From patchwork Thu Nov 24 00:31:41 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: subhashj@codeaurora.org
X-Patchwork-Id: 9444561
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D11F360779 for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 24 Nov 2016 00:33:25 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CED8D27E5A
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 24 Nov 2016 00:33:25 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id C39F227F0B; Thu, 24 Nov 2016 00:33:25 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6E84727EE9
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 24 Nov 2016 00:33:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935677AbcKXAb7 (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Wed, 23 Nov 2016 19:31:59 -0500
Received: from smtp.codeaurora.org ([198.145.29.96]:51090 "EHLO
	smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S935509AbcKXAbr (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Wed, 23 Nov 2016 19:31:47 -0500
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
	id D6E7D61563; Thu, 24 Nov 2016 00:31:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1479947506;
	bh=rpWkvh2eOu18Gq/OqRa+UIufnrmiCWoas8aXIaHLGQI=;
	h=From:To:Cc:Subject:Date:From;
	b=FP1wweIvY7X8Dxaw3rfICi7CFC403WmGX7ZIlhurmzt6kb0lVFdaA8OI0fzYn1HX5
	ZFiBgf06cH6o/ja/UQWDqR8Y2cbTVbwreqya5nzwg2UNadz46+w7X4TEtzxp+rRL5t
	gn1KaSLtiiCzHic8c/cUrRXaOJx/m20gnrax6k58=
Received: from subhashj-linux1.qualcomm.com (i-global254.qualcomm.com
	[199.106.103.254])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: subhashj@smtp.codeaurora.org)
	by smtp.codeaurora.org (Postfix) with ESMTPSA id 01F5C614A1;
	Thu, 24 Nov 2016 00:31:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1479947506;
	bh=rpWkvh2eOu18Gq/OqRa+UIufnrmiCWoas8aXIaHLGQI=;
	h=From:To:Cc:Subject:Date:From;
	b=FP1wweIvY7X8Dxaw3rfICi7CFC403WmGX7ZIlhurmzt6kb0lVFdaA8OI0fzYn1HX5
	ZFiBgf06cH6o/ja/UQWDqR8Y2cbTVbwreqya5nzwg2UNadz46+w7X4TEtzxp+rRL5t
	gn1KaSLtiiCzHic8c/cUrRXaOJx/m20gnrax6k58=
DMARC-Filter: OpenDMARC Filter v1.3.1 smtp.codeaurora.org 01F5C614A1
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	dmarc=none header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	spf=pass smtp.mailfrom=subhashj@codeaurora.org
From: Subhash Jadavani <subhashj@codeaurora.org>
To: vinholikatti@gmail.com, jejb@linux.vnet.ibm.com,
	martin.petersen@oracle.com
Cc: Subhash Jadavani <subhashj@codeaurora.org>,
	linux-scsi@vger.kernel.org (open list:UNIVERSAL FLASH STORAGE HOST
	CONTROLLER DRIVER), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v1 04/11] scsi: ufs: fix failure to read the string
	descriptor
Date: Wed, 23 Nov 2016 16:31:41 -0800
Message-Id: <1479947501-7056-1-git-send-email-subhashj@codeaurora.org>
X-Mailer: git-send-email 1.9.1
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

While reading variable size descriptors (like string descriptor), some UFS
devices may report the "LENGTH" (field in "Transaction Specific fields" of
Query Response UPIU) same as what was requested in Query Request UPIU
instead of reporting the actual size of the variable size descriptor.
Although it's safe to ignore the "LENGTH" field for variable size
descriptors as we can always derive the length of the descriptor from
the descriptor header fields. Hence this change impose the length match
check only for fixed size descriptors (for which we always request the
correct size as part of Query Request UPIU).

Reviewed-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
---
 drivers/scsi/ufs/ufshcd.c | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 9abc11e..d6e87dc 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -2108,16 +2108,38 @@ static int ufshcd_read_desc_param(struct ufs_hba *hba,
 					desc_id, desc_index, 0, desc_buf,
 					&buff_len);
 
-	if (ret || (buff_len < ufs_query_desc_max_size[desc_id]) ||
-	    (desc_buf[QUERY_DESC_LENGTH_OFFSET] !=
-	     ufs_query_desc_max_size[desc_id])
-	    || (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id)) {
-		dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, param_offset %d, buff_len %d ,index %d, ret %d",
-			__func__, desc_id, param_offset, buff_len,
-			desc_index, ret);
-		if (!ret)
-			ret = -EINVAL;
+	if (ret) {
+		dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d",
+			__func__, desc_id, desc_index, param_offset, ret);
+
+		goto out;
+	}
+
+	/* Sanity check */
+	if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) {
+		dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header",
+			__func__, desc_buf[QUERY_DESC_DESC_TYPE_OFFSET]);
+		ret = -EINVAL;
+		goto out;
+	}
 
+	/*
+	 * While reading variable size descriptors (like string descriptor),
+	 * some UFS devices may report the "LENGTH" (field in "Transaction
+	 * Specific fields" of Query Response UPIU) same as what was requested
+	 * in Query Request UPIU instead of reporting the actual size of the
+	 * variable size descriptor.
+	 * Although it's safe to ignore the "LENGTH" field for variable size
+	 * descriptors as we can always derive the length of the descriptor from
+	 * the descriptor header fields. Hence this change impose the length
+	 * match check only for fixed size descriptors (for which we always
+	 * request the correct size as part of Query Request UPIU).
+	 */
+	if ((desc_id != QUERY_DESC_IDN_STRING) &&
+	    (buff_len != desc_buf[QUERY_DESC_LENGTH_OFFSET])) {
+		dev_err(hba->dev, "%s: desc_buf length mismatch: buff_len %d, buff_len(desc_header) %d",
+			__func__, buff_len, desc_buf[QUERY_DESC_LENGTH_OFFSET]);
+		ret = -EINVAL;
 		goto out;
 	}