
Re: [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE


From: Blue Swirl
Subject: Re: [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer
Date: Tue, 16 Aug 2011 19:35:30 +0000

Thanks, applied.

On Sun, Aug 14, 2011 at 9:05 PM, Paolo Bonzini <address@hidden> wrote:
> Other scsi_target_reqops commands were careful about not using r->cmd.xfer
> directly, and instead always cap it to a fixed length.  This was not done
> for REQUEST SENSE, and this patch fixes it.
>
> Reported-by: Blue Swirl <address@hidden>
> Signed-off-by: Paolo Bonzini <address@hidden>
> ---
>        The way you called REQUEST SENSE from OpenBIOS is correct, the
>        bug is clearly in QEMU.  However, I would like to stress that
>        you do not need to call it.  Sense data is automatically
>        overwritten by the next command, but it is only reported after
>        a command returned CHECK CONDITION.  So, REQUEST SENSE always
>        gets you information too late.  That's why in your case what
>        you want is TEST UNIT READY.  If you want, after each failed
>        TEST UNIT READY command you _can_ REQUEST SENSE and check that
>        indeed you're getting a unit attention and not another sense
>        key, but that's not really necessary.
>
>  hw/scsi-bus.c            |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
> index 559d5a4..80d6bf0 100644
> --- a/hw/scsi-bus.c
> +++ b/hw/scsi-bus.c
> @@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, 
> uint8_t *buf)
>         if (req->cmd.xfer < 4) {
>             goto illegal_request;
>         }
> -        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
> +        r->len = scsi_device_get_sense(r->req.dev, r->buf,
> +                                       MIN(req->cmd.xfer, sizeof r->buf),
>                                        (req->cmd.buf[1] & 1) == 0);
>         break;
>     default:
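Review bot: The clamp `MIN(req->cmd.xfer, sizeof r->buf)` in the REQUEST SENSE branch is only a real bound if `r->buf` is declared as an array inside the request structure; if it were a pointer, `sizeof` would give the pointer size and silently truncate sense data instead. The declaration is not visible in this hunk, so it is worth confirming, and writing it as `sizeof(r->buf)` with a one-line comment that the guest-supplied allocation length is capped to the local buffer would make the intent obvious to the next reader. The `MIN` also compares `req->cmd.xfer` against a `size_t`; the existing `req->cmd.xfer < 4` check above rejects small values before this point, but the mixed-type comparison deserves a glance to make sure no conversion surprises remain. Since the commit message says the other `scsi_target_reqops` commands already cap their lengths, a shared helper or macro for that cap would keep a future command from repeating this omission.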
> --
> 1.7.6
>
>


