From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Jens Axboe , Sasha Levin Subject: [PATCH 4.14 29/62] libata: add SG safety checks in SFF pio transfers Date: Tue, 27 Aug 2019 09:50:34 +0200 Message-Id: <20190827072702.445760099@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190827072659.803647352@linuxfoundation.org> References: <20190827072659.803647352@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ] Abort processing of a command if we run out of mapped data in the SG list. This should never happen, but a previous bug caused it to be possible. Play it safe and attempt to abort nicely if we don't have more SG segments left. Reviewed-by: Kees Cook Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- drivers/ata/libata-sff.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c index cc2f2e35f4c2e..8c36ff0c2dd49 100644 --- a/drivers/ata/libata-sff.c +++ b/drivers/ata/libata-sff.c @@ -704,6 +704,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) unsigned int offset; unsigned char *buf; + if (!qc->cursg) { + qc->curbytes = qc->nbytes; + return; + } if (qc->curbytes == qc->nbytes - qc->sect_size) ap->hsm_task_state = HSM_ST_LAST; @@ -729,6 +733,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) if (qc->cursg_ofs == qc->cursg->length) { qc->cursg = sg_next(qc->cursg); + if (!qc->cursg) + ap->hsm_task_state = HSM_ST_LAST; qc->cursg_ofs = 0; } } -- 2.20.1
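Review bot: The early return at the top of ata_pio_sector() (first hunk) is silent and leaves no trace that the SG list ran out. The commit message says this "should never happen", yet the path sets `qc->curbytes = qc->nbytes` and returns, so the command looks as if every byte was transferred, and nothing in the hunk logs the condition or marks the command as failed. A `WARN_ON_ONCE(!qc->cursg)` around the check, plus an error recorded on the qc, would make a recurrence of the earlier bug visible instead of completing a short transfer quietly. This path also returns before the `ap->hsm_task_state = HSM_ST_LAST` assignment that follows it, so it relies on the second hunk having already moved the state machine; a one-line comment stating that dependency would help.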
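Review bot: The NULL check added after `qc->cursg = sg_next(qc->cursg)` (second hunk) does not distinguish the normal end of the list from premature exhaustion. sg_next() also returns NULL once the final segment has been consumed by the last sector, in which case the state was already set to HSM_ST_LAST at the top of the function and this assignment is redundant; only the case where `qc->curbytes` is still short of `qc->nbytes` is the error being guarded against. Testing that condition explicitly and adding a short comment would make the intent clear. The handling also differs from the first hunk, which sets `qc->curbytes = qc->nbytes`; here the byte count is left as it is, so the two abort paths leave the qc in different states.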