* [PATCH] mptscsih: fix read sense data size
@ 2020-06-16 15:04 Tomas Henzl
2020-06-24 4:29 ` Martin K. Petersen
0 siblings, 1 reply; 2+ messages in thread
From: Tomas Henzl @ 2020-06-16 15:04 UTC (permalink / raw)
To: linux-scsi; +Cc: ssaner, sreekanth.reddy
The sense data buffer in sense_buf_pool is allocated with
size of MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth)
while SNS_LEN(sc)(96) is used when reading the data.
That may lead to a read from unallocated area,
sometimes from another (unallocated) page.
To fix this limit the read size to MPT_SENSE_BUFFER_ALLOC.
Co-developed-by: Stanislav Saner <ssaner@redhat.com>
Signed-off-by: Stanislav Saner <ssaner@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
---
drivers/message/fusion/mptscsih.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
index f0737c57e..1491561d2 100644
--- a/drivers/message/fusion/mptscsih.c
+++ b/drivers/message/fusion/mptscsih.c
@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
int mptscsih_resume(struct pci_dev *pdev);
#endif
-#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE
-
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
/*
@@ -2422,7 +2420,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
/* Copy the sense received into the scsi command block. */
req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
- memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
+ memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
/* Log SMART data (asc = 0x5D, non-IM case only) if required.
*/
--
2.21.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] mptscsih: fix read sense data size
2020-06-16 15:04 [PATCH] mptscsih: fix read sense data size Tomas Henzl
@ 2020-06-24 4:29 ` Martin K. Petersen
0 siblings, 0 replies; 2+ messages in thread
From: Martin K. Petersen @ 2020-06-24 4:29 UTC (permalink / raw)
To: linux-scsi, Tomas Henzl; +Cc: Martin K . Petersen, sreekanth.reddy, ssaner
On Tue, 16 Jun 2020 17:04:46 +0200, Tomas Henzl wrote:
> The sense data buffer in sense_buf_pool is allocated with
> size of MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth)
> while SNS_LEN(sc)(96) is used when reading the data.
> That may lead to a read from unallocated area,
> sometimes from another (unallocated) page.
> To fix this limit the read size to MPT_SENSE_BUFFER_ALLOC.
Applied to 5.8/scsi-fixes, thanks!
[1/1] scsi: mptscsih: Fix read sense data size
https://git.kernel.org/mkp/scsi/c/afe89f115e84
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-06-24 4:29 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-16 15:04 [PATCH] mptscsih: fix read sense data size Tomas Henzl
2020-06-24 4:29 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).