If a guest sends a TI (Transfer Information) command without previously sending any message out/command phase data then cmdfifo will underflow triggering an assert reading the IDENTIFY byte.
Buglink: https://bugs.launchpad.net/qemu/+bug/1919035
Signed-off-by: Mark Cave-Ayland <mark.cave-ayl...@ilande.co.uk>
---
 hw/scsi/esp.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 507ab363bc..5d3f1ccbc8 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -318,18 +318,24 @@ static void do_busid_cmd(ESPState *s, uint8_t busid)
 
 static void do_cmd(ESPState *s)
 {
-    uint8_t busid = fifo8_pop(&s->cmdfifo);
+    uint8_t busid;
     uint32_t n;
 
-    s->cmdfifo_cdb_offset--;
+    if (fifo8_num_used(&s->cmdfifo)) {
+        busid = fifo8_pop(&s->cmdfifo);
 
-    /* Ignore extended messages for now */
-    if (s->cmdfifo_cdb_offset) {
-        fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n);
-        s->cmdfifo_cdb_offset = 0;
-    }
+        if (s->cmdfifo_cdb_offset) {
+            s->cmdfifo_cdb_offset--;
+
+            /* Ignore extended messages for now */
+            if (s->cmdfifo_cdb_offset) {
+                fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n);
+                s->cmdfifo_cdb_offset = 0;
+            }
+        }
 
-    do_busid_cmd(s, busid);
+        do_busid_cmd(s, busid);
+    }
 }
 
 static void satn_pdma_cb(ESPState *s)
-- 
2.20.1
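Review bot: The new guard only covers the single `fifo8_pop()` of the IDENTIFY byte; the inner `fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n)` still trusts `cmdfifo_cdb_offset`, which is driven by the guest's message-out data, to be no larger than what remains in `cmdfifo`. If that invariant is not enforced where `cmdfifo_cdb_offset` is incremented (outside this hunk), a guest can still reach the same underflow assertion one line later, so the pop should be bounded, e.g. `uint32_t len = MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo));` followed by `fifo8_pop_buf(&s->cmdfifo, len, &n);` with `len` checked to be non-zero before the call. The empty-FIFO path now silently skips `do_busid_cmd()`, which is the intended fix but is not stated; a comment such as `/* No IDENTIFY message received: nothing to dispatch, ignore the TI */` above the outer `if` would document that choice. Note that `n` receives the popped length but is never read, which is pre-existing and worth a `(void)n;` or a comment if it is deliberate.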