[Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Alexey Kardashevskiy]

SCSI protocol is defined as big endian. The SCSI command REPORT_LUNS
returns the list of LUNs, 8 bytes each.

The store_lun() function is called from scsi_target_emulate_report_luns()
to fill the LUNs list which is sent later to a guest a response. However
it puts the 2 bytes long big-endian value while it is 8 bytes long.

The patch fixes it. Tested on PPC64 platform.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---
 hw/scsi-bus.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index a97f1cd..7059dc2 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -310,11 +310,11 @@ struct SCSITargetReq {
 static void store_lun(uint8_t *outbuf, int lun)
 {
     if (lun < 256) {
-        outbuf[1] = lun;
+        outbuf[7] = lun;
         return;
     }
-    outbuf[1] = (lun & 255);
-    outbuf[0] = (lun >> 8) | 0x40;
+    outbuf[7] = (lun & 255);
+    outbuf[6] = (lun >> 8) | 0x40;
 }
 
 static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
-- 
1.7.10.4

Re: [Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Paolo Bonzini]

Il 16/03/2013 08:16, Alexey Kardashevskiy ha scritto:
> SCSI protocol is defined as big endian. The SCSI command REPORT_LUNS
> returns the list of LUNs, 8 bytes each.
> 
> The store_lun() function is called from scsi_target_emulate_report_luns()
> to fill the LUNs list which is sent later to a guest a response. However
> it puts the 2 bytes long big-endian value while it is 8 bytes long.

No, LUNs are composed of four 2-byte big-endian values.

What bug are you trying to fix?

Paolo

> The patch fixes it. Tested on PPC64 platform.
> 
> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
> ---
>  hw/scsi-bus.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
> index a97f1cd..7059dc2 100644
> --- a/hw/scsi-bus.c
> +++ b/hw/scsi-bus.c
> @@ -310,11 +310,11 @@ struct SCSITargetReq {
>  static void store_lun(uint8_t *outbuf, int lun)
>  {
>      if (lun < 256) {
> -        outbuf[1] = lun;
> +        outbuf[7] = lun;
>          return;
>      }
> -    outbuf[1] = (lun & 255);
> -    outbuf[0] = (lun >> 8) | 0x40;
> +    outbuf[7] = (lun & 255);
> +    outbuf[6] = (lun >> 8) | 0x40;
>  }
>  
>  static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
> 

Re: [Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Alexey Kardashevskiy]

On 16/03/13 19:13, Paolo Bonzini wrote:
> Il 16/03/2013 08:16, Alexey Kardashevskiy ha scritto:
>> SCSI protocol is defined as big endian. The SCSI command REPORT_LUNS
>> returns the list of LUNs, 8 bytes each.
>>
>> The store_lun() function is called from scsi_target_emulate_report_luns()
>> to fill the LUNs list which is sent later to a guest a response. However
>> it puts the 2 bytes long big-endian value while it is 8 bytes long.
>
> No, LUNs are composed of four 2-byte big-endian values.

I cannot find it in "SCSI Commands References Manual"
(for example here - 
http://www.seagate.com/staticfiles/support/disc/manuals/Interface%20manuals/100293068c.pdf 
). It just says that it is 8 bytes per
LUN and SCSI itself is big endian. Could you please point me to
the correct spec?

> What bug are you trying to fix?

It is a ppc64 system firmware/bios (aka SLOF) which expects 8 bytes big
endian value and therefore cannot boot from SCSI devices with LUN!=0.
I can fix QEMU or SLOF but not sure which one.


>
> Paolo
>
>> The patch fixes it. Tested on PPC64 platform.
>>
>> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
>> ---
>>   hw/scsi-bus.c |    6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
>> index a97f1cd..7059dc2 100644
>> --- a/hw/scsi-bus.c
>> +++ b/hw/scsi-bus.c
>> @@ -310,11 +310,11 @@ struct SCSITargetReq {
>>   static void store_lun(uint8_t *outbuf, int lun)
>>   {
>>       if (lun < 256) {
>> -        outbuf[1] = lun;
>> +        outbuf[7] = lun;
>>           return;
>>       }
>> -    outbuf[1] = (lun & 255);
>> -    outbuf[0] = (lun >> 8) | 0x40;
>> +    outbuf[7] = (lun & 255);
>> +    outbuf[6] = (lun >> 8) | 0x40;
>>   }
>>
>>   static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
>>
>


-- 
Alexey

Re: [Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Benjamin Herrenschmidt]

On Sat, 2013-03-16 at 23:11 +1100, Alexey Kardashevskiy wrote:
> > No, LUNs are composed of four 2-byte big-endian values.
> 
> I cannot find it in "SCSI Commands References Manual"
> (for example here - 
> http://www.seagate.com/staticfiles/support/disc/manuals/Interface%
> 20manuals/100293068c.pdf 
> ). It just says that it is 8 bytes per
> LUN and SCSI itself is big endian. Could you please point me to
> the correct spec?

The confusion comes from the old SCSI protocol LUN as a 2 bytes number
identifying a unit for a given bus/device and the "new style" LUN as a
more generic concept such as used in SRP (ie vscsi is SRP) which
encompass the bus, ID and LUN in one big number.

The actual type of LUN returned by REPORT_LUN depends on the
SELECT_REPORT field (I don't remember the details, but the doco you
point to say to see what's in SAM-4) and the result is *variable* in
size, so it should be kosher for qemu to just return 2 bytes as long as
the LUN_LIST_LENGTH field of the reply is correct.

So it all needs a bit of double checking but I wouldn't be surprised if
at the end of the day the culprit was my SLOF code :-)

Cheers,
Ben.

Re: [Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Paolo Bonzini]

Il 16/03/2013 14:01, Benjamin Herrenschmidt ha scritto:
> On Sat, 2013-03-16 at 23:11 +1100, Alexey Kardashevskiy wrote:
>>> No, LUNs are composed of four 2-byte big-endian values.
>>
>> I cannot find it in "SCSI Commands References Manual"
>> (for example here - 
>> http://www.seagate.com/staticfiles/support/disc/manuals/Interface%
>> 20manuals/100293068c.pdf 
>> ). It just says that it is 8 bytes per
>> LUN and SCSI itself is big endian. Could you please point me to
>> the correct spec?

Look at section 4.7 of SAM-5.  Most of it is useless, because the last
six bytes are almost never used.  Still, what matters for QEMU is 4.7.5
Single level LUN structure, 4.7.7 Peripheral device addressing method,
4.7.8 Flat space addressing method.

In particular, you can see the reference to four two-byte fields in
Table 11 — "Single level LUN structure using peripheral device
addressing method" and Table 12 — "Single level LUN structure using flat
space addressing method".

> The confusion comes from the old SCSI protocol LUN as a 2 bytes number
> identifying a unit for a given bus/device and the "new style" LUN as a
> more generic concept such as used in SRP (ie vscsi is SRP) which
> encompass the bus, ID and LUN in one big number.
> 
> The actual type of LUN returned by REPORT_LUN depends on the
> SELECT_REPORT field (I don't remember the details, but the doco you
> point to say to see what's in SAM-4) and the result is *variable* in
> size, so it should be kosher for qemu to just return 2 bytes as long as
> the LUN_LIST_LENGTH field of the reply is correct.

No, that's wrong.  Each LUN returned by REPORT LUNS is always 8 bytes.
The field tells you if you are reporting all LUNs, only well-known LUNs,
etc.

Paolo

Re: [Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Benjamin Herrenschmidt]

On Sat, 2013-03-16 at 14:09 +0100, Paolo Bonzini wrote:

> > The confusion comes from the old SCSI protocol LUN as a 2 bytes number
> > identifying a unit for a given bus/device and the "new style" LUN as a
> > more generic concept such as used in SRP (ie vscsi is SRP) which
> > encompass the bus, ID and LUN in one big number.
> > 
> > The actual type of LUN returned by REPORT_LUN depends on the
> > SELECT_REPORT field (I don't remember the details, but the doco you
> > point to say to see what's in SAM-4) and the result is *variable* in
> > size, so it should be kosher for qemu to just return 2 bytes as long as
> > the LUN_LIST_LENGTH field of the reply is correct.
> 
> No, that's wrong.  Each LUN returned by REPORT LUNS is always 8 bytes.
> The field tells you if you are reporting all LUNs, only well-known LUNs,
> etc.

Ok, my bad then, I misread the spec even more badly than Alexey did ;-)
Anyway, the fix needs to be in SLOF.

Cheers,
Ben.
 

Re: [Qemu-devel] [PATCH] scsi-bus: fix endianness bug in store_lun()

[Alexey Kardashevskiy]

On 17/03/13 00:01, Benjamin Herrenschmidt wrote:
> On Sat, 2013-03-16 at 23:11 +1100, Alexey Kardashevskiy wrote:
>>> No, LUNs are composed of four 2-byte big-endian values.
>>
>> I cannot find it in "SCSI Commands References Manual"
>> (for example here -
>> http://www.seagate.com/staticfiles/support/disc/manuals/Interface%
>> 20manuals/100293068c.pdf
>> ). It just says that it is 8 bytes per
>> LUN and SCSI itself is big endian. Could you please point me to
>> the correct spec?
>
> The confusion comes from the old SCSI protocol LUN as a 2 bytes number
> identifying a unit for a given bus/device and the "new style" LUN as a
> more generic concept such as used in SRP (ie vscsi is SRP) which
> encompass the bus, ID and LUN in one big number.

> The actual type of LUN returned by REPORT_LUN depends on the
> SELECT_REPORT field (I don't remember the details, but the doco you
> point to say to see what's in SAM-4) and the result is *variable* in
> size, so it should be kosher for qemu to just return 2 bytes as long as
> the LUN_LIST_LENGTH field of the reply is correct.

No, it is always 8 bytes long. Does not say anywhere that it can be of 
another size.

> So it all needs a bit of double checking but I wouldn't be surprised if
> at the end of the day the culprit was my SLOF code :-)


The patch below fixes the issue on the SLOF side. Your job? :)
So, I revert the QEMU patch then and will post this. I just
wonder if other 6 bytes are used (or can be used) anyhow by someone
but I need to find SAM-5 spec first, does not seem very easy :-/

btw why was it x@ but not x@-be? I mean yes, is it the same on ppc
but would help a lot in reading this write-only language :)


diff --git a/board-qemu/slof/vio-vscsi.fs b/board-qemu/slof/vio-vscsi.fs
index 8a150ea..88d4085 100644
--- a/board-qemu/slof/vio-vscsi.fs
+++ b/board-qemu/slof/vio-vscsi.fs
@@ -606,7 +606,7 @@ CREATE sector d# 512 allot
          dup rot 0 fill                ( devarray devcur ndev lunarray 
size mem )
          dup >r swap move r>           ( devarray devcur ndev mem )
          dup sector l@ 3 >> 0 DO       ( devarray devcur ndev mem memcur )
-           dup dup x@ j 8 << 8000 or or 30 << swap x! 8 +
+           dup dup w@-be j 8 << 8000 or or 30 << swap x! 8 +
          LOOP drop
         rot                           ( devarray ndev mem devcur )
          dup >r x! r> 8 +              ( devarray ndev devcur )



-- 
Alexey