This is a note to let you know that I've just added the patch titled
target: Add missing WRITE_SAME end-of-device sanity check
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
target-add-missing-write_same-end-of-device-sanity-check.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 8e575c50a171f2579e367a7f778f86477dfdaf49 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Date: Fri, 13 Feb 2015 22:09:47 +0000
Subject: target: Add missing WRITE_SAME end-of-device sanity check
From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
commit 8e575c50a171f2579e367a7f778f86477dfdaf49 upstream.
This patch adds a check to sbc_setup_write_same() to verify
the incoming WRITE_SAME LBA + number of blocks does not exceed
past the end-of-device.
Also check for potential LBA wrap-around as well.
Reported-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx>
Cc: Martin Petersen <martin.petersen@xxxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/target/target_core_sbc.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -266,6 +266,8 @@ static inline unsigned long long transpo
static sense_reason_t
sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
{
+ struct se_device *dev = cmd->se_dev;
+ sector_t end_lba = dev->transport->get_blocks(dev) + 1;
unsigned int sectors = sbc_get_write_same_sectors(cmd);
if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
@@ -279,6 +281,16 @@ sbc_setup_write_same(struct se_cmd *cmd,
sectors, cmd->se_dev->dev_attrib.max_write_same_len);
return TCM_INVALID_CDB_FIELD;
}
+ /*
+ * Sanity check for LBA wrap and request past end of device.
+ */
+ if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
+ ((cmd->t_task_lba + sectors) > end_lba)) {
+ pr_err("WRITE_SAME exceeds last lba %llu (lba %llu, sectors %u)\n",
+ (unsigned long long)end_lba, cmd->t_task_lba, sectors);
+ return TCM_ADDRESS_OUT_OF_RANGE;
+ }
+
/* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
if (flags[0] & 0x10) {
pr_warn("WRITE SAME with ANCHOR not supported\n");
Patches currently in stable-queue which might be from nab@xxxxxxxxxxxxxxx are
queue-3.14/target-add-missing-write_same-end-of-device-sanity-check.patch
queue-3.14/target-check-for-lba-sectors-wrap-around-in-sbc_parse_cdb.patch
queue-3.14/target-fix-pr_aptpl_buf_len-buffer-size-limitation.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html