From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AAFD0219301; Wed, 4 Feb 2026 14:49:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770216584; cv=none; b=VlaRiffWNISRP5XW3e0H9D53TQYQHWDj1KzWqtN2N0oEz7lK9BFcrDuAGXmYBcTYcjx1DfhUdDFk6nFCe72QgzyxqWoFCceV5xHO1mRt7Ww3QS8L5N1zkKkly7i9abydFJTDwBjaqKbhJXW63UuEl4ggMbVkvl+zjexEA0Nf9IU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770216584; c=relaxed/simple; bh=xtb4Yg1NQnFbabo4vF5AjqgyHVuG4VbZzV/4zpZxE5E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=t723G7NCI6RHJPl8cPdNMWahm/renvvSSPCjtJIX46gUg7MroHZMgTJMKGdxfKGP23BWdmL8sHCInxs/cvVlW1OATpxrVjRYorx+xQ6jDSKgOcPgNFX9rDxT5nalnGI+8NmIOkf+fJ8W9zQ6T5MNfd7c3Ckrb6p0Ob5tbcYb5Ro= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=puXoj6hF; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="puXoj6hF" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 294E0C4CEF7; Wed, 4 Feb 2026 14:49:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1770216584; bh=xtb4Yg1NQnFbabo4vF5AjqgyHVuG4VbZzV/4zpZxE5E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=puXoj6hFIpYDnKlMHC5aksz8Y249EEcYPUM8qc0IpmRF7QIm9hSbdeIKWliIFEaJU ZFfHg3dTJ3wusx+UUtQmfRTqxrpl+/M03JPrGPyc7R5KfcY3coPlEkyOc7bZWKNdLi PEMk8fydizmW3tLw+bzmWO3K4SmHzTg6y2Xn/V2M= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Kery Qi , "Martin K. Petersen" , Sasha Levin Subject: [PATCH 5.10 130/161] scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() Date: Wed, 4 Feb 2026 15:39:53 +0100 Message-ID: <20260204143856.419562830@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260204143851.755002596@linuxfoundation.org> References: <20260204143851.755002596@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kery Qi [ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of "tpg->tport_tpgt" is u16. This causes a type truncation issue. When a user creates a TPG via configfs mkdir, for example: mkdir /sys/kernel/config/target/sbp//tpgt_70000 The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the value the user specified to differ from what is actually stored, leading to confusion and potential unexpected behavior. Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which will properly reject values outside the u16 range. Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") Signed-off-by: Kery Qi Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/target/sbp/sbp_target.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c index e4a9b9fe3dfb0..9445bf3409fd1 100644 --- a/drivers/target/sbp/sbp_target.c +++ b/drivers/target/sbp/sbp_target.c @@ -1989,12 +1989,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, container_of(wwn, struct sbp_tport, tport_wwn); struct sbp_tpg *tpg; - unsigned long tpgt; + u16 tpgt; int ret; if (strstr(name, "tpgt_") != name) return ERR_PTR(-EINVAL); - if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) + if (kstrtou16(name + 5, 10, &tpgt)) return ERR_PTR(-EINVAL); if (tport->tpg) { -- 2.51.0