[PATCH 0/3] mmc: mmc_spi: Fix potential spec violation in receiving card response

Bin Meng bmeng.cn at gmail.com
Mon Feb 1 05:20:31 CET 2021


After command is sent and before card response shows up on the line,
there is a variable number of clock cycles in between called Ncr.
The spec [1] says the minimum is 1 byte and the maximum is 8 bytes.

Current logic in mmc_spi_sendcmd() has a flaw that it could only work
with certain SD cards with their Ncr being just 1 byte.

When resp_match is false, the codes try to receive only 1 byte from
the SD card. On the other hand when resp_match is true, the logic
happens to be no problem as it loops until timeout to receive as many
bytes as possible to see a match of the expected resp_match_value.
However not every call to mmc_spi_sendcmd() is made with resp_match
being true hence this exposes a potential issue with SD cards that
have a larger Ncr value.

Given no issue was reported as of today, we can reasonably conclude
that all cards being used on the supported boards happen to have a 1
byte Ncr timing requirement. But a broken case can be triggered by
utilizing QEMU to emulate a larger value of Ncr (by default 1 byte
Ncr is used on QEMU). This series fixes such potential spec violation
to improve the card compatibility.

[1] "Physical Layer Specification Version 8.00"
     chapter 7.5.1: Command / Response
     chapter 7.5.4: Timing Values


Bin Meng (3):
  mmc: mmc_spi: Move argument check to the beginning of
    mmc_spi_sendcmd()
  mmc: mmc_spi: Fix potential spec violation in receiving card response
  mmc: mmc_spi: Document the 3 local functions

 drivers/mmc/mmc_spi.c | 74 ++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 55 insertions(+), 19 deletions(-)

-- 
2.7.4



More information about the U-Boot mailing list