From patchwork Wed Nov 28 14:40:01 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 152296
From: Amit Pundir
To: Greg KH
Cc: Stable, Yaniv Gardi, Subhash Jadavani, "Martin K . Petersen"
Subject: [PATCH for-4.9.y 07/10] scsi: ufs: fix bugs related to null pointer access and array size
Date: Wed, 28 Nov 2018 20:10:01 +0530
Message-Id: <1543416004-1547-8-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1543416004-1547-1-git-send-email-amit.pundir@linaro.org>
References: <1543416004-1547-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Yaniv Gardi

commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream.

In this change there are a few fixes of possible NULL pointer access and possible access to index that exceeds array boundaries.

Signed-off-by: Yaniv Gardi
Signed-off-by: Subhash Jadavani
Signed-off-by: Martin K. Petersen
Signed-off-by: Amit Pundir
---
 drivers/scsi/ufs/ufs.h    |  3 ++-
 drivers/scsi/ufs/ufshcd.c | 25 +++++++++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)

--
2.7.4

diff --git a/drivers/scsi/ufs/ufs.h b/drivers/scsi/ufs/ufs.h index 5bb2316f60bf..54deeb754db5 100644 --- a/drivers/scsi/ufs/ufs.h +++ b/drivers/scsi/ufs/ufs.h
@@ -46,6 +46,7 @@ #define QUERY_DESC_HDR_SIZE 2 #define QUERY_OSF_SIZE (GENERAL_UPIU_REQUEST_SIZE - \ (sizeof(struct utp_upiu_header))) +#define RESPONSE_UPIU_SENSE_DATA_LENGTH 18 #define UPIU_HEADER_DWORD(byte3, byte2, byte1, byte0)\ cpu_to_be32((byte3 << 24) | (byte2 << 16) |\ @@ -410,7 +411,7 @@ struct utp_cmd_rsp { __be32 residual_transfer_count; __be32 reserved[4]; __be16 sense_data_len; - u8 sense_data[18]; + u8 sense_data[RESPONSE_UPIU_SENSE_DATA_LENGTH]; }; /** diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index f857086ce2fa..5a1ea5aa799e 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -901,10 +901,14 @@ static inline void ufshcd_copy_sense_data(struct ufshcd_lrb *lrbp) int len; if (lrbp->sense_buffer && ufshcd_get_rsp_upiu_data_seg_len(lrbp->ucd_rsp_ptr)) { + int len_to_copy; + len = be16_to_cpu(lrbp->ucd_rsp_ptr->sr.sense_data_len); + len_to_copy = min_t(int, RESPONSE_UPIU_SENSE_DATA_LENGTH, len); + memcpy(lrbp->sense_buffer, lrbp->ucd_rsp_ptr->sr.sense_data, - min_t(int, len, SCSI_SENSE_BUFFERSIZE)); + min_t(int, len_to_copy, SCSI_SENSE_BUFFERSIZE)); } } @@ -6373,7 +6377,10 @@ EXPORT_SYMBOL(ufshcd_system_suspend); int ufshcd_system_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered || pm_runtime_suspended(hba->dev)) + if (!hba) + return -EINVAL; + + if (!hba->is_powered || pm_runtime_suspended(hba->dev)) /* * Let the runtime resume take care of resuming * if runtime suspended. @@ -6394,7 +6401,10 @@ EXPORT_SYMBOL(ufshcd_system_resume); */ int ufshcd_runtime_suspend(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; return ufshcd_suspend(hba, UFS_RUNTIME_PM); 
@@ -6424,10 +6434,13 @@ EXPORT_SYMBOL(ufshcd_runtime_suspend); */ int ufshcd_runtime_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; - else - return ufshcd_resume(hba, UFS_RUNTIME_PM); + + return ufshcd_resume(hba, UFS_RUNTIME_PM); } EXPORT_SYMBOL(ufshcd_runtime_resume);
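Review bot: The new `#define RESPONSE_UPIU_SENSE_DATA_LENGTH 18` in ufs.h (hunk @@ -46,6 +46,7) has no comment saying what the 18 is a length of or where the value comes from. It now sizes `sense_data[]` in struct utp_cmd_rsp and bounds the copy in ufshcd_copy_sense_data(), so a one-line comment tying it to the sense data field of the response UPIU would help the next reader. The define would also read better placed next to struct utp_cmd_rsp than between QUERY_OSF_SIZE and UPIU_HEADER_DWORD.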
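Review bot: In ufshcd_copy_sense_data() (ufshcd.c, hunk @@ -901,10 +901,14), an oversized device-supplied `sense_data_len` is now truncated silently, and it is still never compared with the data segment length, which the surrounding `if` only tests for non-zero via ufshcd_get_rsp_upiu_data_seg_len(). The clamp to RESPONSE_UPIU_SENSE_DATA_LENGTH correctly bounds the read from `sr.sense_data`; consider adding a rate-limited warning when `len` exceeds the array size so a misbehaving device is visible in the log. The two nested `min_t(int, ...)` calls could be one clamp computed once, with `len_to_copy` declared beside `int len;` at the top of the function rather than inside the block.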
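Review bot: In ufshcd_system_resume() (hunk @@ -6373,7 +6377,10), the remaining `if (!hba->is_powered || pm_runtime_suspended(hba->dev))` still has the multi-line "Let the runtime resume take care of resuming" comment as the start of its unbraced body. Since the condition is being rewritten here anyway, add braces around the body or move the comment above the `if`, so the statement the condition guards is unambiguous.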
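Review bot: In ufshcd_runtime_suspend() (hunk @@ -6394,7 +6401,10), a NULL `hba` used to fall into `return 0;` and now returns -EINVAL, a caller-visible change the commit message does not mention. The old `!hba ||` test already short-circuited, so no dereference is removed from this condition; what changes is the return value, and the same applies to the ufshcd_system_resume() and ufshcd_runtime_resume() hunks. Please state the new return value in the commit message and in the function comment that ends just above, and confirm the PM callbacks that call these helpers are fine with an error where they previously saw success.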
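Review bot: In ufshcd_runtime_resume() (hunk @@ -6424,10 +6434,13), dropping the `else` before `return ufshcd_resume(hba, UFS_RUNTIME_PM);` is a style cleanup folded into a bug fix. It is harmless and makes the function match ufshcd_runtime_suspend(), but it is worth a word in the commit message so that the diff is not read as a functional change at that line.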