summaryrefslogtreecommitdiff
path: root/drivers/message
diff options
context:
space:
mode:
authorTomas Henzl <thenzl@redhat.com>2020-06-16 18:04:46 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-07-16 09:16:36 +0300
commit2485b6afadd7f8863c4970b13706db3af83c1135 (patch)
tree3285ed1b364d1b6a3acc0fc743283a7ba9c5bbef /drivers/message
parent10533390da7cf1e2750c63dae44cacfa5964dce1 (diff)
downloadlinux-2485b6afadd7f8863c4970b13706db3af83c1135.tar.xz
scsi: mptscsih: Fix read sense data size
[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ] The sense data buffer in sense_buf_pool is allocated with size of MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96) is used when reading the data. That may lead to a read from unallocated area, sometimes from another (unallocated) page. To fix this, limit the read size to MPT_SENSE_BUFFER_ALLOC. Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com Co-developed-by: Stanislav Saner <ssaner@redhat.com> Signed-off-by: Stanislav Saner <ssaner@redhat.com> Signed-off-by: Tomas Henzl <thenzl@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/message')
-rw-r--r--drivers/message/fusion/mptscsih.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
index f0737c57ed5f..1491561d2e5c 100644
--- a/drivers/message/fusion/mptscsih.c
+++ b/drivers/message/fusion/mptscsih.c
@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
int mptscsih_resume(struct pci_dev *pdev);
#endif
-#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE
-
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
/*
@@ -2422,7 +2420,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
/* Copy the sense received into the scsi command block. */
req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
- memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
+ memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
/* Log SMART data (asc = 0x5D, non-IM case only) if required.
*/