git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Kery Qi <qikeyu2017@gmail.com>
	Wed, 21 Jan 2026 11:45:15 +0000 (19:45 +0800)
committer	Martin K. Petersen <martin.petersen@oracle.com>
	Sat, 24 Jan 2026 03:41:21 +0000 (22:41 -0500)
commit	b2d6b1d443009ed4da2d69f5423ab38e5780505a
tree	654ac99db1dbe749d6a10f2198c0f6f27cf29b05	tree \| snapshot
parent	4747bafaa50115d9667ece446b1d2d4aba83dc7f	commit \| diff

scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()

The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of
"tpg->tport_tpgt" is u16. This causes a type truncation issue.

When a user creates a TPG via configfs mkdir, for example:

mkdir /sys/kernel/config/target/sbp/<wwn>/tpgt_70000

The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less
than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt,
the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the
value the user specified to differ from what is actually stored, leading to
confusion and potential unexpected behavior.

Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which
will properly reject values outside the u16 range.

Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>