[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Stable-8.2.2 14/60] hw/scsi/lsi53c895a: add missing decrement of reentr
From: |
Michael Tokarev |
Subject: |
[Stable-8.2.2 14/60] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter |
Date: |
Wed, 21 Feb 2024 11:20:02 +0300 |
From: Sven Schnelle <svens@stackframe.org>
When the maximum count of SCRIPTS instructions is reached, the code
stops execution and returns, but fails to decrement the reentrancy
counter. This effectively renders the SCSI controller unusable
because on next entry the reentrancy counter is still above the limit.
This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
loops.
Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
controller (CVE-2023-0330)")
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Message-ID: <20240128202214.2644768-1-svens@stackframe.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 8b09b7fe47082c69295a0fc0cc01b041b6385025)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 634ed49c2e..afbea0fefa 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1159,6 +1159,7 @@ again:
lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
lsi_disconnect(s);
trace_lsi_execute_script_stop();
+ reentrancy_level--;
return;
}
insn = read_dword(s, s->dsp);
--
2.39.2
- [Stable-8.2.2 04/60] Make 'uri' optional for migrate QAPI, (continued)
- [Stable-8.2.2 04/60] Make 'uri' optional for migrate QAPI, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 05/60] qemu-docs: Update options for graphical frontends, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 07/60] target/arm: fix exception syndrome for AArch32 bkpt insn, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 03/60] vfio/pci: Clear MSI-X IRQ index always, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 06/60] block/blkio: Make s->mem_region_alignment be 64 bits, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 09/60] qemu-options.hx: Improve -serial option documentation, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 08/60] system/vl.c: Fix handling of '-serial none -serial something', Michael Tokarev, 2024/02/21
- [Stable-8.2.2 11/60] pci-host: designware: Limit value range of iATU viewport register, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 12/60] tcg/loongarch64: Set vector registers call clobbered, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 13/60] linux-user/aarch64: Add padding before __kernel_rt_sigreturn, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 14/60] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter,
Michael Tokarev <=
- [Stable-8.2.2 10/60] target/arm: Reinstate "vfp" property on AArch32 CPUs, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 16/60] iotests: give tempdir an identifying name, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 34/60] virtio-gpu: Correct virgl_renderer_resource_get_info() error check, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 38/60] hw/i386: Fix _STA return value for ACPI0017, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 39/60] tests/acpi: Update DSDT.cxl to reflect change _STA return value., Michael Tokarev, 2024/02/21
- [Stable-8.2.2 40/60] linux-user/aarch64: Choose SYNC as the preferred MTE mode, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 21/60] hw/riscv/virt-acpi-build.c: fix leak in build_rhct(), Michael Tokarev, 2024/02/21
- [Stable-8.2.2 28/60] tcg/arm: Fix goto_tb for large translation blocks, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 27/60] tcg: Increase width of temp_subindex, Michael Tokarev, 2024/02/21
- [Stable-8.2.2 20/60] migration: Fix logic of channels and transport compatibility check, Michael Tokarev, 2024/02/21