[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 10/41] megasas: do not read DCMD opcode more than onc
|
From: |
Paolo Bonzini |
|
Subject: |
[Qemu-devel] [PULL 10/41] megasas: do not read DCMD opcode more than once from frame |
|
Date: |
Thu, 15 Jun 2017 12:52:30 +0200 |
Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/megasas.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index c353118..a3f75c1 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
hwaddr pa;
hwaddr pa_size;
+ uint32_t dcmd_opcode;
union mfi_frame *frame;
SCSIRequest *req;
QEMUSGList qsg;
@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
cmd->context &= (uint64_t)0xFFFFFFFF;
}
cmd->count = count;
+ cmd->dcmd_opcode = -1;
s->busy++;
if (s->consumer_pa) {
@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t {
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
{
- int opcode;
int retval = 0;
size_t len;
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
+ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
if (megasas_map_dcmd(s, cmd) < 0) {
return MFI_STAT_MEMORY_NOT_AVAILABLE;
}
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
+ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
cmdptr++;
}
len = cmd->iov_size;
if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
+ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
retval = megasas_dcmd_dummy(s, cmd);
} else {
trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s,
MegasasCmd *cmd)
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
SCSIRequest *req)
{
- int opcode;
int retval = MFI_STAT_OK;
int lun = req->lun;
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
- switch (opcode) {
+ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
+ switch (cmd->dcmd_opcode) {
case MFI_DCMD_PD_GET_INFO:
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
break;
@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
break;
default:
- trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
+ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
retval = MFI_STAT_INVALID_DCMD;
break;
}
@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req,
uint32_t len)
{
MegasasCmd *cmd = req->hba_private;
uint8_t *buf;
- uint32_t opcode;
trace_megasas_io_complete(cmd->index, len);
@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req,
uint32_t len)
}
buf = scsi_req_get_buf(req);
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
+ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
struct mfi_pd_info *info = cmd->iov_buf;
if (info->inquiry_data[0] == 0x7f) {
@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req,
uint32_t len)
memcpy(info->vpd_page83, buf, len);
}
scsi_req_continue(req);
- } else if (opcode == MFI_DCMD_LD_GET_INFO) {
+ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
struct mfi_ld_info *info = cmd->iov_buf;
if (cmd->iov_buf) {
--
1.8.3.1
- [Qemu-devel] [PULL 13/41] megasas: always store SCSIRequest* into MegasasCmd, (continued)
- [Qemu-devel] [PULL 13/41] megasas: always store SCSIRequest* into MegasasCmd, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 15/41] vl: Fix broken thread=xxx option of the --accel parameter, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 25/41] nbd: make nbd_drop public, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 23/41] accel: move kvm related accelerator files into accel/, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 26/41] nbd/server: get rid of nbd_negotiate_read and friends, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 28/41] nbd/server: refactor nbd_co_send_reply, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 27/41] nbd/server: get rid of ssize_t, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 19/41] qemu-nbd: Ignore SIGPIPE, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 29/41] nbd/server: get rid of EAGAIN dead code, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 35/41] nbd/server: refactor nbd_trip, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 10/41] megasas: do not read DCMD opcode more than once from frame,
Paolo Bonzini <=
- [Qemu-devel] [PULL 11/41] megasas: do not read command more than once from frame, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 05/41] ivshmem: use ram_from_fd(), Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 18/41] nbd: Fix regression on resiliency to port scan, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 07/41] megasas: add qtest, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 24/41] nbd: rename read_sync and friends, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 30/41] nbd/server: refactor nbd_co_receive_request, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 34/41] nbd/server: rename rc to ret, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 31/41] nbd/server: remove NBDClientNewData, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 32/41] nbd/server: nbd_negotiate: fix error path, Paolo Bonzini, 2017/06/15
- [Qemu-devel] [PULL 36/41] include/exec/poison: Add missing TARGET defines, Paolo Bonzini, 2017/06/15