From: Can Guo
To: asutoshd@codeaurora.org, nguyenb@codeaurora.org, hongwus@codeaurora.org, rnayak@codeaurora.org, linux-scsi@vger.kernel.org, kernel-team@android.com, saravanak@google.com, salyzyn@google.com, cang@codeaurora.org
Cc: Alim Akhtar, Avri Altman, "James E.J. Bottomley", "Martin K. Petersen", Stanley Chu, Bean Huo, Bart Van Assche, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param()
Date: Tue, 20 Oct 2020 03:29:06 -0700
Message-Id: <1603189751-26541-1-git-send-email-cang@codeaurora.org>
X-Mailer: git-send-email 2.7.4
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

Since WB feature has been added, WB related sysfs entries can be accessed even when a UFS device does not support WB feature. In that case, the descriptors which are not supported by the UFS device may be wrongly reported when they are accessed from their corresponding sysfs entries. Fix it by adding a sanity check of parameter offset against the actual descriptor length.

Signed-off-by: Can Guo

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index a2ebcc8..8861ad6 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, /* Get the length of descriptor */ ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len); if (!buff_len) { - dev_err(hba->dev, "%s: Failed to get desc length", __func__); + dev_err(hba->dev, "%s: Failed to get desc length\n", __func__); + return -EINVAL; + } + + if (param_offset >= buff_len) + dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n", + __func__, param_offset, desc_id, buff_len); return -EINVAL; } /* Check whether we need temp memory */ if (param_offset != 0 || param_size < buff_len) { - desc_buf = kmalloc(buff_len, GFP_KERNEL); + desc_buf = kzalloc(buff_len, GFP_KERNEL); if (!desc_buf) return -ENOMEM; } else { 
@@ -3204,14 +3210,14 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, desc_buf, &buff_len); if (ret) { - dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d", + dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n", __func__, desc_id, desc_index, param_offset, ret); goto out; } /* Sanity check */ if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) { - dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header", + dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n", __func__, desc_buf[QUERY_DESC_DESC_TYPE_OFFSET]); ret = -EINVAL; goto out; @@ -3221,12 +3227,12 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; ufshcd_update_desc_length(hba, desc_id, desc_index, buff_len); - /* Check wherher we will not copy more data, than available */ - if (is_kmalloc && (param_offset + param_size) > buff_len) - param_size = buff_len - param_offset; - - if (is_kmalloc) + if (is_kmalloc) { + /* Make sure we don't copy more data than available */ + if (param_offset + param_size > buff_len) + param_size = buff_len - param_offset; memcpy(param_read_buf, &desc_buf[param_offset], param_size); + } out: if (is_kmalloc) kfree(desc_buf); -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.
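
Review bot: In the first hunk of ufshcd_read_desc_param() (@@ -3184), the added `if (param_offset >= buff_len)` has no opening brace, while the unchanged `return -EINVAL; }` that follows still closes a block, so as posted the braces do not balance and the new bounds check cannot build. Add the `{` so that dev_err() and the return form one block. The kmalloc() to kzalloc() switch in the same hunk is not mentioned in the commit message; a line on why the temporary buffer is now zeroed would help.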
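
Review bot: The second hunk (@@ -3204) only appends "\n" to the two dev_err() format strings, which is unrelated to the offset check the commit message describes. Either mention the newline cleanup in the commit message or move it, together with the same fix to the "Failed to get desc length" message in the first hunk, into a separate patch.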
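
Review bot: In the third hunk (@@ -3221), `param_size = buff_len - param_offset` runs after `buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]`, so it uses the length the device reported, but the only `param_offset >= buff_len` check is in the first hunk, against the length from ufshcd_map_desc_id_to_length(). If the descriptor header reports a length at or below param_offset, the subtraction yields zero or a negative value and the memcpy() length derived from it is not a valid span inside desc_buf. Repeat the offset check after buff_len is reassigned and fail with `ret = -EINVAL; goto out;` so desc_buf is still freed; that is also the check against the "actual descriptor length" that the commit message promises.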