There shouldn't be any restriction of the descriptor size (not the descriptor id for that matter) up to QUERY_DESC_MAX_SIZE. According to the spec, the caller can use any descriptor size, and it is up to the device to return the actual size. Therefore there shouldn't be any sizes hardcoded in the kernel, nor any need to cache it, hence ufshcd_map_desc_id_to_length function is redundant. Always read the descriptors with QUERY_DESC_MAX_SIZE size. Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx> Reviewed-by: Bean Huo <beanhuo@xxxxxxxxxx> Suggested-by: Bean Huo <beanhuo@xxxxxxxxxx> Signed-off-by: Arthur Simchaev <Arthur.Simchaev@xxxxxxx> --- drivers/ufs/core/ufs_bsg.c | 1 - drivers/ufs/core/ufshcd.c | 23 +++++++++++------------ 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c index 7eec38c..dc441ac 100644 --- a/drivers/ufs/core/ufs_bsg.c +++ b/drivers/ufs/core/ufs_bsg.c @@ -16,7 +16,6 @@ static int ufs_bsg_get_query_desc_size(struct ufs_hba *hba, int *desc_len, struct utp_upiu_query *qr) { int desc_size = be16_to_cpu(qr->length); - int desc_id = qr->idn; if (desc_size <= 0) return -EINVAL; diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index b6ef92d3..7f89626 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3395,12 +3395,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, if (desc_id >= QUERY_DESC_IDN_MAX || !param_size) return -EINVAL; - if (param_offset >= buff_len) { - dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n", - __func__, param_offset, desc_id, buff_len); - return -EINVAL; - } - /* Check whether we need temp memory */ if (param_offset != 0 || param_size < buff_len) { desc_buf = kzalloc(buff_len, GFP_KERNEL); @@ -3413,15 +3407,23 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, /* Request for full descriptor */ ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC, - desc_id, desc_index, 0, - desc_buf, &buff_len); - + desc_id, desc_index, 0, + desc_buf, &buff_len); if (ret) { dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n", __func__, desc_id, desc_index, param_offset, ret); goto out; } + /* Update descriptor length */ + buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; + + if (param_offset >= buff_len) { + dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n", + __func__, param_offset, desc_id, buff_len); + return -EINVAL; + } + /* Sanity check */ if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) { dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n", @@ -3430,9 +3432,6 @@ int ufshcd_read_desc_param(struct ufs_hba *hba, goto out; } - /* Update descriptor length */ - buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET]; - if (is_kmalloc) { /* Make sure we don't copy more data than available */ if (param_offset >= buff_len) -- 2.7.4