There shouldn't be any restriction of the descriptor size
(not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE.
According to the spec, the caller can use any descriptor size,
and it is up to the device to return the actual size.
Therefore there shouldn't be any sizes hardcoded in the kernel,
nor any need to cache it, hence ufshcd_map_desc_id_to_length function is
redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size.
Reviewed-by: Bart Van Assche <[email protected]>
Reviewed-by: Bean Huo <[email protected]>
Suggested-by: Bean Huo <[email protected]>
Signed-off-by: Arthur Simchaev <[email protected]>
---
drivers/ufs/core/ufs_bsg.c | 1 -
drivers/ufs/core/ufshcd.c | 23 +++++++++++------------
2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c
index 7eec38c..dc441ac 100644
--- a/drivers/ufs/core/ufs_bsg.c
+++ b/drivers/ufs/core/ufs_bsg.c
@@ -16,7 +16,6 @@ static int ufs_bsg_get_query_desc_size(struct ufs_hba *hba, int *desc_len,
struct utp_upiu_query *qr)
{
int desc_size = be16_to_cpu(qr->length);
- int desc_id = qr->idn;
if (desc_size <= 0)
return -EINVAL;
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index b6ef92d3..7f89626 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -3395,12 +3395,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
return -EINVAL;
- if (param_offset >= buff_len) {
- dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n",
- __func__, param_offset, desc_id, buff_len);
- return -EINVAL;
- }
-
/* Check whether we need temp memory */
if (param_offset != 0 || param_size < buff_len) {
desc_buf = kzalloc(buff_len, GFP_KERNEL);
@@ -3413,15 +3407,23 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
/* Request for full descriptor */
ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC,
- desc_id, desc_index, 0,
- desc_buf, &buff_len);
-
+ desc_id, desc_index, 0,
+ desc_buf, &buff_len);
if (ret) {
dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n",
__func__, desc_id, desc_index, param_offset, ret);
goto out;
}
+ /* Update descriptor length */
+ buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET];
+
+ if (param_offset >= buff_len) {
+ dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n",
+ __func__, param_offset, desc_id, buff_len);
+ return -EINVAL;
+ }
+
/* Sanity check */
if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) {
dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n",
@@ -3430,9 +3432,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
goto out;
}
- /* Update descriptor length */
- buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET];
-
if (is_kmalloc) {
/* Make sure we don't copy more data than available */
if (param_offset >= buff_len)
--
2.7.4
On 12/11/22 05:05, Arthur Simchaev wrote:
> There shouldn't be any restriction of the descriptor size
> (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE.
> According to the spec, the caller can use any descriptor size,
> and it is up to the device to return the actual size.
> Therefore there shouldn't be any sizes hardcoded in the kernel,
> nor any need to cache it, hence ufshcd_map_desc_id_to_length function is
> redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size.
>
> Reviewed-by: Bart Van Assche <[email protected]>
I have not yet replied with "Reviewed-by" to this patch so you are not
yet allowed to add my Reviewed-by tag to this patch.
> + /* Update descriptor length */
> + buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET];
Should a check be added here that desc_buf[QUERY_DESC_LENGTH_OFFSET]
<= QUERY_DESC_MAX_SIZE to protect against firmware bugs? Since
QUERY_DESC_MAX_SIZE == 255, adding BUILD_BUG_ON(QUERY_DESC_SIZE != 255)
and a comment may be sufficient.
Thanks,
Bart.
> Should a check be added here that desc_buf[QUERY_DESC_LENGTH_OFFSET]
> <= QUERY_DESC_MAX_SIZE to protect against firmware bugs? Since
> QUERY_DESC_MAX_SIZE == 255, adding BUILD_BUG_ON(QUERY_DESC_SIZE !=
> 255)
> and a comment may be sufficient.
Sorry - my bad.
In the previous review you mentioned that the patch looks good to you, hence the "Review by".
Regarding your comment, we can do that, although I don't think we should cover for those FW basic bugs.
Please let me know that you prefer.
Regards
Arthur
> -----Original Message-----
> From: Bart Van Assche <[email protected]>
> Sent: Monday, December 12, 2022 2:19 AM
> To: Arthur Simchaev <[email protected]>;
> [email protected]
> Cc: [email protected]; [email protected]; linux-
> [email protected]
> Subject: Re: [PATCH v5 4/4] ufs: core: Remove ufshcd_map_desc_id_to_length
> function
>
> CAUTION: This email originated from outside of Western Digital. Do not click
> on links or open attachments unless you recognize the sender and know that
> the content is safe.
>
>
> On 12/11/22 05:05, Arthur Simchaev wrote:
> > There shouldn't be any restriction of the descriptor size
> > (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE.
> > According to the spec, the caller can use any descriptor size,
> > and it is up to the device to return the actual size.
> > Therefore there shouldn't be any sizes hardcoded in the kernel,
> > nor any need to cache it, hence ufshcd_map_desc_id_to_length function is
> > redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size.
> >
> > Reviewed-by: Bart Van Assche <[email protected]>
>
> I have not yet replied with "Reviewed-by" to this patch so you are not
> yet allowed to add my Reviewed-by tag to this patch.
>
> > + /* Update descriptor length */
> > + buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET];
>
> Should a check be added here that desc_buf[QUERY_DESC_LENGTH_OFFSET]
> <= QUERY_DESC_MAX_SIZE to protect against firmware bugs? Since
> QUERY_DESC_MAX_SIZE == 255, adding BUILD_BUG_ON(QUERY_DESC_SIZE !=
> 255)
> and a comment may be sufficient.
>
> Thanks,
>
> Bart.
On 12/11/22 05:05, Arthur Simchaev wrote:
> There shouldn't be any restriction of the descriptor size
> (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE.
> According to the spec, the caller can use any descriptor size,
> and it is up to the device to return the actual size.
> Therefore there shouldn't be any sizes hardcoded in the kernel,
> nor any need to cache it, hence ufshcd_map_desc_id_to_length function is
> redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size.
Reviewed-by: Bart Van Assche <[email protected]>
On 12/12/22 01:10, Arthur Simchaev wrote:
> Regarding your comment, we can do that, although I don't think we should cover for those FW basic bugs.
> Please let me know that you prefer.
I think this version is good enough. I will post my Reviewed-by.
Thanks,
Bart.