Message ID | 20240703111751.23377-1-amishin@t-argos.ru |
---|---|
State | New |
Headers | show |
Series | [6.1] scsi: ufs: ufshpb: Fix NULL deallocation in ufshpb_pre_req_mempool_destroy() | expand |
On 7/3/24 4:17 AM, Aleksandr Mishin wrote: > No upstream commit exists for this commit. > > The issue was introduced with commit 41d8a9333cc9 ("scsi: ufs: ufshpb: > Add HPB 2.0 support"). > > In ufshpb_pre_req_mempool_destroy() __free_page() is called only if pointer > contains NULL value. > Fix this bug by modifying check condition. > > Upstream branch code has been significantly refactored and can't be > backported directly. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 41d8a9333cc9 ("scsi: ufs: ufshpb: Add HPB 2.0 support") > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> > --- > drivers/ufs/core/ufshpb.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/ufs/core/ufshpb.c b/drivers/ufs/core/ufshpb.c > index b7f412d0f301..c649e8a10a23 100644 > --- a/drivers/ufs/core/ufshpb.c > +++ b/drivers/ufs/core/ufshpb.c > @@ -2120,7 +2120,7 @@ static void ufshpb_pre_req_mempool_destroy(struct ufshpb_lu *hpb) > for (i = 0; i < hpb->throttle_pre_req; i++) { > pre_req = hpb->pre_req + i; > bio_put(hpb->pre_req[i].bio); > - if (!pre_req->wb.m_page) > + if (pre_req->wb.m_page) > __free_page(hpb->pre_req[i].wb.m_page); > list_del_init(&pre_req->list_req); > } Are any users of the 6.1 kernel using UFS HPB support? If not, another possibility is to backport commit 7e9609d2daea ("scsi: ufs: core: Remove HPB support"). Thanks, Bart.
diff --git a/drivers/ufs/core/ufshpb.c b/drivers/ufs/core/ufshpb.c index b7f412d0f301..c649e8a10a23 100644 --- a/drivers/ufs/core/ufshpb.c +++ b/drivers/ufs/core/ufshpb.c @@ -2120,7 +2120,7 @@ static void ufshpb_pre_req_mempool_destroy(struct ufshpb_lu *hpb) for (i = 0; i < hpb->throttle_pre_req; i++) { pre_req = hpb->pre_req + i; bio_put(hpb->pre_req[i].bio); - if (!pre_req->wb.m_page) + if (pre_req->wb.m_page) __free_page(hpb->pre_req[i].wb.m_page); list_del_init(&pre_req->list_req); }
No upstream commit exists for this commit. The issue was introduced with commit 41d8a9333cc9 ("scsi: ufs: ufshpb: Add HPB 2.0 support"). In ufshpb_pre_req_mempool_destroy() __free_page() is called only if pointer contains NULL value. Fix this bug by modifying check condition. Upstream branch code has been significantly refactored and can't be backported directly. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 41d8a9333cc9 ("scsi: ufs: ufshpb: Add HPB 2.0 support") Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> --- drivers/ufs/core/ufshpb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)