From 4dde1b25ea098fc7f4128313a4ee358a2f70818e Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Wed, 22 Feb 2012 14:12:31 +0100 Subject: [PATCH 075/109] scsi: fix parsing of allocation length field RH-Author: Paolo Bonzini Message-id: <1329919979-20948-75-git-send-email-pbonzini@redhat.com> Patchwork-id: 37557 O-Subject: [RHEL 6.3 qemu-kvm PATCH v2 074/102] scsi: fix parsing of allocation length field Bugzilla: 782029 RH-Acked-by: Laszlo Ersek RH-Acked-by: Orit Wasserman RH-Acked-by: Gerd Hoffmann - several MMC commands were parsed wrong by QEMU because their allocation length/parameter list length is placed in a non-standard position in the CDB (i.e. it is different from most commands with the same value in bits 5-7). - SEND VOLUME TAG length was multiplied by 40 which is not in SMC. The parameter list length is between 32 and 40 bytes. Same for MEDIUM SCAN (spec found at http://ldkelley.com/SCSI2/SCSI2-16.html but not in any of the PDFs I have here). - READ_POSITION (SSC) conflicts with PRE_FETCH (SBC). READ_POSITION's transfer length is not hardcoded to 20 in SSC; for PRE_FETCH cmd->xfer should be 0. Both fixed. - FORMAT MEDIUM (the SSC name for FORMAT UNIT) was missing. The FORMAT UNIT command is still somewhat broken for block devices because its parameter list length is not in the CDB. However it works for CD/DVD drives, which mandate the length of the payload. - fixed wrong sign-extensions for 32-bit fields (for the LBA field, this affects disks >1 TB). - several other SBC or SSC commands were missing or parsed wrong. - some commands were not in the list of "write" commands. Upstream used ld*_be_p functions, which are not available to common code in RHEL6 qemu. Reported-by: Thomas Schmitt Tested-by: Thomas Schmitt (MMC bits only) Signed-off-by: Paolo Bonzini Signed-off-by: Kevin Wolf (cherry picked from 06b863577e960413466560d44e2e38eaaca1257e) Conflicts: hw/scsi-bus.c (due to different patches earlier in the series) --- hw/scsi-bus.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 85 insertions(+), 7 deletions(-) Signed-off-by: Michal Novotny --- hw/scsi-bus.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 85 insertions(+), 7 deletions(-) diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c index 7addda4..ed37c50 100644 --- a/hw/scsi-bus.c +++ b/hw/scsi-bus.c @@ -652,6 +652,31 @@ static void scsi_req_dequeue(SCSIRequest *req) } } +static int scsi_get_performance_length(int num_desc, int type, int data_type) +{ + /* MMC-6, paragraph 6.7. */ + switch (type) { + case 0: + if ((data_type & 3) == 0) { + /* Each descriptor is as in Table 295 - Nominal performance. */ + return 16 * num_desc + 8; + } else { + /* Each descriptor is as in Table 296 - Exceptions. */ + return 6 * num_desc + 8; + } + case 1: + case 4: + case 5: + return 8 * num_desc + 8; + case 2: + return 2048 * num_desc + 8; + case 3: + return 16 * num_desc + 8; + default: + return 8; + } +} + static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf) { switch (buf[0] >> 5) { @@ -688,6 +713,7 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf) case START_STOP: case SET_CAPACITY: case WRITE_FILEMARKS: + case WRITE_FILEMARKS_16: case SPACE: case RESERVE: case RELEASE: @@ -696,6 +722,8 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf) case VERIFY_10: case SEEK_10: case SYNCHRONIZE_CACHE: + case SYNCHRONIZE_CACHE_16: + case LOCATE_16: case LOCK_UNLOCK_CACHE: case LOAD_UNLOAD: case SET_CD_SPEED: @@ -703,6 +731,11 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf) case WRITE_LONG_10: case MOVE_MEDIUM: case UPDATE_BLOCK: + case RESERVE_TRACK: + case SET_READ_AHEAD: + case PRE_FETCH: + case PRE_FETCH_16: + case ALLOW_OVERWRITE: cmd->xfer = 0; break; case MODE_SENSE: @@ -716,14 +749,13 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf) case READ_BLOCK_LIMITS: cmd->xfer = 6; break; - case READ_POSITION: - cmd->xfer = 20; - break; case SEND_VOLUME_TAG: - cmd->xfer *= 40; - break; - case MEDIUM_SCAN: - cmd->xfer *= 8; + /* GPCMD_SET_STREAMING from multimedia commands. */ + if (dev->type == TYPE_ROM) { + cmd->xfer = buf[10] | (buf[9] << 8); + } else { + cmd->xfer = buf[9] | (buf[8] << 8); + } break; case WRITE_10: case WRITE_VERIFY_10: @@ -742,9 +774,40 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf) case READ_16: cmd->xfer *= dev->blocksize; break; + case FORMAT_UNIT: + /* MMC mandates the parameter list to be 12-bytes long. Parameters + * for block devices are restricted to the header right now. */ + if (dev->type == TYPE_ROM && (buf[1] & 16)) { + cmd->xfer = 12; + } else { + cmd->xfer = (buf[1] & 16) == 0 ? 0 : (buf[1] & 32 ? 8 : 4); + } + break; case INQUIRY: + case RECEIVE_DIAGNOSTIC: + case SEND_DIAGNOSTIC: cmd->xfer = buf[4] | (buf[3] << 8); break; + case READ_CD: + case READ_BUFFER: + case WRITE_BUFFER: + case SEND_CUE_SHEET: + cmd->xfer = buf[8] | (buf[7] << 8) | (buf[6] << 16); + break; + case PERSISTENT_RESERVE_OUT: + cmd->xfer = (uint64_t) buf[8] | ((uint64_t) buf[7] << 8) | + ((uint64_t) buf[6] << 16) | ((uint64_t) buf[5] << 24); + break; + case ERASE_12: + if (dev->type == TYPE_ROM) { + /* MMC command GET PERFORMANCE. */ + cmd->xfer = scsi_get_performance_length(buf[9] | (buf[8] << 8), + buf[10], buf[1] & 0x1f); + } + break; + case MECHANISM_STATUS: + case READ_DVD_STRUCTURE: + case SEND_DVD_STRUCTURE: case MAINTENANCE_OUT: case MAINTENANCE_IN: if (dev->type == TYPE_ROM) { @@ -760,6 +823,10 @@ static int scsi_req_stream_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *bu { switch (buf[0]) { /* stream commands */ + case ERASE_12: + case ERASE_16: + cmd->xfer = 0; + break; case READ_6: case READ_REVERSE: case RECOVER_BUFFERED_DATA: @@ -775,6 +842,15 @@ static int scsi_req_stream_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *bu cmd->len = 6; cmd->xfer = 0; break; + case SPACE_16: + cmd->xfer = buf[13] | (buf[12] << 8); + break; + case READ_POSITION: + cmd->xfer = buf[8] | (buf[7] << 8); + break; + case FORMAT_UNIT: + cmd->xfer = buf[4] | (buf[3] << 8); + break; /* generic commands */ default: return scsi_req_length(cmd, dev, buf); @@ -814,6 +890,8 @@ static void scsi_cmd_xfer_mode(SCSICommand *cmd) case SEARCH_LOW_12: case MEDIUM_SCAN: case SEND_VOLUME_TAG: + case SEND_CUE_SHEET: + case SEND_DVD_STRUCTURE: case PERSISTENT_RESERVE_OUT: case MAINTENANCE_OUT: cmd->mode = SCSI_XFER_TO_DEV; -- 1.7.7.6