scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length

Since the READ(6) and WRITE(6) commands interpret a zero in the transfer length field in the CDB as 256 logical blocks, avoid submitting such commands. Cc: Douglas Gilbert <dgilbert@interlog.com> Cc: Hannes Reinecke <hare@suse.com> Cc: Christoph Hellwig <hch@lst.de> Reported-by: N Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: N Bart Van Assche <bvanassche@acm.org> Reviewed-by: N Douglas Gilbert <dgilbert@interlog.com> Reviewed-by: N Hannes Reinecke <hare@suse.com> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com>

scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length
Since the READ(6) and WRITE(6) commands interpret a zero in the transfer length field in the CDB as 256 logical blocks, avoid submitting such commands. Cc: Douglas Gilbert <dgilbert@interlog.com> Cc: Hannes Reinecke <hare@suse.com> Cc: Christoph Hellwig <hch@lst.de> Reported-by: N Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: N Bart Van Assche <bvanassche@acm.org> Reviewed-by: N Douglas Gilbert <dgilbert@interlog.com> Reviewed-by: N Hannes Reinecke <hare@suse.com> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com>
db5db4b9 · Bart Van Assche · Martin K. Petersen · 59abc8cc · db5db4b9
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

drivers/scsi/sd.c drivers/scsi/sd.c +4 -0

未找到文件。
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1128,6 +1128,10 @@ static blk_status_t sd_setup_rw6_cmnd(struct scsi_cmnd *cmd, bool write,
 				      sector_t lba, unsigned int nr_blocks,
 				      unsigned char flags)
 {
+	/* Avoid that 0 blocks gets translated into 256 blocks. */
+	if (WARN_ON_ONCE(nr_blocks == 0))
+		return BLK_STS_IOERR;
 	if (unlikely(flags & 0x8)) {
 		/*
 		 * This happens only if this drive failed 10byte rw