[PATCH] SCSI core: always store >= 36 bytes of INQUIRY data

This patch (as810c) copies a minimum of 36 bytes of INQUIRY data, even if
the device claims that not all of them are valid. Often badly behaved
devices put plausible data in the Vendor, Product, and Revision strings but
set the Additional Length byte to a small value. Using potentially valid
data is certainly better than allocating a short buffer and then reading
beyond the end of it, which is what we do now.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by Alan Stern and committed by Linus Torvalds 09123d23 f72fa707

+15 -5
drivers/scsi/scsi_scan.c
··· 631 631 * scanning run at their own risk, or supply a user level program 632 632 * that can correctly scan. 633 633 */ 634 - sdev->inquiry = kmalloc(sdev->inquiry_len, GFP_ATOMIC); 635 - if (sdev->inquiry == NULL) { 636 - return SCSI_SCAN_NO_RESPONSE; 637 - } 638 634 639 - memcpy(sdev->inquiry, inq_result, sdev->inquiry_len); 635 + /* 636 + * Copy at least 36 bytes of INQUIRY data, so that we don't 637 + * dereference unallocated memory when accessing the Vendor, 638 + * Product, and Revision strings. Badly behaved devices may set 639 + * the INQUIRY Additional Length byte to a small value, indicating 640 + * these strings are invalid, but often they contain plausible data 641 + * nonetheless. It doesn't matter if the device sent < 36 bytes 642 + * total, since scsi_probe_lun() initializes inq_result with 0s. 643 + */ 644 + sdev->inquiry = kmemdup(inq_result, 645 + max_t(size_t, sdev->inquiry_len, 36), 646 + GFP_ATOMIC); 647 + if (sdev->inquiry == NULL) 648 + return SCSI_SCAN_NO_RESPONSE; 649 + 640 650 sdev->vendor = (char *) (sdev->inquiry + 8); 641 651 sdev->model = (char *) (sdev->inquiry + 16); 642 652 sdev->rev = (char *) (sdev->inquiry + 32);
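Review bot: the copy length max_t(size_t, sdev->inquiry_len, 36) in the kmemdup() call assumes that inq_result is at least 36 bytes long and that any bytes the device did not return are zero; the new comment asserts the zero-fill for scsi_probe_lun(), but neither the allocation size of inq_result nor that initialization is visible in this hunk, so the comment should also name the size inq_result is allocated with (or the code should clamp the copy to it) to make clear the read stays in bounds. Separately, sdev->inquiry_len is left at the device-reported value while sdev->inquiry now holds at least 36 bytes, so any later consumer that walks sdev->inquiry for inquiry_len bytes will still stop short of the Vendor/Product/Revision strings at offsets 8, 16 and 32; if that is intended, a sentence in the comment saying that only the vendor/model/rev pointers rely on the padded copy would save the next reader from wondering whether inquiry_len should be raised to 36 as well.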