From patchwork Wed Nov 28 14:47:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 152301 Delivered-To: patch@linaro.org Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1178678ljp; Wed, 28 Nov 2018 06:47:58 -0800 (PST) X-Google-Smtp-Source: AJdET5cCThv0KkCs7K8EqpJXs66E55hk4G47fK4qmWG8j0EO6MZ3FZQ54i+ea9btLM+dIOXK0EGt X-Received: by 2002:a63:e247:: with SMTP id y7mr31982781pgj.84.1543416478245; Wed, 28 Nov 2018 06:47:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543416478; cv=none; d=google.com; s=arc-20160816; b=wQjBD6SOabHw6ITMOqXxDLZU9gbmlLbCXZfisiiAA/PlXA1iwBSrQlclSsw179/p2K ZqXsBgW7Pil6Eycc7yWW8NUNl+Q2dXRWwwp0B2G5Sa4+PdNtUCEWkRTHHg6lrPZmMRJu p1G+FDl3AcZ5vNClfn1687QjbPFu4le2SE4Lrqh7ov6fWOfrbHLB0Z9cLQUkxlwoQ6dl vQ64DKARdnmOZlY4krzvUkIcqHoqMDPn9yS8ZzugNGvxj5/Y9Eve1LoR74/ia+GB8PLD WNrUzWnqXv73WjhGOX2wFtUUensDjDylCHz8PRSdEnXoSitBIOQMyB7C5hAVBCO/sre6 5igw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=L2Ql2glawLImkKLxM4s+Y5yxHJGenrZp2mwk5CueTRs=; b=oIkwxKkVZAaBH718HFvH4R2zU4gT2oLgLoKBy77zcMbf4L6WF3PY+Ov2iPiezMtdHd rUEwXGOUxSd3v5poXR/P3qbidjyHHFcsCmOpxV7NcHhdmFowZ90ninMKHruCbIb6WEcX pWAlK2H6MaDSo1Fehafq1uwG3Pduq7QQhOPFKK/kujsDX7bH2XPBbTeFTjuh00BPldwg tbNpVpfXi2/fu2kKgMub/+UdkAaQ0Q7zHK5g/9+x6fNexCidHElpmsCfMkzG0/81YTQJ HKObMUz7wMFCu/4t6tPnOk0SoVWhi8qOUNZfxO/4b2mNJgnDy88A42tTPqw+jVjU1Dbd wiuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=UXAZAkzj; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p64si7857277pfa.94.2018.11.28.06.47.58; Wed, 28 Nov 2018 06:47:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=UXAZAkzj; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727872AbeK2Btw (ORCPT + 15 others); Wed, 28 Nov 2018 20:49:52 -0500 Received: from mail-pl1-f194.google.com ([209.85.214.194]:42906 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727726AbeK2Btv (ORCPT ); Wed, 28 Nov 2018 20:49:51 -0500 Received: by mail-pl1-f194.google.com with SMTP id x21-v6so17470728pln.9 for ; Wed, 28 Nov 2018 06:47:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=L2Ql2glawLImkKLxM4s+Y5yxHJGenrZp2mwk5CueTRs=; b=UXAZAkzj62easljbstkEtJqTaNQ2IbY1goHkJjf4/o/2jLNfzGw/VvC7i5JBxGOGal vwZYfDVdEyQmgNdESogfp3gl56cDdmIyX3cDgsVRM8X2nNCegYe/e8P6zchsC+JlWuV5 l8C0eDjDeKiClC5jHv5E/6o0A2b0m3Xs4+IXw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=L2Ql2glawLImkKLxM4s+Y5yxHJGenrZp2mwk5CueTRs=; b=IyFWnevCvk6ff4vIPtKTT9CnFnfqBqJykOTRW2/3NLahkEnILYvwqKbg6ABLQRSc6/ inrC1P347AUfuuyUeqBtUoSuBcr3BZCAZlCCknjCvfczilDlRmI2rr+SMTmbuid6Z1wC 6KuaLY3mDiLLde07q3JMVXjeCDuLYsYOSPe8MA2O50yENwRIS5M0b077dMhsolieXYPG yys9NSzesb08P90nhADO6Kn1aj9XEgHlZkcGCRawXgNcmfJQUa6h5VyiTjnoIybG3ysy vZs8RyeJTulaMiu9BoEyIZAdRcHDbTHLN2xmUq2O97qskZHEGlwTp3uFdnaupXLIoeEX Zdog== X-Gm-Message-State: AA+aEWbz6Q7XeBWach9RZVt/GULzUDU+mQ1uqolhKVEzZ0IkdZdmRSA4 EtKcMktUNJIVGAnJEJox+ruA0Q== X-Received: by 2002:a17:902:6502:: with SMTP id b2mr36682533plk.44.1543416476751; Wed, 28 Nov 2018 06:47:56 -0800 (PST) Received: from localhost.localdomain ([49.207.53.6]) by smtp.gmail.com with ESMTPSA id r80sm14295109pfa.111.2018.11.28.06.47.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 28 Nov 2018 06:47:55 -0800 (PST) From: Amit Pundir To: Greg KH Cc: Stable , Yaniv Gardi , Subhash Jadavani , "Martin K . Petersen" Subject: [PATCH for-3.18.y 2/5] scsi: ufs: fix bugs related to null pointer access and array size Date: Wed, 28 Nov 2018 20:17:44 +0530 Message-Id: <1543416467-2081-3-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1543416467-2081-1-git-send-email-amit.pundir@linaro.org> References: <1543416467-2081-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Yaniv Gardi commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream. In this change there are a few fixes of possible NULL pointer access and possible access to index that exceeds array boundaries. Signed-off-by: Yaniv Gardi Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen [AmitP: Rebased for linux-3.18.y] Signed-off-by: Amit Pundir --- drivers/scsi/ufs/ufs.h | 3 ++- drivers/scsi/ufs/ufshcd.c | 25 +++++++++++++++++++------ 2 files changed, 21 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/drivers/scsi/ufs/ufs.h b/drivers/scsi/ufs/ufs.h index 42c459a9d3fe..ce5234555cc9 100644 --- a/drivers/scsi/ufs/ufs.h +++ b/drivers/scsi/ufs/ufs.h @@ -45,6 +45,7 @@ #define QUERY_DESC_MIN_SIZE 2 #define QUERY_OSF_SIZE (GENERAL_UPIU_REQUEST_SIZE - \ (sizeof(struct utp_upiu_header))) +#define RESPONSE_UPIU_SENSE_DATA_LENGTH 18 #define UPIU_HEADER_DWORD(byte3, byte2, byte1, byte0)\ cpu_to_be32((byte3 << 24) | (byte2 << 16) |\ @@ -383,7 +384,7 @@ struct utp_cmd_rsp { __be32 residual_transfer_count; __be32 reserved[4]; __be16 sense_data_len; - u8 sense_data[18]; + u8 sense_data[RESPONSE_UPIU_SENSE_DATA_LENGTH]; }; /** diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 39a4e61bf8d2..3ff98821bec5 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -796,10 +796,14 @@ static inline void ufshcd_copy_sense_data(struct ufshcd_lrb *lrbp) int len; if (lrbp->sense_buffer && ufshcd_get_rsp_upiu_data_seg_len(lrbp->ucd_rsp_ptr)) { + int len_to_copy; + len = be16_to_cpu(lrbp->ucd_rsp_ptr->sr.sense_data_len); + len_to_copy = min_t(int, RESPONSE_UPIU_SENSE_DATA_LENGTH, len); + memcpy(lrbp->sense_buffer, lrbp->ucd_rsp_ptr->sr.sense_data, - min_t(int, len, SCSI_SENSE_BUFFERSIZE)); + min_t(int, len_to_copy, SCSI_SENSE_BUFFERSIZE)); } } @@ -5161,7 +5165,10 @@ EXPORT_SYMBOL(ufshcd_system_suspend); int ufshcd_system_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered || pm_runtime_suspended(hba->dev)) + if (!hba) + return -EINVAL; + + if (!hba->is_powered || pm_runtime_suspended(hba->dev)) /* * Let the runtime resume take care of resuming * if runtime suspended. @@ -5182,7 +5189,10 @@ EXPORT_SYMBOL(ufshcd_system_resume); */ int ufshcd_runtime_suspend(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; return ufshcd_suspend(hba, UFS_RUNTIME_PM); @@ -5212,10 +5222,13 @@ EXPORT_SYMBOL(ufshcd_runtime_suspend); */ int ufshcd_runtime_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; - else - return ufshcd_resume(hba, UFS_RUNTIME_PM); + + return ufshcd_resume(hba, UFS_RUNTIME_PM); } EXPORT_SYMBOL(ufshcd_runtime_resume);