|
 |
335584 |
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
335584 |
Date: Thu, 1 Jun 2017 17:18:23 +0200
|
|
|
335584 |
Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame
|
|
|
335584 |
|
|
|
335584 |
Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
|
|
|
335584 |
|
|
|
335584 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
335584 |
(cherry picked from commit 5104fac8539eaf155fc6de93e164be43e1e62242)
|
|
|
335584 |
---
|
|
|
335584 |
hw/scsi/megasas.c | 25 +++++++++++--------------
|
|
|
335584 |
1 file changed, 11 insertions(+), 14 deletions(-)
|
|
|
335584 |
|
|
|
335584 |
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
|
|
335584 |
index c353118882..a3f75c1650 100644
|
|
|
335584 |
--- a/hw/scsi/megasas.c
|
|
|
335584 |
+++ b/hw/scsi/megasas.c
|
|
|
335584 |
@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
|
|
|
335584 |
|
|
|
335584 |
hwaddr pa;
|
|
|
335584 |
hwaddr pa_size;
|
|
|
335584 |
+ uint32_t dcmd_opcode;
|
|
|
335584 |
union mfi_frame *frame;
|
|
|
335584 |
SCSIRequest *req;
|
|
|
335584 |
QEMUSGList qsg;
|
|
|
335584 |
@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
|
|
|
335584 |
cmd->context &= (uint64_t)0xFFFFFFFF;
|
|
|
335584 |
}
|
|
|
335584 |
cmd->count = count;
|
|
|
335584 |
+ cmd->dcmd_opcode = -1;
|
|
|
335584 |
s->busy++;
|
|
|
335584 |
|
|
|
335584 |
if (s->consumer_pa) {
|
|
|
335584 |
@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t {
|
|
|
335584 |
|
|
|
335584 |
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
|
|
335584 |
{
|
|
|
335584 |
- int opcode;
|
|
|
335584 |
int retval = 0;
|
|
|
335584 |
size_t len;
|
|
|
335584 |
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
|
|
335584 |
|
|
|
335584 |
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
|
|
335584 |
- trace_megasas_handle_dcmd(cmd->index, opcode);
|
|
|
335584 |
+ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
|
|
335584 |
+ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
|
|
|
335584 |
if (megasas_map_dcmd(s, cmd) < 0) {
|
|
|
335584 |
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
|
|
335584 |
}
|
|
|
335584 |
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
|
|
335584 |
+ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
|
|
|
335584 |
cmdptr++;
|
|
|
335584 |
}
|
|
|
335584 |
len = cmd->iov_size;
|
|
|
335584 |
if (cmdptr->opcode == -1) {
|
|
|
335584 |
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
|
|
335584 |
+ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
|
|
|
335584 |
retval = megasas_dcmd_dummy(s, cmd);
|
|
|
335584 |
} else {
|
|
|
335584 |
trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
|
|
|
335584 |
@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
|
|
335584 |
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
|
|
|
335584 |
SCSIRequest *req)
|
|
|
335584 |
{
|
|
|
335584 |
- int opcode;
|
|
|
335584 |
int retval = MFI_STAT_OK;
|
|
|
335584 |
int lun = req->lun;
|
|
|
335584 |
|
|
|
335584 |
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
|
|
335584 |
- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
|
|
|
335584 |
- switch (opcode) {
|
|
|
335584 |
+ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
|
|
|
335584 |
+ switch (cmd->dcmd_opcode) {
|
|
|
335584 |
case MFI_DCMD_PD_GET_INFO:
|
|
|
335584 |
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
|
|
|
335584 |
break;
|
|
|
335584 |
@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
|
|
|
335584 |
retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
|
|
|
335584 |
break;
|
|
|
335584 |
default:
|
|
|
335584 |
- trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
|
|
|
335584 |
+ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
|
|
|
335584 |
retval = MFI_STAT_INVALID_DCMD;
|
|
|
335584 |
break;
|
|
|
335584 |
}
|
|
|
335584 |
@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
|
|
|
335584 |
{
|
|
|
335584 |
MegasasCmd *cmd = req->hba_private;
|
|
|
335584 |
uint8_t *buf;
|
|
|
335584 |
- uint32_t opcode;
|
|
|
335584 |
|
|
|
335584 |
trace_megasas_io_complete(cmd->index, len);
|
|
|
335584 |
|
|
|
335584 |
@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
|
|
|
335584 |
}
|
|
|
335584 |
|
|
|
335584 |
buf = scsi_req_get_buf(req);
|
|
|
335584 |
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
|
|
335584 |
- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
|
|
|
335584 |
+ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
|
|
|
335584 |
struct mfi_pd_info *info = cmd->iov_buf;
|
|
|
335584 |
|
|
|
335584 |
if (info->inquiry_data[0] == 0x7f) {
|
|
|
335584 |
@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
|
|
|
335584 |
memcpy(info->vpd_page83, buf, len);
|
|
|
335584 |
}
|
|
|
335584 |
scsi_req_continue(req);
|
|
|
335584 |
- } else if (opcode == MFI_DCMD_LD_GET_INFO) {
|
|
|
335584 |
+ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
|
|
|
335584 |
struct mfi_ld_info *info = cmd->iov_buf;
|
|
|
335584 |
|
|
|
335584 |
if (cmd->iov_buf) {
|