| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <df671650-a5af-4453-a11d-e8e2a32bd1ab@oss.qualcomm.com>
Date: Thu, 25 Sep 2025 14:07:47 +0200
From: Konrad Dybcio <konrad.dybcio@....qualcomm.com>
To: Anjelique Melendez <anjelique.melendez@....qualcomm.com>,
heikki.krogerus@...ux.intel.com, gregkh@...uxfoundation.org
Cc: lumag@...nel.org, neil.armstrong@...aro.org, johan+linaro@...nel.org,
quic_bjorande@...cinc.com, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-arm-msm@...r.kernel.org
Subject: Re: [PATCH v4 2/2] usb: typec: ucsi_glink: Increase buffer size to
support UCSI v2
On 9/25/25 1:26 AM, Anjelique Melendez wrote:
> UCSI v2 specification has increased the MSG_IN and MSG_OUT size from
> 16 bytes to 256 bytes each for the message exchange between OPM and PPM
> This makes the total buffer size increase from 48 bytes to 528 bytes.
> Update the buffer size to support this increase.
>
> Signed-off-by: Anjelique Melendez <anjelique.melendez@....qualcomm.com>
> ---
[...]
> static int pmic_glink_ucsi_read(struct ucsi *__ucsi, unsigned int offset,
> @@ -131,18 +143,34 @@ static int pmic_glink_ucsi_read_message_in(struct ucsi *ucsi, void *val, size_t
> static int pmic_glink_ucsi_locked_write(struct pmic_glink_ucsi *ucsi, unsigned int offset,
> const void *val, size_t val_len)
> {
> - struct ucsi_write_buf_req_msg req = {};
> - unsigned long left;
> + struct ucsi_v2_write_buf_req_msg req = {};
> + unsigned long left, max_buf_len;
> + size_t req_len;
> int ret;
>
> + memset(&req, 0, sizeof(req));
= {} already zero-initializes the struct
> req.hdr.owner = PMIC_GLINK_OWNER_USBC;
> req.hdr.type = MSG_TYPE_REQ_RESP;
> req.hdr.opcode = UC_UCSI_WRITE_BUF_REQ;
> +
> + if (ucsi->ucsi->version >= UCSI_VERSION_2_0) {
> + req_len = sizeof(struct ucsi_v2_write_buf_req_msg);
> + max_buf_len = UCSI_BUF_V2_SIZE;
> + } else if (ucsi->ucsi->version) {
> + req_len = sizeof(struct ucsi_v1_write_buf_req_msg);
> + max_buf_len = UCSI_BUF_V1_SIZE;
> + } else {
> + return -EINVAL;
> + }
> +
> + if (offset + val_len > max_buf_len)
> + return -EINVAL;
> +
> memcpy(&req.buf[offset], val, val_len);
>
> reinit_completion(&ucsi->write_ack);
>
> - ret = pmic_glink_send(ucsi->client, &req, sizeof(req));
> + ret = pmic_glink_send(ucsi->client, &req, req_len);
This code keeps the 'reserved' field zeored out for v1, but it does so
in a fragile and implicit way :/
> if (ret < 0) {
> dev_err(ucsi->dev, "failed to send UCSI write request: %d\n", ret);
> return ret;
> @@ -216,12 +244,39 @@ static const struct ucsi_operations pmic_glink_ucsi_ops = {
>
> static void pmic_glink_ucsi_read_ack(struct pmic_glink_ucsi *ucsi, const void *data, int len)
> {
> - const struct ucsi_read_buf_resp_msg *resp = data;
> + u8 *buf = ((struct ucsi_v2_read_buf_resp_msg *)data)->buf;
> + u32 ret_code, max_len;
> + u32 buf_len = 0;
> +
> + if (ucsi->ucsi->version) {
> + if (ucsi->ucsi->version >= UCSI_VERSION_2_0)
> + buf_len = UCSI_BUF_V2_SIZE;
> + else
> + buf_len = UCSI_BUF_V1_SIZE;
> + } else if (!ucsi->ucsi_registered) {
> + /*
> + * If UCSI version is not known yet because device is not registered,
> + * choose buffer size which best fits incoming data
> + */
> + if (len > sizeof(struct pmic_glink_hdr) + UCSI_BUF_V2_SIZE)
> + buf_len = UCSI_BUF_V2_SIZE;
> + else
> + buf_len = UCSI_BUF_V1_SIZE;
> + }
>
> - if (resp->ret_code)
> + max_len = sizeof(struct pmic_glink_hdr) + buf_len + sizeof(u32);
> +
> + if (len > max_len)
> + return;
> +
> + if (buf_len > len - sizeof(struct pmic_glink_hdr) - sizeof(u32))
> + buf_len = len - sizeof(struct pmic_glink_hdr) - sizeof(u32);
Is this expected to happen?
Konrad
> +
> + memcpy(&ret_code, buf + buf_len, sizeof(u32));
> + if (ret_code)
> return;
>
> - memcpy(ucsi->read_buf, resp->buf, UCSI_BUF_SIZE);
> + memcpy(ucsi->read_buf, buf, buf_len);
> complete(&ucsi->read_ack);
> }
>
Powered by blists - more mailing lists