Commit b2d6b1d4 authored Jan 21, 2026 by Kery Qi Committed by Martin K. Petersen Jan 23, 2026

scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()

The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of
"tpg->tport_tpgt" is u16. This causes a type truncation issue.

When a user creates a TPG via configfs mkdir, for example:

mkdir /sys/kernel/config/target/sbp/<wwn>/tpgt_70000

The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less
than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt,
the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the
value the user specified to differ from what is actually stored, leading to
confusion and potential unexpected behavior.

Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which
will properly reject values outside the u16 range.

Fixes: a511ce33 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent 4747bafa

drivers/target/sbp/sbp_target.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1960,12 +1960,12 @@ static struct se_portal_group sbp_make_tpg(struct se_wwn wwn,
		container_of(wwn, struct sbp_tport, tport_wwn);

		struct sbp_tpg *tpg;
		unsigned long tpgt;
		u16 tpgt;
		int ret;

		if (strstr(name, "tpgt_") != name)
		return ERR_PTR(-EINVAL);
		if (kstrtoul(name + 5, 10, &tpgt) \|\| tpgt > UINT_MAX)
		if (kstrtou16(name + 5, 10, &tpgt))
		return ERR_PTR(-EINVAL);

		if (tport->tpg) {