nv-tegra-mirror/linux-nv-oot
1
0
Fork 0
mirror of git://nv-tegra.nvidia.com/linux-nv-oot.git synced 2025-12-23 01:31:30 +03:00
Code Issues Packages Projects Releases Wiki Activity

vsc: fix out of bound memory access

Browse Source 
kernel panic when doing a IOCTL on UFS virtual partition
with pass thru enabled. IOCTL require larger space than
the mempool size (512KB) and the len check fails and leads
to a out-of-bound memory access.

Bug 4683333

Change-Id: Ie8d13bbed13a257e73087c9472054aa4083cf3eb
Signed-off-by: Manish Bhardwaj <mbhardwaj@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3151274
Reviewed-by: Sumeet Gupta <sumeetg@nvidia.com>
Tested-by: Tonny Liang <tonnyl@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Reviewed-by: Tonny Liang <tonnyl@nvidia.com>
Reviewed-by: Sanjith T D <std@nvidia.com>
This commit is contained in:
Manish Bhardwaj
2024-06-05 04:09:13 +00:00
committed by mobile promotions
parent 2a104ca84d
commit e44802987e
2 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/block/tegra_virt_storage/tegra_hv_ioctl.c
View File

@@ -55,7 +55,7 @@ int vblk_prep_ioctl_req(struct vblk_dev *vblkdev,
if (ioctl_req->ioctl_len > vsc_req->mempool_len) { if (ioctl_req->ioctl_len > vsc_req->mempool_len) {
dev_err(vblkdev->device, dev_err(vblkdev->device,
"Ioctl length exceeding mempool length!\n"); "Ioctl length %u exceeding mempool length!\n", ioctl_req->ioctl_len);
return -EINVAL; return -EINVAL;
} }

3
drivers/block/tegra_virt_storage/tegra_hv_vblk.c
View File

@@ -1144,14 +1144,15 @@ static void setup_device(struct vblk_dev *vblkdev)
req->mempool_virt = (void *)((uintptr_t)vblkdev->shared_buffer + req->mempool_virt = (void *)((uintptr_t)vblkdev->shared_buffer +
(uintptr_t)(req_id * max_io_bytes)); (uintptr_t)(req_id * max_io_bytes));
req->mempool_offset = (req_id * max_io_bytes); req->mempool_offset = (req_id * max_io_bytes);
req->mempool_len = max_io_bytes;
} else { } else {
if (vblkdev->config.blk_config.req_ops_supported & VS_BLK_IOCTL_OP_F) { if (vblkdev->config.blk_config.req_ops_supported & VS_BLK_IOCTL_OP_F) {
req->mempool_virt = (void *)((uintptr_t)vblkdev->shared_buffer + req->mempool_virt = (void *)((uintptr_t)vblkdev->shared_buffer +
(uintptr_t)((req_id % max_ioctl_requests) * UFS_IOCTL_MAX_SIZE_SUPPORTED)); (uintptr_t)((req_id % max_ioctl_requests) * UFS_IOCTL_MAX_SIZE_SUPPORTED));
req->mempool_offset = (req_id % max_ioctl_requests) * UFS_IOCTL_MAX_SIZE_SUPPORTED; req->mempool_offset = (req_id % max_ioctl_requests) * UFS_IOCTL_MAX_SIZE_SUPPORTED;
req->mempool_len = UFS_IOCTL_MAX_SIZE_SUPPORTED;
} }
} }
req->mempool_len = max_io_bytes;
req->id = req_id; req->id = req_id;
req->vblkdev = vblkdev; req->vblkdev = vblkdev;
} }