R0dn3yS/android_kernel_xiaomi_sm7250
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5a7dc5ffbc
android_kernel_xiaomi_sm7250/drivers/ata
History
Kai-Heng Feng 67a00c299c ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS 
commit 1e41e693f458eef2d5728207dbd327cd3b16580a upstream.

UBSAN complains about array-index-out-of-bounds:
[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41
[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'
[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu
[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010
[ 1.980718] kernel: Call Trace:
[ 1.980721] kernel: <TASK>
[ 1.980723] kernel: show_stack+0x52/0x58
[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f
[ 1.980734] kernel: dump_stack+0x10/0x12
[ 1.980736] kernel: ubsan_epilogue+0x9/0x45
[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]
[ 1.980748] kernel: ata_qc_issue+0x135/0x240
[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580
[ 1.980754] kernel: ? vprintk_default+0x1d/0x20
[ 1.980759] kernel: ata_exec_internal+0x67/0xa0
[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0
[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90
[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310
[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0
[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30
[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]
[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]
[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]
[ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0
[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560
[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40
[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]
[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600
[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0
[ 1.980813] kernel: scsi_error_handler+0xa1/0x180
[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0
[ 1.980820] kernel: kthread+0x12a/0x150
[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50
[ 1.980826] kernel: ret_from_fork+0x22/0x30
[ 1.980831] kernel: </TASK>

This happens because sata_pmp_init_links() initialize link->pmp up to
SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.

I can't find the maximum Enclosure Management ports specified in AHCI
spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier
Information" can utilize 4 bits, which implies it can support up to 16
ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the
issue.

BugLink: https://bugs.launchpad.net/bugs/1970074
Cc: stable@vger.kernel.org
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-11-03 23:52:24 +09:00
..
acard-ahci.c
ahci_brcm.c
ahci_ceva.c
ahci_da850.c
ahci_dm816.c
ahci_imx.c ata: ahci-imx: Fix MODULE_ALIAS 2022-11-03 23:52:24 +09:00
ahci_mtk.c
ahci_mvebu.c
ahci_octeon.c
ahci_platform.c
ahci_qoriq.c
ahci_seattle.c
ahci_st.c
ahci_sunxi.c
ahci_tegra.c
ahci_xgene.c
ahci.c
ahci.h ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS 2022-11-03 23:52:24 +09:00
ata_generic.c
ata_piix.c
Kconfig
libahci_platform.c ata: libahci_platform: Sanity check the DT child nodes number 2022-10-26 13:19:40 +02:00
libahci.c
libata-acpi.c
libata-core.c libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 2022-10-05 10:36:44 +02:00
libata-eh.c ata: libata-eh: Add missing command name 2022-08-25 11:15:34 +02:00
libata-pmp.c
libata-scsi.c
libata-sff.c
libata-trace.c
libata-transport.c ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files 2022-06-14 16:59:39 +02:00
libata-transport.h
libata-zpodd.c
libata.h
Makefile
pata_acpi.c
pata_ali.c
pata_amd.c
pata_arasan_cf.c
pata_artop.c
pata_atiixp.c
pata_atp867x.c
pata_bk3710.c
pata_cmd64x.c
pata_cmd640.c
pata_cs5520.c
pata_cs5530.c
pata_cs5535.c
pata_cs5536.c
pata_cypress.c
pata_efar.c
pata_ep93xx.c
pata_falcon.c
pata_ftide010.c
pata_gayle.c
pata_hpt3x2n.c
pata_hpt3x3.c
pata_hpt37x.c ata: pata_hpt37x: fix PCI clock detection 2022-03-08 19:04:07 +01:00
pata_hpt366.c
pata_icside.c
pata_imx.c
pata_isapnp.c
pata_it821x.c
pata_it8213.c
pata_ixp4xx_cf.c
pata_jmicron.c
pata_legacy.c
pata_macio.c
pata_marvell.c ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2022-04-27 13:39:44 +02:00
pata_mpc52xx.c
pata_mpiix.c
pata_netcell.c
pata_ninja32.c
pata_ns87410.c
pata_ns87415.c
pata_octeon_cf.c ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe 2022-06-14 16:59:35 +02:00
pata_of_platform.c
pata_oldpiix.c
pata_opti.c
pata_optidma.c
pata_palmld.c
pata_pcmcia.c
pata_pdc202xx_old.c
pata_pdc2027x.c
pata_piccolo.c
pata_platform.c
pata_pxa.c
pata_radisys.c
pata_rb532_cf.c
pata_rdc.c
pata_rz1000.c
pata_samsung_cf.c
pata_sc1200.c
pata_sch.c
pata_serverworks.c
pata_sil680.c
pata_sis.c
pata_sl82c105.c
pata_triflex.c
pata_via.c
pdc_adma.c
sata_dwc_460ex.c ata: sata_dwc_460ex: Fix crash due to OOB write 2022-04-15 14:15:06 +02:00
sata_fsl.c
sata_gemini.c
sata_gemini.h
sata_highbank.c
sata_inic162x.c
sata_mv.c
sata_nv.c
sata_promise.c
sata_promise.h
sata_qstor.c
sata_rcar.c
sata_sil24.c
sata_sil.c
sata_sis.c
sata_svw.c
sata_sx4.c
sata_uli.c
sata_via.c
sata_vsc.c
sis.h