5.17-stable patches

added patches:
	scsi-ufs-core-scsi_get_lba-error-fix.patch

diff --git a/queue-5.17/scsi-ufs-core-scsi_get_lba-error-fix.patch b/queue-5.17/scsi-ufs-core-scsi_get_lba-error-fix.patch
new file mode 100644 (file)
index 0000000..25f7df5
--- /dev/null
+++ b/queue-5.17/scsi-ufs-core-scsi_get_lba-error-fix.patch
@@ -0,0 +1,60 @@
+From 2bd3b6b75946db2ace06e145d53988e10ed7e99a Mon Sep 17 00:00:00 2001
+From: Peter Wang <peter.wang@mediatek.com>
+Date: Mon, 7 Mar 2022 19:17:52 +0800
+Subject: scsi: ufs: core: scsi_get_lba() error fix
+
+From: Peter Wang <peter.wang@mediatek.com>
+
+commit 2bd3b6b75946db2ace06e145d53988e10ed7e99a upstream.
+
+When ufs initializes without scmd->device->sector_size set, scsi_get_lba()
+will get a wrong shift number and trigger an ubsan error.  The shift
+exponent 4294967286 is too large for the 64-bit type 'sector_t' (aka
+'unsigned long long').
+
+Call scsi_get_lba() only when opcode is READ_10/WRITE_10/UNMAP.
+
+Link: https://lore.kernel.org/r/20220307111752.10465-1-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Peter Wang <peter.wang@mediatek.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -367,7 +367,7 @@ static void ufshcd_add_uic_command_trace
+ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag,
+                                    enum ufs_trace_str_t str_t)
+ {
+-      u64 lba;
++      u64 lba = 0;
+       u8 opcode = 0, group_id = 0;
+       u32 intr, doorbell;
+       struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+@@ -384,7 +384,6 @@ static void ufshcd_add_command_trace(str
+               return;
+ 
+       opcode = cmd->cmnd[0];
+-      lba = scsi_get_lba(cmd);
+ 
+       if (opcode == READ_10 || opcode == WRITE_10) {
+               /*
+@@ -392,6 +391,7 @@ static void ufshcd_add_command_trace(str
+                */
+               transfer_len =
+                      be32_to_cpu(lrbp->ucd_req_ptr->sc.exp_data_transfer_len);
++              lba = scsi_get_lba(cmd);
+               if (opcode == WRITE_10)
+                       group_id = lrbp->cmd->cmnd[6];
+       } else if (opcode == UNMAP) {
+@@ -399,6 +399,7 @@ static void ufshcd_add_command_trace(str
+                * The number of Bytes to be unmapped beginning with the lba.
+                */
+               transfer_len = blk_rq_bytes(rq);
++              lba = scsi_get_lba(cmd);
+       }
+ 
+       intr = ufshcd_readl(hba, REG_INTERRUPT_STATUS);

diff --git a/queue-5.17/series b/queue-5.17/series
index b8ba712d02ff5ba358e82894128f4a0721a376e5..10d99a394619fb067df95829d16095640125e78a 100644 (file)
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -3,3 +3,4 @@ perf-tools-fix-segfault-accessing-sample_id-xyarray.patch
 drm-amd-display-only-set-psr-version-when-valid.patch
 block-compat_ioctl-fix-range-check-in-blkgetsize.patch
 gfs2-assign-rgrp-glock-before-compute_bitstructs.patch
+scsi-ufs-core-scsi_get_lba-error-fix.patch