On Wed, 2021-07-28 at 23:37 -0400, Martin K. Petersen wrote:
> On Mon, 19 Jul 2021 16:11:22 -0700, Bart Van Assche wrote:
>
> > If param_offset > buff_len then the memcpy() statement in
> > ufshcd_read_desc_param() corrupts memory since it copies
> > 256 + buff_len - param_offset bytes into a buffer with size
> > buff_len.
> > Since param_offset < 256 this results in writing past the bound of
> > the output buffer.
>
> Applied to 5.14/scsi-fixes, thanks!
>
> [1/1] scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()
>       https://git.kernel.org/mkp/scsi/c/b1d5de8c6ea2

Hi Martin,

This patch has a problem; we should revert it. The correct fix patch is
in another of Bart's patch series:

https://patchwork.kernel.org/project/linux-scsi/patch/20210722033439.26550-2-bvanassche@xxxxxxx/

Bean
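
The length arithmetic described in the quoted commit message, as an added C example (not the kernel's code and not either of the patches discussed in this thread). It assumes the length is computed in 8-bit arithmetic; wrapped_len, overrun_bytes, checked_param_copy and the sample descriptor are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the length is computed in 8-bit arithmetic, which is what
 * turns a negative difference into 256 + buff_len - param_offset. */
static size_t wrapped_len(uint8_t buff_len, uint8_t param_offset)
{
    return (uint8_t)(buff_len - param_offset);
}

/* Bytes a copy of wrapped_len() would write past a buff_len-byte buffer. */
static size_t overrun_bytes(uint8_t buff_len, uint8_t param_offset)
{
    size_t len = wrapped_len(buff_len, param_offset);
    return len > buff_len ? len - buff_len : 0;
}

/* Hypothetical checked copy: validate the offset before subtracting, then
 * clamp to the requested size. Returns bytes copied, or -1 on bad input. */
static int checked_param_copy(uint8_t *out, size_t buff_len,
                              const uint8_t *desc, size_t desc_len,
                              size_t param_offset, size_t param_size)
{
    if (!out || !desc || param_offset >= buff_len || param_offset >= desc_len)
        return -1;                        /* covers param_offset > buff_len */
    size_t len = buff_len - param_offset; /* cannot wrap: offset < buff_len */
    if (len > param_size)
        len = param_size;
    if (len > desc_len - param_offset)
        len = desc_len - param_offset;
    memcpy(out, desc + param_offset, len);
    return (int)len;
}

/* Constructed sample descriptor; returns 0 when every case behaves as expected. */
static int demo(void)
{
    uint8_t desc[32], out[4] = {0};
    for (size_t i = 0; i < sizeof(desc); i++)
        desc[i] = (uint8_t)i;
    if (overrun_bytes(4, 10) != 246)      /* 256 + 4 - 10 = 250 bytes into 4 */
        return 1;
    if (checked_param_copy(out, sizeof(out), desc, sizeof(desc), 10, 4) != -1)
        return 2;
    if (checked_param_copy(out, sizeof(out), desc, sizeof(desc), 2, 4) != 2)
        return 3;
    return (out[0] == 2 && out[1] == 3) ? 0 : 4;
}

int main(void) { return demo(); }
```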