Commit d597314e, author: Bart Van Assche, committer: Xie XiuQi

scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length

mainline inclusion
from mainline-5.1-rc1
commit db5db4b91cabcf57f3efd98d92d24ab875cde8ae
category: bugfix
bugzilla: 12185
CVE: NA
---------------------------

Since the READ(6) and WRITE(6) commands interpret a zero in the transfer
length field in the CDB as 256 logical blocks, avoid submitting such
commands.

conflicts:
    drivers/scsi/sd.c

Cc: Douglas Gilbert <dgilbert@interlog.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Reported-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Parent 2a00421c
......@@ -1026,6 +1026,7 @@ static int sd_setup_read_write_cmnd(struct scsi_cmnd *SCpnt)
sector_t block = blk_rq_pos(rq);
sector_t threshold;
unsigned int this_count = blk_rq_sectors(rq);
unsigned int nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq));
unsigned int dif, dix;
int ret;
unsigned char protect;
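Review bot: nr_blocks is declared directly below this_count and both are initialized from blk_rq_sectors(rq), one left in 512-byte sectors and one converted with sectors_to_logical(), so the function now carries two counts for the same request in different units with nothing stating which is which. A one-line comment on each giving its unit, or a single count in logical blocks used throughout, would make it harder for a later change to test one variable and encode the other.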
......@@ -1216,6 +1217,10 @@ static int sd_setup_read_write_cmnd(struct scsi_cmnd *SCpnt)
SCpnt->cmnd[7] = (unsigned char) (this_count >> 8) & 0xff;
SCpnt->cmnd[8] = (unsigned char) this_count & 0xff;
} else {
/* Avoid that 0 blocks gets translated into 256 blocks. */
if (WARN_ON_ONCE(nr_blocks == 0))
return BLK_STS_IOERR;
if (unlikely(rq->cmd_flags & REQ_FUA)) {
/*
* This happens only if this drive failed
......
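Review bot: the early return added at the top of the else branch hands back BLK_STS_IOERR, which is a blk_status_t value, from a function the hunk header declares as static int; please confirm the caller in this tree treats that value as a failure, or return the same error code the function's other failure paths use. The guard also tests nr_blocks while the CDB bytes just above it (cmnd[7], cmnd[8]) are filled from this_count, so it is worth checking that the two counts cannot disagree about zero at this point in the function.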