From bcd49ec64d746abcfa7b857082ea12c5d2f7fcec Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 9 May 2025 08:01:01 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
scsi-target-fix-write_same-no-data-buffer-crash.patch
---
...-fix-write_same-no-data-buffer-crash.patch | 71 +++++++++++++++++++
queue-5.10/series | 1 +
2 files changed, 72 insertions(+)
create mode 100644 queue-5.10/scsi-target-fix-write_same-no-data-buffer-crash.patch
diff --git a/queue-5.10/scsi-target-fix-write_same-no-data-buffer-crash.patch b/queue-5.10/scsi-target-fix-write_same-no-data-buffer-crash.patch
new file mode 100644
index 0000000000..8722d5ea34
--- /dev/null
+++ b/queue-5.10/scsi-target-fix-write_same-no-data-buffer-crash.patch
@@ -0,0 +1,71 @@
+From ccd3f449052449a917a3e577d8ba0368f43b8f29 Mon Sep 17 00:00:00 2001
+From: Mike Christie
+Date: Mon, 27 Jun 2022 21:23:25 -0500
+Subject: scsi: target: Fix WRITE_SAME No Data Buffer crash
+
+From: Mike Christie
+
+commit ccd3f449052449a917a3e577d8ba0368f43b8f29 upstream.
+
+In newer version of the SBC specs, we have a NDOB bit that indicates there
+is no data buffer that gets written out. If this bit is set using commands
+like "sg_write_same --ndob" we will crash in target_core_iblock/file's
+execute_write_same handlers when we go to access the se_cmd->t_data_sg
+because its NULL.
+
+This patch adds a check for the NDOB bit in the common WRITE SAME code
+because we don't support it. And, it adds a check for zero SG elements in
+each handler in case the initiator tries to send a normal WRITE SAME with
+no data buffer.
+
+Link: https://lore.kernel.org/r/20220628022325.14627-2-michael.christie@oracle.com
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Mike Christie
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/target_core_file.c | 3 +++
+ drivers/target/target_core_iblock.c | 4 ++++
+ drivers/target/target_core_sbc.c | 6 ++++++
+ 3 files changed, 13 insertions(+)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -455,6 +455,9 @@ fd_execute_write_same(struct se_cmd *cmd
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+
++ if (!cmd->t_data_nents)
++ return TCM_INVALID_CDB_FIELD;
++
+ if (cmd->t_data_nents > 1 ||
+ cmd->t_data_sg[0].length != cmd->se_dev->dev_attrib.block_size) {
+ pr_err("WRITE_SAME: Illegal SGL t_data_nents: %u length: %u"
+--- a/drivers/target/target_core_iblock.c
++++ b/drivers/target/target_core_iblock.c
+@@ -458,6 +458,10 @@ iblock_execute_write_same(struct se_cmd
+ " backends not supported\n");
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
++
++ if (!cmd->t_data_nents)
++ return TCM_INVALID_CDB_FIELD;
++
+ sg = &cmd->t_data_sg[0];
+
+ if (cmd->t_data_nents > 1 ||
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -312,6 +312,12 @@ sbc_setup_write_same(struct se_cmd *cmd,
+ pr_warn("WRITE SAME with ANCHOR not supported\n");
+ return TCM_INVALID_CDB_FIELD;
+ }
++
++ if (flags & 0x01) {
++ pr_warn("WRITE SAME with NDOB not supported\n");
++ return TCM_INVALID_CDB_FIELD;
++ }
++
+ /*
+ * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting
+ * translated into block discard requests within backend code.
diff --git a/queue-5.10/series b/queue-5.10/series
index b090e7ce4a..95f7237e19 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -38,3 +38,4 @@ irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get.patch
 usb-chipidea-ci_hdrc_imx-use-dev_err_probe.patch
 usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-erro.patch
 dm-fix-copying-after-src-array-boundaries.patch
+scsi-target-fix-write_same-no-data-buffer-crash.patch
--
2.47.3
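Review bot: The two backend guards in fd_execute_write_same and iblock_execute_write_same test `cmd->t_data_nents`, while the access they protect is `cmd->t_data_sg[0]`, so they are sufficient only if a non-zero count always implies a non-NULL scatterlist; that invariant is not visible in these hunks and is worth confirming against the 5.10 tree. Both guards also return TCM_INVALID_CDB_FIELD silently although the neighbouring rejections log, so a malformed WRITE SAME from an initiator leaves no trace; a rate-limited line such as `pr_warn_ratelimited("WRITE_SAME: no data buffer\n");` before the return would help detection without letting the initiator flood the log. In sbc_setup_write_same, the bare `flags & 0x01` would read better with a short comment naming the bit, e.g. `/* NDOB: no data-out buffer, not supported */`. The declaration of `flags` lies outside the hunk, so for this backport check that it is passed by value here, as the bitwise test assumes. All three functions start and end outside the quoted context.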