From: Bart Van Assche Date: Wed, 9 Dec 2009 18:52:19 +0000 (+0100) Subject: [SCSI] libsrp: fix bug in ADDITIONAL CDB LENGTH interpretation X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=78d85019ba8c13e1094cad0ea9bb4f61caad8320;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git [SCSI] libsrp: fix bug in ADDITIONAL CDB LENGTH interpretation Fix a bug in the interpretation of the ADDITIONAL CDB LENGTH (add_cdb_len) field of SRP_CMD requests. According to the SRP specification, the layout of this single-byte field is as follows: * Bits 0 and 1 are reserved. * Bits 2 to 7 represent the ADDITIONAL CDB LENGTH field, symbolically represented as n. * Still according to the SRP specification, the ADDITIONAL CDB section takes 4*n bytes. Currently libsrp is only used by the ibmvscsi driver. Since the ibmvscsi driver doesn't support large CDB's, this bug hasn't caused any problems yet. [jejb: use & ~3 to mask the bits] Signed-off-by: Bart Van Assche Acked-by: FUJITA Tomonori Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/libsrp.c b/drivers/scsi/libsrp.c index f79602f28ba7..22775165bf6a 100644 --- a/drivers/scsi/libsrp.c +++ b/drivers/scsi/libsrp.c @@ -328,7 +328,7 @@ int srp_transfer_data(struct scsi_cmnd *sc, struct srp_cmd *cmd, int offset, err = 0; u8 format; - offset = cmd->add_cdb_len * 4; + offset = cmd->add_cdb_len & ~3; dir = srp_cmd_direction(cmd); if (dir == DMA_FROM_DEVICE) @@ -366,7 +366,7 @@ static int vscsis_data_length(struct srp_cmd *cmd, enum dma_data_direction dir) { struct srp_direct_buf *md; struct srp_indirect_buf *id; - int len = 0, offset = cmd->add_cdb_len * 4; + int len = 0, offset = cmd->add_cdb_len & ~3; u8 fmt; if (dir == DMA_TO_DEVICE)