From: Mark Cave-Ayland Date: Wed, 7 Apr 2021 19:57:59 +0000 (+0100) Subject: esp: don't reset async_len directly in esp_select() if cancelling request X-Git-Tag: upstream/4.2.1~42 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cb0a07fdd552233fde8f32e5f3968f6ad1572f9e;p=tools%2Fqemu-arm-static.git esp: don't reset async_len directly in esp_select() if cancelling request Git-commit: 324c8809897c8c53ad05c3a7147d272f1711cd5e References: bsc#1180433, CVE-2020-35504 bsc#1180434, CVE-2020-35505 bsc#1180435, CVE-2020-35506 Instead let the SCSI layer invoke the .cancel callback itself to cancel and reset the request state. Signed-off-by: Mark Cave-Ayland Tested-by: Alexander Bulekov Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk> Signed-off-by: Jose R Ziviani --- diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 0f88689eb..8445ebdb1 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -93,6 +93,7 @@ void esp_request_cancelled(SCSIRequest *req) scsi_req_unref(s->current_req); s->current_req = NULL; s->current_dev = NULL; + s->async_len = 0; } } @@ -133,7 +134,6 @@ static int get_cmd_cb(ESPState *s) if (s->current_req) { /* Started a new command before the old one finished. Cancel it. */ scsi_req_cancel(s->current_req); - s->async_len = 0; } s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
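Review bot: in the esp_request_cancelled() hunk, the new `s->async_len = 0;` is only reached inside the guarded block that also drops `s->current_req` and `s->current_dev`, so a cancellation that does not enter that block leaves `async_len` untouched; that is presumably intended (the request being cancelled is not the one the controller is transferring for), but a one-line comment above the reset saying that `async_len` is cleared here because the .cancel callback is now the single place request state is torn down would save the next reader a trip to the commit message.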
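Review bot: in the get_cmd_cb() hunk, dropping `s->async_len = 0;` after `scsi_req_cancel(s->current_req);` makes correctness depend on scsi_req_cancel() invoking the bus .cancel callback synchronously, before `s->current_dev = scsi_device_find(&s->bus, 0, target, 0);` runs on the next line; if scsi_req_cancel() can return without calling esp_request_cancelled() for some request state (for example a request that is no longer enqueued), then `async_len` keeps its stale value and `s->current_req` is not cleared, whereas the removed line zeroed `async_len` unconditionally. Worth confirming that every path through scsi_req_cancel() reaches the callback and stating that assumption in the commit message, since the comment `/* Started a new command before the old one finished. Cancel it. */` no longer describes all of what happens here.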