Skip to content

Commit

Permalink
scsi: core: Fix scsi_mode_select() buffer length handling
Browse files Browse the repository at this point in the history 
The MODE SELECT(6) command allows handling mode page buffers that are up to
255 bytes, including the 4 byte header needed in front of the page
buffer. For requests larger than this limit, automatically use the MODE
SELECT(10) command.

In both cases, since scsi_mode_select() adds the mode select page header,
checks on the buffer length value must include this header size to avoid
overflows of the command CDB allocation length field.

While at it, use put_unaligned_be16() for setting the header block
descriptor length and CDB allocation length when using MODE SELECT(10).

[mkp: fix MODE SENSE vs. MODE SELECT confusion]

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Damien Le Moal <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
  • Loading branch information
@damien-lemoal @martinkpetersen
damien-lemoal authored and martinkpetersen committed Sep 29, 2021
1 parent 17b49bc commit a7d6840
Showing 1 changed file with 13 additions and 8 deletions.
21 changes: 13 additions & 8 deletions drivers/scsi/scsi_lib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2026,8 +2026,15 @@ scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
memset(cmd, 0, sizeof(cmd));
cmd[1] = (pf ? 0x10 : 0) | (sp ? 0x01 : 0);

if (sdev->use_10_for_ms) {
if (len > 65535)
/*
* Use MODE SELECT(10) if the device asked for it or if the mode page
* and the mode select header cannot fit within the maximumm 255 bytes
* of the MODE SELECT(6) command.
*/
if (sdev->use_10_for_ms ||
len + 4 > 255 ||
data->block_descriptor_length > 255) {
if (len > 65535 - 8)
return -EINVAL;
real_buffer = kmalloc(8 + len, GFP_KERNEL);
if (!real_buffer)
Expand All @@ -2040,15 +2047,13 @@ scsi_mode_select(struct scsi_device *sdev, int pf, int sp, int modepage,
real_buffer[3] = data->device_specific;
real_buffer[4] = data->longlba ? 0x01 : 0;
real_buffer[5] = 0;
real_buffer[6] = data->block_descriptor_length >> 8;
real_buffer[7] = data->block_descriptor_length;
put_unaligned_be16(data->block_descriptor_length,
&real_buffer[6]);

cmd[0] = MODE_SELECT_10;
cmd[7] = len >> 8;
cmd[8] = len;
put_unaligned_be16(len, &cmd[7]);
} else {
if (len > 255 || data->block_descriptor_length > 255 ||
data->longlba)
if (data->longlba)
return -EINVAL;

real_buffer = kmalloc(4 + len, GFP_KERNEL);
Expand Down

0 comments on commit a7d6840

Please sign in to comment.