From: Damien Le Moal <dlemoal@kernel.org>
To: Hannes Reinecke <hare@suse.de>,
linux-ide@vger.kernel.org, Niklas Cassel <cassel@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH] ata: libata-scsi: fix ata_scsi_security_inout_xlat() buffer length conversion
Date: Wed, 24 Jun 2026 18:24:57 +0900
Message-ID: <baba29d7-16c0-4d8d-b275-064a562b5d09@kernel.org>
In-Reply-To: <bbd49b9f-f1a4-4685-b8f7-2049a61fd86e@suse.de>
On 6/24/26 6:22 PM, Hannes Reinecke wrote:
> On 6/24/26 11:09 AM, Damien Le Moal wrote:
>> ata_scsi_security_inout_xlat() converts the SCSI command buffer length
>> into the ATA sector size based size by aligning upward the length to 512B.
>> That is incorrect as that can lead to specifying a buffer size that is
>> larger than the memory allocated for the command buffer, resulting in all
>> sorts of possible command failures and/or memory corruptions.
>>
>> Ideally, we should bounce the buffer to a large enough size to fit
>> the entire SCSI command buffer, but we do not have anything in place to do
>> that cleanly. So for now, fix this by converting the command buffer length
>> downward with a simple division of the buffer length by ATA_SECT_SIZE.
>>
>> Fixes: 818831c8b22f ("libata: implement SECURITY PROTOCOL IN/OUT")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
>> ---
>> drivers/ata/libata-scsi.c | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
>> index d54ec1631e9a..e78801e7ea8c 100644
>> --- a/drivers/ata/libata-scsi.c
>> +++ b/drivers/ata/libata-scsi.c
>> @@ -4330,7 +4330,13 @@ static unsigned int
>> ata_scsi_security_inout_xlat(struct ata_queued_cmd *qc)
>> }
>> /* convert to the sector-based ATA addressing */
>> - len = (len + 511) / 512;
>> + if (len) {
>> + len = len / ATA_SECT_SIZE;
>> + if (!len) {
>> + ata_scsi_set_invalid_field(qc->dev, scmd, 6, 0);
>> + return 1;
>> + }
>> + }
>> }
>> tf->protocol = dma ? ATA_PROT_DMA : ATA_PROT_PIO;
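Review bot: In the new `len = len / ATA_SECT_SIZE;` path, a length that is at least 512 bytes but not a multiple of 512 is silently cut down to whole sectors, while only the sub-sector case (result 0) is rejected through ata_scsi_set_invalid_field(). Either reject a non-zero `len % ATA_SECT_SIZE` the same way, or extend the "convert to the sector-based ATA addressing" comment to say that rounding down is deliberate and that the tail of the buffer is not transferred, so the intent is visible in the code and not only in the commit message. A short comment on why the field pointer passed is byte 6 would also help the next reader.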
>
> round_down(), maybe?
> To make the intention clear?
Nope. We do not want a number of bytes but a number of ATA 512B sectors :)
>
> Cheers,
>
> Hannes
--
Damien Le Moal
Western Digital Research
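
A user-space model of the length conversion discussed in this thread, added here as an illustration; it is not code from the patch or from libata. The names sectors_round_up(), sectors_round_down(), guard_bytes_clobbered(), SECT_SIZE and ARENA are hypothetical, the sample lengths are constructed, and the "transfer" is a plain memset that only shows the size mismatch between the sector count and the buffer.

```c
#include <stdio.h>
#include <string.h>

#define SECT_SIZE 512u   /* same value as ATA_SECT_SIZE */
#define ARENA     4096u  /* constructed: command buffer plus guard bytes */

/* Pre-patch conversion: round the byte length up to whole sectors. */
static unsigned int sectors_round_up(unsigned int len)
{
	return (len + SECT_SIZE - 1) / SECT_SIZE;
}

/* Patched conversion: round down; -1 where the patch rejects the CDB. */
static int sectors_round_down(unsigned int len, unsigned int *sectors)
{
	*sectors = len / SECT_SIZE;
	return (len && !*sectors) ? -1 : 0;
}

/* Model a transfer of `sectors` whole sectors into a buffer owning only
 * `len` bytes; returns how many guard bytes past `len` were overwritten. */
static size_t guard_bytes_clobbered(unsigned int len, unsigned int sectors)
{
	static unsigned char arena[ARENA];
	size_t xfer = (size_t)sectors * SECT_SIZE, i, hit = 0;

	if (len > ARENA || xfer > ARENA)
		return (size_t)-1;          /* outside what this model covers */
	memset(arena, 0xA5, sizeof(arena)); /* guard pattern everywhere */
	memset(arena, 0xFF, xfer);          /* the "device" fills whole sectors */
	for (i = len; i < ARENA; i++)
		hit += (arena[i] != 0xA5);
	return hit;
}

int main(void)
{
	const unsigned int lens[] = { 0, 36, 512, 513, 1000 }; /* constructed */
	unsigned int down;

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		unsigned int up = sectors_round_up(lens[i]);
		int rc = sectors_round_down(lens[i], &down);

		printf("len=%4u  up: %u sect, %zu bytes past buffer  down: %u sect%s\n",
		       lens[i], up, guard_bytes_clobbered(lens[i], up), down,
		       rc ? " (rejected)" : "");
	}
	return 0;
}
```
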