summaryrefslogtreecommitdiff
path: root/hw/scsi
diff options
context:
space:
mode:
authorPaolo Bonzini <pbonzini@redhat.com>2013-05-21 14:08:53 +0200
committerPaolo Bonzini <pbonzini@redhat.com>2013-06-18 12:43:03 +0200
commit53254e569f8e07501f3e0098bd57d2b780e52faa (patch)
tree301ee8a4609481df7cd5e19620c2a87213bbd184 /hw/scsi
parent7721c7f7c272fd2ed9d58500b7e99c33ab8a1af1 (diff)
scsi-generic: fix sign extension of READ CAPACITY(10) data
Issuing the READ CAPACITY(10) command in the guest will cause QEMU to update its knowledge of the maximum accessible LBA in the disk. The recorded maximum LBA will be wrong if the disk is bigger than 1TB, because ldl_be_p returns a signed int. When this is fixed, a latent bug will be unmasked. If the READ CAPACITY(10) command reported an overflow (0xFFFFFFFF), we must not overwrite the previously-known maximum accessible LBA, or the guest will fail to access the disk above the first 2TB. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'hw/scsi')
-rw-r--r--hw/scsi/scsi-generic.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 2a9a561127..19bd36cd54 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -198,9 +198,10 @@ static void scsi_read_complete(void * opaque, int ret)
scsi_command_complete(r, 0);
} else {
/* Snoop READ CAPACITY output to set the blocksize. */
- if (r->req.cmd.buf[0] == READ_CAPACITY_10) {
+ if (r->req.cmd.buf[0] == READ_CAPACITY_10 &&
+ (ldl_be_p(&r->buf[0]) != 0xffffffffU || s->max_lba == 0)) {
s->blocksize = ldl_be_p(&r->buf[4]);
- s->max_lba = ldl_be_p(&r->buf[0]);
+ s->max_lba = ldl_be_p(&r->buf[0]) & 0xffffffffULL;
} else if (r->req.cmd.buf[0] == SERVICE_ACTION_IN_16 &&
(r->req.cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
s->blocksize = ldl_be_p(&r->buf[8]);