From: Samuel Moelius
To: "James E.J. Bottomley"
Cc: Samuel Moelius, "Martin K. Petersen", linux-scsi@vger.kernel.org (open list:SCSI SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] scsi: scsi_debug: fix one-partition tape setup bounds
Date: Wed, 3 Jun 2026 23:55:48 +0000
Message-ID: <20260603235616.124535-1-sam.moelius@trailofbits.com>

The tape setup path writes partition metadata one element past the
allocated tape_blocks array when a one-partition configuration is
selected. That corrupts adjacent state during device initialization
before any command is issued.

Reject a declared multi-partition layout that has no space for
partition 1, and initialize partition 1's marker only when partition 1
exists.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius
---
Changes in v2
- Fixed handling of part_1_size == 0 case

 drivers/scsi/scsi_debug.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 1515495fd9ea..edcc2f5f6977 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c 
@@ -3661,12 +3661,18 @@ static int partition_tape(struct sdebug_dev_info *d= evip, int nbr_partitions, =20 if (part_0_size + part_1_size > TAPE_UNITS) return -1; + if (nbr_partitions > 1 && part_1_size <=3D 0) + return -1; devip->tape_eop[0] =3D part_0_size; devip->tape_blocks[0]->fl_size =3D TAPE_BLOCK_EOD_FLAG; devip->tape_eop[1] =3D part_1_size; - devip->tape_blocks[1] =3D devip->tape_blocks[0] + - devip->tape_eop[0]; - devip->tape_blocks[1]->fl_size =3D TAPE_BLOCK_EOD_FLAG; + if (nbr_partitions > 1) { + devip->tape_blocks[1] =3D devip->tape_blocks[0] + + devip->tape_eop[0]; + devip->tape_blocks[1]->fl_size =3D TAPE_BLOCK_EOD_FLAG; + } else { + devip->tape_blocks[1] =3D NULL; + } =20 for (i =3D 0 ; i < TAPE_MAX_PARTITIONS; i++) devip->tape_location[i] =3D 0; --=20 2.43.0
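
Review bot: In the new else branch, tape_blocks[1] is set to NULL, but the unchanged assignment tape_eop[1] = part_1_size just above it still runs for a one-partition layout, and nothing in the hunk forces part_1_size to 0 when nbr_partitions is 1 (the added check only covers nbr_partitions > 1). That can leave a nonzero end-of-partition value paired with a NULL block pointer, so later code that trusts tape_eop[1] could dereference NULL. Consider setting tape_eop[1] to 0 in the else branch, or rejecting a nonzero part_1_size when nbr_partitions is 1, and confirm that existing users of tape_blocks[1] tolerate NULL. The commit message describes an out-of-bounds write at initialization but carries no Fixes: tag; adding one would help stable backports.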