Received: by 10.223.176.5 with SMTP id f5csp326456wra; Sat, 3 Feb 2018 00:04:13 -0800 (PST) X-Google-Smtp-Source: AH8x225rb9YnCimi1SUBAUUAlMB0F9A2U+1y7txVeCJ2ONsu84ACFgvW4dqyUgEbSk2DLB9EcT3p X-Received: by 2002:a17:902:6bc3:: with SMTP id m3-v6mr37213691plt.442.1517645053055; Sat, 03 Feb 2018 00:04:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517645053; cv=none; d=google.com; s=arc-20160816; b=VZk6D4wTX14vKPCgyBmHaTwd9F5foHpbq2m37DQVXA6Q9ZZ+Dw1KurEI8uEjicqAnR bD6/Emsb2BlssiY2bG8rXJPKFy9IVBxF9oQhScVdnh3biIFn5f2TV0JZQscfKfT8IZOt a2CsmoucVG434MqxoB60zkHJNcCkWHUHuODfyKKJ7YkidQtS7hugNEhHk0qFqm6B2JyH SwAq7Je//DA/IJ7lghVgsieZ2Xrrg4ojO7bQXeQK5ye5v0FkElhmQaAVNaA/xWdltyFh S9a2UzjnLLBwMZGToBBB8mud7OQJrTiQ2iQy1+KHafKAXPwuHFSk9WPTeeWqu9NO/WXb UvNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dmarc-filter:dkim-signature:dkim-signature :arc-authentication-results; bh=xF6ftAJ+UFePHMrjOuYvLOZOEdy+muOiVNCxVxcLB7g=; b=y/Cpby6Pa3I6LIHnOdenfCthzcPRqPMfdsQ68uiXv454hwoSgnFdN8Nr+JxchWavhL 6YBO1TKLCKo81Y3tpjuhuvkgdT8iznTq5qkocbq9EzYCjzw2bMbQvBWSBq6HLGk/OqRq ic8rhuFAqHpHzDic1mRrz39lzBdXF85lpls1anYwG5TeCaLW7J1ZVUbj/0tfV1+FRFma nYQtLdZ6dPybnxXChKmSQEXh4fgz+eSx5wiEShKJ6ZjqeoI9xZ0qxiass0tbnrYZrhcv YB2fH9YxPBwcYTLfagWA6PH+8PkAudCsSq2CkSvjkuSQOe6sbmSlBjyzcbH/nn18j7+e mM/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b=TCNQMUlP; dkim=pass header.i=@codeaurora.org header.s=default header.b=TCNQMUlP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b11-v6si3297483plr.8.2018.02.03.00.03.58; Sat, 03 Feb 2018 00:04:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b=TCNQMUlP; dkim=pass header.i=@codeaurora.org header.s=default header.b=TCNQMUlP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752547AbeBCIBq (ORCPT + 99 others); Sat, 3 Feb 2018 03:01:46 -0500 Received: from smtp.codeaurora.org ([198.145.29.96]:35806 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752001AbeBCH66 (ORCPT ); Sat, 3 Feb 2018 02:58:58 -0500 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id CE0A16081C; Sat, 3 Feb 2018 07:58:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1517644737; bh=Ymbm9MCE4lSJlitdwm3bSlv6DjhBdKUFEvymwsLpLGU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TCNQMUlP7avoKINXfZDYynMXaB5kyIP3ADdXY6IeTXVcNXedPzIbL79Y5KohvzKgv bj05GiSqrt+kBlbc82B49IlYD5O0qEaXvvze3KUkBkhPNrH5FAViZ00pB4FugafJdm gsXdS8R9BRetN8biMBghiBJ/GK7NGB96PMqh2T3Q= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0 Received: from absahu-linux.qualcomm.com (blr-c-bdr-fw-01_globalnat_allzones-outside.qualcomm.com [103.229.19.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: absahu@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 7F6E16050D; Sat, 3 Feb 2018 07:58:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1517644737; bh=Ymbm9MCE4lSJlitdwm3bSlv6DjhBdKUFEvymwsLpLGU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TCNQMUlP7avoKINXfZDYynMXaB5kyIP3ADdXY6IeTXVcNXedPzIbL79Y5KohvzKgv bj05GiSqrt+kBlbc82B49IlYD5O0qEaXvvze3KUkBkhPNrH5FAViZ00pB4FugafJdm gsXdS8R9BRetN8biMBghiBJ/GK7NGB96PMqh2T3Q= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 7F6E16050D Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=absahu@codeaurora.org From: Abhishek Sahu To: Andy Gross , Wolfram Sang Cc: David Brown , Sricharan R , linux-arm-msm@vger.kernel.org, linux-soc@vger.kernel.org, linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org, Abhishek Sahu Subject: [PATCH 09/12] i2c: qup: fix buffer overflow for multiple msg of maximum xfer len Date: Sat, 3 Feb 2018 13:28:14 +0530 Message-Id: <1517644697-30806-10-git-send-email-absahu@codeaurora.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1517644697-30806-1-git-send-email-absahu@codeaurora.org> References: <1517644697-30806-1-git-send-email-absahu@codeaurora.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The BAM mode requires buffer for start tag data and tx, rx SG list. Currently, this is being taken for maximum transfer length (65K). But an I2C transfer can have multiple messages and each message can be of this maximum length so the buffer overflow will happen in this case. Since increasing buffer length won’t be feasible since an I2C transfer can contain any number of messages so this patch does following changes to make i2c transfers working for multiple messages case. 1. Calculate the required buffers for 2 maximum length messages (65K * 2). 2. Split the descriptor formation and descriptor scheduling. The idea is to fit as many messages in one DMA transfers for 65K threshold value (max_xfer_sg_len). Whenever the sg_cnt is crossing this, then schedule the BAM transfer and subsequent transfer will again start from zero. Signed-off-by: Abhishek Sahu --- drivers/i2c/busses/i2c-qup.c | 199 +++++++++++++++++++++++++------------------ 1 file changed, 118 insertions(+), 81 deletions(-) diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c index 6df65ea..ba717bb 100644 --- a/drivers/i2c/busses/i2c-qup.c +++ b/drivers/i2c/busses/i2c-qup.c @@ -155,6 +155,7 @@ struct qup_i2c_bam { struct qup_i2c_tag tag; struct dma_chan *dma; struct scatterlist *sg; + unsigned int sg_cnt; }; struct qup_i2c_dev { @@ -195,6 +196,8 @@ struct qup_i2c_dev { bool use_dma; /* The threshold length above which DMA will be used */ unsigned int dma_threshold; + unsigned int max_xfer_sg_len; + unsigned int tag_buf_pos; struct dma_pool *dpool; struct qup_i2c_tag start_tag; struct qup_i2c_bam brx; @@ -699,86 +702,86 @@ static int qup_i2c_req_dma(struct qup_i2c_dev *qup) return 0; } -static int qup_i2c_bam_do_xfer(struct qup_i2c_dev *qup, struct i2c_msg *msg, - int num) +static int qup_i2c_bam_make_desc(struct qup_i2c_dev *qup, struct i2c_msg *msg) +{ + int ret = 0, limit = QUP_READ_LIMIT; + u32 len = 0, blocks, rem; + u32 i = 0, tlen, tx_len = 0; + u8 *tags; + + qup_i2c_set_blk_data(qup, msg); + + blocks = qup->blk.count; + rem = msg->len - (blocks - 1) * limit; + + if (msg->flags & I2C_M_RD) { + while (qup->blk.pos < blocks) { + tlen = (i == (blocks - 1)) ? rem : limit; + tags = &qup->start_tag.start[qup->tag_buf_pos + len]; + len += qup_i2c_set_tags(tags, qup, msg); + qup->blk.data_len -= tlen; + + /* scratch buf to read the start and len tags */ + ret = qup_sg_set_buf(&qup->brx.sg[qup->brx.sg_cnt++], + &qup->brx.tag.start[0], + 2, qup, DMA_FROM_DEVICE); + + if (ret) + return ret; + + ret = qup_sg_set_buf(&qup->brx.sg[qup->brx.sg_cnt++], + &msg->buf[limit * i], + tlen, qup, + DMA_FROM_DEVICE); + if (ret) + return ret; + + i++; + qup->blk.pos = i; + } + ret = qup_sg_set_buf(&qup->btx.sg[qup->btx.sg_cnt++], + &qup->start_tag.start[qup->tag_buf_pos], + len, qup, DMA_TO_DEVICE); + if (ret) + return ret; + + qup->tag_buf_pos += len; + } else { + while (qup->blk.pos < blocks) { + tlen = (i == (blocks - 1)) ? rem : limit; + tags = &qup->start_tag.start[qup->tag_buf_pos + tx_len]; + len = qup_i2c_set_tags(tags, qup, msg); + qup->blk.data_len -= tlen; + + ret = qup_sg_set_buf(&qup->btx.sg[qup->btx.sg_cnt++], + tags, len, + qup, DMA_TO_DEVICE); + if (ret) + return ret; + + tx_len += len; + ret = qup_sg_set_buf(&qup->btx.sg[qup->btx.sg_cnt++], + &msg->buf[limit * i], + tlen, qup, DMA_TO_DEVICE); + if (ret) + return ret; + i++; + qup->blk.pos = i; + } + + qup->tag_buf_pos += tx_len; + } + + return 0; +} + +static int qup_i2c_bam_schedule_desc(struct qup_i2c_dev *qup) { struct dma_async_tx_descriptor *txd, *rxd = NULL; - int ret = 0, idx = 0, limit = QUP_READ_LIMIT; + int ret = 0; dma_cookie_t cookie_rx, cookie_tx; - u32 len, blocks, rem; - u32 i, tlen, tx_len, tx_buf = 0, rx_buf = 0, off = 0; - u8 *tags; - - while (idx < num) { - tx_len = 0, len = 0, i = 0; - - qup->is_last = (idx == (num - 1)); - - qup_i2c_set_blk_data(qup, msg); - - blocks = qup->blk.count; - rem = msg->len - (blocks - 1) * limit; - - if (msg->flags & I2C_M_RD) { - while (qup->blk.pos < blocks) { - tlen = (i == (blocks - 1)) ? rem : limit; - tags = &qup->start_tag.start[off + len]; - len += qup_i2c_set_tags(tags, qup, msg); - qup->blk.data_len -= tlen; - - /* scratch buf to read the start and len tags */ - ret = qup_sg_set_buf(&qup->brx.sg[rx_buf++], - &qup->brx.tag.start[0], - 2, qup, DMA_FROM_DEVICE); - - if (ret) - return ret; - - ret = qup_sg_set_buf(&qup->brx.sg[rx_buf++], - &msg->buf[limit * i], - tlen, qup, - DMA_FROM_DEVICE); - if (ret) - return ret; - - i++; - qup->blk.pos = i; - } - ret = qup_sg_set_buf(&qup->btx.sg[tx_buf++], - &qup->start_tag.start[off], - len, qup, DMA_TO_DEVICE); - if (ret) - return ret; - - off += len; - } else { - while (qup->blk.pos < blocks) { - tlen = (i == (blocks - 1)) ? rem : limit; - tags = &qup->start_tag.start[off + tx_len]; - len = qup_i2c_set_tags(tags, qup, msg); - qup->blk.data_len -= tlen; - - ret = qup_sg_set_buf(&qup->btx.sg[tx_buf++], - tags, len, - qup, DMA_TO_DEVICE); - if (ret) - return ret; - - tx_len += len; - ret = qup_sg_set_buf(&qup->btx.sg[tx_buf++], - &msg->buf[limit * i], - tlen, qup, DMA_TO_DEVICE); - if (ret) - return ret; - i++; - qup->blk.pos = i; - } - off += tx_len; - - } - idx++; - msg++; - } + u32 len = 0; + u32 tx_buf = qup->btx.sg_cnt, rx_buf = qup->brx.sg_cnt; /* schedule the EOT and FLUSH I2C tags */ len = 1; @@ -878,11 +881,19 @@ static int qup_i2c_bam_do_xfer(struct qup_i2c_dev *qup, struct i2c_msg *msg, return ret; } +static void qup_i2c_bam_clear_tag_buffers(struct qup_i2c_dev *qup) +{ + qup->btx.sg_cnt = 0; + qup->brx.sg_cnt = 0; + qup->tag_buf_pos = 0; +} + static int qup_i2c_bam_xfer(struct i2c_adapter *adap, struct i2c_msg *msg, int num) { struct qup_i2c_dev *qup = i2c_get_adapdata(adap); int ret = 0; + int idx = 0; enable_irq(qup->irq); ret = qup_i2c_req_dma(qup); @@ -905,9 +916,34 @@ static int qup_i2c_bam_xfer(struct i2c_adapter *adap, struct i2c_msg *msg, goto out; writel(qup->clk_ctl, qup->base + QUP_I2C_CLK_CTL); + qup_i2c_bam_clear_tag_buffers(qup); + + for (idx = 0; idx < num; idx++) { + qup->msg = msg + idx; + qup->is_last = idx == (num - 1); + + ret = qup_i2c_bam_make_desc(qup, qup->msg); + if (ret) + break; + + /* + * Make DMA descriptor and schedule the BAM transfer if its + * already crossed the maximum length. Since the memory for all + * tags buffers have been taken for 2 maximum possible + * transfers length so it will never cross the buffer actual + * length. + */ + if (qup->btx.sg_cnt > qup->max_xfer_sg_len || + qup->brx.sg_cnt > qup->max_xfer_sg_len || + qup->is_last) { + ret = qup_i2c_bam_schedule_desc(qup); + if (ret) + break; + + qup_i2c_bam_clear_tag_buffers(qup); + } + } - qup->msg = msg; - ret = qup_i2c_bam_do_xfer(qup, qup->msg, num); out: disable_irq(qup->irq); @@ -1459,7 +1495,8 @@ static int qup_i2c_probe(struct platform_device *pdev) else if (ret != 0) goto nodma; - blocks = (MX_BLOCKS << 1) + 1; + qup->max_xfer_sg_len = (MX_BLOCKS << 1); + blocks = 2 * qup->max_xfer_sg_len + 1; qup->btx.sg = devm_kzalloc(&pdev->dev, sizeof(*qup->btx.sg) * blocks, GFP_KERNEL); @@ -1603,7 +1640,7 @@ static int qup_i2c_probe(struct platform_device *pdev) one_bit_t = (USEC_PER_SEC / clk_freq) + 1; qup->one_byte_t = one_bit_t * 9; qup->xfer_timeout = TOUT_MIN * HZ + - usecs_to_jiffies(MX_TX_RX_LEN * qup->one_byte_t); + usecs_to_jiffies(2 * MX_TX_RX_LEN * qup->one_byte_t); dev_dbg(qup->dev, "IN:block:%d, fifo:%d, OUT:block:%d, fifo:%d\n", qup->in_blk_sz, qup->in_fifo_sz, -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation