Patchwork scsi-bus: fix endianness bug in store_lun()

Submitter Alexey Kardashevskiy
Date March 16, 2013, 7:16 a.m.
Message ID <1363418170-3391-1-git-send-email-aik@ozlabs.ru>
Permalink /patch/228199/
State New

Comments

Alexey Kardashevskiy - March 16, 2013, 7:16 a.m.
SCSI protocol is defined as big endian. The SCSI command REPORT_LUNS
returns the list of LUNs, 8 bytes each.

The store_lun() function is called from scsi_target_emulate_report_luns()
to fill the LUNs list which is sent later to a guest as a response. However
it puts the 2 bytes long big-endian value while it is 8 bytes long.

The patch fixes it. Tested on PPC64 platform.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---
 hw/scsi-bus.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
Paolo Bonzini - March 16, 2013, 8:13 a.m.
On 16/03/2013 08:16, Alexey Kardashevskiy wrote:
> SCSI protocol is defined as big endian. The SCSI command REPORT_LUNS
> returns the list of LUNs, 8 bytes each.
> 
> The store_lun() function is called from scsi_target_emulate_report_luns()
> to fill the LUNs list which is sent later to a guest as a response. However
> it puts the 2 bytes long big-endian value while it is 8 bytes long.

No, LUNs are composed of four 2-byte big-endian values.

What bug are you trying to fix?

Paolo

> The patch fixes it. Tested on PPC64 platform.
> 
> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
> ---
>  hw/scsi-bus.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
> index a97f1cd..7059dc2 100644
> --- a/hw/scsi-bus.c
> +++ b/hw/scsi-bus.c
> @@ -310,11 +310,11 @@ struct SCSITargetReq {
>  static void store_lun(uint8_t *outbuf, int lun)
>  {
>      if (lun < 256) {
> -        outbuf[1] = lun;
> +        outbuf[7] = lun;
>          return;
>      }
> -    outbuf[1] = (lun & 255);
> -    outbuf[0] = (lun >> 8) | 0x40;
> +    outbuf[7] = (lun & 255);
> +    outbuf[6] = (lun >> 8) | 0x40;
>  }
>  
>  static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
>
Alexey Kardashevskiy - March 16, 2013, 12:11 p.m.
On 16/03/13 19:13, Paolo Bonzini wrote:
> On 16/03/2013 08:16, Alexey Kardashevskiy wrote:
>> SCSI protocol is defined as big endian. The SCSI command REPORT_LUNS
>> returns the list of LUNs, 8 bytes each.
>>
>> The store_lun() function is called from scsi_target_emulate_report_luns()
>> to fill the LUNs list which is sent later to a guest as a response. However
>> it puts the 2 bytes long big-endian value while it is 8 bytes long.
>
> No, LUNs are composed of four 2-byte big-endian values.

I cannot find it in "SCSI Commands References Manual"
(for example here - http://www.seagate.com/staticfiles/support/disc/manuals/Interface%20manuals/100293068c.pdf ). It just says that it is 8 bytes per
LUN and SCSI itself is big endian. Could you please point me to
the correct spec?

> What bug are you trying to fix?

It is a ppc64 system firmware/bios (aka SLOF) which expects 8 bytes big
endian value and therefore cannot boot from SCSI devices with LUN!=0.
I can fix QEMU or SLOF but not sure which one.


>
> Paolo
>
>> The patch fixes it. Tested on PPC64 platform.
>>
>> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
>> ---
>>   hw/scsi-bus.c |    6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
>> index a97f1cd..7059dc2 100644
>> --- a/hw/scsi-bus.c
>> +++ b/hw/scsi-bus.c
>> @@ -310,11 +310,11 @@ struct SCSITargetReq {
>>   static void store_lun(uint8_t *outbuf, int lun)
>>   {
>>       if (lun < 256) {
>> -        outbuf[1] = lun;
>> +        outbuf[7] = lun;
>>           return;
>>       }
>> -    outbuf[1] = (lun & 255);
>> -    outbuf[0] = (lun >> 8) | 0x40;
>> +    outbuf[7] = (lun & 255);
>> +    outbuf[6] = (lun >> 8) | 0x40;
>>   }
>>
>>   static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
>>
>
Benjamin Herrenschmidt - March 16, 2013, 1:01 p.m.
On Sat, 2013-03-16 at 23:11 +1100, Alexey Kardashevskiy wrote:
> > No, LUNs are composed of four 2-byte big-endian values.
> 
> I cannot find it in "SCSI Commands References Manual"
> (for example here - http://www.seagate.com/staticfiles/support/disc/manuals/Interface%20manuals/100293068c.pdf ). It just says that it is 8 bytes per
> LUN and SCSI itself is big endian. Could you please point me to
> the correct spec?

The confusion comes from the old SCSI protocol LUN as a 2 bytes number
identifying a unit for a given bus/device and the "new style" LUN as a
more generic concept such as used in SRP (i.e. vscsi is SRP) which
encompasses the bus, ID and LUN in one big number.

The actual type of LUN returned by REPORT_LUN depends on the
SELECT_REPORT field (I don't remember the details, but the doco you
point to says to see what's in SAM-4) and the result is *variable* in
size, so it should be kosher for qemu to just return 2 bytes as long as
the LUN_LIST_LENGTH field of the reply is correct.

So it all needs a bit of double checking but I wouldn't be surprised if
at the end of the day the culprit was my SLOF code :-)

Cheers,
Ben.
Paolo Bonzini - March 16, 2013, 1:09 p.m.
On 16/03/2013 14:01, Benjamin Herrenschmidt wrote:
> On Sat, 2013-03-16 at 23:11 +1100, Alexey Kardashevskiy wrote:
>>> No, LUNs are composed of four 2-byte big-endian values.
>>
>> I cannot find it in "SCSI Commands References Manual"
>> (for example here - http://www.seagate.com/staticfiles/support/disc/manuals/Interface%20manuals/100293068c.pdf ). It just says that it is 8 bytes per
>> LUN and SCSI itself is big endian. Could you please point me to
>> the correct spec?

Look at section 4.7 of SAM-5.  Most of it is useless, because the last
six bytes are almost never used.  Still, what matters for QEMU is 4.7.5
Single level LUN structure, 4.7.7 Peripheral device addressing method,
4.7.8 Flat space addressing method.

In particular, you can see the reference to four two-byte fields in
Table 11 — "Single level LUN structure using peripheral device
addressing method" and Table 12 — "Single level LUN structure using flat
space addressing method".

> The confusion comes from the old SCSI protocol LUN as a 2 bytes number
> identifying a unit for a given bus/device and the "new style" LUN as a
> more generic concept such as used in SRP (i.e. vscsi is SRP) which
> encompasses the bus, ID and LUN in one big number.
> 
> The actual type of LUN returned by REPORT_LUN depends on the
> SELECT_REPORT field (I don't remember the details, but the doco you
> point to says to see what's in SAM-4) and the result is *variable* in
> size, so it should be kosher for qemu to just return 2 bytes as long as
> the LUN_LIST_LENGTH field of the reply is correct.

No, that's wrong.  Each LUN returned by REPORT LUNS is always 8 bytes.
The field tells you if you are reporting all LUNs, only well-known LUNs,
etc.

Paolo
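To make the four 2-byte-field structure Paolo describes (and the single-level layout Ben's message touches on) concrete, here is an added example that is not code from QEMU or from either poster: an encoder with the original store_lun() layout, a decoder that follows the SAM-5 addressing-method bits as described in the thread (decode_lun(), lun_roundtrip() and decode_low_bytes_layout() are names chosen here), and a check of what such a decoder sees when the LUN is written to bytes 6 and 7 instead.

```c
#include <stdint.h>
#include <string.h>

/* Same layout as the original (pre-patch) store_lun(): the LUN sits in the
 * first 2-byte big-endian field of the 8-byte entry; bytes 2..7 stay zero. */
static void encode_lun(uint8_t out[8], int lun)
{
    memset(out, 0, 8);
    if (lun < 256) {
        out[1] = lun;               /* peripheral device addressing, bus 0 */
        return;
    }
    out[1] = lun & 0xff;
    out[0] = (lun >> 8) | 0x40;     /* flat space addressing, 14-bit LUN */
}

/* Decoder written from the SAM-5 single level LUN structure cited in the
 * thread: bits 7..6 of byte 0 select the first field's addressing method.
 * Returns the LUN, or -1 for forms this example does not cover. */
static int decode_lun(const uint8_t in[8])
{
    uint16_t first = (uint16_t)((in[0] << 8) | in[1]);
    switch (first >> 14) {
    case 0:                         /* peripheral device addressing */
        return ((first >> 8) & 0x3f) ? -1 : (first & 0xff);
    case 1:                         /* flat space addressing */
        return first & 0x3fff;
    default:                        /* logical unit / extended: not handled */
        return -1;
    }
}

/* Encode then decode; equals lun when encoder and decoder agree on layout. */
static int lun_roundtrip(int lun)
{
    uint8_t buf[8];
    encode_lun(buf, lun);
    return decode_lun(buf);
}

/* What the same decoder sees when the LUN is stored in bytes 6..7 as the
 * proposed patch does: the first field is zero, so every LUN reads as 0. */
static int decode_low_bytes_layout(int lun)
{
    uint8_t buf[8] = {0};
    buf[7] = lun & 0xff;
    buf[6] = lun < 256 ? 0 : ((lun >> 8) | 0x40);
    return decode_lun(buf);
}
```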
Benjamin Herrenschmidt - March 17, 2013, 1:32 a.m.
On Sat, 2013-03-16 at 14:09 +0100, Paolo Bonzini wrote:

> > The confusion comes from the old SCSI protocol LUN as a 2 bytes number
> > identifying a unit for a given bus/device and the "new style" LUN as a
> > more generic concept such as used in SRP (i.e. vscsi is SRP) which
> > encompasses the bus, ID and LUN in one big number.
> > 
> > The actual type of LUN returned by REPORT_LUN depends on the
> > SELECT_REPORT field (I don't remember the details, but the doco you
> > point to says to see what's in SAM-4) and the result is *variable* in
> > size, so it should be kosher for qemu to just return 2 bytes as long as
> > the LUN_LIST_LENGTH field of the reply is correct.
> 
> No, that's wrong.  Each LUN returned by REPORT LUNS is always 8 bytes.
> The field tells you if you are reporting all LUNs, only well-known LUNs,
> etc.

Ok, my bad then, I misread the spec even more badly than Alexey did ;-)
Anyway, the fix needs to be in SLOF.

Cheers,
Ben.

Patch

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index a97f1cd..7059dc2 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -310,11 +310,11 @@  struct SCSITargetReq {
 static void store_lun(uint8_t *outbuf, int lun)
 {
     if (lun < 256) {
-        outbuf[1] = lun;
+        outbuf[7] = lun;
         return;
     }
-    outbuf[1] = (lun & 255);
-    outbuf[0] = (lun >> 8) | 0x40;
+    outbuf[7] = (lun & 255);
+    outbuf[6] = (lun >> 8) | 0x40;
 }
 
 static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
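Review bot: moving the LUN from outbuf[0]/outbuf[1] to outbuf[6]/outbuf[7] takes it out of the first 2-byte field of the 8-byte entry, which is the field the SAM-5 single level LUN structure cited in the discussion uses for the peripheral device (lun < 256) and flat space (0x40 marker) addressing methods, so a guest decoding per SAM-5 would read every reported LUN as 0; this hunk should be dropped and, as the thread concludes, the 8-byte big-endian expectation fixed in SLOF instead. A short comment above store_lun() naming the SAM-5 section and stating that only the first 2-byte field is written would stop the same misreading next time.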