[PATCH] scsi: megaraid: cap passthrough copyout length

From: Yousef Alhouseen

Date: Wed Jun 24 2026 - 13:41:55 EST


MIMD passthrough commands store the DMA transfer length in dataxferlen.
The common ioctl path copied xferlen bytes back to userspace instead.
For read commands, a larger xferlen can expose stale DMA buffer bytes.
Those bytes are beyond the data returned by the controller.

Validate dataxferlen for both directions and copy back only that length.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/scsi/megaraid/megaraid_mm.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c
index e57266590..75f6b7198 100644
--- a/drivers/scsi/megaraid/megaraid_mm.c
+++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -480,12 +480,14 @@ mimd_to_kioc(mimd_t __user *umimd, mraid_mmadp_t *adp, uioc_t *kioc)
return (-EFAULT);
}

+ if (pthru32->dataxferlen > kioc->xferlen)
+ return -EINVAL;
+ kioc->user_data_len = pthru32->dataxferlen;
+
pthru32->dataxferaddr = kioc->buf_paddr;
if (kioc->data_dir & UIOC_WR) {
- if (pthru32->dataxferlen > kioc->xferlen)
- return -EINVAL;
if (copy_from_user(kioc->buf_vaddr, kioc->user_data,
- pthru32->dataxferlen)) {
+ pthru32->dataxferlen)) {
return (-EFAULT);
}
}
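Review bot: the copyout cap this patch claims rests entirely on `kioc->user_data_len = pthru32->dataxferlen;`, but nothing in this hunk shows where user_data_len is consumed, so the changelog (or a second hunk with that context) should name the completion-path copy_to_user site that reads user_data_len and confirm it no longer uses kioc->xferlen; as posted, a reader cannot verify the "copy back only that length" claim from the diff alone. Hoisting `if (pthru32->dataxferlen > kioc->xferlen) return -EINVAL;` above the UIOC_WR branch is the right move, since it now gates read commands as well before `pthru32->dataxferaddr = kioc->buf_paddr;` is assigned, and it is worth stating in the changelog that pthru32 is user-supplied, which is why the bound must be checked in both directions. Separately, the removed and added `pthru32->dataxferlen)) {` continuation lines are identical apart from indentation; drop that unrelated whitespace churn or mention it explicitly so it does not read as a functional change.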
--
2.54.0