[6.1] scsi: ufs: ufshpb: Fix NULL deallocation in ufshpb_pre_req_mempool_destroy()

Message ID 20240703111751.23377-1-amishin@t-argos.ru
State New
Series [6.1] scsi: ufs: ufshpb: Fix NULL deallocation in ufshpb_pre_req_mempool_destroy()

Commit Message

Aleksandr Mishin July 3, 2024, 11:17 a.m. UTC
No upstream commit exists for this commit.

The issue was introduced with commit 41d8a9333cc9 ("scsi: ufs: ufshpb:
Add HPB 2.0 support").

In ufshpb_pre_req_mempool_destroy() __free_page() is called only if pointer
contains NULL value.
Fix this bug by modifying check condition.

Upstream branch code has been significantly refactored and can't be
backported directly.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 41d8a9333cc9 ("scsi: ufs: ufshpb: Add HPB 2.0 support")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/ufs/core/ufshpb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Bart Van Assche July 3, 2024, 7:11 p.m. UTC | #1
On 7/3/24 4:17 AM, Aleksandr Mishin wrote:
> No upstream commit exists for this commit.
> 
> The issue was introduced with commit 41d8a9333cc9 ("scsi: ufs: ufshpb:
> Add HPB 2.0 support").
> 
> In ufshpb_pre_req_mempool_destroy() __free_page() is called only if pointer
> contains NULL value.
> Fix this bug by modifying check condition.
> 
> Upstream branch code has been significantly refactored and can't be
> backported directly.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 41d8a9333cc9 ("scsi: ufs: ufshpb: Add HPB 2.0 support")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>   drivers/ufs/core/ufshpb.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ufs/core/ufshpb.c b/drivers/ufs/core/ufshpb.c
> index b7f412d0f301..c649e8a10a23 100644
> --- a/drivers/ufs/core/ufshpb.c
> +++ b/drivers/ufs/core/ufshpb.c
> @@ -2120,7 +2120,7 @@ static void ufshpb_pre_req_mempool_destroy(struct ufshpb_lu *hpb)
>   	for (i = 0; i < hpb->throttle_pre_req; i++) {
>   		pre_req = hpb->pre_req + i;
>   		bio_put(hpb->pre_req[i].bio);
> -		if (!pre_req->wb.m_page)
> +		if (pre_req->wb.m_page)
>   			__free_page(hpb->pre_req[i].wb.m_page);
>   		list_del_init(&pre_req->list_req);
>   	}
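
Review bot: the bio_put(hpb->pre_req[i].bio) call two lines above the changed check is still unconditional. The corrected test acknowledges that wb.m_page may be NULL when this destroy path runs; if bio can be unset in the same situations, it needs the same kind of guard, for example `if (pre_req->bio) bio_put(pre_req->bio);`. The allocation path is not part of this hunk, so please confirm there whether bio and wb.m_page are always set together before this loop is reached.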

Are any users of the 6.1 kernel using UFS HPB support? If not, another
possibility is to backport commit 7e9609d2daea ("scsi: ufs: core: Remove
HPB support").

Thanks,

Bart.

Patch

diff --git a/drivers/ufs/core/ufshpb.c b/drivers/ufs/core/ufshpb.c
index b7f412d0f301..c649e8a10a23 100644
--- a/drivers/ufs/core/ufshpb.c
+++ b/drivers/ufs/core/ufshpb.c
@@ -2120,7 +2120,7 @@  static void ufshpb_pre_req_mempool_destroy(struct ufshpb_lu *hpb)
 	for (i = 0; i < hpb->throttle_pre_req; i++) {
 		pre_req = hpb->pre_req + i;
 		bio_put(hpb->pre_req[i].bio);
-		if (!pre_req->wb.m_page)
+		if (pre_req->wb.m_page)
 			__free_page(hpb->pre_req[i].wb.m_page);
 		list_del_init(&pre_req->list_req);
 	}
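
Review bot: the new condition tests pre_req->wb.m_page while the __free_page() call on the next line still spells the same element as hpb->pre_req[i].wb.m_page. Since pre_req = hpb->pre_req + i, both name one pointer, but using pre_req->wb.m_page in the check and in the call would make it obvious that the value tested is the value freed. It is also worth setting the pointer to NULL after __free_page(), so that the non-NULL check introduced here protects against freeing the same page twice if this loop ever runs again over the same array.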