
Commit 3ca013cd authored by Jens Axboe's avatar Jens Axboe Committed by Greg Kroah-Hartman

libata: add SG safety checks in SFF pio transfers



[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ]

Abort processing of a command if we run out of mapped data in the
SG list. This should never happen, but a previous bug caused it to
be possible. Play it safe and attempt to abort nicely if we don't
have more SG segments left.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
parent 3b84bbef
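--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 	unsigned int offset;
 	unsigned char *buf;
 
+	if (!qc->cursg) {
+		qc->curbytes = qc->nbytes;
+		return;
+	}
 	if (qc->curbytes == qc->nbytes - qc->sect_size)
 		ap->hsm_task_state = HSM_ST_LAST;
 
@@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 
 	if (qc->cursg_ofs == qc->cursg->length) {
 		qc->cursg = sg_next(qc->cursg);
+		if (!qc->cursg)
+			ap->hsm_task_state = HSM_ST_LAST;
 		qc->cursg_ofs = 0;
 	}
 }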
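Review bot: The new `if (!qc->cursg)` guard at the top of ata_pio_sector ends the transfer silently: it sets `qc->curbytes = qc->nbytes` and returns without logging anything or recording an error on the command, so as far as these lines show, an exhausted SG list looks the same as a completed transfer. Since the commit message says this state should never happen, it would be worth making it visible, for example `if (WARN_ON_ONCE(!qc->cursg)) {`, with a comment that the byte count is forced to the total only to stop further PIO. The second hunk has the same gap: when `sg_next()` returns NULL the state moves to `HSM_ST_LAST` even if `qc->curbytes` is still short of `qc->nbytes`, and whether a caller reports that as an error is not visible here. The part of the function between the two hunks is not shown on the page.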