Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Sender: cang=codeaurora.org@mg.codeaurora.org
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date:   Mon, 26 Oct 2020 10:56:10 +0800
From:   Can Guo <cang@codeaurora.org>
To:     daejun7.park@samsung.com
Cc:     ALIM AKHTAR <alim.akhtar@samsung.com>, asutoshd@codeaurora.org,
        avri.altman@wdc.com, beanhuo@micron.com, bvanassche@acm.org,
        hongwus@codeaurora.org, jejb@linux.ibm.com,
        kernel-team@android.com, linux-kernel@vger.kernel.org,
        linux-scsi@vger.kernel.org, martin.petersen@oracle.com,
        nguyenb@codeaurora.org, rnayak@codeaurora.org, salyzyn@google.com,
        saravanak@google.com, stanley.chu@mediatek.com
Subject: Re: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from
 ufshcd_read_desc_param()
In-Reply-To: <963815509.21603435202191.JavaMail.epsvc@epcpadp1>
References: <CGME20201023063528epcms2p11b57d929a926d582539ce4e1a57caf80@epcms2p1>
 <963815509.21603435202191.JavaMail.epsvc@epcpadp1>
Message-ID: <da29783bdd6eb1326e3ff8fd50921c54@codeaurora.org>
User-Agent: Roundcube Webmail/1.3.9
Precedence: bulk

On 2020-10-23 14:35, Daejun Park wrote:
> Hi, Can Guo
> 
>> Since WB feature has been added, WB related sysfs entries can be 
>> accessed
>> even when an UFS device does not support WB feature. In that case, the
>> descriptors which are not supported by the UFS device may be wrongly
>> reported when they are accessed from their corrsponding sysfs entries.
>> Fix it by adding a sanity check of parameter offset against the actual
>> decriptor length.
>> 
>> Signed-off-by: Can Guo <cang@codeaurora.org>
>> ---
>> drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++---------
>> 1 file changed, 15 insertions(+), 9 deletions(-)
>> 
>> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
>> index a2ebcc8..aeec10d 100644
>> --- a/drivers/scsi/ufs/ufshcd.c
>> +++ b/drivers/scsi/ufs/ufshcd.c
>> @@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba 
>> *hba,
>> 	/* Get the length of descriptor */
>> 	ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
>> 	if (!buff_len) {
>> -		dev_err(hba->dev, "%s: Failed to get desc length", __func__);
>> +		dev_err(hba->dev, "%s: Failed to get desc length\n", __func__);
>> +		return -EINVAL;
>> +	}
>> +
>> +	if (param_offset >= buff_len) {
>> +		dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, 
>> length 0x%x\n",
>> +			__func__, param_offset, desc_id, buff_len);
> 
> In my understanding, this code seems to check incorrect access to not
> supportted features (e.g. WB) via buff_len value from
> ufshcd_map_desc_id_to_length().
> However, since buff_len is initialized as QUERY_DESC_MAX_SIZE and is
> updated later by ufshcd_update_desc_length(), So it is impossible to 
> find
> incorrect access by checking buff_len at first time.
> 
> Thanks,
> Daejun

Yes, I considered that during bootup time, but the current driver won't 
even
access WB related stuffs it is not supported (there are checks against 
UFS version
and feature supports in ufshcd_wb_probe()). So this change is only 
proecting illegal
access from sysfs entries after bootup is done. Do you see real error 
during bootup
time? If yes, please let me know.

Thanks,

Can Guo.