| author | Karuna Ramkumar <rkaruna@google.com> | 2026-07-02 02:01:42 +0000 |
|---|---|---|
| committer | Damien Le Moal <dlemoal@kernel.org> | 2026-07-03 13:44:18 +0900 |
| commit | cd64be0ecd399fa2b1ab60b3aaf2b2b744243467 (patch) | |
| tree | 6782d8e4aafad82e17f06555adb6e1cb935d3fe6 /arch/c6x/lib/git@git.tavy.me:linux.git | |
| parent | fcaf242e7fc406e78f444a35441e3b58f5e28781 (diff) | |
ata: libata-scsi: limit simulated SCSI command copy to response length

The function ata_scsi_rbuf_fill() is used to copy the response of
emulated SCSI commands from ata_scsi_rbuf to the SCSI command's
scatterlist.

Currently, sg_copy_from_buffer() is called with the size argument
set to ATA_SCSI_RBUF_SIZE (2048 bytes). Since ata_scsi_rbuf is
zeroed out before the simulation actor is invoked, copying the
full buffer size causes the remainder of the SCSI command's
transfer buffer (beyond the actual response length 'len') to be
overwritten with zeroes. This clobbers any pre-existing sentinel
values or data in the caller's buffer tail, even though the
correct residual count is reported via scsi_set_resid().

Fix this by passing the actual response length 'len' as the copy
size to sg_copy_from_buffer(), ensuring that the tail of the
caller's buffer remains untouched. Also, add a defensive check
to ensure that the actor does not return a length exceeding the
static buffer capacity. If this occurs, trigger a WARN_ON(),
fail the command with an aborted command error, and return
immediately without copying any data.

The fix was tested by invoking an SCSI SG_IO INQUIRY on
an ATA disk on vanilla build, and build with the fix. Confirmed
that the input buffer's tail end remains unmodified with the fix.

Fixes: 5251ae224d8d ("ata: libata-scsi: Return residual for emulated SCSI commands")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Karuna Ramkumar <rkaruna@google.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>

Diffstat (limited to 'arch/c6x/lib/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
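
The tail clobbering described in the commit message, as an added user-space model; it is not the kernel's code or the patch itself. The names `rbuf_fill`, `copy_to_caller`, `sample_actor`, `oversize_actor` and `tail_intact`, the 36-byte response and the 0xEE sentinel are assumptions made for illustration, and `memcpy` stands in for `sg_copy_from_buffer()`.

```c
#include <stdio.h>
#include <string.h>

#define RBUF_SIZE 2048  /* size the commit message gives for ATA_SCSI_RBUF_SIZE */
static unsigned char rbuf[RBUF_SIZE];   /* stand-in for the static ata_scsi_rbuf */

/* Hypothetical actor: writes a constructed 36-byte response. */
static size_t sample_actor(unsigned char *buf) { memset(buf, 0xA5, 36); return 36; }
/* Hypothetical actor that misreports its length, to exercise the bound check. */
static size_t oversize_actor(unsigned char *buf) { (void)buf; return RBUF_SIZE + 1; }

/* Stand-in for sg_copy_from_buffer(): never writes past the caller's buffer. */
static void copy_to_caller(unsigned char *dst, size_t dst_len, size_t n)
{
    memcpy(dst, rbuf, n < dst_len ? n : dst_len);
}

/* limit_to_len == 0 models the old copy of RBUF_SIZE bytes; non-zero models
 * copying only 'len'. Returns the residual, or -1 if len exceeds rbuf. */
static long rbuf_fill(size_t (*actor)(unsigned char *), unsigned char *dst,
                      size_t dst_len, int limit_to_len)
{
    size_t len;

    memset(rbuf, 0, sizeof(rbuf));      /* zeroed before the actor runs */
    len = actor(rbuf);
    if (limit_to_len && len > RBUF_SIZE)
        return -1;                      /* fail the command, copy nothing */
    copy_to_caller(dst, dst_len, limit_to_len ? len : RBUF_SIZE);
    return len < dst_len ? (long)(dst_len - len) : 0;
}

/* Count bytes in dst[from..dst_len) that still hold the caller's sentinel. */
static size_t tail_intact(const unsigned char *dst, size_t from, size_t dst_len,
                          unsigned char sentinel)
{
    size_t i, n = 0;
    for (i = from; i < dst_len; i++)
        n += dst[i] == sentinel;
    return n;
}

int main(void)
{
    unsigned char buf[96];
    for (int fixed = 0; fixed <= 1; fixed++) {
        memset(buf, 0xEE, sizeof(buf));     /* caller's sentinel pattern */
        long resid = rbuf_fill(sample_actor, buf, sizeof(buf), fixed);
        printf("fixed=%d resid=%ld tail intact=%zu\n", fixed, resid,
               tail_intact(buf, 36, sizeof(buf), 0xEE));
    }
    printf("oversize: %ld\n", rbuf_fill(oversize_actor, buf, sizeof(buf), 1));
    return 0;
}
```

Both modes report the same residual, which is why the clobbering is only visible to a caller that checks the bytes past the response length.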
