mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-08-30 21:42:06 -06:00
megasas: do not read DCMD opcode more than once from frame
Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini
parent
24c0c77af5
commit
5104fac853
1 changed files with 11 additions and 14 deletions
|
|
@ -63,6 +63,7 @@ typedef struct MegasasCmd {
|
||||||
|
|
||||||
hwaddr pa;
|
hwaddr pa;
|
||||||
hwaddr pa_size;
|
hwaddr pa_size;
|
||||||
|
uint32_t dcmd_opcode;
|
||||||
union mfi_frame *frame;
|
union mfi_frame *frame;
|
||||||
SCSIRequest *req;
|
SCSIRequest *req;
|
||||||
QEMUSGList qsg;
|
QEMUSGList qsg;
|
||||||
|
|
@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
|
||||||
cmd->context &= (uint64_t)0xFFFFFFFF;
|
cmd->context &= (uint64_t)0xFFFFFFFF;
|
||||||
}
|
}
|
||||||
cmd->count = count;
|
cmd->count = count;
|
||||||
|
cmd->dcmd_opcode = -1;
|
||||||
s->busy++;
|
s->busy++;
|
||||||
|
|
||||||
if (s->consumer_pa) {
|
if (s->consumer_pa) {
|
||||||
|
|
@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t {
|
||||||
|
|
||||||
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||||
{
|
{
|
||||||
int opcode;
|
|
||||||
int retval = 0;
|
int retval = 0;
|
||||||
size_t len;
|
size_t len;
|
||||||
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
||||||
|
|
||||||
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
||||||
trace_megasas_handle_dcmd(cmd->index, opcode);
|
trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
|
||||||
if (megasas_map_dcmd(s, cmd) < 0) {
|
if (megasas_map_dcmd(s, cmd) < 0) {
|
||||||
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
||||||
}
|
}
|
||||||
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
|
||||||
cmdptr++;
|
cmdptr++;
|
||||||
}
|
}
|
||||||
len = cmd->iov_size;
|
len = cmd->iov_size;
|
||||||
if (cmdptr->opcode == -1) {
|
if (cmdptr->opcode == -1) {
|
||||||
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
|
||||||
retval = megasas_dcmd_dummy(s, cmd);
|
retval = megasas_dcmd_dummy(s, cmd);
|
||||||
} else {
|
} else {
|
||||||
trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
|
trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
|
||||||
|
|
@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||||
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
|
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
|
||||||
SCSIRequest *req)
|
SCSIRequest *req)
|
||||||
{
|
{
|
||||||
int opcode;
|
|
||||||
int retval = MFI_STAT_OK;
|
int retval = MFI_STAT_OK;
|
||||||
int lun = req->lun;
|
int lun = req->lun;
|
||||||
|
|
||||||
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
|
||||||
trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
|
switch (cmd->dcmd_opcode) {
|
||||||
switch (opcode) {
|
|
||||||
case MFI_DCMD_PD_GET_INFO:
|
case MFI_DCMD_PD_GET_INFO:
|
||||||
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
|
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
|
||||||
break;
|
break;
|
||||||
|
|
@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
|
||||||
retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
|
retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
|
trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
|
||||||
retval = MFI_STAT_INVALID_DCMD;
|
retval = MFI_STAT_INVALID_DCMD;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
|
||||||
{
|
{
|
||||||
MegasasCmd *cmd = req->hba_private;
|
MegasasCmd *cmd = req->hba_private;
|
||||||
uint8_t *buf;
|
uint8_t *buf;
|
||||||
uint32_t opcode;
|
|
||||||
|
|
||||||
trace_megasas_io_complete(cmd->index, len);
|
trace_megasas_io_complete(cmd->index, len);
|
||||||
|
|
||||||
|
|
@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
|
||||||
}
|
}
|
||||||
|
|
||||||
buf = scsi_req_get_buf(req);
|
buf = scsi_req_get_buf(req);
|
||||||
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
|
||||||
if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
|
|
||||||
struct mfi_pd_info *info = cmd->iov_buf;
|
struct mfi_pd_info *info = cmd->iov_buf;
|
||||||
|
|
||||||
if (info->inquiry_data[0] == 0x7f) {
|
if (info->inquiry_data[0] == 0x7f) {
|
||||||
|
|
@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
|
||||||
memcpy(info->vpd_page83, buf, len);
|
memcpy(info->vpd_page83, buf, len);
|
||||||
}
|
}
|
||||||
scsi_req_continue(req);
|
scsi_req_continue(req);
|
||||||
} else if (opcode == MFI_DCMD_LD_GET_INFO) {
|
} else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
|
||||||
struct mfi_ld_info *info = cmd->iov_buf;
|
struct mfi_ld_info *info = cmd->iov_buf;
|
||||||
|
|
||||||
if (cmd->iov_buf) {
|
if (cmd->iov_buf) {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue