scst_lib: Fix handling of an INQUIRY with buffer size 0

Sending an INQUIRY with a buffer size of 0 to a LUN that does not exist
causes the following kernel panic:

RIP: 0010:sg_init_table+0x1e/0x30
Call Trace:
  scst_alloc_sg+0xc3/0x270 [scst]
  scst_set_cmd_error+0x8c9/0xa80 [scst]
  __scst_init_cmd+0x5c3/0xb80 [scst]
  scst_cmd_init_done+0x142/0xae0 [scst]
  cmnd_rx_start+0x7f5/0x13d0 [iscsi_scst]
  isert_pdu_rx+0x54/0x140 [isert_scst]
  isert_recv_completion_handler+0x498/0x580 [isert_scst]
  isert_poll_cq+0x396/0x800 [isert_scst]
  isert_cq_comp_work_cb+0x4a/0x120 [isert_scst]
  process_one_work+0x1d1/0x410
  worker_thread+0x2b/0x3d0
  kthread+0x11a/0x130
  ret_from_fork+0x1f/0x40

Hence set bufflen to 36 if a buffer size 0 was passed to avoid the
crash.

Reported-by: Lev Vainblat <lev@zadarastorage.com>
Gleb Chesnokov
2022-10-19 19:06:29 +03:00
parent 9d83d8c28a
commit 54eeae329b


@@ -1848,10 +1848,10 @@ out:
static int scst_set_lun_not_supported_inquiry(struct scst_cmd *cmd)
{
int res;
uint8_t *buf;
struct scatterlist *sg;
int len;
int res = 0;
TRACE_ENTRY();
@@ -1863,8 +1863,11 @@ static int scst_set_lun_not_supported_inquiry(struct scst_cmd *cmd)
}
if (cmd->sg == NULL) {
if (cmd->bufflen == 0)
cmd->bufflen = min_t(int, 36, get_unaligned_be16(&cmd->cdb[3]));
if (cmd->bufflen == 0) {
int bufflen = get_unaligned_be16(&cmd->cdb[3]);
cmd->bufflen = bufflen ? min_t(int, 36, bufflen) : 36;
}
/*
* If target driver preparing data buffer using tgt_alloc_data_buf()
@@ -1909,12 +1912,12 @@ go:
cmd->data_direction = SCST_DATA_READ;
scst_set_resp_data_len(cmd, len);
res = 0;
cmd->completed = 1;
cmd->resid_possible = 1;
out:
TRACE_EXIT_RES(res);
return res;
}
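Review bot: In the `cmd->sg == NULL` branch, an INQUIRY whose ALLOCATION LENGTH field (`cdb[3..4]`) is 0 now gets `cmd->bufflen = 36`, so the buffer size no longer reflects what the initiator asked for. SPC treats an allocation length of zero as "transfer no data", and the `len` passed to `scst_set_resp_data_len(cmd, len)` is computed outside these hunks, so please confirm it is still clamped to the CDB value rather than to the new `bufflen`; otherwise a remote initiator could be sent 36 bytes it did not request. The literal 36 appears twice without explanation; a comment such as `/* 36 = minimum standard INQUIRY data; a 0-byte buffer crashes sg allocation in the error path */` or a named constant would make the intent clear. Because the trace shows the crash is reached from the iSCSI/iSER receive path before any LUN is resolved, a regression test covering a zero-length INQUIRY to a nonexistent LUN would be worth adding alongside this fix.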