From patchwork Thu Nov 15 05:47:27 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3.5.yuz, extended, stable] Patch "target: fix truncation of mode data, support zero allocation" has been added to staging queue From: Herton Ronaldo Krzesinski X-Patchwork-Id: 199139 Message-Id: <1352958447-14884-1-git-send-email-herton.krzesinski@canonical.com> To: Paolo Bonzini Cc: kernel-team@lists.ubuntu.com, Nicholas Bellinger Date: Thu, 15 Nov 2012 03:47:27 -0200 This is a note to let you know that I have just added a patch titled target: fix truncation of mode data, support zero allocation to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.yuz tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Herton ------ >From 6ab72bb6e88fda121249a59c2ec41169287d2cf8 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Fri, 7 Sep 2012 17:30:39 +0200 Subject: [PATCH] target: fix truncation of mode data, support zero allocation length commit 7a3f369ce31694017996524a1cdb08208a839077 upstream. The offset was not bumped back to the full size after writing the header of the MODE SENSE response, so the last 1 or 2 bytes were not copied. On top of this, support zero-length requests by checking for the return value of transport_kmap_data_sg. Testcase: sg_raw -r20 /dev/sdb 5a 00 0a 00 00 00 00 00 14 00 last byte should be 0x1e it is 0x00 without the patch it is correct with the patch Signed-off-by: Paolo Bonzini Signed-off-by: Nicholas Bellinger [ herton: backported, code to be patched is on target_core_cdb.c, target_emulate_modesense, the function was moved/renamed later ] Signed-off-by: Herton Ronaldo Krzesinski --- drivers/target/target_core_cdb.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) -- 1.7.9.5 diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c index 5b20579..3dc3393 100644 --- a/drivers/target/target_core_cdb.c +++ b/drivers/target/target_core_cdb.c @@ -856,7 +856,7 @@ int target_emulate_modesense(struct se_cmd *cmd) unsigned char *rbuf; int type = dev->transport->get_device_type(dev); int ten = (cmd->t_task_cdb[0] == MODE_SENSE_10); - int offset = ten ? 8 : 4; + u32 offset = ten ? 8 : 4; int length = 0; unsigned char buf[SE_MODE_PAGE_BUF]; @@ -889,6 +889,7 @@ int target_emulate_modesense(struct se_cmd *cmd) offset -= 2; buf[0] = (offset >> 8) & 0xff; buf[1] = offset & 0xff; + offset += 2; if ((cmd->se_lun->lun_access & TRANSPORT_LUNFLAGS_READ_ONLY) || (cmd->se_deve && @@ -898,13 +899,10 @@ int target_emulate_modesense(struct se_cmd *cmd) if ((dev->se_sub_dev->se_dev_attrib.emulate_write_cache > 0) && (dev->se_sub_dev->se_dev_attrib.emulate_fua_write > 0)) target_modesense_dpofua(&buf[3], type); - - if ((offset + 2) > cmd->data_length) - offset = cmd->data_length; - } else { offset -= 1; buf[0] = offset & 0xff; + offset += 1; if ((cmd->se_lun->lun_access & TRANSPORT_LUNFLAGS_READ_ONLY) || (cmd->se_deve && @@ -914,14 +912,13 @@ int target_emulate_modesense(struct se_cmd *cmd) if ((dev->se_sub_dev->se_dev_attrib.emulate_write_cache > 0) && (dev->se_sub_dev->se_dev_attrib.emulate_fua_write > 0)) target_modesense_dpofua(&buf[2], type); - - if ((offset + 1) > cmd->data_length) - offset = cmd->data_length; } rbuf = transport_kmap_data_sg(cmd); - memcpy(rbuf, buf, offset); - transport_kunmap_data_sg(cmd); + if (rbuf) { + memcpy(rbuf, buf, min(offset, cmd->data_length)); + transport_kunmap_data_sg(cmd); + } target_complete_cmd(cmd, GOOD); return 0;