From: Greg Kroah-Hartman
Date: Thu, 21 Apr 2022 14:16:46 +0000 (+0200)
Subject: 5.17-stable patches
X-Git-Tag: v4.9.312~70
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48e0cdc406e79143148584c6f3585ac6be0f60e9;p=thirdparty%2Fkernel%2Fstable-queue.git
5.17-stable patches
added patches:
scsi-ufs-core-scsi_get_lba-error-fix.patch
---
diff --git a/queue-5.17/scsi-ufs-core-scsi_get_lba-error-fix.patch b/queue-5.17/scsi-ufs-core-scsi_get_lba-error-fix.patch
new file mode 100644
index 00000000000..25f7df521f0
--- /dev/null
+++ b/queue-5.17/scsi-ufs-core-scsi_get_lba-error-fix.patch
@@ -0,0 +1,60 @@
+From 2bd3b6b75946db2ace06e145d53988e10ed7e99a Mon Sep 17 00:00:00 2001
+From: Peter Wang
+Date: Mon, 7 Mar 2022 19:17:52 +0800
+Subject: scsi: ufs: core: scsi_get_lba() error fix
+
+From: Peter Wang
+
+commit 2bd3b6b75946db2ace06e145d53988e10ed7e99a upstream.
+
+When ufs initializes without scmd->device->sector_size set, scsi_get_lba()
+will get a wrong shift number and trigger an ubsan error. The shift
+exponent 4294967286 is too large for the 64-bit type 'sector_t' (aka
+'unsigned long long').
+
+Call scsi_get_lba() only when opcode is READ_10/WRITE_10/UNMAP.
+
+Link: https://lore.kernel.org/r/20220307111752.10465-1-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche
+Signed-off-by: Peter Wang
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufshcd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -367,7 +367,7 @@ static void ufshcd_add_uic_command_trace
+ static void ufshcd_add_command_trace(struct ufs_hba *hba, unsigned int tag,
+ enum ufs_trace_str_t str_t)
+ {
+- u64 lba;
++ u64 lba = 0;
+ u8 opcode = 0, group_id = 0;
+ u32 intr, doorbell;
+ struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+@@ -384,7 +384,6 @@ static void ufshcd_add_command_trace(str
+ return;
+
+ opcode = cmd->cmnd[0];
+- lba = scsi_get_lba(cmd);
+
+ if (opcode == READ_10 || opcode == WRITE_10) {
+ /*
+@@ -392,6 +391,7 @@ static void ufshcd_add_command_trace(str
+ */
+ transfer_len =
+ be32_to_cpu(lrbp->ucd_req_ptr->sc.exp_data_transfer_len);
++ lba = scsi_get_lba(cmd);
+ if (opcode == WRITE_10)
+ group_id = lrbp->cmd->cmnd[6];
+ } else if (opcode == UNMAP) {
+@@ -399,6 +399,7 @@ static void ufshcd_add_command_trace(str
+ * The number of Bytes to be unmapped beginning with the lba.
+ */
+ transfer_len = blk_rq_bytes(rq);
++ lba = scsi_get_lba(cmd);
+ }
+
+ intr = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
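Review bot: The relocated `lba = scsi_get_lba(cmd);` calls in the READ_10/WRITE_10 and UNMAP branches of ufshcd_add_command_trace() still depend on the device's `sector_size` being set, and nothing in the visible hunks establishes that; the commit message only says the unset case shows up during initialization. If the opcode check is what makes the call safe, a comment at the first call would record that, for example `/* scsi_get_lba() derives its shift from sector_size: call it only for block I/O opcodes */`. Separately, `u64 lba = 0;` means every other opcode is now traced with LBA 0, which someone reading the trace cannot tell apart from a real access to block 0, so that is worth a word in the same comment. The function starts before the first quoted hunk and continues past the last one, so an earlier guard may exist outside this view.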
diff --git a/queue-5.17/series b/queue-5.17/series
index b8ba712d02f..10d99a39461 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -3,3 +3,4 @@ perf-tools-fix-segfault-accessing-sample_id-xyarray.patch
 drm-amd-display-only-set-psr-version-when-valid.patch
 block-compat_ioctl-fix-range-check-in-blkgetsize.patch
 gfs2-assign-rgrp-glock-before-compute_bitstructs.patch
+scsi-ufs-core-scsi_get_lba-error-fix.patch