The UFSHCI spec mentions that the Response UPIU Length (RUL) field in the Transfer Request Descriptor should be in dwords. The Query Response UPIU size is variable, depending on the data to be read/written, and the size of a SCSI command Response UPIU is fixed. Currently response_upiu_length is being updated in bytes. If a UFS host controller prepares a Query Response UPIU with response_upiu_length, it will result in a wrong Query Response UPIU size, corrupting the command descriptor list.

This issue will not affect the current UFSHCD Ver 0.1, since Query function support is not yet implemented. But this patch also ensures against command descriptor list corruption if a UFS controller prepares a SCSI Response UPIU with response_upiu_length.

Reported-by: KOBAYASHI Yoshitake <yoshitake.kobayashi@xxxxxxxxxxxxx>
Reviewed-by: Vinayak Holikatti <vinholikatti@xxxxxxxxx>
Signed-off-by: Santosh Y <santoshsy@xxxxxxxxx>
---
 drivers/scsi/ufs/ufshcd.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 52b96e8..1878cd8 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -830,13 +830,16 @@ static void ufshcd_host_memory_configure(struct ufs_hba *hba) utrdlp[i].command_desc_base_addr_hi = cpu_to_le32(upper_32_bits(cmd_desc_element_addr)); - /* Response upiu and prdt offset should be in double words */ + /* + * Response upiu offset, prdt offset and response upiu length + * should be in double words + */ utrdlp[i].response_upiu_offset = cpu_to_le16((response_offset >> 2)); utrdlp[i].prd_table_offset = cpu_to_le16((prdt_offset >> 2)); utrdlp[i].response_upiu_length = - cpu_to_le16(ALIGNED_UPIU_SIZE); + cpu_to_le16(ALIGNED_UPIU_SIZE >> 2); hba->lrb[i].utr_descriptor_ptr = (utrdlp + i); hba->lrb[i].ucd_cmd_ptr = -- 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
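Review bot: the `ALIGNED_UPIU_SIZE >> 2` conversion in the `response_upiu_length` assignment silently truncates if ALIGNED_UPIU_SIZE is ever not a multiple of 4, and the same holds for the existing `response_offset >> 2` and `prdt_offset >> 2` lines just above it; since a short length here is exactly the descriptor-list corruption the commit message warns about, the dword assumption deserves a compile-time check next to these lines, e.g. `BUILD_BUG_ON(ALIGNED_UPIU_SIZE & 3);`, or at least a note in the updated comment stating that all three byte quantities are required to be dword aligned.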
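The following is an added example, not code from the patch or from the kernel UFS driver, that shows why the unit of the RUL field matters: it fills the three dword-unit UTRD fields from byte quantities with an alignment and 16-bit range check, then computes the byte range the controller would write for the Response UPIU and verifies it stays below the PRDT offset and inside the command descriptor. The sizes used (ALIGNED_UPIU_SIZE of 512 bytes, a three-UPIU command descriptor, response at offset 512 and PRDT at offset 1024) are assumptions chosen for illustration; the struct and helper names are hypothetical and do not match the driver's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (illustrative, not taken from the patch or the spec). */
#define ALIGNED_UPIU_SIZE 512u                   /* bytes per UPIU slot  */
#define UCD_SIZE          (3u * ALIGNED_UPIU_SIZE) /* cmd + resp + PRDT    */

/* The three UTRD fields the hunk touches; all are in dwords per UFSHCI. */
struct utrd_fields {
    uint16_t response_upiu_offset;
    uint16_t response_upiu_length;
    uint16_t prd_table_offset;
};

/* Convert a byte count to dwords. Refuses values that are not dword
 * aligned (a plain >> 2 would silently drop the low bits) or that do
 * not fit the 16-bit descriptor field. */
static bool bytes_to_dwords(size_t bytes, uint16_t *out)
{
    if (bytes & 3u)
        return false;
    size_t dw = bytes >> 2;
    if (dw > UINT16_MAX)
        return false;
    *out = (uint16_t)dw;
    return true;
}

/* Fill the descriptor the way the patched driver does: every field
 * converted from bytes to dwords, with the conversion checked. */
static bool utrd_fill(struct utrd_fields *d, size_t resp_off_bytes,
                      size_t prdt_off_bytes, size_t resp_len_bytes)
{
    return bytes_to_dwords(resp_off_bytes, &d->response_upiu_offset) &&
           bytes_to_dwords(prdt_off_bytes, &d->prd_table_offset) &&
           bytes_to_dwords(resp_len_bytes, &d->response_upiu_length);
}

/* End (in bytes, exclusive) of the region a controller honouring the
 * descriptor would write when it copies in the Response UPIU. */
static size_t utrd_response_end_bytes(const struct utrd_fields *d)
{
    return ((size_t)d->response_upiu_offset + d->response_upiu_length) * 4u;
}

/* True if that write stays below the PRDT and inside the command
 * descriptor, i.e. cannot clobber the PRDT or the next descriptor. */
static bool utrd_response_fits(const struct utrd_fields *d)
{
    size_t end = utrd_response_end_bytes(d);
    return end <= (size_t)d->prd_table_offset * 4u && end <= UCD_SIZE;
}

/* Convenience: build the assumed layout with a given raw value in the
 * length field, so the pre-patch (bytes) and post-patch (dwords) values
 * can be compared directly. */
static bool layout_fits_with_length_field(uint16_t length_field)
{
    struct utrd_fields d;
    if (!utrd_fill(&d, ALIGNED_UPIU_SIZE, 2u * ALIGNED_UPIU_SIZE,
                   ALIGNED_UPIU_SIZE))
        return false;
    d.response_upiu_length = length_field;
    return utrd_response_fits(&d);
}
```

With the assumed layout, storing ALIGNED_UPIU_SIZE itself (512) in the dword field makes the controller's response write end at byte 2560, past both the PRDT at 1024 and the 1536-byte descriptor; the patched value of 128 dwords ends exactly at the PRDT offset. The alignment refusal in bytes_to_dwords is the check a reviewer would want beside the shifts in the hunk.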