From: Damien Le Moal <dlemoal@kernel.org>
To: Hannes Reinecke <hare@suse.de>,
linux-ide@vger.kernel.org, Niklas Cassel <cassel@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH] ata: libata-scsi: fix ata_scsi_security_inout_xlat() buffer length conversion
Date: Wed, 24 Jun 2026 18:24:57 +0900 [thread overview]
Message-ID: <baba29d7-16c0-4d8d-b275-064a562b5d09@kernel.org> (raw)
In-Reply-To: <bbd49b9f-f1a4-4685-b8f7-2049a61fd86e@suse.de>
On 6/24/26 6:22 PM, Hannes Reinecke wrote:
> On 6/24/26 11:09 AM, Damien Le Moal wrote:
>> ata_scsi_security_inout_xlat() converts the SCSI command buffer length
>> into the ATA sector size based size by aligning upward the length to 512B.
>> That is incorrect as that can lead to specifying a buffer size that is
>> larger than the memory allocated for the command buffer, resulting in all
>> sorts of possible command failures and/or memory corruptions.
>>
>> Ideally, we should bounce the buffer to a large enough size to fit
>> the entire SCSI command buffer, but we do not have anything in place to do
>> that cleanly. So for now, fix this by converting the command buffer length
>> downward with a simple division of the buffer length by ATA_SECT_SIZE.
>>
>> Fixes: 818831c8b22f ("libata: implement SECURITY PROTOCOL IN/OUT")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
>> ---
>> drivers/ata/libata-scsi.c | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
>> index d54ec1631e9a..e78801e7ea8c 100644
>> --- a/drivers/ata/libata-scsi.c
>> +++ b/drivers/ata/libata-scsi.c
>> @@ -4330,7 +4330,13 @@ static unsigned int
>> ata_scsi_security_inout_xlat(struct ata_queued_cmd *qc)
>> }
>> /* convert to the sector-based ATA addressing */
>> - len = (len + 511) / 512;
>> + if (len) {
>> + len = len / ATA_SECT_SIZE;
>> + if (!len) {
>> + ata_scsi_set_invalid_field(qc->dev, scmd, 6, 0);
>> + return 1;
>> + }
>> + }
>> }
>> tf->protocol = dma ? ATA_PROT_DMA : ATA_PROT_PIO;
>
> round_down(), maybe?
> To make the intention clear?
Nope. We do not want a number of bytes but a number of ATA 512B sector count :)
>
> Cheers,
>
> Hannes
--
Damien Le Moal
Western Digital Research
next prev parent reply other threads:[~2026-06-24 9:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 9:09 [PATCH] ata: libata-scsi: fix ata_scsi_security_inout_xlat() buffer length conversion Damien Le Moal
2026-06-24 9:22 ` Hannes Reinecke
2026-06-24 9:24 ` Damien Le Moal [this message]
2026-06-24 9:34 ` Hannes Reinecke
2026-06-24 11:51 ` Niklas Cassel
2026-06-24 12:09 ` Niklas Cassel
2026-06-24 13:18 ` Damien Le Moal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=baba29d7-16c0-4d8d-b275-064a562b5d09@kernel.org \
--to=dlemoal@kernel.org \
--cc=cassel@kernel.org \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=linux-ide@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox