Currently the vendor, model, and revision members of struct scsi_device
are pointers to fixed-length strings that are not NUL-terminated.
Fixed-precision format specifiers (e.g., "%.8s") are required whenever
they are printed and strncmp() must be used to compare these fields.
This is error-prone.
Convert these fields to fixed-size character arrays within struct
scsi_device. Remove an !sdev->model check because sdev->model is now
guaranteed not to be NULL.
This patch fixes a bug in the qla2xxx driver. It makes the following
code safe:
if (state_flags & BIT_4)
scmd_printk(KERN_WARNING, cp,
"Unsupported device '%s' found.\n",
cp->device->vendor);
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Brian Bunker <brian@purestorage.com>
Link: https://patch.msgid.link/20260515205222.1754621-4-bvanassche@acm.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
struct scsi_device *sdev = st->sdev;
unsigned int ctr;
- if (!sdev->model)
- return false;
-
/*
* The "model" field contains just the raw SCSI INQUIRY response
* "product identification" field, which has a width of 16 bytes.
- * This field is space-filled, but is NOT NULL-terminated.
+ * This field is space-filled and NUL-terminated.
*/
for (ctr = 0; ctr < ARRAY_SIZE(sct_avoid_models); ctr++)
if (!strncmp(sdev->model, sct_avoid_models[ctr],
if (!sdev)
goto out;
- sdev->vendor = scsi_null_device_strs;
- sdev->model = scsi_null_device_strs;
- sdev->rev = scsi_null_device_strs;
+ strscpy(sdev->vendor, scsi_null_device_strs);
+ strscpy(sdev->model, scsi_null_device_strs);
+ strscpy(sdev->rev, scsi_null_device_strs);
sdev->host = shost;
sdev->queue_ramp_up_period = SCSI_DEFAULT_RAMP_UP_PERIOD;
sdev->id = starget->id;
if (sdev->inquiry == NULL)
return SCSI_SCAN_NO_RESPONSE;
- sdev->vendor = (char *) (sdev->inquiry + 8);
- sdev->model = (char *) (sdev->inquiry + 16);
- sdev->rev = (char *) (sdev->inquiry + 32);
+ strscpy(sdev->vendor, sdev->inquiry + INQUIRY_VENDOR_OFFSET);
+ strscpy(sdev->model, sdev->inquiry + INQUIRY_MODEL_OFFSET);
+ /*
+ * memcpy() instead of strscpy() because strscpy() would read past
+ * the end of sdev->inquiry if its length is exactly 36 bytes.
+ */
+ memcpy(sdev->rev, sdev->inquiry + INQUIRY_REVISION_OFFSET,
+ INQUIRY_REVISION_LEN);
+ sdev->rev[INQUIRY_REVISION_LEN] = '\0';
sdev->is_ata = strncmp(sdev->vendor, "ATA ", 8) == 0;
if (sdev->is_ata) {
#include <linux/workqueue.h>
#include <linux/blk-mq.h>
#include <scsi/scsi.h>
+#include <scsi/scsi_common.h>
#include <linux/atomic.h>
#include <linux/sbitmap.h>
struct mutex inquiry_mutex;
unsigned char inquiry_len; /* valid bytes in 'inquiry' */
unsigned char * inquiry; /* INQUIRY response data */
- const char * vendor; /* [back_compat] point into 'inquiry' ... */
- const char * model; /* ... after scan; point to static string */
- const char * rev; /* ... "nullnullnullnull" before scan */
+ char vendor[INQUIRY_VENDOR_LEN + 1];
+ char model[INQUIRY_MODEL_LEN + 1];
+ char rev[INQUIRY_REVISION_LEN + 1];
#define SCSI_DEFAULT_VPD_LEN 255 /* default SCSI VPD page size (max) */
struct scsi_vpd __rcu *vpd_pg0;
projects / thirdparty / kernel / linux.git / commitdiff
