| Message ID | 20250220142039.250992-1-arthur.simchaev@sandisk.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v3] ufs: core: bsg: Fix memory crash in case arpmb command failed | expand |
On 2/20/25 6:20 AM, Arthur Simchaev wrote: > In case the device doesn't support arpmb, the kernel get memory crash > due to copy user data in bsg_transport_sg_io_fn level. So in case > ufs_bsg_exec_advanced_rpmb_req returned error, do not set the job's > reply_len. Reviewed-by: Bart Van Assche <bvanassche@acm.org>
On Thu, 20 Feb 2025 16:20:39 +0200, Arthur Simchaev wrote: > In case the device doesn't support arpmb, the kernel get memory crash > due to copy user data in bsg_transport_sg_io_fn level. So in case > ufs_bsg_exec_advanced_rpmb_req returned error, do not set the job's > reply_len. > > Memory crash backtrace: > 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22 > > [...] Applied to 6.14/scsi-fixes, thanks! [1/1] ufs: core: bsg: Fix memory crash in case arpmb command failed https://git.kernel.org/mkp/scsi/c/f27a95845b01
diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c index 8d4ad0a3f2cf..252186124669 100644 --- a/drivers/ufs/core/ufs_bsg.c +++ b/drivers/ufs/core/ufs_bsg.c @@ -194,10 +194,12 @@ static int ufs_bsg_request(struct bsg_job *job) ufshcd_rpm_put_sync(hba); kfree(buff); bsg_reply->result = ret; - job->reply_len = !rpmb ? sizeof(struct ufs_bsg_reply) : sizeof(struct ufs_rpmb_reply); /* complete the job here only if no error */ - if (ret == 0) + if (ret == 0) { + job->reply_len = rpmb ? sizeof(struct ufs_rpmb_reply) : + sizeof(struct ufs_bsg_reply); bsg_job_done(job, ret, bsg_reply->reply_payload_rcv_len); + } return ret; }
In case the device doesn't support arpmb, the kernel get memory crash due to copy user data in bsg_transport_sg_io_fn level. So in case ufs_bsg_exec_advanced_rpmb_req returned error, do not set the job's reply_len. Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22 4,1308,531166555,-;Call Trace: 4,1309,531166559,-; <TASK> 4,1310,531166565,-; ? show_regs+0x6d/0x80 4,1311,531166575,-; ? die+0x37/0xa0 4,1312,531166583,-; ? do_trap+0xd4/0xf0 4,1313,531166593,-; ? do_error_trap+0x71/0xb0 4,1314,531166601,-; ? usercopy_abort+0x6c/0x80 4,1315,531166610,-; ? exc_invalid_op+0x52/0x80 4,1316,531166622,-; ? usercopy_abort+0x6c/0x80 4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20 4,1318,531166643,-; ? usercopy_abort+0x6c/0x80 4,1319,531166652,-; __check_heap_object+0xe3/0x120 4,1320,531166661,-; check_heap_object+0x185/0x1d0 4,1321,531166670,-; __check_object_size.part.0+0x72/0x150 4,1322,531166679,-; __check_object_size+0x23/0x30 4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0 Fixes: 6ff265fc5ef6 ("scsi: ufs: core: bsg: Add advanced RPMB support in ufs_bsg") Cc: stable@vger.kernel.org Reviewed-by: Bean Huo <beanhuo@micron.com> Signed-off-by: Arthur Simchaev <arthur.simchaev@sandisk.com> --- Changes in v3: - changing !rpmb into rpmb and by swapping the two sizeof() expressions --- Changes in v2: - Add Fixes tag - Elaborate commit log --- drivers/ufs/core/ufs_bsg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)