[SCSI] libiscsi: fix senselen calculation
author Mike Christie <michaelc@cs.wisc.edu>
Sun, 17 Dec 2006 18:10:28 +0000 (12:10 -0600)
committer James Bottomley <jejb@mulgrave.il.steeleye.com>
Sat, 6 Jan 2007 15:02:09 +0000 (09:02 -0600)
Yanling Qi noted that when the sense data length of
a check-condition is greater than 0x7f (127), senselen = (data[0] << 8)
| data[1] will become negative. It causes different kinds of panics from
GPF, spin_lock deadlock to spin_lock recursion.

We were also swapping this value on big endian machines.

This patch fixes both issues by using be16_to_cpu().

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
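
The sign extension described in the commit message, as an added C example (not part of the commit or the kernel source). It assumes `data` is a signed `char` buffer, which is what the negative result implies, and uses a hypothetical `SENSE_BUFSZ` of 96 in place of `SCSI_SENSE_BUFFERSIZE`; `copy_sense` also counts the 2-byte length prefix in its bounds check, which goes beyond what the patch does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SENSE_BUFSZ 96 /* assumed stand-in for SCSI_SENSE_BUFFERSIZE */

/* Constructed sample: 2-byte big-endian length 0x0080 (128), then 128 zero bytes. */
static const signed char sample_hdr[2] = { 0x00, -128 };	/* bytes 00 80 */
static const unsigned char sample_pdu[2 + 128] = { 0x00, 0x80 };
static unsigned char sense_out[SENSE_BUFSZ];

/* Pre-patch expression on a signed char buffer (assumption): data[1] >= 0x80
 * sign-extends to a negative int, and the OR makes the whole result negative. */
static int senselen_old(const signed char *data)
{
	return (data[0] << 8) | data[1];
}

/* Byte-wise big-endian read: unsigned, alignment- and endian-independent. */
static uint16_t senselen_new(const void *data)
{
	const unsigned char *p = data;
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the number of sense bytes copied, or -1 if the data is too short.
 * The length check includes the 2-byte prefix (stricter than the patch). */
static int copy_sense(unsigned char *sense, const void *data, size_t datalen)
{
	uint16_t senselen;
	size_t n;

	if (datalen < 2)
		return -1;
	senselen = senselen_new(data);
	if (datalen - 2 < senselen)
		return -1;
	n = senselen < SENSE_BUFSZ ? senselen : SENSE_BUFSZ;
	memcpy(sense, (const unsigned char *)data + 2, n);
	return (int)n;
}

int main(void)
{
	printf("old=%d new=%u copied=%d\n", senselen_old(sample_hdr),
	       (unsigned)senselen_new(sample_pdu), copy_sense(sense_out, sample_pdu, sizeof(sample_pdu)));
	return 0;
}
```
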
drivers/scsi/libiscsi.c

index e11b23c641e28e36506c272a626b8dc5cbfc01ce..d37048c96eab5163231f04917408a6c418c25b79 100644 (file)
@@ -260,7 +260,7 @@ static int iscsi_scsi_cmd_rsp(struct iscsi_conn *conn, struct iscsi_hdr *hdr,
        }
 
        if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
-               int senselen;
+               uint16_t senselen;
 
                if (datalen < 2) {
 invalid_datalen:
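Review bot: style point on the new declaration `uint16_t senselen;`: in-kernel code conventionally spells a host-order 16-bit value as `u16`, so `u16 senselen;` would match the surrounding kernel types. The unsigned type is what keeps a length above 0x7f from turning negative, so the width and signedness are right; only the spelling is at issue.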
@@ -270,12 +270,12 @@ invalid_datalen:
                        goto out;
                }
 
-               senselen = (data[0] << 8) | data[1];
+               senselen = be16_to_cpu(*(uint16_t *)data);
                if (datalen < senselen)
                        goto invalid_datalen;
 
                memcpy(sc->sense_buffer, data + 2,
-                      min(senselen, SCSI_SENSE_BUFFERSIZE));
+                      min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
                debug_scsi("copied %d bytes of sense\n",
                           min(senselen, SCSI_SENSE_BUFFERSIZE));
        }
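Review bot: the bounds check `if (datalen < senselen)` does not count the 2-byte length prefix, while the memcpy reads from `data + 2`, so a buffer with `datalen` equal to `senselen` passes the check and the copy can read up to 2 bytes past the `datalen` bytes; comparing `datalen - 2 < senselen` closes this, and is safe because `datalen < 2` is already rejected above. Two smaller points in the same hunk: the `debug_scsi()` call still uses `min(senselen, SCSI_SENSE_BUFFERSIZE)` and should use the same `min_t(uint16_t, ...)` form as the memcpy, and the cast in `be16_to_cpu(*(uint16_t *)data)` assumes `data` is 2-byte aligned, which nothing in these lines guarantees, so an unaligned-safe read would be more robust.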