diff mbox series

scsi: scsi_debug: Fix buffer size of REPORT ZONES command

Message ID 20211206122939.105942-1-shinichiro.kawasaki@wdc.com (mailing list archive)
State Superseded
Headers show
Series scsi: scsi_debug: Fix buffer size of REPORT ZONES command | expand

Commit Message

Shinichiro Kawasaki Dec. 6, 2021, 12:29 p.m. UTC
According to ZBC and SPC specifications, the unit of ALLOCATION LENGTH
field of REPORT ZONES command is byte. However, current scsi_debug
implementation handles it as number of zones to calculate buffer size to
report zones. When the ALLOCATION LENGTH has a large number, this
results in too large buffer size and causes memory allocation failure.
Fix the failure by handling ALLOCATION LENGTH as byte unit.

Fixes: f0d1cf9378bd ("scsi: scsi_debug: Add ZBC zone commands")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
 drivers/scsi/scsi_debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Damien Le Moal Dec. 6, 2021, 1:35 p.m. UTC | #1
On 2021/12/06 21:29, Shin'ichiro Kawasaki wrote:
> According to ZBC and SPC specifications, the unit of ALLOCATION LENGTH
> field of REPORT ZONES command is byte. However, current scsi_debug
> implementation handles it as number of zones to calculate buffer size to
> report zones. When the ALLOCATION LENGTH has a large number, this
> results in too large buffer size and causes memory allocation failure.
> Fix the failure by handling ALLOCATION LENGTH as byte unit.
> 
> Fixes: f0d1cf9378bd ("scsi: scsi_debug: Add ZBC zone commands")
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
> ---
>  drivers/scsi/scsi_debug.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> index 3c0da3770edf..74513129b36d 100644
> --- a/drivers/scsi/scsi_debug.c
> +++ b/drivers/scsi/scsi_debug.c
> @@ -4342,7 +4342,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
>  	rep_max_zones = min((alloc_len - 64) >> ilog2(RZONES_DESC_HD),
>  			    max_zones);
>  
> -	arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC);
> +	arr = kcalloc(1, alloc_len, GFP_ATOMIC);

Then maybe use kzalloc here ? No need for kcalloc...

>  	if (!arr) {
>  		mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
>  				INSUFF_RES_ASCQ);
>
Shinichiro Kawasaki Dec. 7, 2021, 12:54 a.m. UTC | #2
On Dec 06, 2021 / 22:35, Damien Le Moal wrote:
> On 2021/12/06 21:29, Shin'ichiro Kawasaki wrote:
> > According to ZBC and SPC specifications, the unit of ALLOCATION LENGTH
> > field of REPORT ZONES command is byte. However, current scsi_debug
> > implementation handles it as number of zones to calculate buffer size to
> > report zones. When the ALLOCATION LENGTH has a large number, this
> > results in too large buffer size and causes memory allocation failure.
> > Fix the failure by handling ALLOCATION LENGTH as byte unit.
> > 
> > Fixes: f0d1cf9378bd ("scsi: scsi_debug: Add ZBC zone commands")
> > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
> > ---
> >  drivers/scsi/scsi_debug.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
> > index 3c0da3770edf..74513129b36d 100644
> > --- a/drivers/scsi/scsi_debug.c
> > +++ b/drivers/scsi/scsi_debug.c
> > @@ -4342,7 +4342,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
> >  	rep_max_zones = min((alloc_len - 64) >> ilog2(RZONES_DESC_HD),
> >  			    max_zones);
> >  
> > -	arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC);
> > +	arr = kcalloc(1, alloc_len, GFP_ATOMIC);
> 
> Then maybe use kzalloc here ? No need for kcalloc...

Indeed. Will post v2.
diff mbox series

Patch

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 3c0da3770edf..74513129b36d 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -4342,7 +4342,7 @@  static int resp_report_zones(struct scsi_cmnd *scp,
 	rep_max_zones = min((alloc_len - 64) >> ilog2(RZONES_DESC_HD),
 			    max_zones);
 
-	arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC);
+	arr = kcalloc(1, alloc_len, GFP_ATOMIC);
 	if (!arr) {
 		mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
 				INSUFF_RES_ASCQ);