| Message ID | 1670763911-8695-5-git-send-email-Arthur.Simchaev@wdc.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | ufs: core: Always read the descriptors with max length | expand |
On 12/11/22 05:05, Arthur Simchaev wrote: > There shouldn't be any restriction of the descriptor size > (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE. > According to the spec, the caller can use any descriptor size, > and it is up to the device to return the actual size. > Therefore there shouldn't be any sizes hardcoded in the kernel, > nor any need to cache it, hence ufshcd_map_desc_id_to_length function is > redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size. > > Reviewed-by: Bart Van Assche <bvanassche@acm.org> I have not yet replied with "Reviewed-by" to this patch so you are not yet allowed to add my Reviewed-by tag to this patch. > + /* Update descriptor length */ > + buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; Should a check be added here that desc_buf[QUERY_DESC_LENGTH_OFFSET] <= QUERY_DESC_MAX_SIZE to protect against firmware bugs? Since QUERY_DESC_MAX_SIZE == 255, adding BUILD_BUG_ON(QUERY_DESC_SIZE != 255) and a comment may be sufficient. Thanks, Bart.
> Should a check be added here that desc_buf[QUERY_DESC_LENGTH_OFFSET] > <= QUERY_DESC_MAX_SIZE to protect against firmware bugs? Since > QUERY_DESC_MAX_SIZE == 255, adding BUILD_BUG_ON(QUERY_DESC_SIZE != > 255) > and a comment may be sufficient. Sorry - my bad. In the previous review you mentioned that the patch looks good to you, hence the "Review by". Regarding your comment, we can do that, although I don't think we should cover for those FW basic bugs. Please let me know that you prefer. Regards Arthur > -----Original Message----- > From: Bart Van Assche <bvanassche@acm.org> > Sent: Monday, December 12, 2022 2:19 AM > To: Arthur Simchaev <Arthur.Simchaev@wdc.com>; > martin.petersen@oracle.com > Cc: beanhuo@micron.com; linux-scsi@vger.kernel.org; linux- > kernel@vger.kernel.org > Subject: Re: [PATCH v5 4/4] ufs: core: Remove ufshcd_map_desc_id_to_length > function > > CAUTION: This email originated from outside of Western Digital. Do not click > on links or open attachments unless you recognize the sender and know that > the content is safe. > > > On 12/11/22 05:05, Arthur Simchaev wrote: > > There shouldn't be any restriction of the descriptor size > > (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE. > > According to the spec, the caller can use any descriptor size, > > and it is up to the device to return the actual size. > > Therefore there shouldn't be any sizes hardcoded in the kernel, > > nor any need to cache it, hence ufshcd_map_desc_id_to_length function is > > redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size. > > > > Reviewed-by: Bart Van Assche <bvanassche@acm.org> > > I have not yet replied with "Reviewed-by" to this patch so you are not > yet allowed to add my Reviewed-by tag to this patch. > > > + /* Update descriptor length */ > > + buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; > > Should a check be added here that desc_buf[QUERY_DESC_LENGTH_OFFSET] > <= QUERY_DESC_MAX_SIZE to protect against firmware bugs? Since > QUERY_DESC_MAX_SIZE == 255, adding BUILD_BUG_ON(QUERY_DESC_SIZE != > 255) > and a comment may be sufficient. > > Thanks, > > Bart.
On 12/12/22 01:10, Arthur Simchaev wrote: > Regarding your comment, we can do that, although I don't think we should cover for those FW basic bugs. > Please let me know that you prefer. I think this version is good enough. I will post my Reviewed-by. Thanks, Bart.
On 12/11/22 05:05, Arthur Simchaev wrote: > There shouldn't be any restriction of the descriptor size > (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE. > According to the spec, the caller can use any descriptor size, > and it is up to the device to return the actual size. > Therefore there shouldn't be any sizes hardcoded in the kernel, > nor any need to cache it, hence ufshcd_map_desc_id_to_length function is > redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size. Reviewed-by: Bart Van Assche <bvanassche@acm.org>
diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c index 7eec38c..dc441ac 100644 --- a/drivers/ufs/core/ufs_bsg.c +++ b/drivers/ufs/core/ufs_bsg.c @@ -16,7 +16,6 @@ static int ufs_bsg_get_query_desc_size(struct ufs_hba *hba, int *desc_len, struct utp_upiu_query *qr) { int desc_size = be16_to_cpu(qr->length); - int desc_id = qr->idn; if (desc_size <= 0) return -EINVAL; diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index b6ef92d3..7f89626 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3395,12 +3395,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, if (desc_id >= QUERY_DESC_IDN_MAX || !param_size) return -EINVAL; - if (param_offset >= buff_len) { - dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n", - __func__, param_offset, desc_id, buff_len); - return -EINVAL; - } - /* Check whether we need temp memory */ if (param_offset != 0 || param_size < buff_len) { desc_buf = kzalloc(buff_len, GFP_KERNEL); @@ -3413,15 +3407,23 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, /* Request for full descriptor */ ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC, - desc_id, desc_index, 0, - desc_buf, &buff_len); - + desc_id, desc_index, 0, + desc_buf, &buff_len); if (ret) { dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n", __func__, desc_id, desc_index, param_offset, ret); goto out; } + /* Update descriptor length */ + buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; + + if (param_offset >= buff_len) { + dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n", + __func__, param_offset, desc_id, buff_len); + return -EINVAL; + } + /* Sanity check */ if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) { dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n", @@ -3430,9 +3432,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, goto out; } - /* Update descriptor length */ - buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; - if (is_kmalloc) { /* Make sure we don't copy more data than available */ if (param_offset >= buff_len)