authorAlexey Kardashevskiy <aik@ozlabs.ru>2013-07-29 14:48:39 +1000
committerAnthony Liguori <aliguori@us.ibm.com>2013-07-29 10:37:09 -0500
commitdbd94f8e4a0a3c4164af7be5bbf6d4e907f3cc03 (patch)
treee7789d1c9d46a88a3c38a24bdee106d70cf54df1 /hw/scsi
parentc04d6cfa3f17a335942f430a3d40e6041100f0c2 (diff)
spapr-vscsi: fix SOLNT bit in SRP_RSP
The driver calculates the SOLNT bit from the UCSOLNT and SCSOLNT bits of the request. The iu pointer has type srp_iu*, which points to a union, so cmd and rsp overlap. Because the vscsi_send_rsp function calls memset(iu, 0, sizeof(rsp)), it clears the first 36 bytes of both cmd and rsp, so cmd.sol_not is always zero by the time rsp.sol_not is calculated. This fixes the bug.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Message-id: 1375073319-17488-1-git-send-email-aik@ozlabs.ru
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hw/scsi')
-rw-r--r--hw/scsi/spapr_vscsi.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/scsi/spapr_vscsi.c b/hw/scsi/spapr_vscsi.c
index 46f4455..3f4c53f 100644
--- a/hw/scsi/spapr_vscsi.c
+++ b/hw/scsi/spapr_vscsi.c
@@ -216,6 +216,7 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
union viosrp_iu *iu = &req->iu;
uint64_t tag = iu->srp.rsp.tag;
int total_len = sizeof(iu->srp.rsp);
+ uint8_t sol_not = iu->srp.cmd.sol_not;
dprintf("VSCSI: Sending resp status: 0x%x, "
"res_in: %d, res_out: %d\n", status, res_in, res_out);
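Review bot: The new `sol_not` local at the top of vscsi_send_rsp carries no comment explaining why the request field has to be read at this point, so a later cleanup could fold it back into the `iu->srp.cmd.sol_not` expression and quietly reintroduce the bug. The ordering constraint lives only in the commit message; the memset it describes is outside this hunk, as are the start and end of the function. I would put one comment above the `tag` and `sol_not` declarations, for example `/* cmd and rsp alias in the union: capture request fields before rsp is zeroed below */`. Since the IU contents come from the guest, it is worth checking whether any other request field is still read after the clear.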
@@ -248,7 +249,7 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
/* Handle success vs. failure */
iu->srp.rsp.status = status;
if (status) {
- iu->srp.rsp.sol_not = (iu->srp.cmd.sol_not & 0x04) >> 2;
+ iu->srp.rsp.sol_not = (sol_not & 0x04) >> 2;
if (req->senselen) {
req->iu.srp.rsp.flags |= SRP_RSP_FLAG_SNSVALID;
req->iu.srp.rsp.sense_data_len = cpu_to_be32(req->senselen);
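Review bot: The masks `0x04` and `0x02` on the new `sol_not` lines (here and in the else branch of the next hunk) are bare literals, so the reader has to infer which request bit drives which outcome. From the branches it looks like 0x04 is the unsuccessful-completion bit (UCSOLNT) and 0x02 the successful-completion bit (SCSOLNT), but nothing in the code says so. Named constants would make that explicit, e.g. `iu->srp.rsp.sol_not = !!(sol_not & SRP_CMD_UCSOLNT);` with the two masks defined next to the SRP structures; the constant name here is a suggestion, not an existing identifier. This block also mixes `iu->srp.rsp` and `req->iu.srp.rsp` for the same object, which hides the aliasing this commit is fixing.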
@@ -256,7 +257,7 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
total_len += req->senselen;
}
} else {
- iu->srp.rsp.sol_not = (iu->srp.cmd.sol_not & 0x02) >> 1;
+ iu->srp.rsp.sol_not = (sol_not & 0x02) >> 1;
}
vscsi_send_iu(s, req, total_len, VIOSRP_SRP_FORMAT);