Linux-ide Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH AUTOSEL 5.2 100/123] ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe
       [not found] <20190814021047.14828-1-sashal@kernel.org>
@ 2019-08-14  2:10 ` Sasha Levin
  2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 111/123] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Sasha Levin
  2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 112/123] libata: add SG safety checks in SFF pio transfers Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2019-08-14  2:10 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Gustavo A. R. Silva, Jens Axboe, Sasha Levin, linux-ide

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

[ Upstream commit db341a049ec7e87053c91008cb452d0bfa6dde72 ]

Fix the following warning (Building: rb532_defconfig mips):

drivers/ata/pata_rb532_cf.c: In function ‘rb532_pata_driver_remove’:
drivers/ata/pata_rb532_cf.c:161:24: warning: unused variable ‘info’ [-Wunused-variable]
  struct rb532_cf_info *info = ah->private_data;
                        ^~~~

Fixes: cd56f35e52d9 ("ata: rb532_cf: Convert to use GPIO descriptors")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/pata_rb532_cf.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/ata/pata_rb532_cf.c b/drivers/ata/pata_rb532_cf.c
index 7c37f2ff09e41..deae466395de1 100644
--- a/drivers/ata/pata_rb532_cf.c
+++ b/drivers/ata/pata_rb532_cf.c
@@ -158,7 +158,6 @@ static int rb532_pata_driver_probe(struct platform_device *pdev)
 static int rb532_pata_driver_remove(struct platform_device *pdev)
 {
 	struct ata_host *ah = platform_get_drvdata(pdev);
-	struct rb532_cf_info *info = ah->private_data;
 
 	ata_host_detach(ah);
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH AUTOSEL 5.2 111/123] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
       [not found] <20190814021047.14828-1-sashal@kernel.org>
  2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 100/123] ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe Sasha Levin
@ 2019-08-14  2:10 ` Sasha Levin
  2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 112/123] libata: add SG safety checks in SFF pio transfers Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2019-08-14  2:10 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jens Axboe, Krishna Ram Prakash R, Kees Cook, Sasha Levin, linux-ide

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ]

For passthrough requests, libata-scsi takes what the user passes in
as gospel. This can be problematic if the user fills in the CDB
incorrectly. One example of that is in request sizes. For read/write
commands, the CDB contains fields describing the transfer length of
the request. These should match with the SG_IO header fields, but
libata-scsi currently does no validation of that.

Check that the number of blocks in the CDB for passthrough requests
matches what was mapped into the request. If the CDB asks for more
data then the validated SG_IO header fields, error it.

Reported-by: Krishna Ram Prakash R <krp@gtux.in>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index 391ac0503dc07..76d0f9de767bc 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1786,6 +1786,21 @@ static unsigned int ata_scsi_verify_xlat(struct ata_queued_cmd *qc)
 	return 1;
 }
 
+static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks)
+{
+	struct request *rq = scmd->request;
+	u32 req_blocks;
+
+	if (!blk_rq_is_passthrough(rq))
+		return true;
+
+	req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size;
+	if (n_blocks > req_blocks)
+		return false;
+
+	return true;
+}
+
 /**
  *	ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one
  *	@qc: Storage for translated ATA taskfile
@@ -1830,6 +1845,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 		scsi_10_lba_len(cdb, &block, &n_block);
 		if (cdb[1] & (1 << 3))
 			tf_flags |= ATA_TFLAG_FUA;
+		if (!ata_check_nblocks(scmd, n_block))
+			goto invalid_fld;
 		break;
 	case READ_6:
 	case WRITE_6:
@@ -1844,6 +1861,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 		 */
 		if (!n_block)
 			n_block = 256;
+		if (!ata_check_nblocks(scmd, n_block))
+			goto invalid_fld;
 		break;
 	case READ_16:
 	case WRITE_16:
@@ -1854,6 +1873,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
 		scsi_16_lba_len(cdb, &block, &n_block);
 		if (cdb[1] & (1 << 3))
 			tf_flags |= ATA_TFLAG_FUA;
+		if (!ata_check_nblocks(scmd, n_block))
+			goto invalid_fld;
 		break;
 	default:
 		DPRINTK("no-byte command\n");
-- 
2.20.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH AUTOSEL 5.2 112/123] libata: add SG safety checks in SFF pio transfers
       [not found] <20190814021047.14828-1-sashal@kernel.org>
  2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 100/123] ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe Sasha Levin
  2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 111/123] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Sasha Levin
@ 2019-08-14  2:10 ` Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2019-08-14  2:10 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Jens Axboe, Kees Cook, Sasha Levin, linux-ide

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ]

Abort processing of a command if we run out of mapped data in the
SG list. This should never happen, but a previous bug caused it to
be possible. Play it safe and attempt to abort nicely if we don't
have more SG segments left.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/libata-sff.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
index 10aa278821427..4f115adb4ee83 100644
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -658,6 +658,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 	unsigned int offset;
 	unsigned char *buf;
 
+	if (!qc->cursg) {
+		qc->curbytes = qc->nbytes;
+		return;
+	}
 	if (qc->curbytes == qc->nbytes - qc->sect_size)
 		ap->hsm_task_state = HSM_ST_LAST;
 
@@ -683,6 +687,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 
 	if (qc->cursg_ofs == qc->cursg->length) {
 		qc->cursg = sg_next(qc->cursg);
+		if (!qc->cursg)
+			ap->hsm_task_state = HSM_ST_LAST;
 		qc->cursg_ofs = 0;
 	}
 }
-- 
2.20.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20190814021047.14828-1-sashal@kernel.org>
2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 100/123] ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe Sasha Levin
2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 111/123] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests Sasha Levin
2019-08-14  2:10 ` [PATCH AUTOSEL 5.2 112/123] libata: add SG safety checks in SFF pio transfers Sasha Levin

Linux-ide Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-ide/0 linux-ide/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-ide linux-ide/ https://lore.kernel.org/linux-ide \
		linux-ide@vger.kernel.org linux-ide@archiver.kernel.org
	public-inbox-index linux-ide

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-ide


AGPL code for this site: git clone https://public-inbox.org/ public-inbox