public inbox for linux-kernel@vger.kernel.org
From: Roman Kisel <romank@linux.microsoft.com>
To: longli@linuxonhyperv.com, "K. Y. Srinivasan" <kys@microsoft.com>,
	Haiyang Zhang <haiyangz@microsoft.com>,
	Wei Liu <wei.liu@kernel.org>, Dexuan Cui <decui@microsoft.com>,
	"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	James Bottomley <JBottomley@Odin.com>,
	linux-hyperv@vger.kernel.org, linux-scsi@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Long Li <longli@microsoft.com>,
	stable@kernel.org,
	"benhill@microsoft.com" <benhill@microsoft.com>
Subject: Re: [PATCH] scsi: storvsc: Set correct data length for sending SCSI command without payload
Date: Fri, 17 Jan 2025 11:11:34 -0800
Message-ID: <c3e23b3f-d83f-431e-b19d-691fae0041cf@linux.microsoft.com>
In-Reply-To: <1737071998-4566-1-git-send-email-longli@linuxonhyperv.com>



On 1/16/2025 3:59 PM, longli@linuxonhyperv.com wrote:
> From: Long Li <longli@microsoft.com>
> 
> In StorVSC, payload->range.len is used to indicate if this SCSI command
> carries payload. This data is allocated as part of the private driver
> data by the upper layer and may get passed to lower driver uninitialized.
> 
> If a SCSI command doesn't carry payload, the driver may use this value as
> is for communicating with host, resulting in possible corruption.
> 
> Fix this by always initializing this value.

Awesome that you've caught that elusive critter, thank you! :)

Tested-by: Roman Kisel <romank@linux.microsoft.com>
Reviewed-by: Roman Kisel <romank@linux.microsoft.com>

> 
> Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
> Cc: stable@kernel.org
> Signed-off-by: Long Li <longli@microsoft.com>
> ---
>   drivers/scsi/storvsc_drv.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
> index 7ceb982040a5..ca5e5c0aeabf 100644
> --- a/drivers/scsi/storvsc_drv.c
> +++ b/drivers/scsi/storvsc_drv.c
> @@ -1789,6 +1789,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
>   
>   	length = scsi_bufflen(scmnd);
>   	payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
> +	payload->range.len = 0;
>   	payload_sz = 0;
>   
>   	if (scsi_sg_count(scmnd)) {
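
Review bot: The new `payload->range.len = 0;` store in storvsc_queuecommand() has no comment, so it reads like a redundant initialization that a later cleanup could drop. The commit message gives the reason (the mpb sits in private driver data allocated by the upper layer, can arrive uninitialized, and range.len is what signals whether the command carries a payload); a one-line comment above the assignment saying so would keep that context next to the code. It is also worth confirming that range.len is the only field of `cmd_request->mpb` read on the path where `scsi_sg_count(scmnd)` is zero, since this hunk resets that one member and nothing else.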

-- 
Thank you,
Roman

