Re: [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing

From:	Mark Cave-Ayland
Subject:	Re: [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS
Date:	Mon, 25 Mar 2024 12:57:00 +0000
User-agent:	Mozilla Thunderbird

On 25/03/2024 10:49, Philippe Mathieu-Daudé wrote:

On 24/3/24 20:16, Mark Cave-Ayland wrote:

The current logic assumes that at least 1 byte is present in the FIFO when
executing a non-DMA SELATNS command, but this may not be the case if the
guest executes an invalid ESP command sequence.


What is real hardware behavior here?

I don't know for sure, but my guess is that if you ask to transfer a single byte fromthe FIFO to the SCSI bus and the FIFO is empty, you'll either end up with all zerosor a NOOP.

Reported-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
  hw/scsi/esp.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 1aac8f5564..f3aa5364cf 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -762,7 +762,8 @@ static void esp_do_nodma(ESPState *s)
          case CMD_SELATNS:


Alternatively logging the guest abuse:

               len = fifo8_num_used(&s->fifo);
               if (len < 1) {
                   qemu_log_mask(LOG_GUEST_ERROR, ...
                   break;
               }

              /* Copy one byte from FIFO into cmdfifo */
-            len = esp_fifo_pop_buf(s, buf, 1);
+            len = esp_fifo_pop_buf(s, buf,
+                                   MIN(fifo8_num_used(&s->fifo), 1));

This is similar to your previous comment in that it's an artifact of theimplementation: when popping data using esp_fifo_pop_buf() I've always allowed theinternal Fifo8 assert() if too much data is requested. This was a deliberate designchoice that allowed me to catch several memory issues when working on the ESPemulation: it just so happened I missed a case in the last big ESP rework that wasfound by fuzzing.

It's also worth noting that it's a Fifo8 internal protective assert() that fires herewhich is different from the previous case whereby an overflow of the internal Fifo8data buffer actually did occur.

              len = MIN(fifo8_num_free(&s->cmdfifo), len);
              fifo8_push_all(&s->cmdfifo, buf, len);



ATB,

Mark.

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v3 03/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase(), (continued)
- [PATCH v3 03/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase(), Mark Cave-Ayland, 2024/03/24
  - Re: [PATCH v3 03/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase(), Philippe Mathieu-Daudé, 2024/03/25
- [PATCH v3 04/17] esp.c: replace cmdfifo use of esp_fifo_pop() in do_message_phase(), Mark Cave-Ayland, 2024/03/24
- [PATCH v3 05/17] esp.c: change esp_fifo_push() to take ESPState, Mark Cave-Ayland, 2024/03/24
- [PATCH v3 07/17] esp.c: use esp_fifo_push() instead of fifo8_push(), Mark Cave-Ayland, 2024/03/24
- [PATCH v3 06/17] esp.c: change esp_fifo_pop() to take ESPState, Mark Cave-Ayland, 2024/03/24
- [PATCH v3 08/17] esp.c: change esp_fifo_pop_buf() to take ESPState, Mark Cave-Ayland, 2024/03/24
- [PATCH v3 09/17] esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO, Mark Cave-Ayland, 2024/03/24
- [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS, Mark Cave-Ayland, 2024/03/24
  - Re: [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS, Philippe Mathieu-Daudé, 2024/03/25
    - Re: [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS, Mark Cave-Ayland <=
- [PATCH v3 11/17] esp.c: rework esp_cdb_length() into esp_cdb_ready(), Mark Cave-Ayland, 2024/03/24
- [PATCH v3 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready(), Mark Cave-Ayland, 2024/03/24
  - Re: [PATCH v3 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready(), Philippe Mathieu-Daudé, 2024/03/25
    - Re: [PATCH v3 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready(), Mark Cave-Ayland, 2024/03/25
- [PATCH v3 13/17] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file, Mark Cave-Ayland, 2024/03/24
- [PATCH v3 14/17] esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it, Mark Cave-Ayland, 2024/03/24
- [PATCH v3 15/17] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq(), Mark Cave-Ayland, 2024/03/24
- [PATCH v3 16/17] esp.c: ensure esp_pdma_write() always calls esp_fifo_push(), Mark Cave-Ayland, 2024/03/24
- [PATCH v3 17/17] esp.c: remove explicit setting of DRQ within ESP state machine, Mark Cave-Ayland, 2024/03/24

Prev by Date: Re: [PATCH] qapi: document leftover members in qapi/run-state.json
Next by Date: Re: [PATCH] qapi/block-core: improve Qcow2OverlapCheckFlags documentation
Previous by thread: Re: [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS
Next by thread: [PATCH v3 11/17] esp.c: rework esp_cdb_length() into esp_cdb_ready()
Index(es):
- Date
- Thread