From: Kery Qi <qikeyu2017@gmail.com>
To: bootc@bootc.net, martin.petersen@oracle.com
Cc: nab@linux-iscsi.org, stefanr@s5r6.in-berlin.de,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
linux1394-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, Kery Qi <qikeyu2017@gmail.com>
Subject: [PATCH] firewire: sbp-target: fix integer type overflow in sbp_make_tpg()
Date: Wed, 21 Jan 2026 19:45:15 +0800 [thread overview]
Message-ID: <20260121114515.1829-2-qikeyu2017@gmail.com> (raw)
The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type
of "tpg->tport_tpgt" is u16. This causes a type truncation issue.
When a user creates a TPG via configfs mkdir, for example:
mkdir /sys/kernel/config/target/sbp/<wwn>/tpgt_70000
The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far
less than 4294967295. However, when assigned to the u16 field
tpg->tport_tpgt, the value is silently truncated to 4464 (70000 &
0xFFFF). This causes the value the user specified to differ from what
is actually stored, leading to confusion and potential unexpected
behavior.
Fix this by changing the type of "tpgt" to u16 and using kstrtou16()
which will properly reject values outside the u16 range.
Fixes: a511ce3397803 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
drivers/target/sbp/sbp_target.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
index 9f167ff8da7b..09120a538a40 100644
--- a/drivers/target/sbp/sbp_target.c
+++ b/drivers/target/sbp/sbp_target.c
@@ -1960,12 +1960,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn,
container_of(wwn, struct sbp_tport, tport_wwn);
struct sbp_tpg *tpg;
- unsigned long tpgt;
+ u16 tpgt;
int ret;
if (strstr(name, "tpgt_") != name)
return ERR_PTR(-EINVAL);
- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
+ if (kstrtou16(name + 5, 10, &tpgt))
return ERR_PTR(-EINVAL);
if (tport->tpg) {
--
2.34.1
next reply other threads:[~2026-01-21 11:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-21 11:45 Kery Qi [this message]
2026-01-24 3:53 ` [PATCH] firewire: sbp-target: fix integer type overflow in sbp_make_tpg() Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260121114515.1829-2-qikeyu2017@gmail.com \
--to=qikeyu2017@gmail.com \
--cc=bootc@bootc.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=martin.petersen@oracle.com \
--cc=nab@linux-iscsi.org \
--cc=stefanr@s5r6.in-berlin.de \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox