From: Damien Le Moal <dlemoal@kernel.org>
To: linux-ide@vger.kernel.org, Niklas Cassel <cassel@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Subject: [PATCH] ata: libata-scsi: fix ata_scsi_security_inout_xlat() buffer length conversion
Date: Wed, 24 Jun 2026 18:09:31 +0900 [thread overview]
Message-ID: <20260624090931.1483644-1-dlemoal@kernel.org> (raw)
ata_scsi_security_inout_xlat() converts the SCSI command buffer length
into the ATA sector size based size by aligning upward the length to 512B.
That is incorrect as that can lead to specifying a buffer size that is
larger than the memory allocated for the command buffer, resulting in all
sorts of possible command failures and/or memory corruptions.
Ideally, we should bounce the buffer to a large enough size to fit
the entire SCSI command buffer, but we do not have anything in place to do
that cleanly. So for now, fix this by converting the command buffer length
downward with a simple division of the buffer length by ATA_SECT_SIZE.
Fixes: 818831c8b22f ("libata: implement SECURITY PROTOCOL IN/OUT")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
---
drivers/ata/libata-scsi.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index d54ec1631e9a..e78801e7ea8c 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -4330,7 +4330,13 @@ static unsigned int ata_scsi_security_inout_xlat(struct ata_queued_cmd *qc)
}
/* convert to the sector-based ATA addressing */
- len = (len + 511) / 512;
+ if (len) {
+ len = len / ATA_SECT_SIZE;
+ if (!len) {
+ ata_scsi_set_invalid_field(qc->dev, scmd, 6, 0);
+ return 1;
+ }
+ }
}
tf->protocol = dma ? ATA_PROT_DMA : ATA_PROT_PIO;
--
2.54.0
next reply other threads:[~2026-06-24 9:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 9:09 Damien Le Moal [this message]
2026-06-24 9:22 ` [PATCH] ata: libata-scsi: fix ata_scsi_security_inout_xlat() buffer length conversion Hannes Reinecke
2026-06-24 9:24 ` Damien Le Moal
2026-06-24 9:34 ` Hannes Reinecke
2026-06-24 11:51 ` Niklas Cassel
2026-06-24 12:09 ` Niklas Cassel
2026-06-24 13:18 ` Damien Le Moal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624090931.1483644-1-dlemoal@kernel.org \
--to=dlemoal@kernel.org \
--cc=cassel@kernel.org \
--cc=hch@lst.de \
--cc=linux-ide@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.