From e44802987ea356204e32f62a16e54df39b9fd214 Mon Sep 17 00:00:00 2001
From: Manish Bhardwaj <mbhardwaj@nvidia.com>
Date: Wed, 5 Jun 2024 04:09:13 +0000
Subject: [PATCH] vsc: fix out of bound memory access

kernel panic when doing a IOCTL on UFS virtual partition
with pass thru enabled. IOCTL require larger space than
the mempool size (512KB) and the len check fails and leads
to a out-of-bound memory access.

Bug 4683333

Change-Id: Ie8d13bbed13a257e73087c9472054aa4083cf3eb
Signed-off-by: Manish Bhardwaj <mbhardwaj@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3151274
Reviewed-by: Sumeet Gupta <sumeetg@nvidia.com>
Tested-by: Tonny Liang <tonnyl@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Reviewed-by: Tonny Liang <tonnyl@nvidia.com>
Reviewed-by: Sanjith T D <std@nvidia.com>
---
 drivers/block/tegra_virt_storage/tegra_hv_ioctl.c | 2 +-
 drivers/block/tegra_virt_storage/tegra_hv_vblk.c  | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/block/tegra_virt_storage/tegra_hv_ioctl.c b/drivers/block/tegra_virt_storage/tegra_hv_ioctl.c
index d81e32f4..868a2fc0 100644
--- a/drivers/block/tegra_virt_storage/tegra_hv_ioctl.c
+++ b/drivers/block/tegra_virt_storage/tegra_hv_ioctl.c
@@ -55,7 +55,7 @@ int vblk_prep_ioctl_req(struct vblk_dev *vblkdev,
 
 	if (ioctl_req->ioctl_len > vsc_req->mempool_len) {
 		dev_err(vblkdev->device,
-			"Ioctl length exceeding mempool length!\n");
+			"Ioctl length %u exceeding mempool length!\n", ioctl_req->ioctl_len);
 		return -EINVAL;
 	}
 
diff --git a/drivers/block/tegra_virt_storage/tegra_hv_vblk.c b/drivers/block/tegra_virt_storage/tegra_hv_vblk.c
index fc83a988..6c82ceaa 100644
--- a/drivers/block/tegra_virt_storage/tegra_hv_vblk.c
+++ b/drivers/block/tegra_virt_storage/tegra_hv_vblk.c
@@ -1144,14 +1144,15 @@ static void setup_device(struct vblk_dev *vblkdev)
 			req->mempool_virt = (void *)((uintptr_t)vblkdev->shared_buffer +
 				(uintptr_t)(req_id * max_io_bytes));
 			req->mempool_offset = (req_id * max_io_bytes);
+			req->mempool_len = max_io_bytes;
 		} else {
 			if (vblkdev->config.blk_config.req_ops_supported & VS_BLK_IOCTL_OP_F) {
 				req->mempool_virt = (void *)((uintptr_t)vblkdev->shared_buffer +
 				(uintptr_t)((req_id % max_ioctl_requests) * UFS_IOCTL_MAX_SIZE_SUPPORTED));
 				req->mempool_offset = (req_id % max_ioctl_requests) * UFS_IOCTL_MAX_SIZE_SUPPORTED;
+				req->mempool_len = UFS_IOCTL_MAX_SIZE_SUPPORTED;
 			}
 		}
-		req->mempool_len = max_io_bytes;
 		req->id = req_id;
 		req->vblkdev = vblkdev;
 	}