From: Can Guo
To: asutoshd@codeaurora.org, nguyenb@codeaurora.org, hongwus@codeaurora.org, rnayak@codeaurora.org, linux-scsi@vger.kernel.org, kernel-team@android.com, saravanak@google.com, salyzyn@google.com, cang@codeaurora.org
Cc: Alim Akhtar, Avri Altman, "James E.J. Bottomley", "Martin K. Petersen", Stanley Chu, Bean Huo, Bart Van Assche, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from ufshcd_read_desc_param()
Date: Wed, 21 Oct 2020 22:59:00 -0700
Message-Id: <1603346348-14149-1-git-send-email-cang@codeaurora.org>
X-Mailer: git-send-email 2.7.4
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Since WB feature has been added, WB related sysfs entries can be accessed even when a UFS device does not support WB feature. In that case, the descriptors which are not supported by the UFS device may be wrongly reported when they are accessed from their corresponding sysfs entries. Fix it by adding a sanity check of parameter offset against the actual descriptor length.

Signed-off-by: Can Guo

--- drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index a2ebcc8..aeec10d 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c 
@@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, /* Get the length of descriptor */ ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len); if (!buff_len) { - dev_err(hba->dev, "%s: Failed to get desc length", __func__); + dev_err(hba->dev, "%s: Failed to get desc length\n", __func__); + return -EINVAL; + } + + if (param_offset >= buff_len) { + dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n", + __func__, param_offset, desc_id, buff_len); return -EINVAL; } /* Check whether we need temp memory */ if (param_offset != 0 || param_size < buff_len) { - desc_buf = kmalloc(buff_len, GFP_KERNEL); + desc_buf = kzalloc(buff_len, GFP_KERNEL); if (!desc_buf) return -ENOMEM; } else { @@ -3204,14 +3210,14 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, desc_buf, &buff_len); if (ret) { - dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d", + dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n", __func__, desc_id, desc_index, param_offset, ret); goto out; } /* Sanity check */ if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) { - dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header", + dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n", __func__, desc_buf[QUERY_DESC_DESC_TYPE_OFFSET]); ret = -EINVAL; goto out; 
@@ -3221,12 +3227,12 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; ufshcd_update_desc_length(hba, desc_id, desc_index, buff_len); - /* Check wherher we will not copy more data, than available */ - if (is_kmalloc && (param_offset + param_size) > buff_len) - param_size = buff_len - param_offset; - - if (is_kmalloc) + if (is_kmalloc) { + /* Make sure we don't copy more data than available */ + if (param_offset + param_size > buff_len) + param_size = buff_len - param_offset; memcpy(param_read_buf, &desc_buf[param_offset], param_size); + } out: if (is_kmalloc) kfree(desc_buf); -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.
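
Review bot: the switch of desc_buf from kmalloc() to kzalloc() in the first hunk (@@ -3184) is not explained in the commit message, which only describes the offset check. If the intent is that a short read from the device can never expose stale heap contents through param_read_buf, please say so in the changelog. Separately, the new "Invalid offset" dev_err() sits on a path the changelog says is reachable from sysfs on devices without WB support, so every such read will log an error; a debug-level or rate-limited message may be the better fit.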
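
Review bot: the second hunk (@@ -3204) only adds "\n" terminators to two existing dev_err() strings, which is a cleanup unrelated to the offset check and is not mentioned in the changelog. Either note it in the commit message or move the newline fixes to a separate patch so the functional fix is easier to backport and review.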
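
Review bot: param_offset is not re-checked in the last hunk (@@ -3221) after buff_len is overwritten with desc_buf[QUERY_DESC_LENGTH_OFFSET]. The new check in the first hunk compares against the length from ufshcd_map_desc_id_to_length(), taken before the descriptor is read, while the changelog promises a check against the actual descriptor length. If the device reports a length at or below param_offset, "param_size = buff_len - param_offset" is no longer a valid size and the memcpy() still runs from &desc_buf[param_offset]. Suggest repeating the "param_offset >= buff_len" test right after the buff_len update, setting ret = -EINVAL and jumping to out so desc_buf is freed.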