author | Bart Van Assche <bart.vanassche@gmail.com> | 2009-12-09 13:52:19 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2010-02-19 12:11:07 -0500 |
commit | 78d85019ba8c13e1094cad0ea9bb4f61caad8320 (patch) | |
tree | 354b5a78854011757aef654080d8db3c72bbdb13 /drivers/scsi | |
parent | 22963a37b3437a25812cc856afa5a84ad4a3f541 (diff) |
[SCSI] libsrp: fix bug in ADDITIONAL CDB LENGTH interpretation
Fix a bug in the interpretation of the ADDITIONAL CDB LENGTH (add_cdb_len)
field of SRP_CMD requests. According to the SRP specification, the layout
of this single-byte field is as follows:
* Bits 0 and 1 are reserved.
* Bits 2 to 7 represent the ADDITIONAL CDB LENGTH field, symbolically
represented as n.
* Still according to the SRP specification, the ADDITIONAL CDB section
takes 4*n bytes.
Currently libsrp is only used by the ibmvscsi driver. Since the ibmvscsi
driver doesn't support large CDBs, this bug hasn't caused any problems yet.
[jejb: use & ~3 to mask the bits]
Signed-off-by: Bart Van Assche <bart.vanassche@gmail.com>
Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi')
-rw-r--r-- | drivers/scsi/libsrp.c | 4 |
1 files changed, 2 insertions, 2 deletions
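--- a/drivers/scsi/libsrp.c
+++ b/drivers/scsi/libsrp.c
@@ -328,7 +328,7 @@ int srp_transfer_data(struct scsi_cmnd *sc, struct srp_cmd *cmd,
 int offset, err = 0;
 u8 format;
 
-offset = cmd->add_cdb_len * 4;
+offset = cmd->add_cdb_len & ~3;
 
 dir = srp_cmd_direction(cmd);
 if (dir == DMA_FROM_DEVICE)
@@ -366,7 +366,7 @@ static int vscsis_data_length(struct srp_cmd *cmd, enum dma_data_direction dir)
 {
 struct srp_direct_buf *md;
 struct srp_indirect_buf *id;
-int len = 0, offset = cmd->add_cdb_len * 4;
+int len = 0, offset = cmd->add_cdb_len & ~3;
 u8 fmt;
 
 if (dir == DMA_TO_DEVICE)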
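Review bot: The masked value in `srp_transfer_data()` and again in `vscsis_data_length()` comes straight from a request field set by the initiator, and nothing in either hunk bounds it before it becomes `offset`; `cmd->add_cdb_len & ~3` can still be as large as 252. Both function bodies continue outside the hunks, so a later check may exist. If `offset` is used to locate the data-buffer descriptors that follow the additional CDB, it should be compared with the length of the received SRP_CMD before any descriptor is read. The bare `~3` also deserves a comment at both sites, for example `/* bits 0-1 reserved, bits 2-7 = n; ADDITIONAL CDB is 4*n bytes, so masking yields the byte count */`. Alternatively, one shared static helper would keep the two computations from drifting apart.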