qemu/hw/scsi
Mark Cave-Ayland de7e2cb155 esp: ensure in-flight SCSI requests are always cancelled
There is currently a check in esp_select() to cancel any in-flight SCSI requests
to ensure that issuing multiple select commands without continuing through the
rest of the ESP state machine ignores all but the last SCSI request. This is
also enforced through the addition of assert()s in esp_transfer_data() and
scsi_read_data().

The get_cmd() function does not call esp_select() when TC == 0 which means it is
possible for a fuzzer to trigger these assert()s by sending a select command when
TC == 0 immediately after a valid SCSI CDB has been submitted.

Since esp_select() is only called from get_cmd(), hoist the check to cancel
in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always
called when executing a select command to initiate a new SCSI request.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Closes: https://gitlab.com/qemu-project/qemu/-/issues/662
Closes: https://gitlab.com/qemu-project/qemu/-/issues/663
Message-Id: <20211101183516.8455-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-11-02 15:57:27 +01:00
emulation.c
esp-pci.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
esp.c esp: ensure in-flight SCSI requests are always cancelled 2021-11-02 15:57:27 +01:00
Kconfig
lsi53c895a.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
megasas.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
meson.build meson: convert hw/scsi 2020-08-21 06:30:28 -04:00
mfi.h
mpi.h
mptconfig.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptendian.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptsas.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
mptsas.h mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) 2021-04-19 15:48:12 +01:00
scsi-bus.c qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
scsi-disk.c hw/scsi: Fix sector translation bug in scsi_unmap_complete_noio 2021-05-26 14:50:05 +02:00
scsi-generic.c block: introduce max_hw_iov for use in scsi-generic 2021-10-06 10:25:55 +02:00
spapr_vscsi.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
srp.h
trace-events esp: store lun coming from the MESSAGE OUT phase 2021-06-15 17:17:09 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-scsi-common.c vhost-scsi: support inflight io track 2020-09-30 19:09:20 +02:00
vhost-scsi.c vhost-scsi: Plug memory leak on migrate_add_blocker() failure 2021-08-26 17:15:28 +02:00
vhost-user-scsi.c vhost: Add Error parameter to vhost_dev_init() 2021-06-30 13:15:44 +02:00
viosrp.h hw/scsi/spapr_vscsi: Do not mix SRP IU size with DMA buffer size 2020-03-17 15:08:50 +11:00
virtio-scsi-dataplane.c virtio: Clarify MR transaction optimization 2021-07-02 11:13:39 -04:00
virtio-scsi.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
vmw_pvscsi.c scsi: Replace scsi_bus_new() with scsi_bus_init(), scsi_bus_init_named() 2021-09-30 13:42:10 +01:00
vmw_pvscsi.h