diff options
| author | Jens Axboe <axboe@kernel.dk> | 2019-08-07 21:23:57 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-29 09:28:45 +0300 |
| commit | 3ca013cd63be479be95ea953d08295f05f550c19 (patch) | |
| tree | d909025a313060f4ef743c504b592725a45edef1 /drivers/ata | |
| parent | 3b84bbef51c486af18fe93320ba85c065cf40caa (diff) | |
| download | linux-3ca013cd63be479be95ea953d08295f05f550c19.tar.xz | |
libata: add SG safety checks in SFF pio transfers
[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ]
Abort processing of a command if we run out of mapped data in the
SG list. This should never happen, but a previous bug caused it to
be possible. Play it safe and attempt to abort nicely if we don't
have more SG segments left.
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/ata')
| -rw-r--r-- | drivers/ata/libata-sff.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c index c5ea0fc635e5..873cc0906055 100644 --- a/drivers/ata/libata-sff.c +++ b/drivers/ata/libata-sff.c @@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) unsigned int offset; unsigned char *buf; + if (!qc->cursg) { + qc->curbytes = qc->nbytes; + return; + } if (qc->curbytes == qc->nbytes - qc->sect_size) ap->hsm_task_state = HSM_ST_LAST; @@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) if (qc->cursg_ofs == qc->cursg->length) { qc->cursg = sg_next(qc->cursg); + if (!qc->cursg) + ap->hsm_task_state = HSM_ST_LAST; qc->cursg_ofs = 0; } } |