* [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
@ 2011-08-14 21:05 Paolo Bonzini
2011-08-16 19:35 ` Blue Swirl
0 siblings, 1 reply; 2+ messages in thread
From: Paolo Bonzini @ 2011-08-14 21:05 UTC (permalink / raw)
To: qemu-devel; +Cc: blauwirbel
Other scsi_target_reqops commands were careful about not using r->cmd.xfer
directly, and instead always cap it to a fixed length. This was not done
for REQUEST SENSE, and this patch fixes it.
Reported-by: Blue Swirl <blauwirdel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
The way you called REQUEST SENSE from OpenBIOS is correct, the
bug is clearly in QEMU. However, I would like to stress that
you do not need to call it. Sense data is automatically
overwritten by the next command, but it is only reported after
a command returned CHECK CONDITION. So, REQUEST SENSE always
gets you information too late. That's why in your case what
you want is TEST UNIT READY. If you want, after each failed
TEST UNIT READY command you _can_ REQUEST SENSE and check that
indeed you're getting a unit attention and not another sense
key, but that's not really necessary.
hw/scsi-bus.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 559d5a4..80d6bf0 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
if (req->cmd.xfer < 4) {
goto illegal_request;
}
- r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+ r->len = scsi_device_get_sense(r->req.dev, r->buf,
+ MIN(req->cmd.xfer, sizeof r->buf),
(req->cmd.buf[1] & 1) == 0);
break;
default:
--
1.7.6
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
2011-08-14 21:05 [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer Paolo Bonzini
@ 2011-08-16 19:35 ` Blue Swirl
0 siblings, 0 replies; 2+ messages in thread
From: Blue Swirl @ 2011-08-16 19:35 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: qemu-devel
Thanks, applied.
On Sun, Aug 14, 2011 at 9:05 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Other scsi_target_reqops commands were careful about not using r->cmd.xfer
> directly, and instead always cap it to a fixed length. This was not done
> for REQUEST SENSE, and this patch fixes it.
>
> Reported-by: Blue Swirl <blauwirdel@gmail.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> The way you called REQUEST SENSE from OpenBIOS is correct, the
> bug is clearly in QEMU. However, I would like to stress that
> you do not need to call it. Sense data is automatically
> overwritten by the next command, but it is only reported after
> a command returned CHECK CONDITION. So, REQUEST SENSE always
> gets you information too late. That's why in your case what
> you want is TEST UNIT READY. If you want, after each failed
> TEST UNIT READY command you _can_ REQUEST SENSE and check that
> indeed you're getting a unit attention and not another sense
> key, but that's not really necessary.
>
> hw/scsi-bus.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
> index 559d5a4..80d6bf0 100644
> --- a/hw/scsi-bus.c
> +++ b/hw/scsi-bus.c
> @@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
> if (req->cmd.xfer < 4) {
> goto illegal_request;
> }
> - r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
> + r->len = scsi_device_get_sense(r->req.dev, r->buf,
> + MIN(req->cmd.xfer, sizeof r->buf),
> (req->cmd.buf[1] & 1) == 0);
> break;
> default:
> --
> 1.7.6
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-08-16 19:35 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-08-14 21:05 [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer Paolo Bonzini
2011-08-16 19:35 ` Blue Swirl
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.