diff options
Diffstat (limited to 'drivers/scsi/iscsi_tcp.c')
-rw-r--r-- | drivers/scsi/iscsi_tcp.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 17fc79c408a2..b2827d112cb0 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c | |||
@@ -216,6 +216,7 @@ iscsi_data_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask) | |||
216 | struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data; | 216 | struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data; |
217 | struct iscsi_data_rsp *rhdr = (struct iscsi_data_rsp *)tcp_conn->in.hdr; | 217 | struct iscsi_data_rsp *rhdr = (struct iscsi_data_rsp *)tcp_conn->in.hdr; |
218 | struct iscsi_session *session = conn->session; | 218 | struct iscsi_session *session = conn->session; |
219 | struct scsi_cmnd *sc = ctask->sc; | ||
219 | int datasn = be32_to_cpu(rhdr->datasn); | 220 | int datasn = be32_to_cpu(rhdr->datasn); |
220 | 221 | ||
221 | rc = iscsi_check_assign_cmdsn(session, (struct iscsi_nopin*)rhdr); | 222 | rc = iscsi_check_assign_cmdsn(session, (struct iscsi_nopin*)rhdr); |
@@ -238,12 +239,14 @@ iscsi_data_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask) | |||
238 | tcp_ctask->exp_datasn++; | 239 | tcp_ctask->exp_datasn++; |
239 | 240 | ||
240 | tcp_ctask->data_offset = be32_to_cpu(rhdr->offset); | 241 | tcp_ctask->data_offset = be32_to_cpu(rhdr->offset); |
241 | if (tcp_ctask->data_offset + tcp_conn->in.datalen > ctask->total_length) | 242 | if (tcp_ctask->data_offset + tcp_conn->in.datalen > sc->request_bufflen) { |
243 | debug_tcp("%s: data_offset(%d) + data_len(%d) > total_length_in(%d)\n", | ||
244 | __FUNCTION__, tcp_ctask->data_offset, | ||
245 | tcp_conn->in.datalen, sc->request_bufflen); | ||
242 | return ISCSI_ERR_DATA_OFFSET; | 246 | return ISCSI_ERR_DATA_OFFSET; |
247 | } | ||
243 | 248 | ||
244 | if (rhdr->flags & ISCSI_FLAG_DATA_STATUS) { | 249 | if (rhdr->flags & ISCSI_FLAG_DATA_STATUS) { |
245 | struct scsi_cmnd *sc = ctask->sc; | ||
246 | |||
247 | conn->exp_statsn = be32_to_cpu(rhdr->statsn) + 1; | 250 | conn->exp_statsn = be32_to_cpu(rhdr->statsn) + 1; |
248 | if (rhdr->flags & ISCSI_FLAG_DATA_UNDERFLOW) { | 251 | if (rhdr->flags & ISCSI_FLAG_DATA_UNDERFLOW) { |
249 | int res_count = be32_to_cpu(rhdr->residual_count); | 252 | int res_count = be32_to_cpu(rhdr->residual_count); |
@@ -405,11 +408,11 @@ iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask) | |||
405 | r2t->data_length, session->max_burst); | 408 | r2t->data_length, session->max_burst); |
406 | 409 | ||
407 | r2t->data_offset = be32_to_cpu(rhdr->data_offset); | 410 | r2t->data_offset = be32_to_cpu(rhdr->data_offset); |
408 | if (r2t->data_offset + r2t->data_length > ctask->total_length) { | 411 | if (r2t->data_offset + r2t->data_length > ctask->sc->request_bufflen) { |
409 | spin_unlock(&session->lock); | 412 | spin_unlock(&session->lock); |
410 | printk(KERN_ERR "iscsi_tcp: invalid R2T with data len %u at " | 413 | printk(KERN_ERR "iscsi_tcp: invalid R2T with data len %u at " |
411 | "offset %u and total length %d\n", r2t->data_length, | 414 | "offset %u and total length %d\n", r2t->data_length, |
412 | r2t->data_offset, ctask->total_length); | 415 | r2t->data_offset, ctask->sc->request_bufflen); |
413 | return ISCSI_ERR_DATALEN; | 416 | return ISCSI_ERR_DATALEN; |
414 | } | 417 | } |
415 | 418 | ||
@@ -604,7 +607,7 @@ iscsi_ctask_copy(struct iscsi_tcp_conn *tcp_conn, struct iscsi_cmd_task *ctask, | |||
604 | { | 607 | { |
605 | struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data; | 608 | struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data; |
606 | int buf_left = buf_size - (tcp_conn->data_copied + offset); | 609 | int buf_left = buf_size - (tcp_conn->data_copied + offset); |
607 | int size = min(tcp_conn->in.copy, buf_left); | 610 | unsigned size = min(tcp_conn->in.copy, buf_left); |
608 | int rc; | 611 | int rc; |
609 | 612 | ||
610 | size = min(size, ctask->data_count); | 613 | size = min(size, ctask->data_count); |
@@ -613,7 +616,7 @@ iscsi_ctask_copy(struct iscsi_tcp_conn *tcp_conn, struct iscsi_cmd_task *ctask, | |||
613 | size, tcp_conn->in.offset, tcp_conn->in.copied); | 616 | size, tcp_conn->in.offset, tcp_conn->in.copied); |
614 | 617 | ||
615 | BUG_ON(size <= 0); | 618 | BUG_ON(size <= 0); |
616 | BUG_ON(tcp_ctask->sent + size > ctask->total_length); | 619 | BUG_ON(tcp_ctask->sent + size > ctask->sc->request_bufflen); |
617 | 620 | ||
618 | rc = skb_copy_bits(tcp_conn->in.skb, tcp_conn->in.offset, | 621 | rc = skb_copy_bits(tcp_conn->in.skb, tcp_conn->in.offset, |
619 | (char*)buf + (offset + tcp_conn->data_copied), size); | 622 | (char*)buf + (offset + tcp_conn->data_copied), size); |
@@ -1292,7 +1295,7 @@ iscsi_tcp_cmd_init(struct iscsi_cmd_task *ctask) | |||
1292 | 1295 | ||
1293 | if (sc->sc_data_direction == DMA_TO_DEVICE) { | 1296 | if (sc->sc_data_direction == DMA_TO_DEVICE) { |
1294 | tcp_ctask->xmstate = XMSTATE_W_HDR; | 1297 | tcp_ctask->xmstate = XMSTATE_W_HDR; |
1295 | BUG_ON(ctask->total_length == 0); | 1298 | BUG_ON(sc->request_bufflen == 0); |
1296 | 1299 | ||
1297 | if (sc->use_sg) { | 1300 | if (sc->use_sg) { |
1298 | struct scatterlist *sg = sc->request_buffer; | 1301 | struct scatterlist *sg = sc->request_buffer; |
@@ -1309,7 +1312,7 @@ iscsi_tcp_cmd_init(struct iscsi_cmd_task *ctask) | |||
1309 | } | 1312 | } |
1310 | debug_scsi("cmd [itt 0x%x total %d imm_data %d " | 1313 | debug_scsi("cmd [itt 0x%x total %d imm_data %d " |
1311 | "unsol count %d, unsol offset %d]\n", | 1314 | "unsol count %d, unsol offset %d]\n", |
1312 | ctask->itt, ctask->total_length, ctask->imm_count, | 1315 | ctask->itt, sc->request_bufflen, ctask->imm_count, |
1313 | ctask->unsol_count, ctask->unsol_offset); | 1316 | ctask->unsol_count, ctask->unsol_offset); |
1314 | } else | 1317 | } else |
1315 | tcp_ctask->xmstate = XMSTATE_R_HDR; | 1318 | tcp_ctask->xmstate = XMSTATE_R_HDR; |