libata: fix off-by-one error in ata_tf_read_block()

commit ac8672ea922bde59acf50eaa1eaa1640a6395fd2 upstream.

ata_tf_read_block() has off-by-one error when converting CHS address
to LBA.  The bug isn't very visible because ata_tf_read_block() is
used only when generating sense data for a failed RW command and CHS
addressing isn't used too often these days.

This problem was spotted by Atsushi Nemoto.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 2bcf350..5cdd821 100644 (file)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -565,7 +565,13 @@ u64 ata_tf_read_block(struct ata_taskfile *tf, struct ata_device *dev)
                head = tf->device & 0xf;
                sect = tf->lbal;
 
-               block = (cyl * dev->heads + head) * dev->sectors + sect;
+               if (!sect) {
+                       ata_dev_printk(dev, KERN_WARNING, "device reported "
+                                      "invalid CHS sector 0\n");
+                       sect = 1; /* oh well */
+               }
+
+               block = (cyl * dev->heads + head) * dev->sectors + sect - 1;
        }
 
        return block;