From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Can Guo <cang@codeaurora.org>,
	Asutosh Das <asutoshd@codeaurora.org>,
	Daejun Park <daejun7.park@samsung.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.9 12/39] scsi: ufs: Fix unexpected values from ufshcd_read_desc_param()
Date: Thu,  3 Dec 2020 08:28:06 -0500
Message-ID: <20201203132834.930999-12-sashal@kernel.org>
In-Reply-To: <20201203132834.930999-1-sashal@kernel.org>

From: Can Guo <cang@codeaurora.org>

[ Upstream commit 1699f980d87fb678a669490462cf0b9517c1fb47 ]

WB-related sysfs entries can be accessed even when a UFS device does not
support the feature. The descriptors which are not supported by the UFS
device may be wrongly reported when they are accessed from their
corresponding sysfs entries. Fix it by adding a sanity check of parameter
offset against the actual descriptor length.

Link: https://lore.kernel.org/r/1603346348-14149-1-git-send-email-cang@codeaurora.org
Reviewed-by: Asutosh Das <asutoshd@codeaurora.org>
Acked-by: Daejun Park <daejun7.park@samsung.com>
Signed-off-by: Can Guo <cang@codeaurora.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 9dd32bb0ff2be..cbcdd79a1f76f 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -3163,13 +3163,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	/* Get the length of descriptor */
 	ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
 	if (!buff_len) {
-		dev_err(hba->dev, "%s: Failed to get desc length", __func__);
+		dev_err(hba->dev, "%s: Failed to get desc length\n", __func__);
+		return -EINVAL;
+	}
+
+	if (param_offset >= buff_len) {
+		dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n",
+			__func__, param_offset, desc_id, buff_len);
 		return -EINVAL;
 	}
 
 	/* Check whether we need temp memory */
 	if (param_offset != 0 || param_size < buff_len) {
-		desc_buf = kmalloc(buff_len, GFP_KERNEL);
+		desc_buf = kzalloc(buff_len, GFP_KERNEL);
 		if (!desc_buf)
 			return -ENOMEM;
 	} else {
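Review bot: the kmalloc() to kzalloc() switch for desc_buf is not mentioned in the commit message and carries no comment. This buffer is later the source of the memcpy() into param_read_buf, so zeroing it matters when the device fills fewer than buff_len bytes: the caller then sees zeros instead of stale heap contents. Please state that reason in the changelog or in a one-line comment above the allocation, so the zeroing is not reverted later as an unnecessary cost.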
@@ -3183,14 +3189,14 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 					desc_buf, &buff_len);
 
 	if (ret) {
-		dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d",
+		dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n",
 			__func__, desc_id, desc_index, param_offset, ret);
 		goto out;
 	}
 
 	/* Sanity check */
 	if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) {
-		dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header",
+		dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n",
 			__func__, desc_buf[QUERY_DESC_DESC_TYPE_OFFSET]);
 		ret = -EINVAL;
 		goto out;
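Review bot: both changes in this hunk only append "\n" to dev_err() format strings and are unrelated to the offset check, so for a stable backport they would be easier to audit as a separate cleanup patch. If they stay, note that desc_id is printed with %d in these two messages while the new "Invalid offset" message earlier in the function prints the same IDN with 0x%x; pick one format so the log lines can be correlated.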
@@ -3200,12 +3206,12 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET];
 	ufshcd_update_desc_length(hba, desc_id, desc_index, buff_len);
 
-	/* Check wherher we will not copy more data, than available */
-	if (is_kmalloc && (param_offset + param_size) > buff_len)
-		param_size = buff_len - param_offset;
-
-	if (is_kmalloc)
+	if (is_kmalloc) {
+		/* Make sure we don't copy more data than available */
+		if (param_offset + param_size > buff_len)
+			param_size = buff_len - param_offset;
 		memcpy(param_read_buf, &desc_buf[param_offset], param_size);
+	}
 out:
 	if (is_kmalloc)
 		kfree(desc_buf);
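Review bot: param_offset is not re-validated after buff_len is overwritten with desc_buf[QUERY_DESC_LENGTH_OFFSET]. The earlier "param_offset >= buff_len" check ran against the length returned by ufshcd_map_desc_id_to_length(), before the device was queried; if the device reports a shorter length that is at or below param_offset, the clamp "param_size = buff_len - param_offset" yields zero or a negative value and the memcpy() that follows no longer copies a valid range. Suggest repeating the offset check here against the updated buff_len and taking the "ret = -EINVAL; goto out;" path when it fails, which also matches the commit message's stated intent of checking against the actual descriptor length.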
-- 
2.27.0