Subject: [PULL 02/13] esp: always check current_req is not NULL before use in DMA callbacks
From: Mark Cave-Ayland
Date: Mon, 12 Apr 2021 23:20:37 +0100
After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data
is left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.
Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
---
hw/scsi/esp.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index d87e1a63db..a79196f3f3 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -496,6 +496,10 @@ static void do_dma_pdma_cb(ESPState *s)
return;
}
+ if (!s->current_req) {
+ return;
+ }
+
if (to_device) {
/* Copy FIFO data to device */
len = MIN(s->async_len, ESP_FIFO_SZ);
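Review bot: the bare `return` added to do_dma_pdma_cb gives no hint of why current_req can be NULL at this point, which is the whole reason for the fix; a short comment such as `/* Request was cancelled by the SCSI layer via .cancel; nothing to transfer */` would make the guard self-explanatory and match the existing commented early-returns in this function. Note also that the guard leaves async_len untouched, so any buffered data described in the commit message simply stays pending after the cancelled request rather than being cleared here; if that is intended, saying so in the comment avoids a later reader "fixing" it.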
@@ -527,11 +531,9 @@ static void do_dma_pdma_cb(ESPState *s)
return;
} else {
if (s->async_len == 0) {
- if (s->current_req) {
- /* Defer until the scsi layer has completed */
- scsi_req_continue(s->current_req);
- s->data_in_ready = false;
- }
+ /* Defer until the scsi layer has completed */
+ scsi_req_continue(s->current_req);
+ s->data_in_ready = false;
return;
}
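Review bot: dropping the inner `if (s->current_req)` around scsi_req_continue() is only safe because the new function-level guard at the top of do_dma_pdma_cb now returns before this branch is reached; the two hunks are coupled, and a one-line comment at the removed site (or in the commit message) recording that the check moved to function entry would stop someone re-adding it or, worse, removing the top-level one independently. Behaviour for the async_len == 0 case is otherwise unchanged: the function still returns regardless of whether the request was continued.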
@@ -604,6 +606,9 @@ static void esp_do_dma(ESPState *s)
}
return;
}
+ if (!s->current_req) {
+ return;
+ }
if (s->async_len == 0) {
/* Defer until data is available. */
return;
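Review bot: style point on the esp_do_dma hunk: the other two insertions of the same guard (do_dma_pdma_cb and esp_do_nodma) are followed by a blank line before the next `if`, while this one runs straight into `if (s->async_len == 0)`; making the three identical blocks identical in layout keeps them greppable and makes it obvious they are the same invariant.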
@@ -713,6 +718,10 @@ static void esp_do_nodma(ESPState *s)
return;
}
+ if (!s->current_req) {
+ return;
+ }
+
if (s->async_len == 0) {
/* Defer until data is available. */
return;
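Review bot: this is the third copy of the same three-line `if (!s->current_req) return;` guard in one file; consider folding the check into a small static helper (or a single early-return at the common caller) so the "request may have been cancelled" invariant lives in one place and a future DMA path cannot forget it. Consistent with the other hunks, a comment stating that NULL here means the SCSI layer's .cancel callback already ran would also document the non-DMA path.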
--
2.20.1