[GIT PULL] SCSI fixes for 5.2-rc3

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [GIT PULL] SCSI fixes for 5.2-rc3
@ 2019-06-08  6:05 James Bottomley
  2019-06-08 19:30 ` pr-tracker-bot
  0 siblings, 1 reply; 2+ messages in thread
From: James Bottomley @ 2019-06-08  6:05 UTC (permalink / raw)
  To: Andrew Morton, Linus Torvalds; +Cc: linux-scsi, linux-kernel

Two bug fixes, both for fairly serious problems; the UFS one looks like
it could be used to exfiltrate data from the kernel, although probably
only a privileged user has access to the command management interface
and the missing unlock in smartpqi is long standing and probably a
little used error path.

The patch is available here:

git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git scsi-fixes

The short changelog is:

Avri Altman (1):
      scsi: ufs: Check that space was properly alloced in copy_query_response

Dan Carpenter (1):
      scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous()

And the diffstat:

 drivers/scsi/smartpqi/smartpqi_init.c | 6 ++++--
 drivers/scsi/ufs/ufshcd.c             | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

With full diff below.

James

---

diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index d6be4e8f4a8f..8fd5ffc55792 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -4046,8 +4046,10 @@ static int pqi_submit_raid_request_synchronous(struct pqi_ctrl_info *ctrl_info,
 				return -ETIMEDOUT;
 			msecs_blocked =
 				jiffies_to_msecs(jiffies - start_jiffies);
-			if (msecs_blocked >= timeout_msecs)
-				return -ETIMEDOUT;
+			if (msecs_blocked >= timeout_msecs) {
+				rc = -ETIMEDOUT;
+				goto out;
+			}
 			timeout_msecs -= msecs_blocked;
 		}
 	}
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 8c1c551f2b42..3fe3029617a8 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -1917,7 +1917,8 @@ int ufshcd_copy_query_response(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
 	memcpy(&query_res->upiu_res, &lrbp->ucd_rsp_ptr->qr, QUERY_OSF_SIZE);
 
 	/* Get the descriptor */
-	if (lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
+	if (hba->dev_cmd.query.descriptor &&
+	    lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
 		u8 *descp = (u8 *)lrbp->ucd_rsp_ptr +
 				GENERAL_UPIU_REQUEST_SIZE;
 		u16 resp_len;

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [GIT PULL] SCSI fixes for 5.2-rc3
  2019-06-08  6:05 [GIT PULL] SCSI fixes for 5.2-rc3 James Bottomley
@ 2019-06-08 19:30 ` pr-tracker-bot
  0 siblings, 0 replies; 2+ messages in thread
From: pr-tracker-bot @ 2019-06-08 19:30 UTC (permalink / raw)
  To: James Bottomley; +Cc: Andrew Morton, Linus Torvalds, linux-scsi, linux-kernel

The pull request you sent on Fri, 07 Jun 2019 23:05:26 -0700:

> git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git scsi-fixes

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/1b02caa319cf73ae89aced8714066a3a5bbe648b

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.wiki.kernel.org/userdoc/prtracker

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-06-08 19:30 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-08  6:05 [GIT PULL] SCSI fixes for 5.2-rc3 James Bottomley
2019-06-08 19:30 ` pr-tracker-bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox