Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
phyus
/
linux-vybrid_public
8
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

[SCSI] libiscsi: fix senselen calculation

Yanling Qi, noted that when the sense data length of
a check-condition is greater than 0x7f (127), senselen = (data[0] << 8)
| data[1] will become negative. It causes different kinds of panics from
GPF, spin_lock deadlock to spin_lock recursion.

We were also swapping this value on big endien machines.

This patch fixes both issues by using be16_to_cpu().

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Mike Christie 18 gadi atpakaļ
vecāks
94cb3f822b
revīzija
9b80cb4be1
1 mainītis faili ar 3 papildinājumiem un 3 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 3 3
      drivers/scsi/libiscsi.c

+ 3 - 3
drivers/scsi/libiscsi.c
Parādīt failu 

@@ -260,7 +260,7 @@ static int iscsi_scsi_cmd_rsp(struct iscsi_conn *conn, struct iscsi_hdr *hdr,
 
 	}
 
 
 	if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
 
-		int senselen;
 
+		uint16_t senselen;
 
 
 		if (datalen < 2) {
 
 invalid_datalen:
 
@@ -270,12 +270,12 @@ invalid_datalen:
 
 			goto out;
 
 		}
 
 
-		senselen = (data[0] << 8) | data[1];
 
+		senselen = be16_to_cpu(*(uint16_t *)data);
 
 		if (datalen < senselen)
 
 			goto invalid_datalen;
 
 
 		memcpy(sc->sense_buffer, data + 2,
 
-		       min(senselen, SCSI_SENSE_BUFFERSIZE));
 
+		       min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
 
 		debug_scsi("copied %d bytes of sense\n",
 
 			   min(senselen, SCSI_SENSE_BUFFERSIZE));
 
 	}