RE: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

* RE: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param()
       [not found] <CGME20201023063528epcms2p11b57d929a926d582539ce4e1a57caf80@epcms2p1>
@ 2020-10-23  6:35 ` Daejun Park
  2020-10-26  2:56   ` Can Guo
  0 siblings, 1 reply; 3+ messages in thread
From: Daejun Park @ 2020-10-23  6:35 UTC (permalink / raw)
  To: cang@codeaurora.org
  Cc: ALIM AKHTAR, asutoshd@codeaurora.org, avri.altman@wdc.com,
	beanhuo@micron.com, bvanassche@acm.org, hongwus@codeaurora.org,
	jejb@linux.ibm.com, kernel-team@android.com,
	linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org,
	martin.petersen@oracle.com, nguyenb@codeaurora.org,
	rnayak@codeaurora.org, salyzyn@google.com, saravanak@google.com,
	stanley.chu@mediatek.com

Hi, Can Guo

>Since WB feature has been added, WB related sysfs entries can be accessed
>even when an UFS device does not support WB feature. In that case, the
>descriptors which are not supported by the UFS device may be wrongly
>reported when they are accessed from their corrsponding sysfs entries.
>Fix it by adding a sanity check of parameter offset against the actual
>decriptor length.
>
>Signed-off-by: Can Guo <cang@codeaurora.org>
>---
> drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++---------
> 1 file changed, 15 insertions(+), 9 deletions(-)
>
>diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
>index a2ebcc8..aeec10d 100644
>--- a/drivers/scsi/ufs/ufshcd.c
>+++ b/drivers/scsi/ufs/ufshcd.c
>@@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
> 	/* Get the length of descriptor */
> 	ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
> 	if (!buff_len) {
>-		dev_err(hba->dev, "%s: Failed to get desc length", __func__);
>+		dev_err(hba->dev, "%s: Failed to get desc length\n", __func__);
>+		return -EINVAL;
>+	}
>+
>+	if (param_offset >= buff_len) {
>+		dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n",
>+			__func__, param_offset, desc_id, buff_len);

In my understanding, this code seems to check incorrect access to not
supportted features (e.g. WB) via buff_len value from
ufshcd_map_desc_id_to_length().
However, since buff_len is initialized as QUERY_DESC_MAX_SIZE and is
updated later by ufshcd_update_desc_length(), So it is impossible to find
incorrect access by checking buff_len at first time.

Thanks,
Daejun

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param()
  2020-10-23  6:35 ` [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param() Daejun Park
@ 2020-10-26  2:56   ` Can Guo
  2020-10-30  7:19     ` Daejun Park
  0 siblings, 1 reply; 3+ messages in thread
From: Can Guo @ 2020-10-26  2:56 UTC (permalink / raw)
  To: daejun7.park
  Cc: ALIM AKHTAR, asutoshd, avri.altman, beanhuo, bvanassche, hongwus,
	jejb, kernel-team, linux-kernel, linux-scsi, martin.petersen,
	nguyenb, rnayak, salyzyn, saravanak, stanley.chu

On 2020-10-23 14:35, Daejun Park wrote:
> Hi, Can Guo
> 
>> Since WB feature has been added, WB related sysfs entries can be 
>> accessed
>> even when an UFS device does not support WB feature. In that case, the
>> descriptors which are not supported by the UFS device may be wrongly
>> reported when they are accessed from their corrsponding sysfs entries.
>> Fix it by adding a sanity check of parameter offset against the actual
>> decriptor length.
>> 
>> Signed-off-by: Can Guo <cang@codeaurora.org>
>> ---
>> drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++---------
>> 1 file changed, 15 insertions(+), 9 deletions(-)
>> 
>> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
>> index a2ebcc8..aeec10d 100644
>> --- a/drivers/scsi/ufs/ufshcd.c
>> +++ b/drivers/scsi/ufs/ufshcd.c
>> @@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba 
>> *hba,
>> 	/* Get the length of descriptor */
>> 	ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
>> 	if (!buff_len) {
>> -		dev_err(hba->dev, "%s: Failed to get desc length", __func__);
>> +		dev_err(hba->dev, "%s: Failed to get desc length\n", __func__);
>> +		return -EINVAL;
>> +	}
>> +
>> +	if (param_offset >= buff_len) {
>> +		dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, 
>> length 0x%x\n",
>> +			__func__, param_offset, desc_id, buff_len);
> 
> In my understanding, this code seems to check incorrect access to not
> supportted features (e.g. WB) via buff_len value from
> ufshcd_map_desc_id_to_length().
> However, since buff_len is initialized as QUERY_DESC_MAX_SIZE and is
> updated later by ufshcd_update_desc_length(), So it is impossible to 
> find
> incorrect access by checking buff_len at first time.
> 
> Thanks,
> Daejun

Yes, I considered that during bootup time, but the current driver won't 
even
access WB related stuffs it is not supported (there are checks against 
UFS version
and feature supports in ufshcd_wb_probe()). So this change is only 
proecting illegal
access from sysfs entries after bootup is done. Do you see real error 
during bootup
time? If yes, please let me know.

Thanks,

Can Guo.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: Re: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param()
  2020-10-26  2:56   ` Can Guo
@ 2020-10-30  7:19     ` Daejun Park
  0 siblings, 0 replies; 3+ messages in thread
From: Daejun Park @ 2020-10-30  7:19 UTC (permalink / raw)
  To: Can Guo, Daejun Park, avri.altman@wdc.com
  Cc: ALIM AKHTAR, asutoshd@codeaurora.org, beanhuo@micron.com,
	bvanassche@acm.org, hongwus@codeaurora.org, jejb@linux.ibm.com,
	kernel-team@android.com, linux-kernel@vger.kernel.org,
	linux-scsi@vger.kernel.org, martin.petersen@oracle.com,
	nguyenb@codeaurora.org, rnayak@codeaurora.org, salyzyn@google.com,
	saravanak@google.com, stanley.chu@mediatek.com

>> Hi, Can Guo
>> 
>>> Since WB feature has been added, WB related sysfs entries can be 
>>> accessed
>>> even when an UFS device does not support WB feature. In that case, the
>>> descriptors which are not supported by the UFS device may be wrongly
>>> reported when they are accessed from their corrsponding sysfs entries.
>>> Fix it by adding a sanity check of parameter offset against the actual
>>> decriptor length.
>>> 
>>> Signed-off-by: Can Guo <cang@codeaurora.org>
>>> ---
>>> drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++---------
>>> 1 file changed, 15 insertions(+), 9 deletions(-)
>>> 
>>> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
>>> index a2ebcc8..aeec10d 100644
>>> --- a/drivers/scsi/ufs/ufshcd.c
>>> +++ b/drivers/scsi/ufs/ufshcd.c
>>> @@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba 
>>> *hba,
>>> 	/* Get the length of descriptor */
>>> 	ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
>>> 	if (!buff_len) {
>>> -		dev_err(hba->dev, "%s: Failed to get desc length", __func__);
>>> +		dev_err(hba->dev, "%s: Failed to get desc length\n", __func__);
>>> +		return -EINVAL;
>>> +	}
>>> +
>>> +	if (param_offset >= buff_len) {
>>> +		dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, 
>>> length 0x%x\n",
>>> +			__func__, param_offset, desc_id, buff_len);
>> 
>> In my understanding, this code seems to check incorrect access to not
>> supportted features (e.g. WB) via buff_len value from
>> ufshcd_map_desc_id_to_length().
>> However, since buff_len is initialized as QUERY_DESC_MAX_SIZE and is
>> updated later by ufshcd_update_desc_length(), So it is impossible to 
>> find
>> incorrect access by checking buff_len at first time.
>> 
>> Thanks,
>> Daejun
>
>Yes, I considered that during bootup time, but the current driver won't 
>even
>access WB related stuffs it is not supported (there are checks against 
>UFS version
>and feature supports in ufshcd_wb_probe()). So this change is only 
>proecting illegal
>access from sysfs entries after bootup is done. Do you see real error 
>during bootup
>time? If yes, please let me know.
>
>Thanks,
>
>Can Guo.

Can Guo,
I haven't seen any real errors. If it's meant to prevent erroneous access
from sysfs, it seems good enough.

Acked-by: Daejun Park <daejun7.park@samsung.com>

Avri,
ufshcd_is_wb_attrs or ufshcd_is_wb_flag is used to match appropriate lun
in case of shared lu WB. I think Can Guo's code is suitable to prevent
wrong access to descriptors.

Thanks,
Daejun

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-10-30  7:23 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CGME20201023063528epcms2p11b57d929a926d582539ce4e1a57caf80@epcms2p1>
2020-10-23  6:35 ` [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param() Daejun Park
2020-10-26  2:56   ` Can Guo
2020-10-30  7:19     ` Daejun Park

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox