Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-10-04 Thread Simon Rowe
On Tuesday, 3 October 2023 John Snow wrote: > Simon, can you confirm that Fiona's patches are appropriate for your > reproducer? In the meantime I'll do my > own audit for the problem as you described it (thank you very much for that) > and see if there's anything else > that needs to be

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-10-03 Thread John Snow
On Tue, Oct 3, 2023, 10:07 AM Niklas Cassel wrote: > On Mon, Sep 25, 2023 at 03:53:23PM -0400, John Snow wrote: > > Niklas, I'm sorry to lean on you here a little bit - You've been > > working on the SATA side of this a bit more often, can you let me know > > if you think this patch is safe? > >

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-10-03 Thread Niklas Cassel
On Mon, Sep 25, 2023 at 03:53:23PM -0400, John Snow wrote: > Niklas, I'm sorry to lean on you here a little bit - You've been > working on the SATA side of this a bit more often, can you let me know > if you think this patch is safe? FWIW, I prefer Fiona's patch series which calls

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-10-03 Thread Simon Rowe
On Monday, 2 October 2023 John Snow wrote: > Which reset pathway are you testing that causes the problem? The test centres on a VM-initiated bus reset because a DMA write has stalled (I deliberately discard the iSCSI response). > I'm not fully clear on why checking for DRQ is legitimate here.

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-10-02 Thread John Snow
On Mon, Oct 2, 2023 at 5:09 AM Simon Rowe wrote: > > On Thursday, 28 September 2023 Fiona Ebner wrote: > > > > > AFAICT, yes, because the DMA callback is invoked before resetting the > > state now. But not 100% sure if it can't be triggered in some other way, > > maybe Simon knows more? I don't

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-10-02 Thread Simon Rowe
On Thursday, 28 September 2023 Fiona Ebner wrote: > AFAICT, yes, because the DMA callback is invoked before resetting the > state now. But not 100% sure if it can't be triggered in some other way, > maybe Simon knows more? I don't have a reproducer for the CVE either, > but the second patch

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-09-28 Thread Fiona Ebner
On 26.09.23 at 16:45, John Snow wrote: > > > On Tue, Sep 26, 2023, 3:11 AM Fiona Ebner > wrote: > > On 25.09.23 at 21:53, John Snow wrote: > > On Thu, Sep 21, 2023 at 12:07 PM Simon Rowe > wrote: > >> > >> When

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-09-26 Thread John Snow
On Tue, Sep 26, 2023, 3:11 AM Fiona Ebner wrote: > On 25.09.23 at 21:53, John Snow wrote: > > On Thu, Sep 21, 2023 at 12:07 PM Simon Rowe > wrote: > >> > >> When an IDE controller is reset, its internal state is being cleared > >> before any outstanding I/O is cancelled. If a response to DMA

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-09-26 Thread Fiona Ebner
On 25.09.23 at 21:53, John Snow wrote: > On Thu, Sep 21, 2023 at 12:07 PM Simon Rowe wrote: >> >> When an IDE controller is reset, its internal state is being cleared >> before any outstanding I/O is cancelled. If a response to DMA is >> received in this window, the aio callback will incorrectly

Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-09-25 Thread John Snow
Niklas, I'm sorry to lean on you here a little bit - You've been working on the SATA side of this a bit more often, can you let me know if you think this patch is safe? I'm not immediately sure what the impact of applying it is, but I have some questions about it: (1) When does ide_dma_cb get

[PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset

2023-09-21 Thread Simon Rowe
When an IDE controller is reset, its internal state is being cleared before any outstanding I/O is cancelled. If a response to DMA is received in this window, the aio callback will incorrectly continue with the next part of the transfer (now using sector 0 from the cleared controller state). For
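The ordering problem described in the patch summary above (controller state cleared before the outstanding DMA is cancelled, so a late completion callback continues the transfer from the reset state) can be shown in a small model. The following is an added example for this page, not QEMU's code or Simon's or Fiona's patch: the `ToyIde` struct, all `toy_*` function names, the `issued` log and the post-reset defaults of LBA 0 / count 1 are assumptions chosen to illustrate the race. It runs both orders of the two reset steps against the same 3-chunk write and records which LBAs get handed to the (simulated) block layer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the reset-ordering race, added example, not QEMU code.
 * Struct, function names, log and post-reset defaults are assumptions.
 * It models only the order of "clear controller state" versus
 * "terminate the in-flight DMA" inside a bus reset. */

#define TOY_LOG_MAX 8

typedef struct ToyIde {
    int64_t sector;              /* LBA of the next chunk to issue */
    int     nsector;             /* chunks still to issue */
    bool    dma_active;          /* a DMA transfer is in progress */
    bool    dma_terminated;      /* reset asked the transfer to stop */
    bool    completion_pending;  /* chunk issued, completion not yet seen */
    int64_t issued[TOY_LOG_MAX]; /* LBAs handed to the block layer (log) */
    size_t  nissued;
} ToyIde;

/* Hand one chunk to the (simulated) block layer and advance the plan. */
static void toy_issue_chunk(ToyIde *s)
{
    if (s->nissued < TOY_LOG_MAX) {
        s->issued[s->nissued++] = s->sector;
    }
    s->sector++;
    s->nsector--;
    s->completion_pending = true;
}

/* Guest starts a DMA write of `chunks` chunks at `start_lba`. */
static void toy_ide_start_dma(ToyIde *s, int64_t start_lba, int chunks)
{
    s->sector = start_lba;
    s->nsector = chunks;
    s->dma_active = true;
    s->dma_terminated = false;
    toy_issue_chunk(s);
}

/* Completion of one chunk. The block layer would call this later; here the
 * caller decides when it arrives. ret < 0 means error or cancellation. */
static void toy_ide_dma_cb(ToyIde *s, int ret)
{
    s->completion_pending = false;
    if (ret < 0 || s->dma_terminated) {
        s->dma_active = false;   /* stop: issue nothing more */
        return;
    }
    if (s->nsector > 0) {
        toy_issue_chunk(s);      /* continue with whatever the state says */
    } else {
        s->dma_active = false;
    }
}

/* Post-reset register defaults in this model: LBA 0, count 1 (assumption). */
static void toy_clear_regs(ToyIde *s)
{
    s->sector = 0;
    s->nsector = 1;
    s->dma_active = false;
}

/* "Drain": the stalled completion lands now, with status late_ret. */
static void toy_drain(ToyIde *s, int late_ret)
{
    if (s->completion_pending) {
        toy_ide_dma_cb(s, late_ret);
    }
}

/* Buggy order: clear state, then wait for the stalled write. The callback
 * runs on reset state and issues the next chunk at LBA 0.
 * Fixed order: mark the DMA terminated, drain, then clear state. */
static void toy_reset(ToyIde *s, bool fixed_order)
{
    if (fixed_order) {
        s->dma_terminated = true;
        toy_drain(s, 0);
        toy_clear_regs(s);
    } else {
        toy_clear_regs(s);
        toy_drain(s, 0);
    }
}

/* Start a 3-chunk write at LBA 100, reset while chunk 1 is outstanding,
 * return how many chunks were issued in total. */
static size_t toy_scenario(ToyIde *s, bool fixed_order)
{
    memset(s, 0, sizeof *s);
    toy_ide_start_dma(s, 100, 3);
    toy_reset(s, fixed_order);
    return s->nissued;
}
```

With the buggy order `toy_scenario(&s, false)` issues two chunks, LBA 100 and then LBA 0, the second being the write the reset state invents; with the fixed order it issues only LBA 100 and the transfer ends with nothing pending.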