From 42667fe80d65edca4f97431b3d8dfcb9bed41fab Mon Sep 17 00:00:00 2001 From: Gleb Chesnokov Date: Fri, 21 Oct 2022 10:40:54 +0300 Subject: [PATCH] scst_lib: Fix handling of a SENSE with buffer size 0 Sending a REQUEST_SENSE with a buffer size 0 to the LUN that does not exist causes the following kernel panic: RIP: 0010:sg_init_table+0x1e/0x30 Call Trace: scst_alloc_sg+0xc3/0x270 [scst] scst_set_cmd_error+0x803/0xa40 [scst] __scst_init_cmd+0x5c3/0xb80 [scst] scst_cmd_init_done+0x142/0xae0 [scst] cmnd_rx_start+0x7f5/0x13d0 [iscsi_scst] isert_pdu_rx+0x54/0x140 [isert_scst] isert_recv_completion_handler+0x498/0x580 [isert_scst] isert_poll_cq+0x396/0x800 [isert_scst] isert_cq_comp_work_cb+0x4a/0x120 [isert_scst] process_one_work+0x1d1/0x410 worker_thread+0x2b/0x3d0 kthread+0x11a/0x130 ret_from_fork+0x1f/0x40 Hence set bufflen to 18 if a buffer size 0 was passed to avoid the crash. Reported-by: Lev Vainblat --- scst/src/scst_lib.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c index 43afed44c..582739e5d 100644 --- a/scst/src/scst_lib.c +++ b/scst/src/scst_lib.c @@ -1855,9 +1855,9 @@ EXPORT_SYMBOL(scst_set_cmd_error_status); static int scst_set_lun_not_supported_request_sense(struct scst_cmd *cmd, int key, int asc, int ascq) { - int res; int sense_len, len; struct scatterlist *sg; + int res = 0; TRACE_ENTRY(); @@ -1875,6 +1875,12 @@ static int scst_set_lun_not_supported_request_sense(struct scst_cmd *cmd, } if (cmd->sg == NULL) { + if (cmd->bufflen == 0) { + int bufflen = cmd->cdb[4]; + + cmd->bufflen = bufflen ?: 18; + } + /* * If target driver preparing data buffer using tgt_alloc_data_buf() * callback, it is responsible to copy the sense to its buffer 
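Review bot: Initialising `res` to 0 in the declaration makes success the default result for every `goto out` in scst_set_lun_not_supported_request_sense(), and the last hunk drops the explicit `res = 0;` that used to mark the success path. The error exits lie outside the visible hunks (for instance the branch that follows `PRINT_ERROR("Unable to alloc sg for REQUEST SENSE"`), so it should be confirmed that each one assigns a non-zero `res` before jumping; otherwise a failed allocation would be reported to the caller as success. Leaving `int res;` without an initialiser and assigning it on each path keeps a missed assignment visible to the compiler and to static analysis.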
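Review bot: The added `if (cmd->bufflen == 0)` block now runs before the tgt_alloc_data_buf() early exit, so `cmd->bufflen` is also rewritten for target drivers that supply their own data buffer; the removed code sat after that `goto go` and never touched them. The allocation length is initiator-controlled, and a driver that sized its buffer for a zero-length transfer may now see a `bufflen` of 18 that it never allocated. The condition guarding `goto go` is outside this hunk, so it should be confirmed that the sense copy and the response length on that path remain bounded by what the initiator requested. The literal 18 deserves a named constant (I recall SCST defining `SCST_STANDARD_SENSE_LEN`, to be confirmed) or a comment such as `/* ALLOCATION LENGTH 0: fall back to the fixed-format sense size so scst_alloc_sg() is never asked for 0 bytes */`. Because the panic came from `scst_alloc_sg()` being handed a zero size, a zero-size check inside that helper would also cover its other callers.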
@@ -1887,9 +1893,6 @@ static int scst_set_lun_not_supported_request_sense(struct scst_cmd *cmd, goto go; } - if (cmd->bufflen == 0) - cmd->bufflen = cmd->cdb[4]; - cmd->sg = scst_alloc_sg(cmd->bufflen, GFP_ATOMIC, &cmd->sg_cnt); if (cmd->sg == NULL) { PRINT_ERROR("Unable to alloc sg for REQUEST SENSE" @@ -1916,12 +1919,12 @@ go: cmd->data_direction = SCST_DATA_READ; scst_set_resp_data_len(cmd, sense_len); - res = 0; cmd->completed = 1; cmd->resid_possible = 1; out: TRACE_EXIT_RES(res); + return res; }