From 72ce39b89d87906f9388ab2d369fba02c11a440b Mon Sep 17 00:00:00 2001
From: Gleb Chesnokov
Date: Wed, 19 Oct 2022 19:06:29 +0300
Subject: [PATCH] scst_lib: Fix handling of an INQUIRY with buffer size 0

Sending an INQUIRY with a buffer size 0 to the LUN that does not exist causes the following kernel panic:

RIP: 0010:sg_init_table+0x1e/0x30
Call Trace:
scst_alloc_sg+0xc3/0x270 [scst]
scst_set_cmd_error+0x8c9/0xa80 [scst]
__scst_init_cmd+0x5c3/0xb80 [scst]
scst_cmd_init_done+0x142/0xae0 [scst]
cmnd_rx_start+0x7f5/0x13d0 [iscsi_scst]
isert_pdu_rx+0x54/0x140 [isert_scst]
isert_recv_completion_handler+0x498/0x580 [isert_scst]
isert_poll_cq+0x396/0x800 [isert_scst]
isert_cq_comp_work_cb+0x4a/0x120 [isert_scst]
process_one_work+0x1d1/0x410
worker_thread+0x2b/0x3d0
kthread+0x11a/0x130
ret_from_fork+0x1f/0x40

Hence set bufflen to 36 if a buffer size 0 was passed to avoid the crash.

Reported-by: Lev Vainblat
---
 scst/src/scst_lib.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c
index 868f982ff..43afed44c 100644
--- a/scst/src/scst_lib.c
+++ b/scst/src/scst_lib.c
@@ -1927,10 +1927,10 @@ out:

 static int scst_set_lun_not_supported_inquiry(struct scst_cmd *cmd)
 {
- int res;
 uint8_t *buf;
 struct scatterlist *sg;
 int len;
+ int res = 0;

 TRACE_ENTRY();

@@ -1942,8 +1942,11 @@ static int scst_set_lun_not_supported_inquiry(struct scst_cmd *cmd)
 }

 if (cmd->sg == NULL) {
- if (cmd->bufflen == 0)
- cmd->bufflen = min_t(int, 36, get_unaligned_be16(&cmd->cdb[3]));
+ if (cmd->bufflen == 0) {
+ int bufflen = get_unaligned_be16(&cmd->cdb[3]);
+
+ cmd->bufflen = bufflen ? min_t(int, 36, bufflen) : 36;
+ }

 /*
 * If target driver preparing data buffer using tgt_alloc_data_buf()
@@ -1990,12 +1993,12 @@ go:
 cmd->data_direction = SCST_DATA_READ;
 scst_set_resp_data_len(cmd, len);

- res = 0;
 cmd->completed = 1;
 cmd->resid_possible = 1;

 out:
 TRACE_EXIT_RES(res);
+
 return res;
 }
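Review bot: Initialising `res` to 0 at its declaration makes success the default return for every path that reaches `out:`, so an error path that forgets to set `res` would report success silently instead of drawing an uninitialised-variable warning. The same change shows in the last hunk, where `res = 0;` is dropped from the success path after `go:`. Unless a path outside these hunks needs the default, I would keep `int res;` and the explicit `res = 0;` before `cmd->completed = 1;`. The function body between the hunks is not visible here, so this is a style point rather than a confirmed bug.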
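Review bot: The literal `36` appears twice in the new `cmd->bufflen` assignment, with no comment on why a zero allocation length is promoted to a full-size buffer. The length comes from `cmd->cdb[3]`, which the initiator controls, and the commit message shows the zero case reaching `sg_init_table()` through `scst_alloc_sg()`; I would record that beside the code, e.g. `/* allocation length 0: still use 36 so scst_alloc_sg() never gets a zero-length request */`, and give 36 a name. Only this caller is guarded; if `scst_alloc_sg()` has other callers that pass CDB-derived lengths, a zero-size check inside it would be the more durable fix, which is worth verifying since that function is outside the patch. The body of `scst_set_lun_not_supported_inquiry()` continues outside the hunk.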