Commit 3ca013cd authored by Jens Axboe's avatar Jens Axboe Committed by Greg Kroah-Hartman

libata: add SG safety checks in SFF pio transfers

[ Upstream commit 752ead44 ]

Abort processing of a command if we run out of mapped data in the
SG list. This should never happen, but a previous bug caused it to
be possible. Play it safe and attempt to abort nicely if we don't
have more SG segments left.
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 3b84bbef
...@@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) ...@@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
unsigned int offset; unsigned int offset;
unsigned char *buf; unsigned char *buf;
if (!qc->cursg) {
qc->curbytes = qc->nbytes;
return;
}
if (qc->curbytes == qc->nbytes - qc->sect_size) if (qc->curbytes == qc->nbytes - qc->sect_size)
ap->hsm_task_state = HSM_ST_LAST; ap->hsm_task_state = HSM_ST_LAST;
...@@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) ...@@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
if (qc->cursg_ofs == qc->cursg->length) { if (qc->cursg_ofs == qc->cursg->length) {
qc->cursg = sg_next(qc->cursg); qc->cursg = sg_next(qc->cursg);
if (!qc->cursg)
ap->hsm_task_state = HSM_ST_LAST;
qc->cursg_ofs = 0; qc->cursg_ofs = 0;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment