From: Jens Axboe Date: Wed, 7 Aug 2019 18:23:57 +0000 (-0600) Subject: libata: add SG safety checks in SFF pio transfers X-Git-Tag: v4.9.191~62 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=071434c30d6882ab447a417b2cc4692c26525df9;p=platform%2Fkernel%2Flinux-amlogic.git libata: add SG safety checks in SFF pio transfers [ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ] Abort processing of a command if we run out of mapped data in the SG list. This should never happen, but a previous bug caused it to be possible. Play it safe and attempt to abort nicely if we don't have more SG segments left. Reviewed-by: Kees Cook Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin
---
diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
index 8d22acd..0e2bc5b 100644
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -703,6 +703,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 unsigned int offset;
 unsigned char *buf;
+ if (!qc->cursg) {
+ qc->curbytes = qc->nbytes;
+ return;
+ }
 if (qc->curbytes == qc->nbytes - qc->sect_size)
 ap->hsm_task_state = HSM_ST_LAST;
@@ -742,6 +746,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 if (qc->cursg_ofs == qc->cursg->length) {
 qc->cursg = sg_next(qc->cursg);
+ if (!qc->cursg)
+ ap->hsm_task_state = HSM_ST_LAST;
 qc->cursg_ofs = 0;
 }
 }
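Review bot: The new guard at the top of ata_pio_sector() returns after `qc->curbytes = qc->nbytes`, so the command looks fully transferred while nothing records that the SG list ran out early, a state the commit message itself attributes to an earlier bug. I would make the condition visible with `if (WARN_ON_ONCE(!qc->cursg)) {` and a comment such as `/* SG list exhausted before nbytes were moved: do not touch the buffer */`, so a recurrence of the underlying accounting bug is noticed instead of showing up as a short read or write. The early return also sits before the `ap->hsm_task_state = HSM_ST_LAST` assignment, so the state machine is left as it was; whether the command should instead be failed through `qc->err_mask` depends on the HSM caller, which is outside this hunk, as is the rest of the function body. The same silent handling applies in the second hunk, where `ap->hsm_task_state = HSM_ST_LAST` is forced as soon as sg_next() returns NULL, apparently without checking that `qc->curbytes` has reached `qc->nbytes`.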