Comment 2 for bug 1919036

Mark Cave-Ayland (mark-cave-ayland) wrote :

Thanks for the test case - looks like the problem occurs because a command hasn't been submitted before initiating a DMA transfer, and TC is set to a value higher than the size of cmdfifo. Can you confirm that the following fix works for you?

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 507ab363bc..0a26ee1dfd 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -573,6 +573,7 @@ static void esp_do_dma(ESPState *s)
         cmdlen = fifo8_num_used(&s->cmdfifo);
         trace_esp_do_dma(cmdlen, len);
         if (s->dma_memory_read) {
+ len = MIN(len, fifo8_num_free(&s->cmdfifo));
             s->dma_memory_read(s->dma_opaque, buf, len);
             fifo8_push_all(&s->cmdfifo, buf, len);
         } else {
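Review bot: the new clamp sits after `trace_esp_do_dma(cmdlen, len)`, so the trace still reports the unclamped TC-derived length rather than the number of bytes actually read and pushed; moving `len = MIN(len, fifo8_num_free(&s->cmdfifo));` above the trace call keeps the trace consistent with the transfer. The bound is also applied only inside the `if (s->dma_memory_read)` branch; if the `else` path (not visible in the hunk) also pushes DMA data into `cmdfifo`, it needs the same check, otherwise the overflow the comment describes remains reachable through that path.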

ATB,

Mark.
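To make the effect of the one-line fix concrete, here is an added, stand-alone model of the situation described in the comment: a guest-controlled transfer count (TC) larger than the free space in the command FIFO. This is example code written for this page, not QEMU's `esp.c` or `util/fifo8.c`; `CmdFifo`, `CMDFIFO_SIZE`, `do_dma_unbounded` and `do_dma_bounded` are constructed names, and the FIFO is a simplified linear buffer that reports an overflow instead of asserting so the two code paths can be compared.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the ESP command FIFO (not QEMU's Fifo8):
 * a fixed-size linear buffer with a used-byte counter. */
#define CMDFIFO_SIZE 16

typedef struct {
    uint8_t data[CMDFIFO_SIZE];
    uint32_t num;            /* bytes currently queued */
} CmdFifo;

static uint32_t fifo_num_used(const CmdFifo *f) { return f->num; }
static uint32_t fifo_num_free(const CmdFifo *f) { return CMDFIFO_SIZE - f->num; }

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Mirrors the push-all contract: the caller must guarantee len fits.
 * Returns false instead of writing past data[] so the test can observe
 * the would-be overflow. */
static bool fifo_push_all(CmdFifo *f, const uint8_t *buf, uint32_t len)
{
    if (len > fifo_num_free(f)) {
        return false;        /* out-of-bounds write averted here only for the demo */
    }
    memcpy(f->data + f->num, buf, len);
    f->num += len;
    return true;
}

/* Constructed DMA source: the guest decides how many bytes arrive. */
static void dma_memory_read(uint8_t *buf, uint32_t len)
{
    memset(buf, 0xA5, len);
}

/* Before the fix: the TC-derived length goes straight into the FIFO.
 * Returns false when the push would overflow the FIFO. */
static bool do_dma_unbounded(CmdFifo *f, uint32_t len)
{
    uint8_t buf[256];
    len = MIN(len, sizeof(buf));          /* staging buffer bound, assumed */
    dma_memory_read(buf, len);
    return fifo_push_all(f, buf, len);
}

/* After the fix: clamp to the FIFO's free space before reading.
 * Returns the number of bytes actually transferred into the FIFO. */
static uint32_t do_dma_bounded(CmdFifo *f, uint32_t len)
{
    uint8_t buf[256];
    len = MIN(len, sizeof(buf));
    len = MIN(len, fifo_num_free(f));     /* the line the patch adds */
    dma_memory_read(buf, len);
    fifo_push_all(f, buf, len);
    return len;
}
```

With a TC of 40 against a 16-byte FIFO, the unbounded path reports an overflow while the bounded path transfers exactly the 16 free bytes and then zero on a further request, which is the behaviour the patch is meant to restore.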