| From 386c9e0af9b82b9b9d8f4ac9d27058f7061b81ef Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 16 Jun 2020 17:04:46 +0200 |
| Subject: scsi: mptscsih: Fix read sense data size |
| |
| From: Tomas Henzl <thenzl@redhat.com> |
| |
| [ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ] |
| |
| The sense data buffer in sense_buf_pool is allocated with size of |
| MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96) |
| is used when reading the data. That may lead to a read from unallocated |
| area, sometimes from another (unallocated) page. To fix this, limit the |
| read size to MPT_SENSE_BUFFER_ALLOC. |
| |
| Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com |
| Co-developed-by: Stanislav Saner <ssaner@redhat.com> |
| Signed-off-by: Stanislav Saner <ssaner@redhat.com> |
| Signed-off-by: Tomas Henzl <thenzl@redhat.com> |
| Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/message/fusion/mptscsih.c | 4 +--- |
| 1 file changed, 1 insertion(+), 3 deletions(-) |
| |
| diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c |
| index f0737c57ed5fc..1491561d2e5c9 100644 |
| --- a/drivers/message/fusion/mptscsih.c |
| +++ b/drivers/message/fusion/mptscsih.c |
| @@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state); |
| int mptscsih_resume(struct pci_dev *pdev); |
| #endif |
| |
| -#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE |
| - |
| |
| /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/ |
| /* |
| @@ -2422,7 +2420,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR |
| /* Copy the sense received into the scsi command block. */ |
| req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx); |
| sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC)); |
| - memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc)); |
| + memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC); |
| |
| /* Log SMART data (asc = 0x5D, non-IM case only) if required. |
| */ |
| -- |
| 2.25.1 |
| |