From patchwork Mon Mar 29 13:41:41 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: QEMU 0.12.3 and SCSI boot
From: Gerd Hoffmann <kraxel@redhat.com>
X-Patchwork-Id: 48844
Message-Id: <4BB0AE15.6020303@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: Gerhard Wiesinger <lists@wiesinger.com>, qemu-devel@nongnu.org
Date: Mon, 29 Mar 2010 15:41:41 +0200

> Tried the same with current git master and it segfaults. This segfault
> was introduced in af12ac98 (lsi: have lsi_request for the whole life
> time of the request):
>
> #0  0x000000000052e2d3 in lsi_command_complete (bus=0xca22f8, reason=1,
> tag=0, arg=512) at /home/kwolf/source/qemu/hw/lsi53c895a.c:690
> #1  0x00000000004416e7 in qcow_aio_read_cb (opaque=0xc813f0, ret=0) at
> block/qcow2.c:480
> #2  0x0000000000433028 in posix_aio_process_queue (opaque=<value
> optimized out>) at posix-aio-compat.c:459
> #3  0x00000000004330cc in posix_aio_read (opaque=0xc4bb60) at
> posix-aio-compat.c:489
> #4  0x000000000040ac60 in main_loop_wait (timeout=0) at
> /home/kwolf/source/qemu/vl.c:3949
> #5  0x000000000040ce85 in main_loop (argc=<value optimized out>,
> argv=<value optimized out>, envp=<value optimized out>)
>      at /home/kwolf/source/qemu/vl.c:4172
> #6  main (argc=<value optimized out>, argv=<value optimized out>,
> envp=<value optimized out>) at /home/kwolf/source/qemu/vl.c:6147
>
> s->current is set to NULL by lsi_queue_command. I don't know the code
> well enough to say if lsi_queue_command is wrong in setting it to NULL
> or if lsi_command_complete shouldn't even try to access it (maybe it
> should search in the queue for the right tag?)

It actually searches the queue in case tag != s->current->tag, and it 
should most likely do the same for s->current == NULL ...

Attached patch makes the rom boot for me.

cheers,
   Gerd
>From 4b385e8b5c617f2e14261a609898afdb13c12062 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 29 Mar 2010 15:31:03 +0200
Subject: [PATCH] lsi: fix segfault in lsi_command_complete


Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

---
hw/lsi53c895a.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index a332401..525f3ca 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -679,7 +679,7 @@ static void lsi_command_complete(SCSIBus *bus, int reason, uint32_t tag,
         return;
     }
 
-    if (s->waiting == 1 || tag != s->current->tag ||
+    if (s->waiting == 1 || !s->current || tag != s->current->tag ||
         (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) {
         if (lsi_queue_tag(s, tag, arg))
             return;