aboutsummaryrefslogtreecommitdiff
path: root/hw/scsi/scsi-bus.c
AgeCommit message (Collapse)Author
2015-11-04osdep: Rename qemu_{get, set}_version() to qemu_{, set_}hw_version()Eduardo Habkost
This makes the purpose of the function clearer: it is not about the version of QEMU that's running, but the version string exposed in the emulated hardware. Cc: Andrzej Zaborowski <balrogg@gmail.com> Cc: Peter Maydell <peter.maydell@linaro.org> Cc: John Snow <jsnow@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Message-Id: <1446233769-7892-3-git-send-email-ehabkost@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-10-12scsi: switch from g_slice allocator to mallocPaolo Bonzini
Simplify memory allocation by sticking with a single API. GSlice is not that fast anyway (tcmalloc/jemalloc are better). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-08-14scsi: create restart bottom half in the right AioContextPaolo Bonzini
This matches commit 4407c1c (virtio-blk: Schedule BH in the right context, 2014-06-17), which did the same thing for virtio-blk. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-07-24scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)Paolo Bonzini
This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng <famz@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-12migration: Use normal VMStateDescriptions for SubsectionsJuan Quintela
We create optional sections with this patch. But we already have optional subsections. Instead of having two mechanism that do the same, we can just generalize it. For subsections we just change: - Add a needed function to VMStateDescription - Remove VMStateSubsection (after removal of the needed function it is just a VMStateDescription) - Adjust the whole tree, moving the needed function to the corresponding VMStateDescription Signed-off-by: Juan Quintela <quintela@redhat.com>
2015-03-10scsi: Improve error reporting for invalid drive propertyMarkus Armbruster
When setting "realized" fails, scsi_bus_legacy_add_drive() passes the error to qerror_report_err(), then returns an unspecific "Setting drive property failed" error, which is reported further up the call chain. Example: $ qemu-system-x86_64 -nodefaults -S -display none \ > -drive if=scsi,id=foo,file=tmp.qcow2 -global isa-fdc.driveA=foo qemu-system-x86_64: -drive if=scsi,id=foo,file=tmp.qcow2: Property 'scsi-disk.drive' can't take value 'foo', it's in use qemu-system-x86_64: Setting drive property failed qemu-system-x86_64: Initialization of device lsi53c895a failed: Device initialization failed Clean up the obvious way: simply return the original error to the caller. Gets rid of the second message in the above error cascade. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1425925048-15482-4-git-send-email-armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-10hw: Propagate errors through qdev_prop_set_drive()Markus Armbruster
Three kinds of callers: 1. On failure, report the error and abort Passing &error_abort does the job. No functional change. 2. On failure, report the error and exit() This is qdev_prop_set_drive_nofail(). Error reporting moves from qdev_prop_set_drive() to its caller. Because hiding away the error in the monitor right before exit() isn't helpful, replace qerror_report_err() by error_report_err(). Shouldn't make a difference, because qdev_prop_set_drive_nofail() should never be used in QMP context. 3. On failure, report the error and recover This is usb_msd_init() and scsi_bus_legacy_add_drive(). Error reporting and freeing the error object moves from qdev_prop_set_drive() to its callers. Because usb_msd_init() can't run in QMP context, replace qerror_report_err() by error_report_err() there. No functional change. scsi_bus_legacy_add_drive() calling qerror_report_err() is of course inappropriate, but this commit merely makes it more obvious. The next one will clean it up. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1425925048-15482-3-git-send-email-armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-10scsi: Clean up duplicated error in legacy if=scsi codeMarkus Armbruster
Commit a818a4b changed scsi_bus_legacy_handle_cmdline() to report errors from scsi_bus_legacy_add_drive() with error_report() in addition to returning them. That's inappropriate. Two kinds of callers: 1. realize methods (devices "esp", "virtio-scsi-device" and "spapr-vscsi") The error object gets passed up the call chain until it gets reported again and freed. Example: $ qemu-system-arm -M virt -S -display none \ > -drive if=scsi,id=foo,bus=1,file=tmp.qcow2 \ > -device nec-usb-xhci -device usb-storage,drive=foo \ > -device virtio-scsi-pci qemu-system-arm: -drive if=scsi,id=foo,bus=1,file=tmp.qcow2: Property 'scsi-disk.drive' can't take value 'foo', it's in use qemu-system-arm: -drive if=scsi,id=foo,bus=1,file=tmp.qcow2: Setting drive property failed qemu-system-arm: -device virtio-scsi-pci: Setting drive property failed qemu-system-arm: -device virtio-scsi-pci: Device initialization failed qemu-system-arm: -device virtio-scsi-pci: Device 'virtio-scsi-pci' could not be initialized The second message in this error cascade comes from scsi_bus_legacy_handle_cmdline(). The error object then gets passed up to the qdev_init() called from virtio_scsi_pci_init_pci(), which reports it again. 2. init methods (devices "am53c974", "dc390", "lsi53c895a", "lsi53c810", "megasas", "megasas-gen2") init methods need to report their errors with qerror_report(). These don't. The inappropriate error_report() papers over the bug. error_report() isn't the same as qerror_report() in QMP context, but this can't actually happen: QMP can still only hot-plug, and callers call scsi_bus_legacy_handle_cmdline() only on cold-plug. Except for sysbus_esp_realize(), but that can't be hot-plugged at all, as far as I can tell. Fix the init methods and drop the inappropriate error_report() in scsi_bus_legacy_handle_cmdline(). Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Message-Id: <1425925048-15482-2-git-send-email-armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-27scsi: give device a parent before setting propertiesPaolo Bonzini
This mimics what is done in qdev_device_add, and lets the device be freed in case something goes wrong. Otherwise, object_unparent returns immediately without freeing the device, which is on the other hand left in the parent bus's list of children. scsi_bus_legacy_handle_cmdline then returns an error, and the HBA is destroyed as well with object_unparent. But the lingering device that was not removed in scsi_bus_legacy_add_drive cannot be removed now either, and bus_unparent gets stuck in an infinite loop trying to empty the list of children. The right fix of course would be to assert in bus_add_child that the device already has a bus, and remove the "safety net" that adds the drive to the QOM tree in device_set_realized. I am not yet sure whether that would entail changing all callers to qdev_create (as well as isa_create and usb_create and the corresponding _try_create versions). Reported-by: Markus Armbruster <armbru@redhat.com> Tested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-02-02scsi: Fix scsi_req_cancel_async for no aiocb reqFam Zheng
scsi_req_cancel_complete is responsible for releasing the request, so we shouldn't skip it in any case. This doesn't affect the only existing caller, virtio-scsi, but is useful for other devices once they use it. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-01-14scsi: fix cancellation when I/O was completed but DMA was not.Paolo Bonzini
Commit d577646 (scsi: Introduce scsi_req_cancel_complete, 2014-09-25) was supposed to have no semantic change, but it missed a case. When r->aiocb has already been NULLed, but DMA was not complete and the SCSI layer was waiting for scsi_req_continue, after the patch the SCSI layer will not call the .cancel callback of SCSIBusInfo. Fixes: d5776465ee9a55815792efa34d79de240f4ffd99 Cc: qemu-stable@nongnu.org Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-31scsi: devirtualize unrealize of SCSI devicesPaolo Bonzini
All implementations are the same. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-31megasas: Clear unit attention on initial resetHannes Reinecke
The EFI firmware doesn't handle unit attentions properly, so we need to clear the Power On/Reset unit attention upon initial reset. Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-31scsi: Rename scsi_*_length() to scsi_*_xfer(), add scsi_cdb_length()Hannes Reinecke
scsi_cdb_length() does not return the length of the cdb, but the transfersize encoded in the cdb. So rename it to scsi_cdb_xfer() and also rename all other related functions to end with _xfer. We can then add a new scsi_cdb_length() which actually does return the length of the cdb. With that DEBUG_SCSI can now display the correct CDB buffer. Signed-off-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-20hw: Convert from BlockDriverState to BlockBackend, mostlyMarkus Armbruster
Device models should access their block backends only through the block-backend.h API. Convert them, and drop direct includes of inappropriate headers. Just four uses of BlockDriverState are left: * The Xen paravirtual block device backend (xen_disk.c) opens images itself when set up via xenbus, bypassing blockdev.c. I figure it should go through qmp_blockdev_add() instead. * Device model "usb-storage" prompts for keys. No other device model does, and this one probably shouldn't do it, either. * ide_issue_trim_cb() uses bdrv_aio_discard() instead of blk_aio_discard() because it fishes its backend out of a BlockAIOCB, which has only the BlockDriverState. * PC87312State has an unused BlockDriverState[] member. The next two commits take care of the latter two. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-20block: Eliminate DriveInfo member bdrv, use blk_by_legacy_dinfo()Markus Armbruster
The patch is big, but all it really does is replacing dinfo->bdrv by blk_bs(blk_by_legacy_dinfo(dinfo)) The replacement is repetitive, but the conversion of device models to BlockBackend is imminent, and will shorten it to just blk_legacy_dinfo(dinfo). Line wrapping muddies the waters a bit. I also omit tests whether dinfo->bdrv is null, because it never is. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Benoît Canet <benoit.canet@nodalink.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-10-16Merge remote-tracking branch 'remotes/kraxel/tags/pull-bootindex-20141015-1' ↵Peter Maydell
into staging allow changing bootorder via monitor at runtime, by making bootindex a writable qom property. * remotes/kraxel/tags/pull-bootindex-20141015-1: (34 commits) bootindex: change fprintf to error_report bootindex: delete bootindex when device is removed bootindex: move calling add_boot_device_patch to bootindex setter function ide: add calling add_boot_device_patch in bootindex setter function nvma: ide: add bootindex to qom property usb-storage: add bootindex to qom property virtio-blk: alias bootindex property explicitly for virt-blk-pci/ccw/s390 block: remove bootindex property from qdev to qom virtio-blk: add bootindex to qom property ide: add bootindex to qom property scsi: add bootindex to qom property isa-fdc: remove bootindexA/B property from qdev to qom redirect: remove bootindex property from qdev to qom vfio: remove bootindex property from qdev to qom pci-assign: remove bootindex property from qdev to qom host-libusb: remove bootindex property from qdev to qom virtio-net: alias bootindex property explicitly for virt-net-pci/ccw/s390 net: remove bootindex property from qdev to qom usb-net: add bootindex to qom property vmxnet3: add bootindex to qom property ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-15block: remove bootindex property from qdev to qomGonglei
Remove bootindex form qdev property to qom, things will continue to work just fine, and we can use qom features which are not supported by qdev property. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-15scsi: add bootindex to qom propertyGonglei
Add a qom property with the same name 'bootindex', when we remove it form qdev property, things will continue to work just fine, and we can use qom features which are not supported by qdev property. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-15scsi: Cleanup not used anymore SCSIBusInfo{hotplug, hot_unplug} fieldsIgor Mammedov
SCSI subsytem was converted to hotplug handler API and doesn't use SCSIBusInfo{hotplug, hot_unplug} fields and related callbacks anymore. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-10-15scsi: Set SCSI BUS itself as default HotplugHandlerIgor Mammedov
That would allow to handle SCSI device unplug on HBAs without dedicated hot(un)plug handlers and avoid making such HBAs explicitly hotpluggable. Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-09-30scsi: Introduce scsi_req_cancel_asyncFam Zheng
Devices will call this function to start an asynchronous cancellation. The bus->info->cancel will be called after the request is canceled. Devices will probably need to track a separate TMF request that triggers this cancellation, and wait until the cancellation is done before completing it. So we store a notifier list in SCSIRequest and in scsi_req_cancel_complete we notify them. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-09-30scsi: Introduce scsi_req_cancel_completeFam Zheng
Let the aio cb do the clean up and notification job after scsi_req_cancel, in preparation for asynchronous cancellation. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-09-30scsi: Drop SCSIReqOps.cancel_ioFam Zheng
The only two implementations are identical to each other, with nothing specific to device: they only call bdrv_aio_cancel with the SCSIRequest.aiocb. Let's move it to scsi-bus. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-09-30scsi: Drop scsi_req_abortFam Zheng
The only user of this function is spapr_vscsi.c. We can convert to scsi_req_cancel plus adding a check in vscsi_request_cancelled. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> [Drop prototype. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-09-23scsi: Optimize scsi_req_allocFam Zheng
Zeroing sense buffer for each scsi request is not efficient, we can just leave it uninitialized because sense_len is set to 0. Move the implicitly zeroed fields to the end of the structure and use a partial memset. The explicitly initialized fields (by scsi_req_alloc or scsi_req_new) are moved to the beginning of the structure, before sense buffer, to skip the memset. Also change g_malloc0 to g_slice_alloc. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-08-26scsi-bus: Convert DeviceClass init to realizeFam Zheng
Replace "init/destroy" with "realize/unrealize" in SCSIDeviceClass, which has errp as a parameter. So all the implementations now use error_setg instead of error_report for reporting error. Also in scsi_bus_legacy_handle_cmdline, report the error when initializing the if=scsi devices, before returning it, because in the callee, error_report is changed to error_setg. And the callers don't have the right locations (e.g. "-drive if=scsi"). Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-07-29scsi-block, scsi-generic: implement parse_cdbPaolo Bonzini
The callback lets the bus provide the direction and transfer count for passthrough commands, enabling passthrough of vendor-specific commands. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-07-29scsi-bus: introduce parse_cdb in SCSIDeviceClass and SCSIBusInfoPaolo Bonzini
These callbacks will let devices do their own request parsing, or defer it to the bus. If the bus does not provide an implementation, in turn, fall back to the default parsing routine. Swap the first two arguments to scsi_req_parse, and rename it to scsi_req_parse_cdb, for consistency. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-07-29scsi-bus: prepare scsi_req_new for introduction of parse_cdbPaolo Bonzini
The per-SCSIDevice parse_cdb callback must not be called if the request will go through special SCSIReqOps, so detect the special cases early enough. Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-07-14scsi: Report error when lun number is in useFam Zheng
In the case that the lun number is taken by another scsi device, don't release the existing device siliently, but report an error to user. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-06-18scsi: Print command name in debugAlexey Kardashevskiy
This makes scsi_command_name() public. This makes use of scsi_command_name() in debug output for scsi-disk and spapr-vscsi host bus adapter. Before this, SCSI used to print hex numbers instead of human-friendly strings. This adds GET_EVENT_STATUS_NOTIFICATION and READ_DISC_INFORMATION to the list of SCSI commands supported by scsi_command_name(). Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-06-16savevm: Remove all the unneeded version_minimum_id_old (x86)Juan Quintela
After previous Peter patch, they are redundant. This way we don't assign them except when needed. Once there, there were lots of case where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (appart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2014-05-22Merge remote-tracking branch 'remotes/bonzini/scsi-next' into stagingPeter Maydell
* remotes/bonzini/scsi-next: megasas: remove buildtime strings block: iscsi build fix if LIBISCSI_FEATURE_IOVECTOR is not defined virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path scsi: Document intentional fall through in scsi_req_length() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-16scsi: Document intentional fall through in scsi_req_length()Markus Armbruster
For clarity, and to hush up Coverity. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-05-07hw: Add missing 'static' attributesStefan Weil
This fixes warnings from the static code analysis (smatch). Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-04-02scsi-bus: remove bogus assertionPaolo Bonzini
This assertion is invalid, because get_sg_list can return an empty sg-list even for commands that transfer no data (such as SYNCHRONIZE CACHE). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-03-14scsi: Fix migration of scsi sense dataFam Zheng
c5f52875 changed the size of sense array in vmstate_scsi_device by mistake. This patch restores the old size, and add a subsection for the remaining part of the buffer size. So that migration is not broken. Signed-off-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-02-22scsi-bus: Fix transfer length for VERIFY with BYTCHK=11bMarkus Armbruster
The transfer length depends on field BYTCHK, which is encoded in byte 1, bits 1..2. However, the guard for for case BYTCHK=11b doesn't work, and we get case 01b instead. Fix it. Note that since emulated scsi-hd fails the command outright, it takes SCSI passthrough of a device that actually implements VERIFY with BYTCHK=11b to make the bug bite. Screwed up in commit d12ad44. Spotted by Coverity. Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-02-22scsi: report thin provisioning errors with werror=reportPaolo Bonzini
SCSI defines a status code for when a thin-provisioned LUNs would exceed the allocated space, map ENOSPC to it. Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-01-16scsi: Support TEST UNIT READY in the dummy LUN0Paolo Bonzini
SeaBIOS waits for LUN0 to respond to the TEST UNIT READY command in order to decide whether it should part of the boot sequence. If LUN0 does not respond to the command, boot is delayed by up to 5 seconds. This currently happens when there is no LUN0 on a target. Fix that by adding a trivial implementation of the command. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-13Merge remote-tracking branch 'bonzini/scsi-next' into stagingAnthony Liguori
# By Paolo Bonzini (4) and Peter Lieven (1) # Via Paolo Bonzini * bonzini/scsi-next: help: add id suboption to -iscsi scsi-disk: fix WRITE SAME with large non-zero payload block/iscsi: introduce bdrv_co_{readv, writev, flush_to_disk} scsi-disk: fix VERIFY emulation scsi-bus: fix transfer length and direction for VERIFY command Message-id: 1386594157-17535-1-git-send-email-pbonzini@redhat.com Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-12-09scsi-bus: fix transfer length and direction for VERIFY commandPaolo Bonzini
The amount of bytes to transfer depends on the BYTCHK field. If any data is transferred, it is sent to the device. Cc: qemu-stable@nongnu.org Tested-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-11-26scsi: Add 2 new sense codes needed by uasHans de Goede
Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-11-05qdev: Drop misleading qdev_free() functionStefan Hajnoczi
The qdev_free() function name is misleading since all the function does is unlink the device from its parent. The device is not necessarily freed. The device will be freed when its QObject refcount reaches zero. It is usual for the parent (bus) to hold the final reference but there are cases where something else holds a reference so "free" is a misleading name. Call object_unparent(obj) directly instead of having a qdev wrapper function. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-10-09scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]Asias He
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at most. If more than 256 luns are specified by user, we have buffer overflow in scsi_target_emulate_report_luns. To fix, we allocate the buffer dynamically. Signed-off-by: Asias He <asias@redhat.com> Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-09-12scsi: Fix scsi_bus_legacy_add_drive() scsi-generic with serialMarkus Armbruster
scsi_bus_legacy_add_drive() creates either a scsi-disk or a scsi-generic device. It sets property "serial" to argument serial unless null. Crashes with scsi-generic, because it doesn't have such the property. Only usb_msd_initfn_storage() passes non-null serial. Reproducer: $ qemu-system-x86_64 -nodefaults -display none -S -usb \ -drive if=none,file=/dev/sg1,id=usb-drv0 \ -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123 qemu-system-x86_64: -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123: Property '.serial' not found Aborted (core dumped) Fix by handling exactly like "removable": set the property only when it exists. Cc: qemu-stable@nongnu.org Reviewed-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-08-30qdev: Pass size to qbus_create_inplace()Andreas Färber
To be passed to object_initialize(). Since commit 39355c3826f5d9a2eb1ce3dc9b4cdd68893769d6 the argument is void*, so drop some superfluous (BusState *) casts or direct parent field usages. Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30scsi: Pass size to scsi_bus_new()Andreas Färber
To be passed to qbus_create_inplace(). Use DEVICE() casts instead of direct parent field access. Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-29devices: Associate devices to their logical categoryMarcel Apfelbaum
The category will be used to sort the devices displayed in the command line help. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>