summaryrefslogtreecommitdiffstats
path: root/drivers/scsi/sd.c
diff options
context:
space:
mode:
authorBart Van Assche <bvanassche@acm.org>2019-01-23 20:12:37 +0100
committerMartin K. Petersen <martin.petersen@oracle.com>2019-01-29 06:49:23 +0100
commitdb5db4b91cabcf57f3efd98d92d24ab875cde8ae (patch)
treee9f7a50d213e0ff5022aa8080fea26c144290341 /drivers/scsi/sd.c
parentscsi: libsas: Remove scsi_to_u32() (diff)
downloadlinux-db5db4b91cabcf57f3efd98d92d24ab875cde8ae.tar.xz
linux-db5db4b91cabcf57f3efd98d92d24ab875cde8ae.zip
scsi: sd: Protect against READ(6) or WRITE(6) with zero block transfer length
Since the READ(6) and WRITE(6) commands interpret a zero in the transfer length field in the CDB as 256 logical blocks, avoid submitting such commands. Cc: Douglas Gilbert <dgilbert@interlog.com> Cc: Hannes Reinecke <hare@suse.com> Cc: Christoph Hellwig <hch@lst.de> Reported-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Douglas Gilbert <dgilbert@interlog.com> Reviewed-by: Hannes Reinecke <hare@suse.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/sd.c')
-rw-r--r--drivers/scsi/sd.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 7a1cf6c80f6a..4fbb8310e268 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1128,6 +1128,10 @@ static blk_status_t sd_setup_rw6_cmnd(struct scsi_cmnd *cmd, bool write,
sector_t lba, unsigned int nr_blocks,
unsigned char flags)
{
+ /* Avoid that 0 blocks gets translated into 256 blocks. */
+ if (WARN_ON_ONCE(nr_blocks == 0))
+ return BLK_STS_IOERR;
+
if (unlikely(flags & 0x8)) {
/*
* This happens only if this drive failed 10byte rw