From: Bean Huo <beanhuo@micron.com>
Date: Wed, 3 Jun 2020 09:19:57 +0000 (+0200)
Subject: scsi: ufs: Fix potential NULL pointer access during memcpy
X-Git-Tag: v5.15~3084^2~308
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cbe193f6f093b79fd1ab998dd95f73f874fb4733;p=platform%2Fkernel%2Flinux-starfive.git

scsi: ufs: Fix potential NULL pointer access during memcpy

If param_offset is not 0, the memcpy length shouldn't be the true
descriptor length.

Link: https://lore.kernel.org/r/20200603091959.27618-4-huobean@gmail.com
Acked-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Bean Huo <beanhuo@micron.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 2288950..50364a1 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -3223,8 +3223,8 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
 	}
 
 	/* Check wherher we will not copy more data, than available */
-	if (is_kmalloc && param_size > buff_len)
-		param_size = buff_len;
+	if (is_kmalloc && (param_offset + param_size) > buff_len)
+		param_size = buff_len - param_offset;
 
 	if (is_kmalloc)
 		memcpy(param_read_buf, &desc_buf[param_offset], param_size);