From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58960)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <aik@ozlabs.ru>) id 1V3fOD-0004RL-2A
	for qemu-devel@nongnu.org; Mon, 29 Jul 2013 00:49:03 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <aik@ozlabs.ru>) id 1V3fO6-0003ys-HG
	for qemu-devel@nongnu.org; Mon, 29 Jul 2013 00:48:56 -0400
Received: from mail-pb0-f54.google.com ([209.85.160.54]:49126)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <aik@ozlabs.ru>) id 1V3fO6-0003xQ-B7
	for qemu-devel@nongnu.org; Mon, 29 Jul 2013 00:48:50 -0400
Received: by mail-pb0-f54.google.com with SMTP id ro12so964884pbb.41
	for <qemu-devel@nongnu.org>; Sun, 28 Jul 2013 21:48:48 -0700 (PDT)
From: Alexey Kardashevskiy <aik@ozlabs.ru>
Date: Mon, 29 Jul 2013 14:48:39 +1000
Message-Id: <1375073319-17488-1-git-send-email-aik@ozlabs.ru>
Subject: [Qemu-devel] [PATCH] spapr-vscsi: fix SOLNT bit in SRP_RSP
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Anthony Liguori <aliguori@us.ibm.com>, Alexey Kardashevskiy <aik@ozlabs.ru>, Alexander Graf <agraf@suse.de>, qemu-trivial@nongnu.org, qemu-ppc@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>

The driver calculates SOLNT bit from UCSOLNT and  SCSOLNT bits from
the request. The iu pointer has a type of srp_iu* which points to a union,
so cmd and rsp overlap. As the vscsi_send_rsp function calls
memset(iu, 0, sizeof(rsp)), it clears first 36 bytes of both cmd and rsp
so cmd.sol_not is always zero at the moment of calculating rsp.sol_not.

This fixes the bug.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---

Is that really trivial? I am not so sure but put qemu-trivial@ to copy :)

---

 hw/scsi/spapr_vscsi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/scsi/spapr_vscsi.c b/hw/scsi/spapr_vscsi.c
index 55b44b9..541ffcc 100644
--- a/hw/scsi/spapr_vscsi.c
+++ b/hw/scsi/spapr_vscsi.c
@@ -217,6 +217,7 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
     union viosrp_iu *iu = &req->iu;
     uint64_t tag = iu->srp.rsp.tag;
     int total_len = sizeof(iu->srp.rsp);
+    uint8_t sol_not = iu->srp.cmd.sol_not;
 
     dprintf("VSCSI: Sending resp status: 0x%x, "
             "res_in: %d, res_out: %d\n", status, res_in, res_out);
@@ -249,7 +250,7 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
     /* Handle success vs. failure */
     iu->srp.rsp.status = status;
     if (status) {
-        iu->srp.rsp.sol_not = (iu->srp.cmd.sol_not & 0x04) >> 2;
+        iu->srp.rsp.sol_not = (sol_not & 0x04) >> 2;
         if (req->senselen) {
             req->iu.srp.rsp.flags |= SRP_RSP_FLAG_SNSVALID;
             req->iu.srp.rsp.sense_data_len = cpu_to_be32(req->senselen);
@@ -257,7 +258,7 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
             total_len += req->senselen;
         }
     } else {
-        iu->srp.rsp.sol_not = (iu->srp.cmd.sol_not & 0x02) >> 1;
+        iu->srp.rsp.sol_not = (sol_not & 0x02) >> 1;
     }
 
     vscsi_send_iu(s, req, total_len, VIOSRP_SRP_FORMAT);
-- 
1.8.3.2