From bd224a5dad4d32f5224f5e8ae998b70e4621dcd3 Mon Sep 17 00:00:00 2001
From: Hao Wu <hao.a.wu@intel.com>
Date: Fri, 9 Nov 2018 15:14:08 +0800
Subject: [PATCH] MdeModulePkg/NvmExpressPei: Refine data buffer & len check in
 PassThru

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1142

The fix is similar to commit ebb6c7633bca47fcd5b460a67e18e4a717ea91cc.
We found that a similar fix should be applied to the NVMe PEI driver as
well. Hence, this one is for the PEI counterpart driver.

According to the the NVM Express spec Revision 1.1, for some commands
(like Get/Set Feature Command, Figure 89 & 90 of the spec), the Memory
Buffer maybe optional although the command opcode indicates there is a
data transfer between host & controller (Get/Set Feature Command, Figure
38 of the spec).

Hence, this commit refine the checks for the 'TransferLength' and
'TransferBuffer' field of the
EDKII_PEI_NVM_EXPRESS_PASS_THRU_COMMAND_PACKET structure to address this
issue.

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <Jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
---
 .../Pci/NvmExpressPei/NvmExpressPeiPassThru.c | 33 ++++++++++---------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/MdeModulePkg/Bus/Pci/NvmExpressPei/NvmExpressPeiPassThru.c b/MdeModulePkg/Bus/Pci/NvmExpressPei/NvmExpressPeiPassThru.c
index 81ad01b7ee..ddcfe03998 100644
--- a/MdeModulePkg/Bus/Pci/NvmExpressPei/NvmExpressPeiPassThru.c
+++ b/MdeModulePkg/Bus/Pci/NvmExpressPei/NvmExpressPeiPassThru.c
@@ -442,7 +442,8 @@ NvmePassThru (
   // specific addresses.
   //
   if ((Sq->Opc & (BIT0 | BIT1)) != 0) {
-    if ((Packet->TransferLength == 0) || (Packet->TransferBuffer == NULL)) {
+    if (((Packet->TransferLength != 0) && (Packet->TransferBuffer == NULL)) ||
+        ((Packet->TransferLength == 0) && (Packet->TransferBuffer != NULL))) {
       return EFI_INVALID_PARAMETER;
     }
 
@@ -468,21 +469,23 @@ NvmePassThru (
         MapOp = EdkiiIoMmuOperationBusMasterWrite;
       }
 
-      MapLength = Packet->TransferLength;
-      Status = IoMmuMap (
-                 MapOp,
-                 Packet->TransferBuffer,
-                 &MapLength,
-                 &PhyAddr,
-                 &MapData
-                 );
-      if (EFI_ERROR (Status) || (MapLength != Packet->TransferLength)) {
-        Status = EFI_OUT_OF_RESOURCES;
-        DEBUG ((DEBUG_ERROR, "%a: Fail to map data buffer.\n", __FUNCTION__));
-        goto Exit;
-      }
+      if ((Packet->TransferLength != 0) && (Packet->TransferBuffer != NULL)) {
+        MapLength = Packet->TransferLength;
+        Status = IoMmuMap (
+                   MapOp,
+                   Packet->TransferBuffer,
+                   &MapLength,
+                   &PhyAddr,
+                   &MapData
+                   );
+        if (EFI_ERROR (Status) || (MapLength != Packet->TransferLength)) {
+          Status = EFI_OUT_OF_RESOURCES;
+          DEBUG ((DEBUG_ERROR, "%a: Fail to map data buffer.\n", __FUNCTION__));
+          goto Exit;
+        }
 
-      Sq->Prp[0] = PhyAddr;
+        Sq->Prp[0] = PhyAddr;
+      }
 
       if((Packet->MetadataLength != 0) && (Packet->MetadataBuffer != NULL)) {
         MapLength = Packet->MetadataLength;