summaryrefslogtreecommitdiff
path: root/Documentation/laptops/git@git.tavy.me:linux.git
diff options
context:
space:
mode:
authorKaruna Ramkumar <rkaruna@google.com>2026-07-02 02:01:42 +0000
committerDamien Le Moal <dlemoal@kernel.org>2026-07-03 13:44:18 +0900
commitcd64be0ecd399fa2b1ab60b3aaf2b2b744243467 (patch)
tree6782d8e4aafad82e17f06555adb6e1cb935d3fe6 /Documentation/laptops/git@git.tavy.me:linux.git
parentfcaf242e7fc406e78f444a35441e3b58f5e28781 (diff)
ata: libata-scsi: limit simulated SCSI command copy to response length
The function ata_scsi_rbuf_fill() is used to copy the response of emulated SCSI commands from ata_scsi_rbuf to the SCSI command's scatterlist. Currently, sg_copy_from_buffer() is called with the size argument set to ATA_SCSI_RBUF_SIZE (2048 bytes). Since ata_scsi_rbuf is zeroed out before the simulation actor is invoked, copying the full buffer size causes the remainder of the SCSI command's transfer buffer (beyond the actual response length 'len') to be overwritten with zeroes. This clobbers any pre-existing sentinel values or data in the caller's buffer tail, even though the correct residual count is reported via scsi_set_resid(). Fix this by passing the actual response length 'len' as the copy size to sg_copy_from_buffer(), ensuring that the tail of the caller's buffer remains untouched. Also, add a defensive check to ensure that the actor does not return a length exceeding the static buffer capacity. If this occurs, trigger a WARN_ON(), fail the command with an aborted command error, and return immediately without copying any data. The fix was tested by invoking an SCSI SG_IO INQUIRY on an ATA disk on vanilla build, and build with the fix. Confirmed that the input buffer's tail end remains unmodified with the fix. Fixes: 5251ae224d8d ("ata: libata-scsi: Return residual for emulated SCSI commands") Assisted-by: Antigravity:gemini-3.5-flash Signed-off-by: Karuna Ramkumar <rkaruna@google.com> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Diffstat (limited to 'Documentation/laptops/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions