This is a note to let you know that I've just added the patch titled

    scsi: scsi_debug: Fix do_device_access() handling of unexpected SG copy length

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-scsi_debug-fix-do_device_access-handling-of-une.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

commit 3c5b0af653c45c40b7e92d060006a2e7c93126f4
Author: John Garry <john.g.garry@xxxxxxxxxx>
Date:   Fri Oct 18 10:16:55 2024 +0000

    scsi: scsi_debug: Fix do_device_access() handling of unexpected SG copy length

    [ Upstream commit d28d17a845600dd9f7de241de9b1528a1b138716 ]

    If the sg_copy_buffer() call returns less than sdebug_sector_size, then we
    drop out of the copy loop. However, we still report that we copied the
    full expected amount, which is not proper.

    Fix by keeping a running total and return that value.

    Fixes: 84f3a3c01d70 ("scsi: scsi_debug: Atomic write support")
    Reported-by: Colin Ian King <colin.i.king@xxxxxxxxx>
    Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Signed-off-by: John Garry <john.g.garry@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20241018101655.4207-1-john.g.garry@xxxxxxxxxx
    Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Colin Ian King <colin.i.king@xxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index a9d8a9c62663e..e41698218e62f 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c
@@ -3652,7 +3652,7 @@ static int do_device_access(struct sdeb_store_info *sip, struct scsi_cmnd *scp, enum dma_data_direction dir; struct scsi_data_buffer *sdb = &scp->sdb; u8 *fsp; - int i; + int i, total = 0; /* * Even though reads are inherently atomic (in this driver), we expect @@ -3689,18 +3689,16 @@ static int do_device_access(struct sdeb_store_info *sip, struct scsi_cmnd *scp, fsp + (block * sdebug_sector_size), sdebug_sector_size, sg_skip, do_write); sdeb_data_sector_unlock(sip, do_write); - if (ret != sdebug_sector_size) { - ret += (i * sdebug_sector_size); + total += ret; + if (ret != sdebug_sector_size) break; - } sg_skip += sdebug_sector_size; if (++block >= sdebug_store_sectors) block = 0; } - ret = num * sdebug_sector_size; sdeb_data_unlock(sip, atomic); - return ret; + return total; } /* Returns number of bytes copied or -1 if error. */
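
Review bot: The short-copy return introduced in the second hunk (`total += ret;`, then `break`, then `return total;`) is not documented anywhere in the visible lines. The comment that follows the closing brace, "Returns number of bytes copied or -1 if error.", sits below do_device_access() and so describes whatever comes next, not this function. Suggest adding a one-line comment above do_device_access() stating that it returns the number of bytes actually copied, which can be less than num * sdebug_sector_size when sg_copy_buffer() comes up short. The callers are outside this diff, so it is also worth confirming in the full file that each of them compares the result against the expected length rather than only testing for a negative value, since before this change they always received the full expected amount.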