From patchwork Wed Nov 28 17:29:04 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 152332
From: Amit Pundir
To: Greg KH
Cc: Stable, Yaniv Gardi, Subhash Jadavani, "Martin K . Petersen"
Subject: [PATCH for-4.4.y 05/10] scsi: ufs: fix bugs related to null pointer access and array size
Date: Wed, 28 Nov 2018 22:59:04 +0530
Message-Id: <1543426149-7269-6-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Yaniv Gardi

commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream.

In this change there are a few fixes of possible NULL pointer access and
possible access to index that exceeds array boundaries.

Signed-off-by: Yaniv Gardi
Signed-off-by: Subhash Jadavani
Signed-off-by: Martin K. Petersen
[AmitP: Rebased for linux-4.4.y]
Signed-off-by: Amit Pundir
---
 drivers/scsi/ufs/ufs.h    |  3 ++-
 drivers/scsi/ufs/ufshcd.c | 25 +++++++++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)

-- 
2.7.4

diff --git a/drivers/scsi/ufs/ufs.h b/drivers/scsi/ufs/ufs.h index 42c459a9d3fe..ce5234555cc9 100644 --- a/drivers/scsi/ufs/ufs.h +++ b/drivers/scsi/ufs/ufs.h 
@@ -45,6 +45,7 @@ #define QUERY_DESC_MIN_SIZE 2 #define QUERY_OSF_SIZE (GENERAL_UPIU_REQUEST_SIZE - \ (sizeof(struct utp_upiu_header))) +#define RESPONSE_UPIU_SENSE_DATA_LENGTH 18 #define UPIU_HEADER_DWORD(byte3, byte2, byte1, byte0)\ cpu_to_be32((byte3 << 24) | (byte2 << 16) |\ @@ -383,7 +384,7 @@ struct utp_cmd_rsp { __be32 residual_transfer_count; __be32 reserved[4]; __be16 sense_data_len; - u8 sense_data[18]; + u8 sense_data[RESPONSE_UPIU_SENSE_DATA_LENGTH]; }; /** diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 8c58adadb728..0663cd6a19d3 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -813,10 +813,14 @@ static inline void ufshcd_copy_sense_data(struct ufshcd_lrb *lrbp) int len; if (lrbp->sense_buffer && ufshcd_get_rsp_upiu_data_seg_len(lrbp->ucd_rsp_ptr)) { + int len_to_copy; + len = be16_to_cpu(lrbp->ucd_rsp_ptr->sr.sense_data_len); + len_to_copy = min_t(int, RESPONSE_UPIU_SENSE_DATA_LENGTH, len); + memcpy(lrbp->sense_buffer, lrbp->ucd_rsp_ptr->sr.sense_data, - min_t(int, len, SCSI_SENSE_BUFFERSIZE)); + min_t(int, len_to_copy, SCSI_SENSE_BUFFERSIZE)); } } @@ -5251,7 +5255,10 @@ EXPORT_SYMBOL(ufshcd_system_suspend); int ufshcd_system_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered || pm_runtime_suspended(hba->dev)) + if (!hba) + return -EINVAL; + + if (!hba->is_powered || pm_runtime_suspended(hba->dev)) /* * Let the runtime resume take care of resuming * if runtime suspended. @@ -5272,7 +5279,10 @@ EXPORT_SYMBOL(ufshcd_system_resume); */ int ufshcd_runtime_suspend(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; return ufshcd_suspend(hba, UFS_RUNTIME_PM); 
@@ -5302,10 +5312,13 @@ EXPORT_SYMBOL(ufshcd_runtime_suspend); */ int ufshcd_runtime_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; - else - return ufshcd_resume(hba, UFS_RUNTIME_PM); + + return ufshcd_resume(hba, UFS_RUNTIME_PM); } EXPORT_SYMBOL(ufshcd_runtime_resume);
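
Review bot: The new RESPONSE_UPIU_SENSE_DATA_LENGTH define in the first ufs.h hunk carries the bare value 18 with no comment on its unit or where it applies. A one-line comment saying it is the size in bytes of sense_data[] in struct utp_cmd_rsp would tie the define to the array it sizes and to the clamp that uses it in ufshcd_copy_sense_data().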
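
Review bot: In ufshcd_copy_sense_data(), the length is now clamped in two separate min_t(int, ...) steps with no comment explaining why the first one is needed. len is read with be16_to_cpu() from the sense_data_len field of the response UPIU, and before this change it was bounded only by SCSI_SENSE_BUFFERSIZE, not by the size of sr.sense_data[], so memcpy() could read past the end of that array. A short comment stating that would help, the bound could be written as sizeof(lrbp->ucd_rsp_ptr->sr.sense_data) so it cannot drift from the declaration, and len_to_copy could be declared next to len rather than inside the if block.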
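
Review bot: In ufshcd_system_resume(), the removed condition `!hba || !hba->is_powered || pm_runtime_suspended(hba->dev)` already short-circuited on a NULL hba before reading hba->is_powered, so the separate `if (!hba) return -EINVAL;` does not close a dereference. What it changes is the result returned for a NULL hba. The commit message describes this only as a possible NULL pointer access; it should state that the return value for a NULL hba changes.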
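
Review bot: In ufshcd_runtime_suspend(), a NULL hba used to take the `return 0;` branch and now returns -EINVAL, so a caller that passes NULL sees an error where it previously saw success. Please confirm the callers of this exported function handle that, and update the comment block that ends just above the function to mention the -EINVAL return. The same applies to the identical change in ufshcd_runtime_resume().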