From: Mike Christie <michaelc@xxxxxxxxxxx>
Yanling Qi, noted that when the sense data length of
a check-condition is greater than 0x7f (127), senselen = (data[0] << 8)
| data[1] will become negative. It causes different kinds of panics from
GPF, spin_lock deadlock to spin_lock recursion.
We were also swapping this value on big endien machines.
This patch fixes both issues by using be16_to_cpu().
Signed-off-by: Mike Christie <michaelc@xxxxxxxxxxx>
---
drivers/scsi/libiscsi.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 5d88621..c58ae3b 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -260,7 +260,7 @@ static int iscsi_scsi_cmd_rsp(struct isc
}
if (rhdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
- int senselen;
+ uint16_t senselen;
if (datalen < 2) {
invalid_datalen:
@@ -270,12 +270,12 @@ invalid_datalen:
goto out;
}
- senselen = (data[0] << 8) | data[1];
+ senselen = be16_to_cpu(*(uint16_t *)data);
if (datalen < senselen)
goto invalid_datalen;
memcpy(sc->sense_buffer, data + 2,
- min(senselen, SCSI_SENSE_BUFFERSIZE));
+ min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
debug_scsi("copied %d bytes of sense\n",
min(senselen, SCSI_SENSE_BUFFERSIZE));
}
--
1.4.1.1
-
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
