qsgl->size is the size of the data field after the request or response header (virtio-scsi currently supports only one such field; bidirectional requests are not supported). However, the used ring's len field is not concerned with the field after the request header, so do not count it unless req->mode signals the request was a read.
Also, do not report that anything was written if the request failed, and subtract any residual bytes in case of buffer underrun.
Signed-off-by: Paolo Bonzini <[email protected]>
---
 hw/scsi/virtio-scsi.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index c9bea06..4995f6e 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -65,6 +65,19 @@ void virtio_scsi_free_req(VirtIOSCSIReq *req)
 g_slice_free1(sizeof(*req) + vs->cdb_size, req);
 }
 
+static size_t virtio_scsi_written_length(VirtIODevice *vdev, VirtIOSCSIReq *req)
+{
+ size_t sz = req->resp_iov.size;
+
+ if (req->sreq &&
+ req->mode == SCSI_XFER_FROM_DEV &&
+ req->resp.cmd.response == VIRTIO_SCSI_S_OK) {
+ sz += req->qsgl.size - virtio_tswap32(vdev, req->resp.cmd.resid);
+ }
+
+ return sz;
+}
+
 static void virtio_scsi_complete_req(VirtIOSCSIReq *req)
 {
 VirtIOSCSI *s = req->dev;
@@ -76,7 +89,7 @@ static void virtio_scsi_complete_req(VirtIOSCSIReq *req)
 assert(req->vq == NULL);
 virtio_scsi_vring_push_notify(req);
 } else {
- virtqueue_push(vq, &req->elem, req->qsgl.size + req->resp_iov.size);
+ virtqueue_push(vq, &req->elem, virtio_scsi_written_length(vdev, req));
 virtio_notify(vdev, vq);
 }
 
-- 2.3.5
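Review bot: The subtraction `req->qsgl.size - virtio_tswap32(vdev, req->resp.cmd.resid)` in virtio_scsi_written_length is done in size_t, so a resid larger than qsgl.size would wrap and hand virtqueue_push a length far beyond what was written. resid is filled in outside this hunk, so whether that can occur is not visible here. Making the invariant explicit is cheap: `uint32_t resid = virtio_tswap32(vdev, req->resp.cmd.resid);` then `assert(resid <= req->qsgl.size);` before the `sz +=` line. In the second hunk only the `virtqueue_push` branch is switched to the new helper; the `virtio_scsi_vring_push_notify(req)` branch is defined elsewhere and may still report the old length, which is worth checking. A short comment above the helper, such as `/* Bytes written into the guest's in buffers: response header plus data actually transferred on a successful read. */`, would record why writes and failed requests report only resp_iov.size.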
