From: Bart Van Assche <bart.vanassche@gmail.com>
Date: Wed, 9 Dec 2009 18:52:19 +0000 (+0100)
Subject: [SCSI] libsrp: fix bug in ADDITIONAL CDB LENGTH interpretation
X-Git-Tag: firefly_0821_release~9833^2~3106^2~2
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=78d85019ba8c13e1094cad0ea9bb4f61caad8320;p=firefly-linux-kernel-4.4.55.git

[SCSI] libsrp: fix bug in ADDITIONAL CDB LENGTH interpretation

Fix a bug in the interpretation of the ADDITIONAL CDB LENGTH (add_cdb_len)
field of SRP_CMD requests. According to the SRP specification, the layout
of this single-byte field is as follows:
* Bits 0 and 1 are reserved.
* Bits 2 to 7 represent the ADDITIONAL CDB LENGTH field, symbolically
  represented as n.
* Still according to the SRP specification, the ADDITIONAL CDB section
  takes 4*n bytes.

Currently libsrp is only used by the ibmvscsi driver. Since the ibmvscsi
driver doesn't support large CDB's, this bug hasn't caused any problems yet.

[jejb: use & ~3 to mask the bits]
Signed-off-by: Bart Van Assche <bart.vanassche@gmail.com>
Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
---

diff --git a/drivers/scsi/libsrp.c b/drivers/scsi/libsrp.c
index f79602f28ba7..22775165bf6a 100644
--- a/drivers/scsi/libsrp.c
+++ b/drivers/scsi/libsrp.c
@@ -328,7 +328,7 @@ int srp_transfer_data(struct scsi_cmnd *sc, struct srp_cmd *cmd,
 	int offset, err = 0;
 	u8 format;
 
-	offset = cmd->add_cdb_len * 4;
+	offset = cmd->add_cdb_len & ~3;
 
 	dir = srp_cmd_direction(cmd);
 	if (dir == DMA_FROM_DEVICE)
@@ -366,7 +366,7 @@ static int vscsis_data_length(struct srp_cmd *cmd, enum dma_data_direction dir)
 {
 	struct srp_direct_buf *md;
 	struct srp_indirect_buf *id;
-	int len = 0, offset = cmd->add_cdb_len * 4;
+	int len = 0, offset = cmd->add_cdb_len & ~3;
 	u8 fmt;
 
 	if (dir == DMA_TO_DEVICE)