UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

SCSI fixes on 20190607 

Two bug fixes, both for fairly serious problems; the UFS one looks
 like it could be used to exfiltrate data from the kernel, although
 probably only a privileged user has access to the command management
 interface and the missing unlock in smartpqi is long standing and
 probably a little used error path.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCXPtPfyYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishV8bAP9ZWyAE
 2S5emgr42Q9IunXQ305k1i/ek4y5iq3VVLmJqAD/cJgZiCcNenry8jf9McRGFBKO
 HOLewQ+ErQvjf6DuxMM=
 =7+Oe
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Two bug fixes, both for fairly serious problems; the UFS one looks
  like it could be used to exfiltrate data from the kernel, although
  probably only a privileged user has access to the command management
  interface and the missing unlock in smartpqi is long standing and
  probably a little used error path"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous()
  scsi: ufs: Check that space was properly alloced in copy_query_response
This commit is contained in:
Linus Torvalds 2019-06-08 11:54:17 -07:00
parent 0ad43e29b6 cc8f52609b
commit 1b02caa319
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/scsi/smartpqi/smartpqi_init.c
View File

@ -4046,8 +4046,10 @@ static int pqi_submit_raid_request_synchronous(struct pqi_ctrl_info *ctrl_info,
return -ETIMEDOUT;
msecs_blocked =
jiffies_to_msecs(jiffies - start_jiffies);
if (msecs_blocked >= timeout_msecs)
return -ETIMEDOUT;
if (msecs_blocked >= timeout_msecs) {
rc = -ETIMEDOUT;
goto out;
}
timeout_msecs -= msecs_blocked;
}
}

3
drivers/scsi/ufs/ufshcd.c
View File

@ -1917,7 +1917,8 @@ int ufshcd_copy_query_response(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
memcpy(&query_res->upiu_res, &lrbp->ucd_rsp_ptr->qr, QUERY_OSF_SIZE);
/* Get the descriptor */
if (lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
if (hba->dev_cmd.query.descriptor &&
lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
u8 *descp = (u8 *)lrbp->ucd_rsp_ptr +
GENERAL_UPIU_REQUEST_SIZE;
u16 resp_len;