| Message ID | 20220302053559.32147-5-martin.petersen@oracle.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [01/14] scsi: mpt3sas: Use cached ATA Information VPD page | expand |
On Wed, Mar 02, 2022 at 12:35:49AM -0500, Martin K. Petersen wrote: > Some devices hang when a buffer size larger than expected is passed in > the ALLOCATION LENGTH field. For REPORT SUPPORTED OPERATION CODES we > currently only request a single command descriptor at a time and > therefore the actual size of the command is known ahead of time. Limit > the ALLOCATION LENGTH to the header size plus the command length of > the opcode we are asking about. Looks good, Reviewed-by: Christoph Hellwig <hch@lst.de>
Looks good,
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
On 3/1/22 21:35, Martin K. Petersen wrote: > Some devices hang when a buffer size larger than expected is passed in > the ALLOCATION LENGTH field. For REPORT SUPPORTED OPERATION CODES we > currently only request a single command descriptor at a time and > therefore the actual size of the command is known ahead of time. Limit > the ALLOCATION LENGTH to the header size plus the command length of > the opcode we are asking about. Reviewed-by: Bart Van Assche <bvanassche@acm.org>
On 3/2/22 06:35, Martin K. Petersen wrote: > Some devices hang when a buffer size larger than expected is passed in > the ALLOCATION LENGTH field. For REPORT SUPPORTED OPERATION CODES we > currently only request a single command descriptor at a time and > therefore the actual size of the command is known ahead of time. Limit > the ALLOCATION LENGTH to the header size plus the command length of > the opcode we are asking about. > > Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> > --- > drivers/scsi/scsi.c | 17 +++++++++++++---- > 1 file changed, 13 insertions(+), 4 deletions(-) > Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index af896d0647a7..c6221a2ca04e 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -508,21 +508,30 @@ int scsi_report_opcode(struct scsi_device *sdev, unsigned char *buffer, { unsigned char cmd[16]; struct scsi_sense_hdr sshdr; - int result; + int result, request_len; if (sdev->no_report_opcodes || sdev->scsi_level < SCSI_SPC_3) return -EINVAL; + /* RSOC header + size of command we are asking about */ + request_len = 4 + COMMAND_SIZE(opcode); + if (request_len > len) { + dev_warn_once(&sdev->sdev_gendev, + "%s: len %u bytes, opcode 0x%02x needs %u\n", + __func__, len, opcode, request_len); + return -EINVAL; + } + memset(cmd, 0, 16); cmd[0] = MAINTENANCE_IN; cmd[1] = MI_REPORT_SUPPORTED_OPERATION_CODES; cmd[2] = 1; /* One command format */ cmd[3] = opcode; - put_unaligned_be32(len, &cmd[6]); + put_unaligned_be32(request_len, &cmd[6]); memset(buffer, 0, len); - result = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buffer, len, - &sshdr, 30 * HZ, 3, NULL); + result = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buffer, + request_len, &sshdr, 30 * HZ, 3, NULL); if (result < 0) return result;
Some devices hang when a buffer size larger than expected is passed in the ALLOCATION LENGTH field. For REPORT SUPPORTED OPERATION CODES we currently only request a single command descriptor at a time and therefore the actual size of the command is known ahead of time. Limit the ALLOCATION LENGTH to the header size plus the command length of the opcode we are asking about. Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> --- drivers/scsi/scsi.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)