In usbg_submit_command(), which handles the UAS protocol, the 'data_len'
member of the 'usbg_cmd' structure was left uninitialized by the
logic, relying instead on the zeroing performed by usbg_get_cmd().
In contrast, the BOT path (bot_submit_command) explicitly initializes
this field from the Command Block Wrapper (CBW). This discrepancy is
evident in error handling paths where __target_init_cmd() is called
using cmd->data_len.

Explicitly initialize cmd->data_len to 0 in the UAS path and use this
variable when calling target_submit_cmd(). This ensures architectural
consistency between the UAS and BOT protocols within the driver and
avoids reliance on implicit memory state during error transitions.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20260107190622.26070-1-jiashengjiangcool@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
goto out;
target_submit_cmd(se_cmd, tv_nexus->tvn_se_sess, cmd->cmd_buf,
- cmd->sense_iu.sense, cmd->unpacked_lun, 0,
+ cmd->sense_iu.sense, cmd->unpacked_lun, cmd->data_len,
cmd->prio_attr, dir, flags);
return;
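Review bot: the length argument of this target_submit_cmd() call now reads cmd->data_len instead of the literal 0, but the only assignment to that field visible in this patch is the new `cmd->data_len = 0;`, so the value passed is still always zero. Please confirm that no other caller can reach this call with a usbg_cmd whose data_len was set to something else, and add a one-line comment here saying that the UAS path supplies no transfer length at submit time. Without that comment the call reads as if a meaningful length were being forwarded, where the old literal 0 made the intent obvious.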
cmd->tmr_func = 0;
cmd->tmr_rsp = RC_RESPONSE_UNKNOWN;
cmd->flags = 0;
+ cmd->data_len = 0;
cmd_iu = (struct command_iu *)iu;
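Review bot: the added `cmd->data_len = 0;` duplicates what the changelog says usbg_get_cmd() already does by zeroing the structure, so this is a consistency change with no functional effect, and the changelog should say so ("no functional change intended") to keep it from being read as a fix for an uninitialized read. The placement is right: it sits with the other field resets and before the cast of iu to cmd_iu, so any early error exit taken after parsing starts sees a defined value. If the explicit reset is kept, consider whether the neighbouring resets (tmr_func, flags) and this one are all still needed on top of the zeroing in usbg_get_cmd(), or whether one mechanism should be chosen and documented.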