From patchwork Tue Oct 18 00:09:24 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: subhashj@codeaurora.org X-Patchwork-Id: 9380873 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 54E64600CA for ; Tue, 18 Oct 2016 00:10:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4613028FE7 for ; Tue, 18 Oct 2016 00:10:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3974D28FF0; Tue, 18 Oct 2016 00:10:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5EAAD28FE7 for ; Tue, 18 Oct 2016 00:10:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935938AbcJRAJc (ORCPT ); Mon, 17 Oct 2016 20:09:32 -0400 Received: from smtp.codeaurora.org ([198.145.29.96]:43554 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935674AbcJRAJa (ORCPT ); Mon, 17 Oct 2016 20:09:30 -0400 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 59475617C7; Tue, 18 Oct 2016 00:09:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1476749369; bh=dw0BQBDZJhjJlqBOizD9G3FuL+oM0L/5Q7MIjtVNwwM=; h=From:To:Cc:Subject:Date:From; b=aaHx1HtuTrDOFHoGV21UnpqyknsVWR02KoUDQPqYUzrEOGObgCTK7ly7vdy3MNKVl 3aHgjjPncTVXszapWbT6mh8I5nB102S610wjw106kVR5C+9eAL9oImF/5Oklf/uUwr SVRaE2P64yz3muN/FkmiJSYjd9+MQhdTTFmwCc2Y= Received: from subhashj-linux1.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: subhashj@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id C2F09617BD; Tue, 18 Oct 2016 00:09:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1476749369; bh=dw0BQBDZJhjJlqBOizD9G3FuL+oM0L/5Q7MIjtVNwwM=; h=From:To:Cc:Subject:Date:From; b=aaHx1HtuTrDOFHoGV21UnpqyknsVWR02KoUDQPqYUzrEOGObgCTK7ly7vdy3MNKVl 3aHgjjPncTVXszapWbT6mh8I5nB102S610wjw106kVR5C+9eAL9oImF/5Oklf/uUwr SVRaE2P64yz3muN/FkmiJSYjd9+MQhdTTFmwCc2Y= DMARC-Filter: OpenDMARC Filter v1.3.1 smtp.codeaurora.org C2F09617BD Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=pass smtp.mailfrom=subhashj@codeaurora.org From: Subhash Jadavani To: vinholikatti@gmail.com, jejb@linux.vnet.ibm.com, martin.petersen@oracle.com Cc: Yaniv Gardi , Subhash Jadavani , linux-scsi@vger.kernel.org (open list:UNIVERSAL FLASH STORAGE HOST CONTROLLER DRIVER), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v1 03/11] scsi: ufs: fix bugs related to null pointer access and array size Date: Mon, 17 Oct 2016 17:09:24 -0700 Message-Id: <1476749364-11163-1-git-send-email-subhashj@codeaurora.org> X-Mailer: git-send-email 1.9.1 Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Yaniv Gardi In this change there are a few fixes of possible NULL pointer access and possible access to index that exceeds array boundaries. Signed-off-by: Yaniv Gardi Signed-off-by: Subhash Jadavani --- drivers/scsi/ufs/ufs.h | 3 ++- drivers/scsi/ufs/ufshcd.c | 25 +++++++++++++++++++------ 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/scsi/ufs/ufs.h b/drivers/scsi/ufs/ufs.h index 845b874..7a6ccb6 100644 --- a/drivers/scsi/ufs/ufs.h +++ b/drivers/scsi/ufs/ufs.h @@ -46,6 +46,7 @@ #define QUERY_DESC_HDR_SIZE 2 #define QUERY_OSF_SIZE (GENERAL_UPIU_REQUEST_SIZE - \ (sizeof(struct utp_upiu_header))) +#define RESPONSE_UPIU_SENSE_DATA_LENGTH 18 #define UPIU_HEADER_DWORD(byte3, byte2, byte1, byte0)\ cpu_to_be32((byte3 << 24) | (byte2 << 16) |\ @@ -416,7 +417,7 @@ struct utp_cmd_rsp { __be32 residual_transfer_count; __be32 reserved[4]; __be16 sense_data_len; - u8 sense_data[18]; + u8 sense_data[RESPONSE_UPIU_SENSE_DATA_LENGTH]; }; /** diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 834a28c..a99f57b 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -889,10 +889,14 @@ static inline void ufshcd_copy_sense_data(struct ufshcd_lrb *lrbp) int len; if (lrbp->sense_buffer && ufshcd_get_rsp_upiu_data_seg_len(lrbp->ucd_rsp_ptr)) { + int len_to_copy; + len = be16_to_cpu(lrbp->ucd_rsp_ptr->sr.sense_data_len); + len_to_copy = min_t(int, RESPONSE_UPIU_SENSE_DATA_LENGTH, len); + memcpy(lrbp->sense_buffer, lrbp->ucd_rsp_ptr->sr.sense_data, - min_t(int, len, SCSI_SENSE_BUFFERSIZE)); + min_t(int, len_to_copy, SCSI_SENSE_BUFFERSIZE)); } } @@ -6091,7 +6095,10 @@ EXPORT_SYMBOL(ufshcd_system_suspend); int ufshcd_system_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered || pm_runtime_suspended(hba->dev)) + if (!hba) + return -EINVAL; + + if (!hba->is_powered || pm_runtime_suspended(hba->dev)) /* * Let the runtime resume take care of resuming * if runtime suspended. @@ -6112,7 +6119,10 @@ EXPORT_SYMBOL(ufshcd_system_resume); */ int ufshcd_runtime_suspend(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; return ufshcd_suspend(hba, UFS_RUNTIME_PM); @@ -6142,10 +6152,13 @@ EXPORT_SYMBOL(ufshcd_runtime_suspend); */ int ufshcd_runtime_resume(struct ufs_hba *hba) { - if (!hba || !hba->is_powered) + if (!hba) + return -EINVAL; + + if (!hba->is_powered) return 0; - else - return ufshcd_resume(hba, UFS_RUNTIME_PM); + + return ufshcd_resume(hba, UFS_RUNTIME_PM); } EXPORT_SYMBOL(ufshcd_runtime_resume);