releases/4.4.81/libata-array-underflow-in-ata_find_dev.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 59a5e266c3f5c1567508888dd61a45b86daed0fa Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Wed, 19 Jul 2017 13:06:41 +0300
 Subject: libata: array underflow in ata_find_dev()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream.

 My static checker complains that "devno" can be negative, meaning that
 we read before the start of the loop.  I've looked at the code, and I
 think the warning is right.  This come from /proc so it's root only or
 it would be quite a quite a serious bug.  The call tree looks like this:

 proc_scsi_write() <- gets id and channel from simple_strtoul()
 -> scsi_add_single_device() <- calls shost->transportt->user_scan()
    -> ata_scsi_user_scan()
       -> ata_find_dev()

 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Tejun Heo <tj@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/ata/libata-scsi.c |    6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 --- a/drivers/ata/libata-scsi.c
 +++ b/drivers/ata/libata-scsi.c
 @@ -2832,10 +2832,12 @@ static unsigned int atapi_xlat(struct at
  static struct ata_device *ata_find_dev(struct ata_port *ap, int devno)
  {
  	if (!sata_pmp_attached(ap)) {
 -		if (likely(devno < ata_link_max_devices(&ap->link)))
 +		if (likely(devno >= 0 &&
 +			   devno < ata_link_max_devices(&ap->link)))
  			return &ap->link.device[devno];
  	} else {
 -		if (likely(devno < ap->nr_pmp_links))
 +		if (likely(devno >= 0 &&
 +			   devno < ap->nr_pmp_links))
  			return &ap->pmp_link[devno].device[0];
  	}
	From 59a5e266c3f5c1567508888dd61a45b86daed0fa Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Wed, 19 Jul 2017 13:06:41 +0300
	Subject: libata: array underflow in ata_find_dev()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream.

	My static checker complains that "devno" can be negative, meaning that
	we read before the start of the loop. I've looked at the code, and I
	think the warning is right. This come from /proc so it's root only or
	it would be quite a quite a serious bug. The call tree looks like this:

	proc_scsi_write() <- gets id and channel from simple_strtoul()
	-> scsi_add_single_device() <- calls shost->transportt->user_scan()
	-> ata_scsi_user_scan()
	-> ata_find_dev()

	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Tejun Heo <tj@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/ata/libata-scsi.c \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	--- a/drivers/ata/libata-scsi.c
	+++ b/drivers/ata/libata-scsi.c
	@@ -2832,10 +2832,12 @@ static unsigned int atapi_xlat(struct at
	static struct ata_device ata_find_dev(struct ata_port ap, int devno)
	{
	if (!sata_pmp_attached(ap)) {
	- if (likely(devno < ata_link_max_devices(&ap->link)))
	+ if (likely(devno >= 0 &&
	+ devno < ata_link_max_devices(&ap->link)))
	return &ap->link.device[devno];
	} else {
	- if (likely(devno < ap->nr_pmp_links))
	+ if (likely(devno >= 0 &&
	+ devno < ap->nr_pmp_links))
	return &ap->pmp_link[devno].device[0];
	}