aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/scsi/iscsi_tcp.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/scsi/iscsi_tcp.c')
-rw-r--r--drivers/scsi/iscsi_tcp.c21
1 files changed, 12 insertions, 9 deletions
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 17fc79c408a2..b2827d112cb0 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -216,6 +216,7 @@ iscsi_data_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
216 struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data; 216 struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data;
217 struct iscsi_data_rsp *rhdr = (struct iscsi_data_rsp *)tcp_conn->in.hdr; 217 struct iscsi_data_rsp *rhdr = (struct iscsi_data_rsp *)tcp_conn->in.hdr;
218 struct iscsi_session *session = conn->session; 218 struct iscsi_session *session = conn->session;
219 struct scsi_cmnd *sc = ctask->sc;
219 int datasn = be32_to_cpu(rhdr->datasn); 220 int datasn = be32_to_cpu(rhdr->datasn);
220 221
221 rc = iscsi_check_assign_cmdsn(session, (struct iscsi_nopin*)rhdr); 222 rc = iscsi_check_assign_cmdsn(session, (struct iscsi_nopin*)rhdr);
@@ -238,12 +239,14 @@ iscsi_data_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
238 tcp_ctask->exp_datasn++; 239 tcp_ctask->exp_datasn++;
239 240
240 tcp_ctask->data_offset = be32_to_cpu(rhdr->offset); 241 tcp_ctask->data_offset = be32_to_cpu(rhdr->offset);
241 if (tcp_ctask->data_offset + tcp_conn->in.datalen > ctask->total_length) 242 if (tcp_ctask->data_offset + tcp_conn->in.datalen > sc->request_bufflen) {
243 debug_tcp("%s: data_offset(%d) + data_len(%d) > total_length_in(%d)\n",
244 __FUNCTION__, tcp_ctask->data_offset,
245 tcp_conn->in.datalen, sc->request_bufflen);
242 return ISCSI_ERR_DATA_OFFSET; 246 return ISCSI_ERR_DATA_OFFSET;
247 }
243 248
244 if (rhdr->flags & ISCSI_FLAG_DATA_STATUS) { 249 if (rhdr->flags & ISCSI_FLAG_DATA_STATUS) {
245 struct scsi_cmnd *sc = ctask->sc;
246
247 conn->exp_statsn = be32_to_cpu(rhdr->statsn) + 1; 250 conn->exp_statsn = be32_to_cpu(rhdr->statsn) + 1;
248 if (rhdr->flags & ISCSI_FLAG_DATA_UNDERFLOW) { 251 if (rhdr->flags & ISCSI_FLAG_DATA_UNDERFLOW) {
249 int res_count = be32_to_cpu(rhdr->residual_count); 252 int res_count = be32_to_cpu(rhdr->residual_count);
@@ -405,11 +408,11 @@ iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
405 r2t->data_length, session->max_burst); 408 r2t->data_length, session->max_burst);
406 409
407 r2t->data_offset = be32_to_cpu(rhdr->data_offset); 410 r2t->data_offset = be32_to_cpu(rhdr->data_offset);
408 if (r2t->data_offset + r2t->data_length > ctask->total_length) { 411 if (r2t->data_offset + r2t->data_length > ctask->sc->request_bufflen) {
409 spin_unlock(&session->lock); 412 spin_unlock(&session->lock);
410 printk(KERN_ERR "iscsi_tcp: invalid R2T with data len %u at " 413 printk(KERN_ERR "iscsi_tcp: invalid R2T with data len %u at "
411 "offset %u and total length %d\n", r2t->data_length, 414 "offset %u and total length %d\n", r2t->data_length,
412 r2t->data_offset, ctask->total_length); 415 r2t->data_offset, ctask->sc->request_bufflen);
413 return ISCSI_ERR_DATALEN; 416 return ISCSI_ERR_DATALEN;
414 } 417 }
415 418
@@ -604,7 +607,7 @@ iscsi_ctask_copy(struct iscsi_tcp_conn *tcp_conn, struct iscsi_cmd_task *ctask,
604{ 607{
605 struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data; 608 struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data;
606 int buf_left = buf_size - (tcp_conn->data_copied + offset); 609 int buf_left = buf_size - (tcp_conn->data_copied + offset);
607 int size = min(tcp_conn->in.copy, buf_left); 610 unsigned size = min(tcp_conn->in.copy, buf_left);
608 int rc; 611 int rc;
609 612
610 size = min(size, ctask->data_count); 613 size = min(size, ctask->data_count);
@@ -613,7 +616,7 @@ iscsi_ctask_copy(struct iscsi_tcp_conn *tcp_conn, struct iscsi_cmd_task *ctask,
613 size, tcp_conn->in.offset, tcp_conn->in.copied); 616 size, tcp_conn->in.offset, tcp_conn->in.copied);
614 617
615 BUG_ON(size <= 0); 618 BUG_ON(size <= 0);
616 BUG_ON(tcp_ctask->sent + size > ctask->total_length); 619 BUG_ON(tcp_ctask->sent + size > ctask->sc->request_bufflen);
617 620
618 rc = skb_copy_bits(tcp_conn->in.skb, tcp_conn->in.offset, 621 rc = skb_copy_bits(tcp_conn->in.skb, tcp_conn->in.offset,
619 (char*)buf + (offset + tcp_conn->data_copied), size); 622 (char*)buf + (offset + tcp_conn->data_copied), size);
@@ -1292,7 +1295,7 @@ iscsi_tcp_cmd_init(struct iscsi_cmd_task *ctask)
1292 1295
1293 if (sc->sc_data_direction == DMA_TO_DEVICE) { 1296 if (sc->sc_data_direction == DMA_TO_DEVICE) {
1294 tcp_ctask->xmstate = XMSTATE_W_HDR; 1297 tcp_ctask->xmstate = XMSTATE_W_HDR;
1295 BUG_ON(ctask->total_length == 0); 1298 BUG_ON(sc->request_bufflen == 0);
1296 1299
1297 if (sc->use_sg) { 1300 if (sc->use_sg) {
1298 struct scatterlist *sg = sc->request_buffer; 1301 struct scatterlist *sg = sc->request_buffer;
@@ -1309,7 +1312,7 @@ iscsi_tcp_cmd_init(struct iscsi_cmd_task *ctask)
1309 } 1312 }
1310 debug_scsi("cmd [itt 0x%x total %d imm_data %d " 1313 debug_scsi("cmd [itt 0x%x total %d imm_data %d "
1311 "unsol count %d, unsol offset %d]\n", 1314 "unsol count %d, unsol offset %d]\n",
1312 ctask->itt, ctask->total_length, ctask->imm_count, 1315 ctask->itt, sc->request_bufflen, ctask->imm_count,
1313 ctask->unsol_count, ctask->unsol_offset); 1316 ctask->unsol_count, ctask->unsol_offset);
1314 } else 1317 } else
1315 tcp_ctask->xmstate = XMSTATE_R_HDR; 1318 tcp_ctask->xmstate = XMSTATE_R_HDR;