From ccb21474171a2ffc67b7a229538288fd39891181 Mon Sep 17 00:00:00 2001
From: Avri Altman <avri.altman@wdc.com>
Date: Tue, 2 Jun 2020 15:14:56 +0300
Subject: [PATCH] scsi: ufshcd: Simplify ufshcd_read_desc_param

Always use a locally allocated buffer, and verify that the requested
parameters are indeed valid.

Fixes: a4b0e8a4e92b ("scsi: ufs: Factor out ufshcd_read_desc_param")
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Bean Huo <beanhuo@micron.com>
---
 drivers/scsi/ufs/ufshcd.c | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index af14e52..f036c59 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -3152,6 +3152,8 @@ EXPORT_SYMBOL(ufshcd_map_desc_id_to_length);
  * @param_size: sizeof(param_read_buf)
  *
  * Return 0 in case of success, non-zero otherwise
+ * The caller must ensure that param_read_buf points to at least param_size
+ * available bytes.
  */
 int ufshcd_read_desc_param(struct ufs_hba *hba,
 			   enum desc_idn desc_id,
@@ -3163,7 +3165,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	int ret;
 	u8 *desc_buf;
 	int buff_len;
-	bool is_kmalloc = true;
 
 	/* Safety check */
 	if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
@@ -3175,26 +3176,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	ret = ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
 
 	/* Sanity checks */
-	if (ret || !buff_len) {
+	if (ret || (param_offset + param_size >= buff_len)) {
 		dev_err(hba->dev, "%s: Failed to get full descriptor length",
 			__func__);
 		return ret;
 	}
 
-	/* Check whether we need temp memory */
-	if (param_offset != 0 || param_size < buff_len) {
-		desc_buf = kmalloc(buff_len, GFP_KERNEL);
-		if (!desc_buf)
-			return -ENOMEM;
-	} else {
-		desc_buf = param_read_buf;
-		is_kmalloc = false;
-	}
+	desc_buf = kmalloc(buff_len, GFP_KERNEL);
+	if (!desc_buf)
+		return -ENOMEM;
 
 	/* Request for full descriptor */
 	ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC,
-					desc_id, desc_index, 0,
-					desc_buf, &buff_len);
+			desc_id, desc_index, 0, desc_buf, &buff_len);
 
 	if (ret) {
 		dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d",
@@ -3210,15 +3204,10 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 		goto out;
 	}
 
-	/* Check wherher we will not copy more data, than available */
-	if (is_kmalloc && param_size > buff_len)
-		param_size = buff_len;
+	memcpy(param_read_buf, &desc_buf[param_offset], param_size);
 
-	if (is_kmalloc)
-		memcpy(param_read_buf, &desc_buf[param_offset], param_size);
 out:
-	if (is_kmalloc)
-		kfree(desc_buf);
+	kfree(desc_buf);
 	return ret;
 }
 
-- 
2.7.4