linux/drivers
Damien Le Moal e15de347fa scsi: core: Fix scsi_mode_sense() buffer length handling
[ Upstream commit 17b49bcbf8 ]

Several problems exist with scsi_mode_sense() buffer length handling:

 1) The allocation length field of the MODE SENSE(10) command is 16-bits,
    occupying bytes 7 and 8 of the CDB. With this command, access to mode
    pages larger than 255 bytes is thus possible. However, the CDB
    allocation length field is set by assigning len to byte 8 only, thus
    truncating buffer length larger than 255.

 2) If scsi_mode_sense() is called with len smaller than 8 with
    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length
    is increased to 8 and 4 respectively, and the buffer is zero filled
    with these increased values, thus corrupting the memory following the
    buffer.

Fix these 2 problems by using put_unaligned_be16() to set the allocation
length field of MODE SENSE(10) CDB and by returning an error when len is
too small.

Furthermore, if len is larger than 255B, always try MODE SENSE(10) first,
even if the device driver did not set sdev->use_10_for_ms. In case of
invalid opcode error for MODE SENSE(10), access to mode pages larger than
255 bytes is not retried using MODE SENSE(6). To avoid buffer length
overflows for the MODE_SENSE(10) case, check that len is smaller than 65535
bytes.

While at it, also fix the following:

 * Use get_unaligned_be16() to retrieve the mode data length and block
   descriptor length fields of the mode sense reply header instead of using
   an open coded calculation.

 * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable
   Block Descriptor, which is the opposite of what the dbd argument
   description was.

Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-25 09:48:26 +01:00
accessibility
acpi Revert "ACPI: scan: Release PM resources blocked by unused objects" 2021-11-21 13:44:14 +01:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:13:31 +01:00
android binder: don't detect sender/target during buffer cleanup 2021-11-12 15:05:49 +01:00
ata libata: fix checking of DMA state 2021-11-18 19:16:00 +01:00
atm
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 19:17:02 +01:00
base PM: sleep: Avoid calling put_device() under dpm_list_mtx 2021-11-18 19:17:17 +01:00
bcma Driver core update for 5.15-rc1 2021-09-01 08:44:42 -07:00
block loop: Use blk_validate_block_size() to validate block size 2021-11-21 13:44:13 +01:00
bluetooth Bluetooth: btusb: Add support for TP-Link UB500 Adapter 2021-11-21 13:44:13 +01:00
bus bus: ti-sysc: Use context lost quirk for otg 2021-11-25 09:48:25 +01:00
cdrom
char ipmi: kcs_bmc: Fix a memory leak in the error handling path of 'kcs_bmc_serio_add_device()' 2021-11-18 19:16:44 +01:00
clk clk: sunxi-ng: Unregister clocks/resets when unbinding 2021-11-25 09:48:23 +01:00
clocksource clocksource/drivers/timer-ti-dm: Select TIMER_OF 2021-11-18 19:16:39 +01:00
comedi comedi: vmk80xx: fix bulk and interrupt message timeouts 2021-11-12 15:05:51 +01:00
connector
counter
cpufreq cpufreq: intel_pstate: Clear HWP desired on suspend/shutdown and offline 2021-11-18 19:17:08 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 19:16:29 +01:00
crypto crypto: octeontx2 - set assoclen in aead_do_fallback() 2021-11-18 19:16:33 +01:00
cxl cxl/pci: Fix NULL vs ERR_PTR confusion 2021-11-18 19:16:04 +01:00
dax libnvdimm for v5.15 2021-09-09 11:39:57 -07:00
dca
devfreq devfreq: use HZ macros 2021-09-08 11:50:26 -07:00
dio
dma dmaengine: bestcomm: fix system boot lockups 2021-11-18 19:17:16 +01:00
dma-buf dma-buf: WARN on dmabuf release with pending attachments 2021-11-18 19:16:08 +01:00
edac EDAC/amd64: Handle three rank interleaving mode 2021-11-18 19:16:30 +01:00
eisa
extcon
firewire FireWire (IEEE 1394) subsystem updates: 2021-09-11 09:47:33 -07:00
firmware firmware: qcom_scm: Fix error retval in __qcom_scm_is_call_available() 2021-11-18 19:16:55 +01:00
fpga fpga: ice40-spi: Add SPI device ID table 2021-09-27 14:00:41 -07:00
fsi
gnss
gpio gpio: realtek-otto: fix GPIO line IRQ offset 2021-11-18 19:17:04 +01:00
gpu Revert "drm: fb_helper: fix CONFIG_FB dependency" 2021-11-21 13:44:12 +01:00
greybus
hid HID: u2fzero: properly handle timeouts in usb_submit_urb 2021-11-18 19:16:56 +01:00
hsi
hv hyperv-fixes for 5.15 2021-10-22 10:31:32 -10:00
hwmon hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff 2021-11-18 19:16:32 +01:00
hwspinlock
hwtracing coresight: trbe: Defer the probe on offline CPUs 2021-11-18 19:16:06 +01:00
i2c i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' 2021-11-18 19:17:04 +01:00
i3c
idle
iio iio: adis: do not disabe IRQs in 'adis_init()' 2021-11-18 19:16:54 +01:00
infiniband RDMA/rxe: Separate HW and SW l/rkeys 2021-11-25 09:48:26 +01:00
input Input: st1232 - increase "wait ready" timeout 2021-11-18 19:17:01 +01:00
interconnect interconnect: qcom: sdm660: Add missing a2noc qos clocks 2021-09-13 15:49:55 +03:00
iommu iommu/dma: Fix incorrect error return on iommu deferred attach 2021-11-18 19:16:57 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-09-27 17:38:49 +02:00
irqchip irqchip/sifive-plic: Fixup EOI failed when masked 2021-11-18 19:17:14 +01:00
isdn mISDN: Fix return values of the probe function 2021-10-19 13:09:28 +01:00
leds
macintosh memblock: introduce saner 'memblock_free_ptr()' interface 2021-09-14 13:23:22 -07:00
mailbox mailbox: mtk-cmdq: Fix local clock ID usage 2021-11-18 19:16:35 +01:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-14 11:22:26 +02:00
md bcache: Revert "bcache: use bvec_virt" 2021-11-18 19:17:17 +01:00
media media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference 2021-11-18 19:17:21 +01:00
memory memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe 2021-11-18 19:16:51 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 19:16:32 +01:00
message
mfd mfd: dln2: Add cell for initializing DLN2 ADC 2021-11-18 19:17:17 +01:00
misc eeprom: 93xx46: fix MODULE_DEVICE_TABLE 2021-10-15 10:54:02 +02:00
mmc mmc: moxart: Fix null pointer dereference on pointer host 2021-11-18 19:17:20 +01:00
most most: fix control-message timeouts 2021-11-18 19:16:08 +01:00
mtd mtd: rawnand: au1550nd: Keep the driver compatible with on-die ECC engines 2021-11-18 19:17:19 +01:00
mux
net ath10k: fix invalid dma_addr_t token assignment 2021-11-18 19:17:20 +01:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-18 19:17:10 +01:00
ntb Bug fixes and clean-ups for Linux v5.15 2021-09-07 13:05:02 -07:00
nubus
nvdimm nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned 2021-11-18 19:17:07 +01:00
nvme nvme-rdma: fix error code in nvme_rdma_setup_ctrl 2021-11-18 19:16:38 +01:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-13 15:09:58 +02:00
of of: unittest: fix EXPECT text for gpio hog errors 2021-11-18 19:16:45 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 19:17:00 +01:00
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-09 12:44:31 +02:00
parport parisc architecture updates for kernel 5.15: 2021-09-02 13:16:00 -07:00
pci PCI: Add MSI masking quirk for Nvidia ION AHCI 2021-11-21 13:44:14 +01:00
pcmcia
perf KVM: arm64: Fix PMU probe ordering 2021-09-20 12:43:34 +01:00
phy phy: Sparx5 Eth SerDes: Fix return value check in sparx5_serdes_probe() 2021-11-18 19:16:56 +01:00
pinctrl pinctrl: equilibrium: Fix function addition in multiple groups 2021-11-18 19:16:55 +01:00
platform platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning 2021-11-18 19:16:34 +01:00
pnp
power power: supply: bq27xxx: Fix kernel crash on IRQ handler register error 2021-11-18 19:16:58 +01:00
powercap powercap: Add Power Limit4 support for Alder Lake SoC 2021-08-25 20:12:16 +02:00
pps
ps3
ptp ptp: free 'vclock_index' in ptp_clock_release() 2021-10-21 12:50:38 +01:00
pwm pwm: mtk-disp: Implement atomic API .get_state() 2021-09-02 22:27:46 +02:00
rapidio
ras
regulator regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled 2021-11-18 19:15:57 +01:00
remoteproc remoteproc: imx_rproc: Fix rsc-table name 2021-11-18 19:17:18 +01:00
reset reset: socfpga: add empty driver allowing consumers to probe 2021-10-05 12:23:16 +02:00
rpmsg
rtc rtc: rv3032: fix error handling in rv3032_clkout_set_rate() 2021-11-18 19:17:01 +01:00
s390 s390/cio: make ccw_device_dma_* more robust 2021-11-18 19:17:18 +01:00
sbus
scsi scsi: core: Fix scsi_mode_sense() buffer length handling 2021-11-25 09:48:26 +01:00
sh
siox
slimbus Driver core update for 5.15-rc1 2021-09-01 08:44:42 -07:00
soc soc: fsl: dpaa2-console: free buffer before returning from dpaa2_console_read 2021-11-18 19:17:02 +01:00
soundwire soundwire: bus: stop dereferencing invalid slave pointer 2021-11-18 19:16:54 +01:00
spi spi: spi-rpc-if: Check return value of rpcif_sw_init() 2021-11-18 19:16:42 +01:00
spmi
ssb
staging staging: rtl8723bs: remove a third possible deadlock 2021-11-25 09:48:25 +01:00
target scsi: target: core: Remove from tmr_list during LUN unlink 2021-11-18 19:17:03 +01:00
tc
tee tee: optee: Fix missing devices unregister during optee_remove 2021-10-12 13:24:39 +02:00
thermal thermal: Fix NULL pointer dereferences in of_thermal_ functions 2021-11-21 13:44:14 +01:00
thunderbolt thunderbolt: build kunit tests without structleak plugin 2021-10-06 17:53:49 -06:00
tty serial: cpm_uart: Protect udbg definitions by CONFIG_SERIAL_CPM_CONSOLE 2021-11-18 19:16:57 +01:00
uio
usb usb: typec: tipd: Remove WARN_ON in tps6598x_block_read 2021-11-25 09:48:25 +01:00
vdpa vdpa/mlx5: Fix clearing of VIRTIO_NET_F_MAC feature bit 2021-11-18 19:16:58 +01:00
vfio vfio/pci: add missing identifier name in argument of function prototype 2021-09-23 14:12:36 -06:00
vhost virtio,vdpa: fixes 2021-10-17 18:17:19 -10:00
video video: backlight: Drop maximum brightness override for brightness zero 2021-11-18 19:17:17 +01:00
virt
virtio virtio_ring: check desc == NULL when using indirect with packed 2021-11-18 19:16:58 +01:00
visorbus
vlynq
vme
w1
watchdog ar7: fix kernel builds for compiler test 2021-11-18 19:17:03 +01:00
xen xen-pciback: Fix return in pm_ctrl_init() 2021-11-18 19:17:05 +01:00
zorro
Kconfig firmware: include drivers/firmware/Kconfig unconditionally 2021-10-07 16:51:26 +02:00
Makefile