Commit 312904ba authored Jun 16, 2020 by Tomas Henzl Committed by Greg Kroah-Hartman Jul 16, 2020

scsi: mptscsih: Fix read sense data size

[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ]

The sense data buffer in sense_buf_pool is allocated with size of
MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96)
is used when reading the data.  That may lead to a read from unallocated
area, sometimes from another (unallocated) page.  To fix this, limit the
read size to MPT_SENSE_BUFFER_ALLOC.

Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com


Co-developed-by: Stanislav Saner <ssaner@redhat.com>
Signed-off-by: Stanislav Saner <ssaner@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 9634cd8e

drivers/message/fusion/mptscsih.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
		int mptscsih_resume(struct pci_dev *pdev);
		#endif

		#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE


		/=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=/
		/*
		@@ -2420,7 +2418,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd sc, MPT_SCSI_HOST hd, MPT_FRAME_HDR
		/* Copy the sense received into the scsi command block. */
		req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
		sense_data = ((u8 )ioc->sense_buf_pool + (req_index MPT_SENSE_BUFFER_ALLOC));
		memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
		memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);

		/* Log SMART data (asc = 0x5D, non-IM case only) if required.
		*/