From: Damien Le Moal <damien.lemoal@wdc.com>

mainline inclusion
from mainline-v5.16-rc1
commit c749301ebee82eb5e97dec14b6ab31a4aabe37a6
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNFK
CVE: CVE-2021-47182
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
For devices that explicitly asked for MODE SENSE(10) use, make sure that scsi_mode_sense() is called with a buffer of at least 8 bytes so that the sense header fits.
Link: https://lore.kernel.org/r/20210820070255.682775-4-damien.lemoal@wdc.com
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Fixes: 907ea672e30b ("scsi: core: Fix scsi_mode_sense() buffer length handling")

Conflicts:
	drivers/scsi/sd.c
[ Mainline commit 0610959fbbca ("scsi: sd: Allow user to configure command retries") uses 'sdkp->device' instead of 'sdp'. ]
Signed-off-by: Li Nan <linan122@huawei.com>
---
 drivers/scsi/sd.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 45d6174d3458..f618726bbe70 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -2612,6 +2612,13 @@ sd_do_mode_sense(struct scsi_device *sdp, int dbd, int modepage, unsigned char *buffer, int len, struct scsi_mode_data *data, struct scsi_sense_hdr *sshdr) { + /* + * If we must use MODE SENSE(10), make sure that the buffer length + * is at least 8 bytes so that the mode sense header fits. + */ + if (sdp->use_10_for_ms && len < 8) + len = 8; + return scsi_mode_sense(sdp, dbd, modepage, buffer, len, SD_TIMEOUT, SD_MAX_RETRIES, data, sshdr);
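Review bot: The clamp `if (sdp->use_10_for_ms && len < 8) len = 8;` at the top of sd_do_mode_sense() raises the length handed to scsi_mode_sense(), but nothing in the hunk shows that `buffer` really holds 8 bytes. If a caller passed a len below 8 because its buffer is that small, the length is now overstated for the same buffer. Please say in the new comment that every caller supplies a buffer of at least 8 bytes, or enforce that here. The literal 8 would also read better as a named constant for the MODE SENSE(10) header size, since the comment and the condition both depend on it.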