usb: typec: ucsi: Limit read size on v1.2

Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was
increased from 16 to 256. In order to avoid overflowing reads for older
systems, add a mechanism to use the read UCSI version to truncate read
sizes on UCSI v1.2.

Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Link: https://lore.kernel.org/r/20240209143723.v5.1.Iacf5570a66b82b73ef03daa6557e2fc0db10266a@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 14f5a7bfae2e92873e405b369ca8ce5620d856c0..7c5cecdd93d66ac0d3174d6a4248144bb758415d 100644 (file)
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -36,6 +36,19 @@
  */
 #define UCSI_SWAP_TIMEOUT_MS   5000
 
+static int ucsi_read_message_in(struct ucsi *ucsi, void *buf,
+                                         size_t buf_size)
+{
+       /*
+        * Below UCSI 2.0, MESSAGE_IN was limited to 16 bytes. Truncate the
+        * reads here.
+        */
+       if (ucsi->version <= UCSI_VERSION_1_2)
+               buf_size = clamp(buf_size, 0, 16);
+
+       return ucsi->ops->read(ucsi, UCSI_MESSAGE_IN, buf, buf_size);
+}
+
 static int ucsi_acknowledge_command(struct ucsi *ucsi)
 {
        u64 ctrl;
@@ -72,7 +85,7 @@ static int ucsi_read_error(struct ucsi *ucsi)
        if (ret < 0)
                return ret;
 
-       ret = ucsi->ops->read(ucsi, UCSI_MESSAGE_IN, &error, sizeof(error));
+       ret = ucsi_read_message_in(ucsi, &error, sizeof(error));
        if (ret)
                return ret;
 
@@ -170,7 +183,7 @@ int ucsi_send_command(struct ucsi *ucsi, u64 command,
        length = ret;
 
        if (data) {
-               ret = ucsi->ops->read(ucsi, UCSI_MESSAGE_IN, data, size);
+               ret = ucsi_read_message_in(ucsi, data, size);
                if (ret)
                        goto out;
        }
@@ -1558,6 +1571,15 @@ int ucsi_register(struct ucsi *ucsi)
        if (!ucsi->version)
                return -ENODEV;
 
+       /*
+        * Version format is JJ.M.N (JJ = Major version, M = Minor version,
+        * N = sub-minor version).
+        */
+       dev_dbg(ucsi->dev, "Registered UCSI interface with version %x.%x.%x",
+               UCSI_BCD_GET_MAJOR(ucsi->version),
+               UCSI_BCD_GET_MINOR(ucsi->version),
+               UCSI_BCD_GET_SUBMINOR(ucsi->version));
+
        queue_delayed_work(system_long_wq, &ucsi->work, 0);
 
        ucsi_debugfs_register(ucsi);

diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
index 6478016d5cb8bf405f8590b8d475a8933504cad3..bec920fa6b8aeee2c6f2e6acee4dfd09a61f1118 100644 (file)
--- a/drivers/usb/typec/ucsi/ucsi.h
+++ b/drivers/usb/typec/ucsi/ucsi.h
@@ -23,6 +23,17 @@ struct dentry;
 #define UCSI_CONTROL                   8
 #define UCSI_MESSAGE_IN                        16
 #define UCSI_MESSAGE_OUT               32
+#define UCSIv2_MESSAGE_OUT             272
+
+/* UCSI versions */
+#define UCSI_VERSION_1_2       0x0120
+#define UCSI_VERSION_2_0       0x0200
+#define UCSI_VERSION_2_1       0x0210
+#define UCSI_VERSION_3_0       0x0300
+
+#define UCSI_BCD_GET_MAJOR(_v_)                (((_v_) >> 8) & 0xFF)
+#define UCSI_BCD_GET_MINOR(_v_)                (((_v_) >> 4) & 0x0F)
+#define UCSI_BCD_GET_SUBMINOR(_v_)     ((_v_) & 0x0F)
 
 /* Command Status and Connector Change Indication (CCI) bits */
 #define UCSI_CCI_CONNECTOR(_c_)                (((_c_) & GENMASK(7, 1)) >> 1)