[SCSI] libiscsi: fix senselen calculation

Yanling Qi, noted that when the sense data length of a check-condition is greater than 0x7f (127), senselen = (data[0] << 8) | data[1] will become negative. It causes different kinds of panics from GPF, spin_lock deadlock to spin_lock recursion. We were also swapping this value on big endien machines. This patch fixes both issues by using be16_to_cpu(). Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
author: Mike Christie <michaelc@cs.wisc.edu> 2006-12-17 13:10:28 -0500
committer: James Bottomley <jejb@mulgrave.il.steeleye.com> 2007-01-06 10:02:09 -0500
commit: 9b80cb4be1f4181875e0cf274dc59f42964fdf1b (patch)
tree: 37587f07724c7382547f056e54e8a52e6e84a594
parent: 94cb3f822bb806a750e1e1c8457bee6e96671569 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index e11b23c641e2..d37048c96eab 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -260,7 +260,7 @@ static int iscsi_scsi_cmd_rsp(struct iscsi_conn *conn, struct iscsi_hdr *hdr,
        }
        if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
-                int senselen;
+                uint16_t senselen;
                if (datalen < 2) {
 invalid_datalen:
@@ -270,12 +270,12 @@ invalid_datalen:
                        goto out;
                }
-                senselen = (data[0] << 8) | data[1];
+                senselen = be16_to_cpu(*(uint16_t *)data);
                if (datalen < senselen)
                        goto invalid_datalen;
                memcpy(sc->sense_buffer, data + 2,
-                       min(senselen, SCSI_SENSE_BUFFERSIZE));
+                       min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
                debug_scsi("copied %d bytes of sense\n",
                           min(senselen, SCSI_SENSE_BUFFERSIZE));
        }
author	Mike Christie <michaelc@cs.wisc.edu>	2006-12-17 13:10:28 -0500
committer	James Bottomley <jejb@mulgrave.il.steeleye.com>	2007-01-06 10:02:09 -0500
commit	9b80cb4be1f4181875e0cf274dc59f42964fdf1b (patch)
tree	37587f07724c7382547f056e54e8a52e6e84a594
parent	94cb3f822bb806a750e1e1c8457bee6e96671569 (diff)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index e11b23c641e2..d37048c96eab 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c
@@ -260,7 +260,7 @@ static int iscsi_scsi_cmd_rsp(struct iscsi_conn conn, struct iscsi_hdr hdr,
260	}	260	}
261		261
262	if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {	262	if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
263	int senselen;	263	uint16_t senselen;
264		264
265	if (datalen < 2) {	265	if (datalen < 2) {
266	invalid_datalen:	266	invalid_datalen:
@@ -270,12 +270,12 @@ invalid_datalen:
270	goto out;	270	goto out;
271	}	271	}
272		272
273	senselen = (data[0] << 8) \| data[1];	273	senselen = be16_to_cpu((uint16_t )data);
274	if (datalen < senselen)	274	if (datalen < senselen)
275	goto invalid_datalen;	275	goto invalid_datalen;
276		276
277	memcpy(sc->sense_buffer, data + 2,	277	memcpy(sc->sense_buffer, data + 2,
278	min(senselen, SCSI_SENSE_BUFFERSIZE));	278	min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
279	debug_scsi("copied %d bytes of sense\n",	279	debug_scsi("copied %d bytes of sense\n",
280	min(senselen, SCSI_SENSE_BUFFERSIZE));	280	min(senselen, SCSI_SENSE_BUFFERSIZE));
281	}	281	}