On 11.05.23 15:10, Martin Wilck wrote:
On Thu, 2023-05-11 at 14:34 +0200, Juergen Gross wrote:Some callers of scsi_execute_cmd() (like e.g. sd_spinup_disk()) are passing an uninitialized struct sshdr and don't look at the return value of scsi_execute_cmd() before looking at the contents of that struct. This can result in false positives when looking for specific error conditions. In order to fix that let scsi_execute_cmd() zero sshdr-response_code,resulting in scsi_sense_valid() returning false. Cc: stable@xxxxxxxxxxxxxxx Fixes: 3949e2f04262 ("scsi: simplify scsi_execute_req_flags") Signed-off-by: Juergen Gross <jgross@xxxxxxxx> --- I'm not aware of any real error having happened due to this problem, but I thought it should be fixed anyway. I _think_ 3949e2f04262 was introducing the problem, but I'm not 100% sure it is really the commit to be blamed. --- drivers/scsi/scsi_lib.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)One nitpick below, otherwise it looks good to me.diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index b7c569a42aa4..923336620bff 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -209,11 +209,17 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, struct scsi_cmnd *scmd; int ret;- if (!args)+ if (!args) { args = &default_args; - else if (WARN_ON_ONCE(args->sense && - args->sense_len != SCSI_SENSE_BUFFERSIZE)) - return -EINVAL; + } else { + /* Mark sense data to be invalid. */ + if (args->sshdr) + args->sshdr->response_code = 0;We know for certain that sizeof(*sshdr) is 8 bytes, and will most probably remain so. Thus memset(sshdr, 0, sizeof(*sshdr)) would result in more efficient code.
I fail to see why zeroing a single byte would be less efficient than zeroing a possibly unaligned 8-byte area. Juergen
Attachment:
OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature