From patchwork Sun Aug 14 21:05:49 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Bonzini X-Patchwork-Id: 109968 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [140.186.70.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id B2E04B6F76 for ; Mon, 15 Aug 2011 07:06:06 +1000 (EST) Received: from localhost ([::1]:39591 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qshsf-0000ee-3u for incoming@patchwork.ozlabs.org; Sun, 14 Aug 2011 17:06:01 -0400 Received: from eggs.gnu.org ([140.186.70.92]:59757) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Qshsa-0000eX-Gt for qemu-devel@nongnu.org; Sun, 14 Aug 2011 17:05:57 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QshsZ-00080X-GF for qemu-devel@nongnu.org; Sun, 14 Aug 2011 17:05:56 -0400 Received: from mail-qw0-f45.google.com ([209.85.216.45]:45514) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QshsZ-00080L-D7 for qemu-devel@nongnu.org; Sun, 14 Aug 2011 17:05:55 -0400 Received: by qwj8 with SMTP id 8so2765928qwj.4 for ; Sun, 14 Aug 2011 14:05:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:from:to:cc:subject:date:message-id:x-mailer; bh=xYDOr7GrPBDs+9gm/n5di+hwmVOVsIX0WbXC5lqMVUM=; b=f4ejmXqWg7w2BM6FMOgkiZg/v4wgtbQAwBtzgJ5iJvb9b++tJtBqOKP2ikCRw55kBy 0qnJOVmPAbtO4jCBA82UPp8+ULxxsA1KmIN1gJ2vRSXkY8DWfVBfCQQV2Wy4CwZ2dqnH TGdlqQtgT4rlLr+UWSWylHD48434Gk7OIdHfo= Received: by 10.229.50.71 with SMTP id y7mr2085505qcf.180.1313355954545; Sun, 14 Aug 2011 14:05:54 -0700 (PDT) Received: from localhost.localdomain ([216.123.155.199]) by mx.google.com with ESMTPS id r2sm3128912qcv.10.2011.08.14.14.05.52 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 14 Aug 2011 14:05:53 -0700 (PDT) From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Sun, 14 Aug 2011 14:05:49 -0700 Message-Id: <1313355949-14368-1-git-send-email-pbonzini@redhat.com> X-Mailer: git-send-email 1.7.6 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2) X-Received-From: 209.85.216.45 Cc: blauwirbel@gmail.com Subject: [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Other scsi_target_reqops commands were careful about not using r->cmd.xfer directly, and instead always cap it to a fixed length. This was not done for REQUEST SENSE, and this patch fixes it. Reported-by: Blue Swirl Signed-off-by: Paolo Bonzini --- The way you called REQUEST SENSE from OpenBIOS is correct, the bug is clearly in QEMU. However, I would like to stress that you do not need to call it. Sense data is automatically overwritten by the next command, but it is only reported after a command returned CHECK CONDITION. So, REQUEST SENSE always gets you information too late. That's why in your case what you want is TEST UNIT READY. If you want, after each failed TEST UNIT READY command you _can_ REQUEST SENSE and check that indeed you're getting a unit attention and not another sense key, but that's not really necessary. hw/scsi-bus.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c index 559d5a4..80d6bf0 100644 --- a/hw/scsi-bus.c +++ b/hw/scsi-bus.c @@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf) if (req->cmd.xfer < 4) { goto illegal_request; } - r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer, + r->len = scsi_device_get_sense(r->req.dev, r->buf, + MIN(req->cmd.xfer, sizeof r->buf), (req->cmd.buf[1] & 1) == 0); break; default: