateDescription
for sysbusespscsi and pciespscsi. If the VM is migrated and restored in this
stopped state, the version tests in the vmstate_esp VMStateDescription and
esp_post_load() become confused causing the migration to fail.
Fix the ordering problem by moving the setting of mig_version_id to a common
esp_pre_save() function which is invoked first by both sysbusespscsi and
pciespscsi rather than at the point where ESPState is itself serialised into the
migration stream.
Buglink: https://bugs.launchpad.net/qemu/+bug/1922611
Fixes: 0bd005be78 ("esp: add vmstate_esp version to embedded ESPState")
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210407124842.32695-1-mark.cave-ayland@ilande.co.uk>
Commit: 0db895361b8a82e1114372ff9f4857abea605701
https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: always check current_req is not NULL before use in DMA callbacks
After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data
is left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.
Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
Commit: e392255766071c8cac480da3a9ae4f94e56d7cbc
https://github.com/qemu/qemu/commit/e392255766071c8cac480da3a9ae4f94e56d7cbc
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: rework write_response() to avoid using the FIFO for DMA transactions
The code for write_response() has always used the FIFO to store the data for
the status/message in phases, even for DMA transactions. Switch to using a
separate buffer that can be used directly for DMA transactions and restrict
the FIFO use to the non-DMA case.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-3-mark.cave-ayland@ilande.co.uk>
Commit: e5455b8c1c6170c788f3c0fd577cc3be53539a99
https://github.com/qemu/qemu/commit/e5455b8c1c6170c788f3c0fd577cc3be53539a99
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: consolidate esp_cmdfifo_push() into esp_fifo_push()
Each FIFO currently has its own push functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.
Change esp_fifo_push() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_push() into esp_fifo_push().
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-4-mark.cave-ayland@ilande.co.uk>
Commit: c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
https://github.com/qemu/qemu/commit/c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()
Each FIFO currently has its own pop functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.
Change esp_fifo_pop() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_pop() into esp_fifo_pop().
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-5-mark.cave-ayland@ilande.co.uk>
Commit: 7b320a8e67a534925048cbabfa51431e0349dafd
https://github.com/qemu/qemu/commit/7b320a8e67a534925048cbabfa51431e0349dafd
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()
The const pointer returned by fifo8_pop_buf() lies directly within the array
used
to model the FIFO. Building with address sanitizers enabled shows that if the
caller expects a minimum number of bytes present then if the FIFO is nearly
full,
the caller may unexpectedly access past the end of the array.
Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a
memcpy() in it to guarantee that the caller cannot overwrite the FIFO array and
update all callers to use it. Similarly add underflow protection similar to
esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert()
the operation becomes a no-op.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20210407195801.685-6-mark.cave-ayland@ilande.co.uk>
Commit: 99545751734035b76bd372c4e7215bb337428d89
https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: ensure cmdfifo is not empty and current_dev is non-NULL
When about to execute a SCSI command, ensure that cmdfifo is not empty and
current_dev is non-NULL. This can happen if the guest tries to execute a TI
(Transfer Information) command without issuing one of the select commands
first.
Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
Commit: fa7505c154d4d00ad89a747be2eda556643ce00e
https://github.com/qemu/qemu/commit/fa7505c154d4d00ad89a747be2eda556643ce00e
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: don't underflow cmdfifo in do_cmd()
If the guest tries to execute a CDB when cmdfifo is not empty before the start
of the message out phase then clearing the message out phase data will cause
cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of
data within.
Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to
the size of the data within cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk>
Commit: fbc6510e3379fa8f8370bf71198f0ce733bf07f9
https://github.com/qemu/qemu/commit/fbc6510e3379fa8f8370bf71198f0ce733bf07f9
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: don't overflow cmdfifo in get_cmd()
If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.
Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk>
Commit: 0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
https://github.com/qemu/qemu/commit/0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
If a guest transfers the message out/command phase data using DMA with a TC
that is larger than the cmdfifo size then the cmdfifo overflows triggering
an assert. Limit the size of the transfer to the free space available in
cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1919036
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-10-mark.cave-ayland@ilande.co.uk>
Commit: 324c8809897c8c53ad05c3a7147d272f1711cd5e
https://github.com/qemu/qemu/commit/324c8809897c8c53ad05c3a7147d272f1711cd5e
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: don't reset async_len directly in esp_select() if cancelling request
Instead let the SCSI layer invoke the .cancel callback itself to cancel and
reset the request state.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>
Commit: 607206948cacda4a80be5b976dba490970a18a76
https://github.com/qemu/qemu/commit/607206948cacda4a80be5b976dba490970a18a76
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: ensure that do_cmd is set to zero before submitting an ESP select command
When a CDB has been received and is about to be submitted to the SCSI layer
via one of the ESP select commands, ensure that do_cmd is set to zero before
executing the command.
Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
.transfer_data callback again before do_cmd is set to zero by the callback
function triggering an assert at the start of esp_transfer_data().
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>
Commit: ce94fa7aa646a18e9b9105a32eea2152b202b431
https://github.com/qemu/qemu/commit/ce94fa7aa646a18e9b9105a32eea2152b202b431
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2021-04-12 (Mon, 12 Apr 2021)
Changed paths:
M MAINTAINERS
A tests/qtest/am53c974-test.c
M tests/qtest/meson.build
Log Message:
-----------
tests/qtest: add tests for am53c974 device
Use the autogenerated fuzzer test cases as the basis for a set of am53c974
regression tests.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-13-mark.cave-ayland@ilande.co.uk>
Commit: 1a66dab9ddabc6e88ccdf7dbc6379f89e9af2581
https://github.com/qemu/qemu/commit/1a66dab9ddabc6e88ccdf7dbc6379f89e9af2581
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2021-04-13 (Tue, 13 Apr 2021)
Changed paths:
M MAINTAINERS
M hw/scsi/esp-pci.c
M hw/scsi/esp.c
M include/hw/scsi/esp.h
A tests/qtest/am53c974-test.c
M tests/qtest/meson.build
Log Message:
-----------
Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20210412' into
staging
qemu-sparc queue
# gpg: Signature made Mon 12 Apr 2021 23:13:12 BST
# gpg: using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F
# gpg: issuer "mark.cave-ayland@ilande.co.uk"
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>"
[full]
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C C9C4 5BC2 C56F AE0F 321F
* remotes/mcayland/tags/qemu-sparc-20210412:
tests/qtest: add tests for am53c974 device
esp: ensure that do_cmd is set to zero before submitting an ESP select command
esp: don't reset async_len directly in esp_select() if cancelling request
esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
esp: don't overflow cmdfifo in get_cmd()
esp: don't underflow cmdfifo in do_cmd()
esp: ensure cmdfifo is not empty and current_dev is non-NULL
esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()
esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()
esp: consolidate esp_cmdfifo_push() into esp_fifo_push()
esp: rework write_response() to avoid using the FIFO for DMA transactions
esp: always check current_req is not NULL before use in DMA callbacks
esp: fix setting of ESPState mig_version_id when launching QEMU with -S option
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/c1e90def01bd...1a66dab9ddab