Message ID | 20211123111732.83137-2-philmd@redhat.com
---|---
State | New, archived
Series | hw/scsi/lsi53c895a: Fix guest-triggerable assert() in lsi_do_dma()
On 23/11/2021 12:17, Philippe Mathieu-Daudé wrote:
> If asked for DMA request and no data is available, simply wait
> for data to be queued, do not abort. This fixes:
>
> $ cat << EOF | \
> qemu-system-i386 -nographic -M q35,accel=qtest -serial none \
> -monitor none -qtest stdio -trace lsi* \
> -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
> -device lsi53c895a,id=scsi0 -device scsi-hd,drive=drive0,bus=scsi0.0,channel=0,scsi-id=0,lun=0
> lsi_reset Reset
> lsi_reg_write Write reg DSP2 0x2e = 0xff
> lsi_reg_write Write reg DSP3 0x2f = 0xff
> lsi_execute_script SCRIPTS dsp=0xffff0000 opcode 0x184a3900 arg 0x4a8b2d75
> qemu-system-i386: hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed.
>
> (gdb) bt
> #5 0x00007ffff4e8a3a6 in __GI___assert_fail
> (assertion=0x5555560accbc "s->current", file=0x5555560acc28 "hw/scsi/lsi53c895a.c", line=624, function=0x5555560adb18 "lsi_do_dma") at assert.c:101
> #6 0x0000555555aa33b9 in lsi_do_dma (s=0x555557805ac0, out=1) at hw/scsi/lsi53c895a.c:624
> #7 0x0000555555aa5042 in lsi_execute_script (s=0x555557805ac0) at hw/scsi/lsi53c895a.c:1250
> #8 0x0000555555aa757a in lsi_reg_writeb (s=0x555557805ac0, offset=47, val=255 '\377') at hw/scsi/lsi53c895a.c:1984
> #9 0x0000555555aa875b in lsi_mmio_write (opaque=0x555557805ac0, addr=47, val=255, size=1) at hw/scsi/lsi53c895a.c:2095
>
> Cc: qemu-stable@nongnu.org
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Vadim Rozenfeld <vrozenfe@redhat.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Reported-by: Jérôme Poulin <jeromepoulin@gmail.com>
> Reported-by: Ruhr-University <bugs-syssec@rub.de>
> Reported-by: Gaoning Pan <pgn@zju.edu.cn>
> Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
> Fixes: b96a0da06bd ("lsi: move dma_len+dma_buf into lsi_request")
> BugLink: https://bugs.launchpad.net/qemu/+bug/697510
> BugLink: https://bugs.launchpad.net/qemu/+bug/1905521
> BugLink: https://bugs.launchpad.net/qemu/+bug/1908515
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/84
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/305
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/552
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
> hw/scsi/lsi53c895a.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> index 85e907a7854..4c431adb774 100644
> --- a/hw/scsi/lsi53c895a.c
> +++ b/hw/scsi/lsi53c895a.c
> @@ -621,8 +621,7 @@ static void lsi_do_dma(LSIState *s, int out)
> dma_addr_t addr;
> SCSIDevice *dev;
>
> - assert(s->current);
> - if (!s->current->dma_len) {
> + if (!s->current || !s->current->dma_len) {
> /* Wait until data is available. */
> trace_lsi_do_dma_unavailable();
> return;

Reviewed-by: Laurent Vivier <lvivier@redhat.com>
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 85e907a7854..4c431adb774 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -621,8 +621,7 @@ static void lsi_do_dma(LSIState *s, int out)
dma_addr_t addr;
SCSIDevice *dev;

- assert(s->current);
- if (!s->current->dma_len) {
+ if (!s->current || !s->current->dma_len) {
/* Wait until data is available. */
trace_lsi_do_dma_unavailable();
return;
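Review bot: the new condition in the lsi_do_dma hunk folds the NULL-request case into the existing "Wait until data is available" path, but nothing can ever make data available when s->current is NULL, since there is no request for the SCSI layer to queue data on; the comment and trace_lsi_do_dma_unavailable() now describe a state that does not apply to that branch. Consider splitting the two cases so the trace tells a misbehaving guest apart from a normal wait, e.g. keep `if (!s->current->dma_len)` as it was and put a distinct early return with its own comment before it, such as `/* No request in flight: the guest started SCRIPTS without a command. */`. The reproducer in the commit message is also incomplete as quoted: the `cat << EOF` heredoc has neither the qtest commands nor the closing EOF, so it cannot be replayed from the message alone.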
If asked for DMA request and no data is available, simply wait
for data to be queued, do not abort. This fixes:

$ cat << EOF | \
qemu-system-i386 -nographic -M q35,accel=qtest -serial none \
-monitor none -qtest stdio -trace lsi* \
-drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
-device lsi53c895a,id=scsi0 -device scsi-hd,drive=drive0,bus=scsi0.0,channel=0,scsi-id=0,lun=0
lsi_reset Reset
lsi_reg_write Write reg DSP2 0x2e = 0xff
lsi_reg_write Write reg DSP3 0x2f = 0xff
lsi_execute_script SCRIPTS dsp=0xffff0000 opcode 0x184a3900 arg 0x4a8b2d75
qemu-system-i386: hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed.

(gdb) bt
#5 0x00007ffff4e8a3a6 in __GI___assert_fail
(assertion=0x5555560accbc "s->current", file=0x5555560acc28 "hw/scsi/lsi53c895a.c", line=624, function=0x5555560adb18 "lsi_do_dma") at assert.c:101
#6 0x0000555555aa33b9 in lsi_do_dma (s=0x555557805ac0, out=1) at hw/scsi/lsi53c895a.c:624
#7 0x0000555555aa5042 in lsi_execute_script (s=0x555557805ac0) at hw/scsi/lsi53c895a.c:1250
#8 0x0000555555aa757a in lsi_reg_writeb (s=0x555557805ac0, offset=47, val=255 '\377') at hw/scsi/lsi53c895a.c:1984
#9 0x0000555555aa875b in lsi_mmio_write (opaque=0x555557805ac0, addr=47, val=255, size=1) at hw/scsi/lsi53c895a.c:2095

Cc: qemu-stable@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Vadim Rozenfeld <vrozenfe@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Reported-by: Jérôme Poulin <jeromepoulin@gmail.com>
Reported-by: Ruhr-University <bugs-syssec@rub.de>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Fixes: b96a0da06bd ("lsi: move dma_len+dma_buf into lsi_request")
BugLink: https://bugs.launchpad.net/qemu/+bug/697510
BugLink: https://bugs.launchpad.net/qemu/+bug/1905521
BugLink: https://bugs.launchpad.net/qemu/+bug/1908515
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/84
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/305
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/552
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
hw/scsi/lsi53c895a.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
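The trace and backtrace above show the whole trigger chain: the guest writes the SCRIPTS pointer one byte at a time, the write to DSP3 starts the script engine, the block-move opcode it fetches leads to the DMA routine, and no SCSI command has been issued, so no request is selected. The following is an added example, not QEMU code and not part of this patch: a reduced C model of that chain with the hunk's 'before' and 'after' forms side by side, so the abort can be replayed as a return value and compared with the patched behaviour, including the case the original assert was written for (a request with data queued). Every name prefixed model_, the single-opcode script memory and the reduced decoding (only the top two opcode bits are inspected) are assumptions of this model, not the real device emulation.

```c
/*
 * Added example, not QEMU code: a reduced model of the path in the backtrace
 * (lsi_mmio_write -> lsi_reg_writeb -> lsi_execute_script -> lsi_do_dma).
 * Everything prefixed model_ is an assumption of this model, not the device.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum model_dma_result {
    MODEL_DMA_ABORT,     /* 'before': assert(s->current) fires, the VMM dies */
    MODEL_DMA_WAIT,      /* no request, or a request with no data queued yet */
    MODEL_DMA_TRANSFER,  /* a request with queued data: bytes would be moved */
};

struct model_request {
    uint32_t dma_len;    /* bytes queued by the SCSI layer, 0 = none yet */
};

struct model_lsi {
    uint32_t dsp;                   /* SCRIPTS pointer, guest-writable one byte at a time */
    struct model_request *current;  /* in-flight request, NULL until a command is issued */
    uint32_t script_insn;           /* constructed: the opcode the guest left at dsp */
    enum model_dma_result last;     /* outcome of the last DMA attempt */
};

/* 'before' form of the hunk: the assert is reported instead of killing the process. */
static enum model_dma_result model_do_dma_vulnerable(const struct model_lsi *s)
{
    if (!s->current) {
        return MODEL_DMA_ABORT;            /* assert(s->current) would fail here */
    }
    if (!s->current->dma_len) {
        return MODEL_DMA_WAIT;             /* trace_lsi_do_dma_unavailable(); return; */
    }
    return MODEL_DMA_TRANSFER;
}

/* 'after' form of the hunk: a missing request is treated like a request with no data. */
static enum model_dma_result model_do_dma_fixed(const struct model_lsi *s)
{
    if (!s->current || !s->current->dma_len) {
        return MODEL_DMA_WAIT;
    }
    return MODEL_DMA_TRANSFER;
}

/* Only block-move instructions (top two opcode bits zero) are modelled;
 * 0x184a3900 from the trace is one, so it reaches the DMA routine. */
static void model_execute_script(struct model_lsi *s, bool fixed)
{
    if ((s->script_insn >> 30) != 0) {
        return;                            /* other instruction classes: out of scope */
    }
    s->last = fixed ? model_do_dma_fixed(s) : model_do_dma_vulnerable(s);
}

/* Byte-wise DSP write (offsets 0x2c..0x2f); writing DSP3 (0x2f) starts SCRIPTS, as in the trace. */
static void model_reg_writeb(struct model_lsi *s, unsigned offset, uint8_t val, bool fixed)
{
    unsigned shift = (offset - 0x2c) * 8;
    s->dsp = (s->dsp & ~(0xffu << shift)) | ((uint32_t)val << shift);
    if (offset == 0x2f) {
        model_execute_script(s, fixed);
    }
}

/* Replay the reproducer: after reset, guest writes DSP2 then DSP3 (offsets 0x2e, 0x2f). */
static void model_replay_into(struct model_lsi *s, struct model_request *req, bool fixed)
{
    s->dsp = 0;
    s->current = req;
    s->script_insn = 0x184a3900u;           /* opcode printed by lsi_execute_script above */
    s->last = MODEL_DMA_WAIT;
    model_reg_writeb(s, 0x2e, 0xff, fixed); /* DSP2 */
    model_reg_writeb(s, 0x2f, 0xff, fixed); /* DSP3: starts script execution */
}

/* Outcome with no request selected, before (fixed=false) or after (fixed=true) the patch. */
enum model_dma_result model_replay(bool fixed)
{
    struct model_lsi s;
    model_replay_into(&s, NULL, fixed);
    return s.last;
}

/* Outcome when a request with dma_len bytes queued exists (the case the assert was written for). */
enum model_dma_result model_replay_with_request(bool fixed, uint32_t dma_len)
{
    struct model_lsi s;
    struct model_request req = { .dma_len = dma_len };
    model_replay_into(&s, &req, fixed);
    return s.last;
}

/* DSP after the two byte writes; the trace above prints dsp=0xffff0000. */
uint32_t model_replay_dsp(void)
{
    struct model_lsi s;
    model_replay_into(&s, NULL, true);
    return s.dsp;
}

int main(void)
{
    static const char *const names[] = { "abort", "wait", "transfer" };
    printf("dsp after DSP2/DSP3 writes: 0x%08x\n", model_replay_dsp());
    printf("no request, before fix: %s\n", names[model_replay(false)]);
    printf("no request, after fix:  %s\n", names[model_replay(true)]);
    printf("request with 512 bytes: %s\n", names[model_replay_with_request(true, 512)]);
    return 0;
}
```

The point the model makes is that every input on the path (the DSP bytes and the opcode fetched from guest memory) is under guest control, so an assert() on that path is a guest-triggerable crash of the whole VMM, and the patched condition collapses the no-request and no-data cases into the same benign return.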