mptscsih: fix read sense data size

Message ID	20200616150446.4840-1-thenzl@redhat.com (mailing list archive)
State	Mainlined
Commit	afe89f115e84edbc76d316759e206580a06c6973
Headers	show Return-Path: <SRS0=Wxou=75=vger.kernel.org=linux-scsi-owner@kernel.org> From: Tomas Henzl <thenzl@redhat.com> To: linux-scsi@vger.kernel.org Cc: ssaner@redhat.com, sreekanth.reddy@broadcom.com Subject: [PATCH] mptscsih: fix read sense data size Date: Tue, 16 Jun 2020 17:04:46 +0200 Message-Id: <20200616150446.4840-1-thenzl@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk
Series	mptscsih: fix read sense data size \| expand mptscsih: fix read sense data size

Message ID

20200616150446.4840-1-thenzl@redhat.com (mailing list archive)

State

Mainlined

Commit

afe89f115e84edbc76d316759e206580a06c6973

Headers

From: Tomas Henzl <thenzl@redhat.com>
To: linux-scsi@vger.kernel.org
Cc: ssaner@redhat.com, sreekanth.reddy@broadcom.com
Subject: [PATCH] mptscsih: fix read sense data size
Date: Tue, 16 Jun 2020 17:04:46 +0200
Message-Id: <20200616150446.4840-1-thenzl@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk

Series

mptscsih: fix read sense data size | expand

Commit Message

Tomas Henzl June 16, 2020, 3:04 p.m. UTC

The sense data buffer in sense_buf_pool is allocated with
size of MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth)
while SNS_LEN(sc)(96) is used when reading the data.
That may lead to a read from unallocated area,
sometimes from another (unallocated) page.
To fix this limit the read size to MPT_SENSE_BUFFER_ALLOC.

Co-developed-by: Stanislav Saner <ssaner@redhat.com>
Signed-off-by: Stanislav Saner <ssaner@redhat.com>
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
---
 drivers/message/fusion/mptscsih.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

Comments

Martin K. Petersen June 24, 2020, 4:29 a.m. UTC | #1

On Tue, 16 Jun 2020 17:04:46 +0200, Tomas Henzl wrote:

> The sense data buffer in sense_buf_pool is allocated with
> size of MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth)
> while SNS_LEN(sc)(96) is used when reading the data.
> That may lead to a read from unallocated area,
> sometimes from another (unallocated) page.
> To fix this limit the read size to MPT_SENSE_BUFFER_ALLOC.

Applied to 5.8/scsi-fixes, thanks!

[1/1] scsi: mptscsih: Fix read sense data size
      https://git.kernel.org/mkp/scsi/c/afe89f115e84

diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
index f0737c57e..1491561d2 100644
--- a/drivers/message/fusion/mptscsih.c
+++ b/drivers/message/fusion/mptscsih.c
@@ -118,8 +118,6 @@  int 		mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
 int 		mptscsih_resume(struct pci_dev *pdev);
 #endif
 
-#define SNS_LEN(scp)	SCSI_SENSE_BUFFERSIZE
-
 
 /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
 /*
@@ -2422,7 +2420,7 @@  mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
 		/* Copy the sense received into the scsi command block. */
 		req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
 		sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
-		memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
+		memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
 
 		/* Log SMART data (asc = 0x5D, non-IM case only) if required.
 		 */

mptscsih: fix read sense data size

Commit Message

Comments

Patch