From: Greg Kroah-Hartman
Date: Thu, 21 Apr 2022 14:16:15 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.9.312~71
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=41f486531340dc38f2f640cf6eadbd1d5061e5a3;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches: scsi-ufs-core-scsi_get_lba-error-fix.patch
---
diff --git a/queue-5.15/scsi-ufs-core-scsi_get_lba-error-fix.patch b/queue-5.15/scsi-ufs-core-scsi_get_lba-error-fix.patch
new file mode 100644
index 00000000000..7ce392efc35
--- /dev/null
+++ b/queue-5.15/scsi-ufs-core-scsi_get_lba-error-fix.patch
@@ -0,0 +1,60 @@
+From 2bd3b6b75946db2ace06e145d53988e10ed7e99a Mon Sep 17 00:00:00 2001
+From: Peter Wang
+Date: Mon, 7 Mar 2022 19:17:52 +0800
+Subject: scsi: ufs: core: scsi_get_lba() error fix
+
+From: Peter Wang
+
+commit 2bd3b6b75946db2ace06e145d53988e10ed7e99a upstream.
+
+When ufs initializes without scmd->device->sector_size set, scsi_get_lba()
+will get a wrong shift number and trigger an ubsan error. The shift
+exponent 4294967286 is too large for the 64-bit type 'sector_t' (aka
+'unsigned long long').
+
+Call scsi_get_lba() only when opcode is READ_10/WRITE_10/UNMAP.
+
+Link: https://lore.kernel.org/r/20220307111752.10465-1-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche
+Signed-off-by: Peter Wang
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufshcd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -358,7 +358,7 @@ static void ufshcd_add_uic_command_trace
+ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag,
+ enum ufs_trace_str_t str_t)
+ {
+- u64 lba;
++ u64 lba = 0;
+ u8 opcode = 0, group_id = 0;
+ u32 intr, doorbell;
+ struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+@@ -375,7 +375,6 @@ static void ufshcd_add_command_trace(str
+ return;
+
+ opcode = cmd->cmnd[0];
+- lba = scsi_get_lba(cmd);
+
+ if (opcode == READ_10 || opcode == WRITE_10) {
+ /*
+@@ -383,6 +382,7 @@ static void ufshcd_add_command_trace(str
+ */
+ transfer_len =
+ be32_to_cpu(lrbp->ucd_req_ptr->sc.exp_data_transfer_len);
++ lba = scsi_get_lba(cmd);
+ if (opcode == WRITE_10)
+ group_id = lrbp->cmd->cmnd[6];
+ } else if (opcode == UNMAP) {
+@@ -390,6 +390,7 @@ static void ufshcd_add_command_trace(str
+ * The number of Bytes to be unmapped beginning with the lba.
+ */
+ transfer_len = blk_rq_bytes(rq);
++ lba = scsi_get_lba(cmd);
+ }
+
+ intr = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
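Review bot: In ufshcd_add_command_trace the new guard keys on the opcode rather than on the condition the commit message blames for the UBSAN report (scmd->device->sector_size unset), so the READ_10/WRITE_10 and UNMAP branches still call scsi_get_lba() unconditionally. Whether those opcodes can be traced before sector_size is populated is not visible from these hunks, so the assumption is worth stating in a comment next to the initialiser, e.g. `/* lba is only meaningful for READ_10/WRITE_10/UNMAP; scsi_get_lba() needs sector_size set */`. With `u64 lba = 0;` every other opcode is now traced with lba 0, which a trace consumer cannot tell apart from a real access to LBA 0. The function body starts and ends outside the quoted hunks.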
diff --git a/queue-5.15/series b/queue-5.15/series
index 69f93b2c4e6..ff39f5597f6 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -10,3 +10,4 @@ mm-page_alloc-fix-building-error-on-werror-array-compare.patch
 perf-tools-fix-segfault-accessing-sample_id-xyarray.patch
 mm-kfence-support-kmem_dump_obj-for-kfence-objects.patch
 gfs2-assign-rgrp-glock-before-compute_bitstructs.patch
+scsi-ufs-core-scsi_get_lba-error-fix.patch