[Stable-7.2.11 09/41] hw/scsi/lsi53c895a: add missing decrement of reent
From: Michael Tokarev
Subject: [Stable-7.2.11 09/41] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
Date: Wed, 10 Apr 2024 08:43:30 +0300
From: Sven Schnelle <svens@stackframe.org>
When the maximum count of SCRIPTS instructions is reached, the code
stops execution and returns, but fails to decrement the reentrancy
counter. This effectively renders the SCSI controller unusable
because on next entry the reentrancy counter is still above the limit.
This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
loops.
Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
controller (CVE-2023-0330)")
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Message-ID: <20240128202214.2644768-1-svens@stackframe.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 8b09b7fe47082c69295a0fc0cc01b041b6385025)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 905f5ef237..c7a3964b5f 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1167,6 +1167,7 @@ again:
lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
lsi_disconnect(s);
trace_lsi_execute_script_stop();
+ reentrancy_level--;
return;
}
insn = read_dword(s, s->dsp);
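Review bot: The new `reentrancy_level--;` is hand-placed directly before the `return;` in the script-stop branch, so the counter stays balanced only if every early exit in this function repeats it. That is the same omission the commit message describes. Consider routing this branch, and any other early return taken after the counter has been incremented, through a single exit label that decrements once, and add a short comment at the increment saying all exits must pass through it. The hunk shows only this one return, so it cannot confirm that no other exit path has the same gap. That is worth checking for the stable backport, because per the commit message a leaked count leaves the controller unusable on the next entry and guest activity (SCRIPTS loops) is enough to reach this branch.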
--
2.39.2