On Tue, May 27, 2014 at 12:51 PM, Dolev Raviv <draviv@xxxxxxxxxxxxxx> wrote:
> Check query response status before copying the response.
> Add descriptor query response size check, before copying it to buffer.
>
> Signed-off-by: Dolev Raviv <draviv@xxxxxxxxxxxxxx>
> Signed-off-by: Raviv Shvili <rshvili@xxxxxxxxxxxxxx>
> ---
> drivers/scsi/ufs/ufshcd.c | 49 +++++++++++++++++++++++++++++++----------------
> 1 file changed, 32 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
> index ed533f4..f3768ec 100644
> --- a/drivers/scsi/ufs/ufshcd.c
> +++ b/drivers/scsi/ufs/ufshcd.c
> @@ -446,30 +446,34 @@ static inline void ufshcd_copy_sense_data(struct ufshcd_lrb *lrbp)
> * @lrb - pointer to local reference block
> */
> static
> -void ufshcd_copy_query_response(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
> +int ufshcd_copy_query_response(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
> {
> struct ufs_query_res *query_res = &hba->dev_cmd.query.response;
>
> - /* Get the UPIU response */
> - query_res->response = ufshcd_get_rsp_upiu_result(lrbp->ucd_rsp_ptr) >>
> - UPIU_RSP_CODE_OFFSET;
> -
> memcpy(&query_res->upiu_res, &lrbp->ucd_rsp_ptr->qr, QUERY_OSF_SIZE);
>
> -
> /* Get the descriptor */
> if (lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
> u8 *descp = (u8 *)lrbp->ucd_rsp_ptr +
> GENERAL_UPIU_REQUEST_SIZE;
> - u16 len;
> + u16 resp_len;
> + u16 buf_len;
>
> /* data segment length */
> - len = be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_2) &
> + resp_len = be32_to_cpu(lrbp->ucd_rsp_ptr->header.dword_2) &
> MASK_QUERY_DATA_SEG_LEN;
> -
> - memcpy(hba->dev_cmd.query.descriptor, descp,
> - min_t(u16, len, QUERY_DESC_MAX_SIZE));
> + buf_len = hba->dev_cmd.query.request.upiu_req.length;
> + if (likely(buf_len >= resp_len)) {
> + memcpy(hba->dev_cmd.query.descriptor, descp, resp_len);
> + } else {
> + dev_warn(hba->dev,
> + "%s: Response size is bigger than buffer",
> + __func__);
> + return -EINVAL;
> + }
> }
> +
> + return 0;
> }
>
> /**
> @@ -797,11 +801,9 @@ static void ufshcd_prepare_utp_query_req_upiu(struct ufs_hba *hba,
> QUERY_OSF_SIZE);
>
> /* Copy the Descriptor */
> - if ((len > 0) && (query->request.upiu_req.opcode ==
> - UPIU_QUERY_OPCODE_WRITE_DESC)) {
> - memcpy(descp, query->descriptor,
> - min_t(u16, len, QUERY_DESC_MAX_SIZE));
> - }
> + if (query->request.upiu_req.opcode == UPIU_QUERY_OPCODE_WRITE_DESC)
> + memcpy(descp, query->descriptor, len);
> +
> }
>
> static inline void ufshcd_prepare_utp_nop_upiu(struct ufshcd_lrb *lrbp)
> @@ -980,6 +982,17 @@ ufshcd_clear_cmd(struct ufs_hba *hba, int tag)
> return err;
> }
>
> +static int
> +ufshcd_check_query_response(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
> +{
> + struct ufs_query_res *query_res = &hba->dev_cmd.query.response;
> +
> + /* Get the UPIU response */
> + query_res->response = ufshcd_get_rsp_upiu_result(lrbp->ucd_rsp_ptr) >>
> + UPIU_RSP_CODE_OFFSET;
> + return query_res->response;
> +}
> +
> /**
> * ufshcd_dev_cmd_completion() - handles device management command responses
> * @hba: per adapter instance
> @@ -1002,7 +1015,9 @@ ufshcd_dev_cmd_completion(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
> }
> break;
> case UPIU_TRANSACTION_QUERY_RSP:
> - ufshcd_copy_query_response(hba, lrbp);
> + err = ufshcd_check_query_response(hba, lrbp);
> + if (!err)
> + err = ufshcd_copy_query_response(hba, lrbp);
> break;
> case UPIU_TRANSACTION_REJECT_UPIU:
> /* TODO: handle Reject UPIU Response */
> --
> 1.8.5.2
>
Acked-by: Santosh Y <santoshsy@xxxxxxxxx>
--
~Santosh
--
To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
