Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2558573imu;
        Thu, 29 Nov 2018 06:53:45 -0800 (PST)
X-Google-Smtp-Source: AFSGD/Ul72tYxl6qUni3R40BQYVIoMJ9eMwsbPxl3AZ1x93SnYzTy0p/iw5wIONX7uYQ7BLe3o4z
X-Received: by 2002:a17:902:d905:: with SMTP id c5mr1705052plz.43.1543503225300;
        Thu, 29 Nov 2018 06:53:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543503225; cv=none;
        d=google.com; s=arc-20160816;
        b=TWZ2sdWFF8APnVOz5gtDmNQvzEOreRTdzqfP/B1txMmSu6AU2uOhcEA02Sa1i1DzWn
         0fdknbD7SMtzTeE5+zwm8iyIEFVmkDIjJ28+85+3dzKSmMrjf2dumk3kKj22ust6NB0J
         4hSeMz//FSLbjxpptHuDwa9fr48RXp6qPxLEhn6FNuMwy93gtR/UvMFPOG0N+HGnM641
         LwjtzujKBgt64aMc2wNWgwjSRtwftelGiTPwrwpCO2D64j4Oqr/HQuw1d0nC9bMC3q5G
         /wrzjHcWfnyMeuK2RiHfBb+IoZZvLdxgQDCMmvLZOvt8u0R+zClThM3YCz3Ga7e7WCXV
         M6FA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=ksaCVouwJc+8+l2Ocz2qQSLYRl43gOBCMAL7Iw8dxpI=;
        b=bPGTXetq506EmJ9DOO9NN4EJE4zDHq0R/j9JZB4dA3iu6sDKZbyXPj+NbFmv1ji104
         gNwYjOFqFIJz4hvO2ZLxVDR6D+92LjTLxLIunIo+IjbFoMPMMXTnBzXGKEAyUJzjpoH8
         FGV/4f9UA9K3WtwYHl0DrhpAuGSwnzy9qXXsnEduA94ReUATx6jOVvR6iaX2dCz3o1lm
         wmZfTsjdwGdr0M0YVrCtdzdRlhLvF9qgcokvtYfx6AkXuN7Lt6TDD4wJoAFiQM2Z7ZA0
         uBvciwL5pOLPDi0wL6zGu7CG0RZcqbYpnbKhY5+q0NcUdWaNabcrT4tvCqno4SC3xuBx
         E4tQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=hCR4db7q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id bh12si509691plb.353.2018.11.29.06.53.23;
        Thu, 29 Nov 2018 06:53:45 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=hCR4db7q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732289AbeK3B2w (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Thu, 29 Nov 2018 20:28:52 -0500
Received: from mail.kernel.org ([198.145.29.99]:54772 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731487AbeK3B2v (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 29 Nov 2018 20:28:51 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 5C24A205C9;
        Thu, 29 Nov 2018 14:23:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1543501399;
        bh=B8ZB/FRCRN/gfgxUyhhxWVnXYd4NNV3QUFrk2gvhmC8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=hCR4db7qjKJ+1bkB13orkUK9f4SAKgOd9ZKxzd1on4v9lyyQNdz9ez4Ktak8e1ZYT
         f4EizQ9HQffkXZPMYnSMuaqQa73PM93UBaS8wNiJA3X2l9FskVcapwAMPdk2zGFqff
         ETUmXYIau0DzRFgfo5ti3PQWUGrPxqVJuVV2TxjQ=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Yaniv Gardi <ygardi@codeaurora.org>,
        Subhash Jadavani <subhashj@codeaurora.org>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 4.9 75/92] scsi: ufs: fix bugs related to null pointer access and array size
Date:   Thu, 29 Nov 2018 15:12:44 +0100
Message-Id: <20181129140112.481328901@linuxfoundation.org>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20181129140106.520639693@linuxfoundation.org>
References: <20181129140106.520639693@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yaniv Gardi <ygardi@codeaurora.org>

commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream.

In this change there are a few fixes of possible NULL pointer access and
possible access to index that exceeds array boundaries.

Signed-off-by: Yaniv Gardi <ygardi@codeaurora.org>
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/ufs/ufs.h    |    3 ++-
 drivers/scsi/ufs/ufshcd.c |   25 +++++++++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/scsi/ufs/ufs.h
+++ b/drivers/scsi/ufs/ufs.h
@@ -46,6 +46,7 @@
 #define QUERY_DESC_HDR_SIZE       2
 #define QUERY_OSF_SIZE            (GENERAL_UPIU_REQUEST_SIZE - \
 					(sizeof(struct utp_upiu_header)))
+#define RESPONSE_UPIU_SENSE_DATA_LENGTH	18
 
 #define UPIU_HEADER_DWORD(byte3, byte2, byte1, byte0)\
 			cpu_to_be32((byte3 << 24) | (byte2 << 16) |\
@@ -410,7 +411,7 @@ struct utp_cmd_rsp {
 	__be32 residual_transfer_count;
 	__be32 reserved[4];
 	__be16 sense_data_len;
-	u8 sense_data[18];
+	u8 sense_data[RESPONSE_UPIU_SENSE_DATA_LENGTH];
 };
 
 /**
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -901,10 +901,14 @@ static inline void ufshcd_copy_sense_dat
 	int len;
 	if (lrbp->sense_buffer &&
 	    ufshcd_get_rsp_upiu_data_seg_len(lrbp->ucd_rsp_ptr)) {
+		int len_to_copy;
+
 		len = be16_to_cpu(lrbp->ucd_rsp_ptr->sr.sense_data_len);
+		len_to_copy = min_t(int, RESPONSE_UPIU_SENSE_DATA_LENGTH, len);
+
 		memcpy(lrbp->sense_buffer,
 			lrbp->ucd_rsp_ptr->sr.sense_data,
-			min_t(int, len, SCSI_SENSE_BUFFERSIZE));
+			min_t(int, len_to_copy, SCSI_SENSE_BUFFERSIZE));
 	}
 }
 
@@ -6373,7 +6377,10 @@ EXPORT_SYMBOL(ufshcd_system_suspend);
 
 int ufshcd_system_resume(struct ufs_hba *hba)
 {
-	if (!hba || !hba->is_powered || pm_runtime_suspended(hba->dev))
+	if (!hba)
+		return -EINVAL;
+
+	if (!hba->is_powered || pm_runtime_suspended(hba->dev))
 		/*
 		 * Let the runtime resume take care of resuming
 		 * if runtime suspended.
@@ -6394,7 +6401,10 @@ EXPORT_SYMBOL(ufshcd_system_resume);
  */
 int ufshcd_runtime_suspend(struct ufs_hba *hba)
 {
-	if (!hba || !hba->is_powered)
+	if (!hba)
+		return -EINVAL;
+
+	if (!hba->is_powered)
 		return 0;
 
 	return ufshcd_suspend(hba, UFS_RUNTIME_PM);
@@ -6424,10 +6434,13 @@ EXPORT_SYMBOL(ufshcd_runtime_suspend);
  */
 int ufshcd_runtime_resume(struct ufs_hba *hba)
 {
-	if (!hba || !hba->is_powered)
+	if (!hba)
+		return -EINVAL;
+
+	if (!hba->is_powered)
 		return 0;
-	else
-		return ufshcd_resume(hba, UFS_RUNTIME_PM);
+
+	return ufshcd_resume(hba, UFS_RUNTIME_PM);
 }
 EXPORT_SYMBOL(ufshcd_runtime_resume);