qemu-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] ff4a1d: esp: fix setting of ESPState mig_vers


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] ff4a1d: esp: fix setting of ESPState mig_version_id when l...
Date: Tue, 13 Apr 2021 05:05:10 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: ff4a1daba6adc8811efb5046483feb3af6bd8d83
      
https://github.com/qemu/qemu/commit/ff4a1daba6adc8811efb5046483feb3af6bd8d83
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp-pci.c
    M hw/scsi/esp.c
    M include/hw/scsi/esp.h

  Log Message:
  -----------
  esp: fix setting of ESPState mig_version_id when launching QEMU with -S option

If QEMU is launched with the -S option then the ESPState mig_version_id property
is left unset due to the ordering of the VMState fields in the 
VMStateDescription
for sysbusespscsi and pciespscsi. If the VM is migrated and restored in this
stopped state, the version tests in the vmstate_esp VMStateDescription and
esp_post_load() become confused causing the migration to fail.

Fix the ordering problem by moving the setting of mig_version_id to a common
esp_pre_save() function which is invoked first by both sysbusespscsi and
pciespscsi rather than at the point where ESPState is itself serialised into the
migration stream.

Buglink: https://bugs.launchpad.net/qemu/+bug/1922611
Fixes: 0bd005be78 ("esp: add vmstate_esp version to embedded ESPState")
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20210407124842.32695-1-mark.cave-ayland@ilande.co.uk>


  Commit: 0db895361b8a82e1114372ff9f4857abea605701
      
https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: always check current_req is not NULL before use in DMA callbacks

After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data
is left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>


  Commit: e392255766071c8cac480da3a9ae4f94e56d7cbc
      
https://github.com/qemu/qemu/commit/e392255766071c8cac480da3a9ae4f94e56d7cbc
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: rework write_response() to avoid using the FIFO for DMA transactions

The code for write_response() has always used the FIFO to store the data for
the status/message in phases, even for DMA transactions. Switch to using a
separate buffer that can be used directly for DMA transactions and restrict
the FIFO use to the non-DMA case.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-3-mark.cave-ayland@ilande.co.uk>


  Commit: e5455b8c1c6170c788f3c0fd577cc3be53539a99
      
https://github.com/qemu/qemu/commit/e5455b8c1c6170c788f3c0fd577cc3be53539a99
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: consolidate esp_cmdfifo_push() into esp_fifo_push()

Each FIFO currently has its own push functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_push() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_push() into esp_fifo_push().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-4-mark.cave-ayland@ilande.co.uk>


  Commit: c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
      
https://github.com/qemu/qemu/commit/c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()

Each FIFO currently has its own pop functions with the only difference being
the capacity check. The original reason for this was that the fifo8
implementation doesn't have a formal API for retrieving the FIFO capacity,
however there are multiple examples within QEMU where the capacity field is
accessed directly.

Change esp_fifo_pop() to access the FIFO capacity directly and then consolidate
esp_cmdfifo_pop() into esp_fifo_pop().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-5-mark.cave-ayland@ilande.co.uk>


  Commit: 7b320a8e67a534925048cbabfa51431e0349dafd
      
https://github.com/qemu/qemu/commit/7b320a8e67a534925048cbabfa51431e0349dafd
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()

The const pointer returned by fifo8_pop_buf() lies directly within the array 
used
to model the FIFO. Building with address sanitizers enabled shows that if the
caller expects a minimum number of bytes present then if the FIFO is nearly 
full,
the caller may unexpectedly access past the end of the array.

Introduce esp_fifo_pop_buf() which takes a destination buffer and performs a
memcpy() in it to guarantee that the caller cannot overwrite the FIFO array and
update all callers to use it. Similarly add underflow protection similar to
esp_fifo_push() and esp_fifo_pop() so that instead of triggering an assert()
the operation becomes a no-op.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20210407195801.685-6-mark.cave-ayland@ilande.co.uk>


  Commit: 99545751734035b76bd372c4e7215bb337428d89
      
https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: ensure cmdfifo is not empty and current_dev is non-NULL

When about to execute a SCSI command, ensure that cmdfifo is not empty and
current_dev is non-NULL. This can happen if the guest tries to execute a TI
(Transfer Information) command without issuing one of the select commands
first.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>


  Commit: fa7505c154d4d00ad89a747be2eda556643ce00e
      
https://github.com/qemu/qemu/commit/fa7505c154d4d00ad89a747be2eda556643ce00e
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: don't underflow cmdfifo in do_cmd()

If the guest tries to execute a CDB when cmdfifo is not empty before the start
of the message out phase then clearing the message out phase data will cause
cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of
data within.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to
the size of the data within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk>


  Commit: fbc6510e3379fa8f8370bf71198f0ce733bf07f9
      
https://github.com/qemu/qemu/commit/fbc6510e3379fa8f8370bf71198f0ce733bf07f9
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: don't overflow cmdfifo in get_cmd()

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk>


  Commit: 0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
      
https://github.com/qemu/qemu/commit/0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: don't overflow cmdfifo if TC is larger than the cmdfifo size

If a guest transfers the message out/command phase data using DMA with a TC
that is larger than the cmdfifo size then the cmdfifo overflows triggering
an assert. Limit the size of the transfer to the free space available in
cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1919036
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-10-mark.cave-ayland@ilande.co.uk>


  Commit: 324c8809897c8c53ad05c3a7147d272f1711cd5e
      
https://github.com/qemu/qemu/commit/324c8809897c8c53ad05c3a7147d272f1711cd5e
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: don't reset async_len directly in esp_select() if cancelling request

Instead let the SCSI layer invoke the .cancel callback itself to cancel and
reset the request state.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>


  Commit: 607206948cacda4a80be5b976dba490970a18a76
      
https://github.com/qemu/qemu/commit/607206948cacda4a80be5b976dba490970a18a76
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: ensure that do_cmd is set to zero before submitting an ESP select command

When a CDB has been received and is about to be submitted to the SCSI layer
via one of the ESP select commands, ensure that do_cmd is set to zero before
executing the command.

Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
.transfer_data callback again before do_cmd is set to zero by the callback
function triggering an assert at the start of esp_transfer_data().

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>


  Commit: ce94fa7aa646a18e9b9105a32eea2152b202b431
      
https://github.com/qemu/qemu/commit/ce94fa7aa646a18e9b9105a32eea2152b202b431
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2021-04-12 (Mon, 12 Apr 2021)

  Changed paths:
    M MAINTAINERS
    A tests/qtest/am53c974-test.c
    M tests/qtest/meson.build

  Log Message:
  -----------
  tests/qtest: add tests for am53c974 device

Use the autogenerated fuzzer test cases as the basis for a set of am53c974
regression tests.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-13-mark.cave-ayland@ilande.co.uk>


  Commit: 1a66dab9ddabc6e88ccdf7dbc6379f89e9af2581
      
https://github.com/qemu/qemu/commit/1a66dab9ddabc6e88ccdf7dbc6379f89e9af2581
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-04-13 (Tue, 13 Apr 2021)

  Changed paths:
    M MAINTAINERS
    M hw/scsi/esp-pci.c
    M hw/scsi/esp.c
    M include/hw/scsi/esp.h
    A tests/qtest/am53c974-test.c
    M tests/qtest/meson.build

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20210412' into 
staging

qemu-sparc queue

# gpg: Signature made Mon 12 Apr 2021 23:13:12 BST
# gpg:                using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F
# gpg:                issuer "mark.cave-ayland@ilande.co.uk"
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" 
[full]
# Primary key fingerprint: CC62 1AB9 8E82 200D 915C  C9C4 5BC2 C56F AE0F 321F

* remotes/mcayland/tags/qemu-sparc-20210412:
  tests/qtest: add tests for am53c974 device
  esp: ensure that do_cmd is set to zero before submitting an ESP select command
  esp: don't reset async_len directly in esp_select() if cancelling request
  esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
  esp: don't overflow cmdfifo in get_cmd()
  esp: don't underflow cmdfifo in do_cmd()
  esp: ensure cmdfifo is not empty and current_dev is non-NULL
  esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf()
  esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop()
  esp: consolidate esp_cmdfifo_push() into esp_fifo_push()
  esp: rework write_response() to avoid using the FIFO for DMA transactions
  esp: always check current_req is not NULL before use in DMA callbacks
  esp: fix setting of ESPState mig_version_id when launching QEMU with -S option

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/c1e90def01bd...1a66dab9ddab



reply via email to

[Prev in Thread] Current Thread [Next in Thread]