scsi: ufs: core: Fix referencing invalid rsp field (d5d92b64) · Commits · EulixOS / Software / Kernel

drivers/scsi/ufs/ufshpb.c

+7 −12

Original line number	Diff line number	Diff line
		@@ -1254,6 +1254,13 @@ void ufshpb_rsp_upiu(struct ufs_hba hba, struct ufshcd_lrb lrbp)
		struct utp_hpb_rsp *rsp_field = &lrbp->ucd_rsp_ptr->hr;
		int data_seg_len;

		data_seg_len = be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_2)
		& MASK_RSP_UPIU_DATA_SEG_LEN;

		/* If data segment length is zero, rsp_field is not valid */
		if (!data_seg_len)
		return;

		if (unlikely(lrbp->lun != rsp_field->lun)) {
		struct scsi_device *sdev;
		bool found = false;
		@@ -1288,18 +1295,6 @@ void ufshpb_rsp_upiu(struct ufs_hba hba, struct ufshcd_lrb lrbp)
		return;
		}

		data_seg_len = be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_2)
		& MASK_RSP_UPIU_DATA_SEG_LEN;

		/* To flush remained rsp_list, we queue the map_work task */
		if (!data_seg_len) {
		if (!ufshpb_is_general_lun(hpb->lun))
		return;

		ufshpb_kick_map_work(hpb);
		return;
		}

		BUILD_BUG_ON(sizeof(struct utp_hpb_rsp) != UTP_HPB_RSP_SIZE);

		if (!ufshpb_is_hpb_rsp_valid(hba, lrbp, rsp_field))