aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/scsi/libsrp.c
diff options
context:
space:
mode:
authorBart Van Assche <bart.vanassche@gmail.com>2009-12-09 13:52:19 -0500
committerJames Bottomley <James.Bottomley@suse.de>2010-02-19 12:11:07 -0500
commit78d85019ba8c13e1094cad0ea9bb4f61caad8320 (patch)
tree354b5a78854011757aef654080d8db3c72bbdb13 /drivers/scsi/libsrp.c
parent22963a37b3437a25812cc856afa5a84ad4a3f541 (diff)
[SCSI] libsrp: fix bug in ADDITIONAL CDB LENGTH interpretation
Fix a bug in the interpretation of the ADDITIONAL CDB LENGTH (add_cdb_len) field of SRP_CMD requests. According to the SRP specification, the layout of this single-byte field is as follows: * Bits 0 and 1 are reserved. * Bits 2 to 7 represent the ADDITIONAL CDB LENGTH field, symbolically represented as n. * Still according to the SRP specification, the ADDITIONAL CDB section takes 4*n bytes. Currently libsrp is only used by the ibmvscsi driver. Since the ibmvscsi driver doesn't support large CDB's, this bug hasn't caused any problems yet. [jejb: use & ~3 to mask the bits] Signed-off-by: Bart Van Assche <bart.vanassche@gmail.com> Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi/libsrp.c')
-rw-r--r--drivers/scsi/libsrp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/scsi/libsrp.c b/drivers/scsi/libsrp.c
index f79602f28ba7..22775165bf6a 100644
--- a/drivers/scsi/libsrp.c
+++ b/drivers/scsi/libsrp.c
@@ -328,7 +328,7 @@ int srp_transfer_data(struct scsi_cmnd *sc, struct srp_cmd *cmd,
328 int offset, err = 0; 328 int offset, err = 0;
329 u8 format; 329 u8 format;
330 330
331 offset = cmd->add_cdb_len * 4; 331 offset = cmd->add_cdb_len & ~3;
332 332
333 dir = srp_cmd_direction(cmd); 333 dir = srp_cmd_direction(cmd);
334 if (dir == DMA_FROM_DEVICE) 334 if (dir == DMA_FROM_DEVICE)
@@ -366,7 +366,7 @@ static int vscsis_data_length(struct srp_cmd *cmd, enum dma_data_direction dir)
366{ 366{
367 struct srp_direct_buf *md; 367 struct srp_direct_buf *md;
368 struct srp_indirect_buf *id; 368 struct srp_indirect_buf *id;
369 int len = 0, offset = cmd->add_cdb_len * 4; 369 int len = 0, offset = cmd->add_cdb_len & ~3;
370 u8 fmt; 370 u8 fmt;
371 371
372 if (dir == DMA_TO_DEVICE) 372 if (dir == DMA_TO_DEVICE)