[Qemu-devel] [PATCH 10/15] scsi-disk: add data direction checking

[Hannes Reinecke <hare@suse.de>]

scsi_req_parse() already provides for a data direction setting,
so we should be using it to check for correct direction.
And we should return the sense code 'INVALID FIELD IN CDB'
in these cases.

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 hw/scsi-disk.c |   30 ++++++++++++++++++++++--------
 1 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 9a5cd8e..0ccb627 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -52,8 +52,6 @@ typedef struct SCSIDiskState SCSIDiskState;
 
 typedef struct SCSIDiskReq {
     SCSIRequest req;
-    /* ??? We should probably keep track of whether the data transfer is
-       a read or a write.  Currently we rely on the host getting it right.  */
     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
     uint64_t sector;
     uint32_t sector_count;
@@ -172,6 +170,12 @@ static void scsi_read_data(SCSIRequest *req)
     /* No data transfer may already be in progress */
     assert(r->req.aiocb == NULL);
 
+    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
+        DPRINTF("Data transfer direction invalid\n");
+        scsi_read_complete(r, -EINVAL);
+        return;
+    }
+
     if (r->sector_count == (uint32_t)-1) {
         DPRINTF("Read buf_len=%zd\n", r->iov[0].iov_len);
         r->sector_count = 0;
@@ -227,12 +231,19 @@ static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type)
         if (type == SCSI_REQ_STATUS_RETRY_READ) {
             r->req.bus->complete(r->req.bus, SCSI_REASON_DATA, &r->req, 0);
         }
-        if (error == EBADR) {
+        switch (error) {
+            case EBADR:
                 scsi_command_complete(r, CHECK_CONDITION,
                                       SENSE_CODE(TARGET_FAILURE));
-        } else {
+                break;
+            case EINVAL:
+                scsi_command_complete(r, CHECK_CONDITION,
+                                      SENSE_CODE(INVALID_FIELD));
+                break;
+            default:
                 scsi_command_complete(r, CHECK_CONDITION,
                                       SENSE_CODE(IO_ERROR));
+                break;
         }
         bdrv_mon_event(s->bs, BDRV_ACTION_REPORT, is_read);
     }
@@ -284,6 +295,12 @@ static int scsi_write_data(SCSIRequest *req)
     /* No data transfer may already be in progress */
     assert(r->req.aiocb == NULL);
 
+    if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
+        DPRINTF("Data transfer direction invalid\n");
+        scsi_write_complete(r, -EINVAL);
+        return 0;
+    }
+
     n = iov_size(r->iov, r->iov_num) / 512;
     if (n) {
         qemu_iovec_init_external(&r->qiov, r->iov, r->iov_num);
@@ -970,11 +987,9 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
     ssize_t len = 0;
-    int is_write;
     uint8_t command;
 
     command = buf[0];
-    is_write = 0;
     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
 
     if (scsi_req_parse(&r->req, buf) != 0) {
@@ -1057,7 +1072,6 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
             goto illegal_lba;
         }
         r->sector = r->req.cmd.lba * s->cluster_size;
-        is_write = 1;
         break;
     case MODE_SELECT:
         DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
@@ -1098,7 +1112,7 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
         scsi_command_complete(r, GOOD, SENSE_CODE(NO_SENSE));
     }
     len += r->sector_count * 512;
-    if (is_write) {
+    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
         return -len;
     } else {
         if (!r->sector_count)
-- 
1.6.0.2