scsi-disk: fix crash on VERIFY command

Message ID	601a7b61-d7b8-57b2-af41-c7c6d89bcef1@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> To: Zhang Qian <zhangqian@sangfor.com.cn> References: <ANQAnwAIAL-QXsc3JFgQSapS.3.1483431170238.Hmail.zhangqian@sangfor.com.cn> From: Paolo Bonzini <pbonzini@redhat.com> Message-ID: <601a7b61-d7b8-57b2-af41-c7c6d89bcef1@redhat.com> Date: Tue, 3 Jan 2017 10:38:49 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: <ANQAnwAIAL-QXsc3JFgQSapS.3.1483431170238.Hmail.zhangqian@sangfor.com.cn> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH] scsi-disk: fix crash on VERIFY command Precedence: list Cc: qemu-devel@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Message ID

601a7b61-d7b8-57b2-af41-c7c6d89bcef1@redhat.com

State

New

Headers

To: Zhang Qian <zhangqian@sangfor.com.cn>
References: <ANQAnwAIAL-QXsc3JFgQSapS.3.1483431170238.Hmail.zhangqian@sangfor.com.cn>
From: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <601a7b61-d7b8-57b2-af41-c7c6d89bcef1@redhat.com>
Date: Tue, 3 Jan 2017 10:38:49 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <ANQAnwAIAL-QXsc3JFgQSapS.3.1483431170238.Hmail.zhangqian@sangfor.com.cn>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] scsi-disk: fix crash on VERIFY command
Precedence: list
Cc: qemu-devel@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Commit Message

Paolo Bonzini Jan. 3, 2017, 9:38 a.m. UTC

On 03/01/2017 09:12, Zhang Qian wrote:
> yes, you are right.
> The scenarios of problem is
> a scsi-disk object receives VERIFY command with BYTCHK bit being zero,
> scsi_block_is_passthrough returns false and finally scsi-block uses
> scsi_disk_dma_command for
> VERIFY. So the mode is set to SCSI_XFER_NONE.
> In scsi_req_continue, scsi_read_data function is called.

Uhm, is the fix simply


then?

Thanks,

Paolo

Comments

Zhang Qian Jan. 3, 2017, 9:58 a.m. UTC | #1

At 2017-01-03 17:38:49, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
>
>On 03/01/2017 09:12, Zhang Qian wrote:
>> yes, you are right.
>> The scenarios of problem is
>> a scsi-disk object receives VERIFY command with BYTCHK bit being zero,
>> scsi_block_is_passthrough returns false and finally scsi-block uses
>> scsi_disk_dma_command for
>> VERIFY. So the mode is set to SCSI_XFER_NONE.
>> In scsi_req_continue, scsi_read_data function is called.
>
>Uhm, is the fix simply
>
>diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
>index bdd1e5f..c080888 100644
>--- a/hw/scsi/scsi-disk.c
>+++ b/hw/scsi/scsi-disk.c
>@@ -2701,7 +2701,7 @@ static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
>          * for the number of logical blocks specified in the length
>          * field).  For other modes, do not use scatter/gather operation.
>          */
>-        if ((buf[1] & 6) != 2) {
>+        if ((buf[1] & 6) == 2) {
>             return false;
>         }
>         break;
>
>then?


I verified your patch, it is ok.


but  why not use (buf[1] & 2) == 2  ?


>Thanks,
>
>Paolo

Paolo Bonzini Jan. 3, 2017, 5:18 p.m. UTC | #2

On 03/01/2017 10:58, Zhang Qian wrote:
> 
> At 2017-01-03 17:38:49, Paolo Bonzini <pbonzini@redhat.com> wrote:
>>
>>
>>On 03/01/2017 09:12, Zhang Qian wrote:
>>> yes, you are right.
>>> The scenarios of problem is
>>> a scsi-disk object receives VERIFY command with BYTCHK bit being zero,
>>> scsi_block_is_passthrough returns false and finally scsi-block uses
>>> scsi_disk_dma_command for
>>> VERIFY. So the mode is set to SCSI_XFER_NONE.
>>> In scsi_req_continue, scsi_read_data function is called.
>>
>>Uhm, is the fix simply
>>
>>diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
>>index bdd1e5f..c080888 100644
>>--- a/hw/scsi/scsi-disk.c
>>+++ b/hw/scsi/scsi-disk.c
>>@@ -2701,7 +2701,7 @@ static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
>>          * for the number of logical blocks specified in the length
>>          * field).  For other modes, do not use scatter/gather operation.
>>          */
>>-        if ((buf[1] & 6) != 2) {
>>+        if ((buf[1] & 6) == 2) {
>>             return false;
>>         }
>>         break;
>>
>>then?
> I verified your patch, it is ok.
> 
> but why not use (buf[1] & 2) == 2 ?

Isn't BYTCHK bits 1 and 2?

Paolo

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index bdd1e5f..c080888 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -2701,7 +2701,7 @@  static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
          * for the number of logical blocks specified in the length
          * field).  For other modes, do not use scatter/gather operation.
          */
-        if ((buf[1] & 6) != 2) {
+        if ((buf[1] & 6) == 2) {
             return false;
         }
         break;

scsi-disk: fix crash on VERIFY command

Commit Message

Comments

Patch