28.10.2025 20:34, Paolo Bonzini wrote:
From: Mark Cave-Ayland <[email protected]>The original calculation in commit 3cc70889a3 ("esp.c: prevent cmdfifo overflow in esp_cdb_ready()") subtracted cmdfifo_cdb_offset from fifo8_num_used() to calculate the outstanding cmdfifo length, but this is incorrect because fifo8_num_used() can also include wraparound data. Instead calculate the maximum offset used by scsi_cdb_length() which is just the first byte after cmdfifo_cdb_offset, and then peek the entire content of the cmdfifo. The fifo8_peek_bufptr() result will then return the maximum length of remaining data up to the end of the internal cmdfifo array, which can then be used for the overflow check. Signed-off-by: Mark Cave-Ayland <[email protected]> Fixes: 3cc70889a3 ("esp.c: prevent cmdfifo overflow in esp_cdb_ready()") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3082 Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Bonzini <[email protected]>
This smells like a qemu-stable material (this and the subsequent patch adding the test). Please let me know if it is not. Thanks, /mjt
