[PULL 1/3] hw/ufs: Ensure DBC of PRDT uses only lower 18 bits

Jeuk Kim posted 3 patches 3 weeks, 4 days ago
Maintainers: Jeuk Kim <jeuk20.kim@samsung.com>, Fabiano Rosas <farosas@suse.de>, Laurent Vivier <lvivier@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
There is a newer version of this series
[PULL 1/3] hw/ufs: Ensure DBC of PRDT uses only lower 18 bits
Posted by Jeuk Kim 3 weeks, 4 days ago
The UFS spec defines the PRDT data byte count as an 18-bit field. This
commit masks the value to the lower 18 bits to prevent incorrect
transfer lengths and ensure compliance.

Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
---
 hw/ufs/ufs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index cab42ae7b6..4ee6755d82 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -224,7 +224,8 @@ static MemTxResult ufs_dma_read_prdt(UfsRequest *req)
 
     for (uint16_t i = 0; i < prdt_len; ++i) {
         hwaddr data_dma_addr = le64_to_cpu(prd_entries[i].addr);
-        uint32_t data_byte_count = le32_to_cpu(prd_entries[i].size) + 1;
+        uint32_t data_byte_count =
+            le32_to_cpu(prd_entries[i].size & 0x3ffff) + 1;
         qemu_sglist_add(req->sg, data_dma_addr, data_byte_count);
         req->data_len += data_byte_count;
     }
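Review bot: In the added line le32_to_cpu(prd_entries[i].size & 0x3ffff) + 1, the mask is applied to the raw little-endian field before the byte-order conversion. On a big-endian host this keeps the wrong bits, so the value passed to qemu_sglist_add() and added to req->data_len is not the 18-bit DBC. Convert first and mask the result: (le32_to_cpu(prd_entries[i].size) & 0x3ffff) + 1. A named constant in place of the bare 0x3ffff would also document that this is the width of the PRDT data byte count field.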
-- 
2.43.0
Re: [PULL 1/3] hw/ufs: Ensure DBC of PRDT uses only lower 18 bits
Posted by Richard Henderson 3 weeks, 3 days ago
On 1/15/26 15:53, Jeuk Kim wrote:
> The UFS spec defines the PRDT data byte count as an 18-bit field. This
> commit masks the value to the lower 18 bits to prevent incorrect
> transfer lengths and ensure compliance.
> 
> Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
> ---
>   hw/ufs/ufs.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
> index cab42ae7b6..4ee6755d82 100644
> --- a/hw/ufs/ufs.c
> +++ b/hw/ufs/ufs.c
> @@ -224,7 +224,8 @@ static MemTxResult ufs_dma_read_prdt(UfsRequest *req)
>   
>       for (uint16_t i = 0; i < prdt_len; ++i) {
>           hwaddr data_dma_addr = le64_to_cpu(prd_entries[i].addr);
> -        uint32_t data_byte_count = le32_to_cpu(prd_entries[i].size) + 1;
> +        uint32_t data_byte_count =
> +            le32_to_cpu(prd_entries[i].size & 0x3ffff) + 1;
>           qemu_sglist_add(req->sg, data_dma_addr, data_byte_count);
>           req->data_len += data_byte_count;
>       }

This fails on a big-endian host:

https://gitlab.com/qemu-project/qemu/-/jobs/12725280508

You need to move the mask outside of the le32_to_cpu.


r~
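
The big-endian failure reported in this reply, modelled as an added example (not part of the thread, the patch or QEMU's code): it compares masking the raw field before the conversion with masking after it, for both host byte orders. The helpers swap32, load_native and le32_to_cpu_model, the DBC_MASK name and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DBC_MASK 0x3ffffu /* lower 18 bits, as in the patch (name is hypothetical) */

/* Constructed sample: the value 0xABCC0FFF stored little-endian in guest
 * memory. Its low 18 bits (the DBC) are 0x00FFF; upper bits set on purpose. */
static const uint8_t sample_size_field[4] = { 0xFF, 0x0F, 0xCC, 0xAB };

static uint32_t swap32(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0xff00u) | ((x << 8) & 0xff0000u) | (x << 24);
}

/* What a plain 32-bit load of those bytes yields on each kind of host. */
static uint32_t load_native(const uint8_t b[4], int host_be)
{
    uint32_t le = ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
                  ((uint32_t)b[1] << 8) | b[0];
    return host_be ? swap32(le) : le;
}

/* Model of le32_to_cpu(): identity on little-endian hosts, swap on big-endian. */
static uint32_t le32_to_cpu_model(uint32_t x, int host_be)
{
    return host_be ? swap32(x) : x;
}

/* Mask the raw field, then convert (the form in the patch). */
static uint32_t count_mask_inside(const uint8_t b[4], int host_be)
{
    return le32_to_cpu_model(load_native(b, host_be) & DBC_MASK, host_be) + 1;
}

/* Convert first, then mask (the form asked for in the reply). */
static uint32_t count_mask_outside(const uint8_t b[4], int host_be)
{
    return (le32_to_cpu_model(load_native(b, host_be), host_be) & DBC_MASK) + 1;
}

int main(void)
{
    for (int be = 0; be <= 1; be++) {
        printf("%s host: inside=0x%x outside=0x%x\n", be ? "BE" : "LE",
               (unsigned)count_mask_inside(sample_size_field, be),
               (unsigned)count_mask_outside(sample_size_field, be));
    }
    return 0;
}
```

Both forms agree on the modelled little-endian host, which is why the problem only shows up in a big-endian CI job; on the modelled big-endian host the mask-inside form returns a byte count far larger than the 18-bit field allows.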
Re: [PULL 1/3] hw/ufs: Ensure DBC of PRDT uses only lower 18 bits
Posted by Jeuk Kim 3 weeks, 3 days ago
On 1/16/2026 7:30 AM, Richard Henderson wrote:
> On 1/15/26 15:53, Jeuk Kim wrote:
>> The UFS spec defines the PRDT data byte count as an 18-bit field. This
>> commit masks the value to the lower 18 bits to prevent incorrect
>> transfer lengths and ensure compliance.
>>
>> Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
>> ---
>>   hw/ufs/ufs.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
>> index cab42ae7b6..4ee6755d82 100644
>> --- a/hw/ufs/ufs.c
>> +++ b/hw/ufs/ufs.c
>> @@ -224,7 +224,8 @@ static MemTxResult ufs_dma_read_prdt(UfsRequest 
>> *req)
>>         for (uint16_t i = 0; i < prdt_len; ++i) {
>>           hwaddr data_dma_addr = le64_to_cpu(prd_entries[i].addr);
>> -        uint32_t data_byte_count = le32_to_cpu(prd_entries[i].size) 
>> + 1;
>> +        uint32_t data_byte_count =
>> +            le32_to_cpu(prd_entries[i].size & 0x3ffff) + 1;
>>           qemu_sglist_add(req->sg, data_dma_addr, data_byte_count);
>>           req->data_len += data_byte_count;
>>       }
>
> This fails on a big-endian host:
>
> https://gitlab.com/qemu-project/qemu/-/jobs/12725280508
>
> You need to move the mask outside of the le32_to_cpu.
>
>
> r~


Thanks for letting me know.

I’ll fix it and send an updated patch.