Re: [Qemu-devel] [PATCH 04/17] scsi: fixup lba calculation for 6 byte CDBs

[Hannes Reinecke]

On 10/29/2014 10:16 AM, Paolo Bonzini wrote:
> On 10/29/2014 08:53 AM, Hannes Reinecke wrote:
> > 6 byte CDBs do not have a dedicated area for LBAs, and even if
> > it certainly won't be at byte 0.
> >
> > Signed-off-by: Hannes Reinecke <address@hidden>
> > ---
> >   hw/scsi/scsi-bus.c | 3 ---
> >   1 file changed, 3 deletions(-)
> >
> > diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> > index 919a86c..64d0880 100644
> > --- a/hw/scsi/scsi-bus.c
> > +++ b/hw/scsi/scsi-bus.c
> > @@ -1195,9 +1195,6 @@ static uint64_t scsi_cmd_lba(SCSICommand *cmd)
> >       uint64_t lba;
> >
> >       switch (buf[0] >> 5) {
> > -    case 0:
> > -        lba = ldl_be_p(&buf[0]) & 0x1fffff;
>
> These are bits 0-20 of the first big endian u32, which means the low
> five bits of byte 1, together with byte 2 and byte 3.
>
> The patch as is breaks (obsolete) commands such as READ(6) and WRITE(6).
>   Why did you need it?
Because without this patch we end up with having a (basically random) 
value in cmd.lba, and we're ending up here:

if (cmd.lba != -1) {
  trace_scsi_req_parsed_lba(d->id, d->lun, tag, buf[0], cmd.lba); 
 } 


and causing a buffer overflow when printing out the cdb.

Cheers,

Hannes