Index: /trunk/src/VBox/Devices/Storage/DevVirtioSCSI.cpp
===================================================================
--- /trunk/src/VBox/Devices/Storage/DevVirtioSCSI.cpp	(revision 83573)
+++ /trunk/src/VBox/Devices/Storage/DevVirtioSCSI.cpp	(revision 83574)
@@ -1030,4 +1030,5 @@
     size_t cbRemain = pReq->cbDataIn;
 
+    /* Skip past the REQ_RESP_HDR_T and sense code if we're at the start of the buffer. */
     if (!pSgPhysReturn->idxSeg && pSgPhysReturn->cbSegLeft == pSgPhysReturn->paSegs[0].cbSeg)
         virtioCoreSgBufAdvance(pSgPhysReturn, pReq->uDataInOff);
@@ -1035,10 +1036,11 @@
     while (cbRemain)
     {
-        PVIRTIOSGSEG paSeg = &pSgPhysReturn->paSegs[pSgPhysReturn->idxSeg];
-        uint64_t dstSgStart = (uint64_t)paSeg->gcPhys;
-        uint64_t dstSgLen   = (uint64_t)paSeg->cbSeg;
-        uint64_t dstSgCur   = (uint64_t)pSgPhysReturn->gcPhysCur;
-        cbCopied = RT_MIN((uint64_t)pSgBuf->cbSegLeft, dstSgLen - (dstSgCur - dstSgStart));
-        PDMDevHlpPCIPhysWrite(pDevIns, (RTGCPHYS)pSgPhysReturn->gcPhysCur, pSgBuf->pvSegCur, cbCopied);
+        PVIRTIOSGSEG pSeg = &pSgPhysReturn->paSegs[pSgPhysReturn->idxSeg];
+        /** @todo r=bird: add inline function for getting number of bytes left in the
+         *        current segment.  Actually, shouldn't pSgPhysReturn->cbSegLeft have
+         *        this value? */
+        cbCopied = RT_MIN(pSgBuf->cbSegLeft, pSeg->cbSeg - (size_t)(pSgPhysReturn->gcPhysCur - pSeg->gcPhys));
+        Assert(cbCopied > 0);
+        PDMDevHlpPCIPhysWrite(pDevIns, pSgPhysReturn->gcPhysCur, pSgBuf->pvSegCur, cbCopied);
         RTSgBufAdvance(pSgBuf, cbCopied);
         virtioCoreSgBufAdvance(pSgPhysReturn, cbCopied);
@@ -1048,5 +1050,5 @@
 
     Log3Func((".... Copied %lu bytes from %lu byte guest buffer, residual=%lu\n",
-         cbCopy, pReq->pDescChain->cbPhysReturn, pReq->pDescChain->cbPhysReturn - cbCopy));
+              cbCopy, pReq->pDescChain->cbPhysReturn, pReq->pDescChain->cbPhysReturn - cbCopy));
 
     return VINF_SUCCESS;
@@ -1076,11 +1078,11 @@
     while (cbRemain)
     {
-        PVIRTIOSGSEG paSeg  = &pSgPhysSend->paSegs[pSgPhysSend->idxSeg];
-        uint64_t srcSgStart = (uint64_t)paSeg->gcPhys;
-        uint64_t srcSgLen   = (uint64_t)paSeg->cbSeg;
-        uint64_t srcSgCur   = (uint64_t)pSgPhysSend->gcPhysCur;
-        cbCopied = RT_MIN((uint64_t)pSgBuf->cbSegLeft, srcSgLen - (srcSgCur - srcSgStart));
-        PDMDevHlpPCIPhysRead(pDevIns,
-                          (RTGCPHYS)pSgPhysSend->gcPhysCur, pSgBuf->pvSegCur, cbCopied);
+        PVIRTIOSGSEG const pSeg = &pSgPhysSend->paSegs[pSgPhysSend->idxSeg];
+        /** @todo r=bird: add inline function for getting number of bytes left in the
+         *        current segment.  Actually, shouldn't pSgPhysSend->cbSegLeft have
+         *        this value? */
+        cbCopied = RT_MIN(pSgBuf->cbSegLeft, pSeg->cbSeg - (size_t)(pSgPhysSend->gcPhysCur - pSeg->gcPhys));
+        Assert(cbCopied > 0);
+        PDMDevHlpPCIPhysRead(pDevIns, pSgPhysSend->gcPhysCur, pSgBuf->pvSegCur, cbCopied);
         RTSgBufAdvance(pSgBuf, cbCopied);
         virtioCoreSgBufAdvance(pSgPhysSend, cbCopied);
@@ -1089,5 +1091,5 @@
 
     Log2Func((".... Copied %lu bytes to %lu byte guest buffer, residual=%lu\n",
-         cbCopy, pReq->pDescChain->cbPhysReturn, pReq->pDescChain->cbPhysReturn - cbCopy));
+              cbCopy, pReq->pDescChain->cbPhysReturn, pReq->pDescChain->cbPhysReturn - cbCopy));
 
     return VINF_SUCCESS;