5.15-stable patches

added patches:
	scsi-ufs-core-scsi_get_lba-error-fix.patch

diff --git a/queue-5.15/scsi-ufs-core-scsi_get_lba-error-fix.patch b/queue-5.15/scsi-ufs-core-scsi_get_lba-error-fix.patch
new file mode 100644 (file)
index 0000000..7ce392e
--- /dev/null
+++ b/queue-5.15/scsi-ufs-core-scsi_get_lba-error-fix.patch
@@ -0,0 +1,60 @@
+From 2bd3b6b75946db2ace06e145d53988e10ed7e99a Mon Sep 17 00:00:00 2001
+From: Peter Wang <peter.wang@mediatek.com>
+Date: Mon, 7 Mar 2022 19:17:52 +0800
+Subject: scsi: ufs: core: scsi_get_lba() error fix
+
+From: Peter Wang <peter.wang@mediatek.com>
+
+commit 2bd3b6b75946db2ace06e145d53988e10ed7e99a upstream.
+
+When ufs initializes without scmd->device->sector_size set, scsi_get_lba()
+will get a wrong shift number and trigger an ubsan error.  The shift
+exponent 4294967286 is too large for the 64-bit type 'sector_t' (aka
+'unsigned long long').
+
+Call scsi_get_lba() only when opcode is READ_10/WRITE_10/UNMAP.
+
+Link: https://lore.kernel.org/r/20220307111752.10465-1-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Peter Wang <peter.wang@mediatek.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -358,7 +358,7 @@ static void ufshcd_add_uic_command_trace
+ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag,
+                                    enum ufs_trace_str_t str_t)
+ {
+-      u64 lba;
++      u64 lba = 0;
+       u8 opcode = 0, group_id = 0;
+       u32 intr, doorbell;
+       struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+@@ -375,7 +375,6 @@ static void ufshcd_add_command_trace(str
+               return;
+ 
+       opcode = cmd->cmnd[0];
+-      lba = scsi_get_lba(cmd);
+ 
+       if (opcode == READ_10 || opcode == WRITE_10) {
+               /*
+@@ -383,6 +382,7 @@ static void ufshcd_add_command_trace(str
+                */
+               transfer_len =
+                      be32_to_cpu(lrbp->ucd_req_ptr->sc.exp_data_transfer_len);
++              lba = scsi_get_lba(cmd);
+               if (opcode == WRITE_10)
+                       group_id = lrbp->cmd->cmnd[6];
+       } else if (opcode == UNMAP) {
+@@ -390,6 +390,7 @@ static void ufshcd_add_command_trace(str
+                * The number of Bytes to be unmapped beginning with the lba.
+                */
+               transfer_len = blk_rq_bytes(rq);
++              lba = scsi_get_lba(cmd);
+       }
+ 
+       intr = ufshcd_readl(hba, REG_INTERRUPT_STATUS);

diff --git a/queue-5.15/series b/queue-5.15/series
index 69f93b2c4e6a29abe533230495c7579a0b292fab..ff39f5597f62d84d27382bc0f1bd05d458e9527b 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -10,3 +10,4 @@ mm-page_alloc-fix-building-error-on-werror-array-compare.patch
 perf-tools-fix-segfault-accessing-sample_id-xyarray.patch
 mm-kfence-support-kmem_dump_obj-for-kfence-objects.patch
 gfs2-assign-rgrp-glock-before-compute_bitstructs.patch
+scsi-ufs-core-scsi_get_lba-error-fix.patch