Done

-----Original Message-----
From: Bean Huo <huobean@xxxxxxxxx>
Sent: Monday, February 17, 2025 8:40 PM
To: Arthur Simchaev <Arthur.Simchaev@xxxxxxxxxxx>; martin.petersen@xxxxxxxxxx
Cc: Avri Altman <Avri.Altman@xxxxxxxxxxx>; Avi Shchislowski <Avi.Shchislowski@xxxxxxxxxxx>; beanhuo@xxxxxxxxxx; linux-scsi@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; bvanassche@xxxxxxx
Subject: Re: [PATCH] scsi: ufs: core: Fix memory crash in case arpmb command failed

On Mon, 2025-02-17 at 18:43 +0200, Arthur Simchaev wrote:
> In case the device doesn't support arpmb, the kernel get memory crash
> due to copy user data in bsg_transport_sg_io_fn level. So in case
> ufshcd_send_bsg_uic_cmd returned error, do not change the job's
> reply_len.
>
> Memory crash backtrace:
> 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -
> 22

It is Advanced RPMB access and not related to the UIC command. If the device didn't support advanced rpmb, got return -EINVAL(-22).

In this case, in bsg_transport_sg_io_fn,

    if (job->result < 0) {
        job->reply_len = sizeof(u32);

then:

    int len = min(hdr->max_response_len, job->reply_len);
    if (copy_to_user(uptr64(hdr->response), job->reply, len))

It looks like you didn't initialize the correct response buffer from user space.

Could you rephrase your commit message, add a Fixes tag, and resubmit?

Kind regards,
Bean