libata: add SG safety checks in SFF pio transfers

[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ] Abort processing of a command if we run out of mapped data in the SG list. This should never happen, but a previous bug caused it to be possible. Play it safe and attempt to abort nicely if we don't have more SG segments left. Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Jens Axboe <axboe@kernel.dk> 2019-08-07 12:23:57 -0600
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-08-29 08:26:41 +0200
commit: 01b9d50557ea829b5fa5a1fb31b2667be8ff39e9 (patch)
tree: c0439b8710e31b2d89788edba9930f3b81ed31c5 /drivers/ata
parent: b853d7cbd238400d4e6f8767e839c14ed7a06a45 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
index cc2f2e35f4c2..8c36ff0c2dd4 100644
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -704,6 +704,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 	unsigned int offset;
 	unsigned char *buf;
 
+	if (!qc->cursg) {
+		qc->curbytes = qc->nbytes;
+		return;
+	}
 	if (qc->curbytes == qc->nbytes - qc->sect_size)
 		ap->hsm_task_state = HSM_ST_LAST;
 
@@ -729,6 +733,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 
 	if (qc->cursg_ofs == qc->cursg->length) {
 		qc->cursg = sg_next(qc->cursg);
+		if (!qc->cursg)
+			ap->hsm_task_state = HSM_ST_LAST;
 		qc->cursg_ofs = 0;
 	}
 }
author	Jens Axboe <axboe@kernel.dk>	2019-08-07 12:23:57 -0600
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-08-29 08:26:41 +0200
commit	01b9d50557ea829b5fa5a1fb31b2667be8ff39e9 (patch)
tree	c0439b8710e31b2d89788edba9930f3b81ed31c5 /drivers/ata
parent	b853d7cbd238400d4e6f8767e839c14ed7a06a45 (diff)