From c8dcb531bcd37a4a81d2cc08a89fcd19c34348f9 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Wed, 10 Oct 2012 12:18:03 +0200
Subject: scsi: do not return short responses for emulated commands
The inquiry command, for the case of VPD=1, was returning short responses; the number of returned bytes was just the number of bytes in the request, without padding to the specified allocation length with zero bytes. This is usually harmless, but it is a violation of the SCSI specification. To fix this, always pad with zero bytes to r->cmd.xfer in scsi_disk_emulate_command, and return at most r->buflen bytes (the size of the buffer for command data) rather than at most buflen bytes (the number of bytes that was filled in). Before this patch, "strace sg_inq -p0x83 /dev/sda" would report a non-zero resid value. After this patch, it reports resid=0.
Signed-off-by: Paolo Bonzini
---
 hw/scsi-disk.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)
(limited to 'hw/scsi-disk.c')
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 1b0afa6..098558d 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -652,7 +652,6 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
     if (buflen > SCSI_MAX_INQUIRY_LEN) {
         buflen = SCSI_MAX_INQUIRY_LEN;
     }
-    memset(outbuf, 0, buflen);
     outbuf[0] = s->qdev.type & 0x1f;
     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
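Review bot: Dropping `memset(outbuf, 0, buflen)` here leaves scsi_disk_emulate_inquiry relying on its caller to have zeroed outbuf; any caller that hands in a buffer that was not cleared would return whatever bytes were left there as response padding. The second hunk of this commit clears the whole r->buflen in scsi_disk_emulate_command, which covers that path, but the precondition is now implicit. I would state it at the top of the function, e.g. `/* outbuf must be zero-filled by the caller; only the bytes set below are written. */`. The body of scsi_disk_emulate_inquiry starts and ends outside this hunk.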
@@ -1596,24 +1595,26 @@ static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
         break;
     }
+    /*
+     * FIXME: we shouldn't return anything bigger than 4k, but the code
+     * requires the buffer to be as big as req->cmd.xfer in several
+     * places. So, do not allow CDBs with a very large ALLOCATION
+     * LENGTH. The real fix would be to modify scsi_read_data and
+     * dma_buf_read, so that they return data beyond the buflen
+     * as all zeros.
+     */
+    if (req->cmd.xfer > 65536) {
+        goto illegal_request;
+    }
+    r->buflen = MAX(4096, req->cmd.xfer);
+
     if (!r->iov.iov_base) {
-        /*
-         * FIXME: we shouldn't return anything bigger than 4k, but the code
-         * requires the buffer to be as big as req->cmd.xfer in several
-         * places. So, do not allow CDBs with a very large ALLOCATION
-         * LENGTH. The real fix would be to modify scsi_read_data and
-         * dma_buf_read, so that they return data beyond the buflen
-         * as all zeros.
-         */
-        if (req->cmd.xfer > 65536) {
-            goto illegal_request;
-        }
-        r->buflen = MAX(4096, req->cmd.xfer);
         r->iov.iov_base = qemu_blockalign(s->qdev.conf.bs, r->buflen);
     }
     buflen = req->cmd.xfer;
     outbuf = r->iov.iov_base;
+    memset(outbuf, 0, r->buflen);
     switch (req->cmd.buf[0]) {
     case TEST_UNIT_READY:
         assert(!s->tray_open && bdrv_is_inserted(s->qdev.conf.bs));
@@ -1694,12 +1695,14 @@ static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
         outbuf[5] = 0;
         outbuf[6] = s->qdev.blocksize >> 8;
         outbuf[7] = 0;
-        buflen = 8;
         break;
     case REQUEST_SENSE:
         /* Just return "NO SENSE". */
         buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen, (req->cmd.buf[1] & 1) == 0);
+        if (buflen < 0) {
+            goto illegal_request;
+        }
         break;
     case MECHANISM_STATUS:
         buflen = scsi_emulate_mechanism_status(s, outbuf);
@@ -1770,7 +1773,6 @@ static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
         }
         /* Protection, exponent and lowest lba field left blank. */
-        buflen = req->cmd.xfer;
         break;
     }
     DPRINTF("Unsupported Service Action In\n");
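Review bot: `r->buflen = MAX(4096, req->cmd.xfer)` is now recomputed on every call while `r->iov.iov_base` is only allocated when it is still NULL, so the buffer size and the allocation are no longer set in the same step as they were inside the old `if`; should this function be re-entered for a request whose buffer was allocated under a smaller xfer, `memset(outbuf, 0, r->buflen)` would write past that allocation. If iov_base can only be non-NULL on a repeat call for the same CDB, that cannot happen, but the invariant is worth a comment next to the allocation, e.g. `/* The buffer is allocated once per request; cmd.xfer does not change afterwards, so buflen and the allocation stay in sync. */`. scsi_disk_emulate_command starts and ends outside this hunk.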
@@ -1827,7 +1829,7 @@ static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
         return 0;
     }
     assert(!r->req.aiocb);
-    r->iov.iov_len = MIN(buflen, req->cmd.xfer);
+    r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
     if (r->iov.iov_len == 0) {
         scsi_req_complete(&r->req, GOOD);
     }
-- cgit v1.1
From b5232e904fadac8af239306719be4a554f9e9263 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 8 Oct 2012 16:46:54 +0200
Subject: scsi: remove superfluous call to scsi_device_set_ua
Suggested by Laszlo Ersek.
Signed-off-by: Paolo Bonzini
---
 hw/scsi-disk.c | 1 -
 1 file changed, 1 deletion(-)
(limited to 'hw/scsi-disk.c')
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 098558d..d15f891 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1964,7 +1964,6 @@ static void scsi_disk_resize_cb(void *opaque)
      * direct-access devices.
      */
     if (s->qdev.type == TYPE_DISK) {
-        scsi_device_set_ua(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
     }
 }
-- cgit v1.1
From accfeb2dd32ece73350b06cee1b2403f47e86fe3 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Wed, 31 Oct 2012 17:14:41 +0100
Subject: scsi-disk: flush cache after disabling it
SBC says that "if an application client changes the WCE bit from one to zero via a MODE SELECT command, then the device server shall write any data in volatile cache to non-volatile medium before completing the command".
Signed-off-by: Paolo Bonzini
---
 hw/scsi-disk.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'hw/scsi-disk.c')
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index d15f891..49b5686 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1387,6 +1387,7 @@ invalid_param_len:
 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
 {
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
     uint8_t *p = inbuf;
     int cmd = r->req.cmd.buf[0];
     int len = r->req.cmd.xfer;
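Review bot: Switching to `MIN(r->buflen, req->cmd.xfer)` means the returned length no longer depends on how many bytes the emulation filled, so everything between the filled data and cmd.xfer goes to the guest as-is; that is correct only because the first hunk of this commit zeroes the whole r->buflen before the switch, and since r->buflen is MAX(4096, cmd.xfer) the MIN always yields cmd.xfer. I would record that dependency here, e.g. `/* Return the full allocation length; the buffer was zero-filled above, so unused bytes are valid padding. */`. scsi_disk_emulate_command starts and ends outside this hunk.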
@@ -1423,6 +1424,14 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
             return;
         }
     }
+    if (!bdrv_enable_write_cache(s->qdev.conf.bs)) {
+        /* The request is used as the AIO opaque value, so add a ref. */
+        scsi_req_ref(&r->req);
+        bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
+        r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
+        return;
+    }
+
     scsi_req_complete(&r->req, GOOD);
     return;
-- cgit v1.1
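Review bot: The flush is issued whenever `bdrv_enable_write_cache()` reports the cache as disabled after the MODE SELECT, not only on the 1-to-0 transition of WCE that the commit message cites, so a MODE SELECT on a device whose cache was already off also flushes; that is a conservative superset of the SBC rule, but the negated call reads as if it were a failed attempt to enable the cache rather than the getter it is used as here. A comment would settle both points, e.g. `/* bdrv_enable_write_cache() reports the current WCE state. SBC requires volatile data to reach the medium before a MODE SELECT that clears WCE completes; flushing whenever the cache is off is a safe superset. */`. The result of bdrv_aio_flush is stored in r->req.aiocb without a check; if that matches how the file's SYNCHRONIZE_CACHE path handles it the style is consistent, otherwise a NULL return would leave a referenced request that never completes. scsi_disk_emulate_mode_select begins outside this hunk.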