Re: [PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 17b49bcbf8351d3dbe57204468ac34f033ed60bc

WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
Commit author: Damien Le Moal <damien.lemoal@xxxxxxx>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)
5.15.y | Present (different SHA1: e15de347faf4)
5.10.y | Not found

Note: The patch differs from the upstream commit:
---
--- -	2024-11-22 14:28:14.472822873 -0500
+++ /tmp/tmp.ZvzLslfZma	2024-11-22 14:28:14.464095287 -0500
@@ -1,3 +1,5 @@
+commit 17b49bcbf8351d3dbe57204468ac34f033ed60bc upstream.
+
 Several problems exist with scsi_mode_sense() buffer length handling:
 
  1) The allocation length field of the MODE SENSE(10) command is 16-bits,
@@ -36,15 +38,16 @@
 Link: https://lore.kernel.org/r/20210820070255.682775-2-damien.lemoal@xxxxxxx
 Signed-off-by: Damien Le Moal <damien.lemoal@xxxxxxx>
 Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
+Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
 ---
  drivers/scsi/scsi_lib.c | 25 +++++++++++++++----------
  1 file changed, 15 insertions(+), 10 deletions(-)
 
 diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 572673873ddf8..701d8e8480f22 100644
+index 64ae7bc2de604..0a9db3464fd48 100644
 --- a/drivers/scsi/scsi_lib.c
 +++ b/drivers/scsi/scsi_lib.c
-@@ -2075,7 +2075,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
+@@ -2068,7 +2068,7 @@ EXPORT_SYMBOL_GPL(scsi_mode_select);
  /**
   *	scsi_mode_sense - issue a mode sense, falling back from 10 to six bytes if necessary.
   *	@sdev:	SCSI device to be queried
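Review bot: the commit message gains only the "Signed-off-by: Vasiliy Kovalev" line, although the changed index line and the shifted hunk offset (2075 to 2068) show the patch was rebased onto a different scsi_lib.c. If any code hunk was adapted rather than applied unchanged, add a short bracketed note above the backporter's sign-off saying what was changed for 5.10.y, so the difference from 17b49bcbf835 is documented in the commit itself.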
@@ -53,7 +56,7 @@
   *	@modepage: mode page being requested
   *	@buffer: request buffer (may not be smaller than eight bytes)
   *	@len:	length of request buffer.
-@@ -2110,18 +2110,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+@@ -2103,18 +2103,18 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
  		sshdr = &my_sshdr;
  
   retry:
@@ -77,7 +80,7 @@
  
  		cmd[0] = MODE_SENSE;
  		cmd[4] = len;
-@@ -2145,9 +2145,15 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+@@ -2139,8 +2139,14 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
  			if ((sshdr->sense_key == ILLEGAL_REQUEST) &&
  			    (sshdr->asc == 0x20) && (sshdr->ascq == 0)) {
  				/*
@@ -88,24 +91,26 @@
 +				 * too large for MODE SENSE single byte
 +				 * allocation length field.
  				 */
- 				if (use_10_for_ms) {
-+					if (len > 255)
-+						return -EIO;
- 					sdev->use_10_for_ms = 0;
- 					goto retry;
- 				}
-@@ -2171,12 +2177,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
- 		data->longlba = 0;
- 		data->block_descriptor_length = 0;
- 	} else if (use_10_for_ms) {
--		data->length = buffer[0]*256 + buffer[1] + 2;
-+		data->length = get_unaligned_be16(&buffer[0]) + 2;
- 		data->medium_type = buffer[2];
- 		data->device_specific = buffer[3];
- 		data->longlba = buffer[4] & 0x01;
--		data->block_descriptor_length = buffer[6]*256
--			+ buffer[7];
-+		data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
- 	} else {
- 		data->length = buffer[0] + 1;
- 		data->medium_type = buffer[1];
++				if (len > 255)
++					return -EIO;
+ 				sdev->use_10_for_ms = 0;
+ 				goto retry;
+ 			}
+@@ -2158,12 +2164,11 @@ scsi_mode_sense(struct scsi_device *sdev, int dbd, int modepage,
+ 			data->longlba = 0;
+ 			data->block_descriptor_length = 0;
+ 		} else if (use_10_for_ms) {
+-			data->length = buffer[0]*256 + buffer[1] + 2;
++			data->length = get_unaligned_be16(&buffer[0]) + 2;
+ 			data->medium_type = buffer[2];
+ 			data->device_specific = buffer[3];
+ 			data->longlba = buffer[4] & 0x01;
+-			data->block_descriptor_length = buffer[6]*256
+-				+ buffer[7];
++			data->block_descriptor_length = get_unaligned_be16(&buffer[6]);
+ 		} else {
+ 			data->length = buffer[0] + 1;
+ 			data->medium_type = buffer[1];
+-- 
+2.33.8
+
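Review bot: the backported "if (len > 255) return -EIO;" check, and the "sdev->use_10_for_ms = 0; goto retry;" fallback after it, are no longer wrapped in "if (use_10_for_ms) {" as they are in the upstream hunk. The visible context does not show the enclosing condition, so please confirm that in 5.10.y this branch is reached only when use_10_for_ms is set. Otherwise the -EIO return and the retry would also apply to a failed MODE SENSE(6), which upstream excludes. The extra indentation level on the data->length and data->block_descriptor_length lines suggests the surrounding structure differs from upstream, so it is worth stating in the commit message that the logic was checked against the 5.10.y layout.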
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       |  Success    |  Success   |
