From: Anton Vorontsov <cbouatmailru-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Joakim Tjernlund
<joakim.tjernlund-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org>
Cc: spi-devel-general-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [PATCH] spi: spi_mpc8xxx.c: fix potential memory corruption.
Date: Thu, 13 May 2010 20:18:51 +0400 [thread overview]
Message-ID: <20100513161851.GA23404@oksana.dev.rtsoft.ru> (raw)
In-Reply-To: <OF224832EB.3B3694C0-ONC1257722.00574009-C1257722.00577791-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org>
On Thu, May 13, 2010 at 05:55:22PM +0200, Joakim Tjernlund wrote:
> Anton Vorontsov <cbouatmailru-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote on 2010/05/13 11:55:45:
> >
> > On Thu, May 13, 2010 at 11:36:15AM +0200, Joakim Tjernlund wrote:
> > [...]
> > > The new QE mode is so broken :(
> > > Notice how the byte order is swapped for word = 16, 32
> >
> > *yawn*, it's not a news... :-) Remember QE-specific rx/tx_shift
> > stuff?
> >
> > I'm sure the issue is related to how the QE SPI shift register
> > works. I.e. SDMA just feeds the shift register, and it's shift
> > register that is causing > 8 bits words to misbehave, or the
> > issue is in how SDMA and shift registers connected.
> >
> > > Not even sure what is right to begin with :)
> > > Can't see how one should fix this either.
> >
> > I guess by copying the whole buffer, shifting bytes back and
> > forth, remapping it, doing transfer, and copying data back.
> > I think that'll work, but no idea how efficient that will be.
> >
> > Also, I'd not do that for CPM hardware, I tend to believe
> > that it's not affected.
>
> Anton, would you be happy with the following patch?
Sure.
Just a few cosmetic suggestions, feel free to ignore. ;-)
> Basically it works around LE endian shift for !LSB
> transfers.
>
> diff --git a/drivers/spi/spi_mpc8xxx.c b/drivers/spi/spi_mpc8xxx.c
> index c312d0e..c995aa5 100644
> --- a/drivers/spi/spi_mpc8xxx.c
> +++ b/drivers/spi/spi_mpc8xxx.c
> @@ -315,41 +315,51 @@ int mpc8xxx_spi_setup_transfer(struct spi_device *spi, struct spi_transfer *t)
> if (!hz)
> hz = spi->max_speed_hz;
>
> - cs->rx_shift = 0;
> - cs->tx_shift = 0;
> - if (bits_per_word <= 8) {
> - cs->get_rx = mpc8xxx_spi_rx_buf_u8;
> - cs->get_tx = mpc8xxx_spi_tx_buf_u8;
> - if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE) {
> - cs->rx_shift = 16;
> - cs->tx_shift = 24;
> - }
> - } else if (bits_per_word <= 16) {
> - cs->get_rx = mpc8xxx_spi_rx_buf_u16;
> - cs->get_tx = mpc8xxx_spi_tx_buf_u16;
> - if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE) {
> - cs->rx_shift = 16;
> - cs->tx_shift = 16;
> + if (!(mpc8xxx_spi->flags & SPI_CPM_MODE)) {
> + cs->rx_shift = 0;
> + cs->tx_shift = 0;
> + if (bits_per_word <= 8) {
> + cs->get_rx = mpc8xxx_spi_rx_buf_u8;
> + cs->get_tx = mpc8xxx_spi_tx_buf_u8;
> + if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE) {
> + cs->rx_shift = 16;
> + cs->tx_shift = 24;
> + }
> + } else if (bits_per_word <= 16) {
> + cs->get_rx = mpc8xxx_spi_rx_buf_u16;
> + cs->get_tx = mpc8xxx_spi_tx_buf_u16;
> + if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE) {
> + cs->rx_shift = 16;
> + cs->tx_shift = 16;
> + }
> + } else if (bits_per_word <= 32) {
> + cs->get_rx = mpc8xxx_spi_rx_buf_u32;
> + cs->get_tx = mpc8xxx_spi_tx_buf_u32;
> + } else
> + return -EINVAL;
> +
> + if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE &&
> + spi->mode & SPI_LSB_FIRST) {
> + cs->tx_shift = 0;
> + if (bits_per_word <= 8)
> + cs->rx_shift = 8;
> + else
> + cs->rx_shift = 0;
While you're at it, can you move this monstrous stuff to its
own function? That'll save one indent level, and will make the
patch nicier to read (let's hope), i.e.
if (!(mpc8xxx_spi->flags & SPI_CPM_MODE))
rc = mspi_apply_cpu_mode_quirks(cs);
else if (mpc8xxx_spi->flags & SPI_QE)
rc = mspi_apply_qe_mode_quirks(cs);
if (rc)
return rc;
> }
> - } else if (bits_per_word <= 32) {
> - cs->get_rx = mpc8xxx_spi_rx_buf_u32;
> - cs->get_tx = mpc8xxx_spi_tx_buf_u32;
> - } else
> - return -EINVAL;
>
> - if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE &&
> - spi->mode & SPI_LSB_FIRST) {
> - cs->tx_shift = 0;
> - if (bits_per_word <= 8)
> - cs->rx_shift = 8;
> - else
> - cs->rx_shift = 0;
> - }
> + mpc8xxx_spi->rx_shift = cs->rx_shift;
> + mpc8xxx_spi->tx_shift = cs->tx_shift;
> + mpc8xxx_spi->get_rx = cs->get_rx;
> + mpc8xxx_spi->get_tx = cs->get_tx;
>
> - mpc8xxx_spi->rx_shift = cs->rx_shift;
> - mpc8xxx_spi->tx_shift = cs->tx_shift;
> - mpc8xxx_spi->get_rx = cs->get_rx;
> - mpc8xxx_spi->get_tx = cs->get_tx;
> + } else if (mpc8xxx_spi->flags & SPI_QE) {
> + /* Note: 32 bits word, LSB works iff
> + * tfcr/rfcr is set to CPMFCR_GBL */
> + if (spi->mode & SPI_LSB_FIRST &&
> + bits_per_word != 8)
^^^ one more tab here?
> + return -EINVAL;
> + bits_per_word = 8;
> + }
>
> if (bits_per_word == 32)
> bits_per_word = 0;
>
Thanks!
--
Anton Vorontsov
email: cbouatmailru-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
irc://irc.freenode.net/bd2
------------------------------------------------------------------------------
next prev parent reply other threads:[~2010-05-13 16:18 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-12 15:50 [PATCH] spi: spi_mpc8xxx.c: fix potential memory corruption Joakim Tjernlund
[not found] ` <1273679450-4185-1-git-send-email-Joakim.Tjernlund-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org>
2010-05-12 16:22 ` Anton Vorontsov
[not found] ` <20100512162231.GA449-wnGakbxT3iijyJ0x5qLZdcN33GVbZNy3@public.gmane.org>
2010-05-12 16:28 ` Joakim Tjernlund
[not found] ` <OFB1D6A895.8E381278-ONC1257721.005A1E7B-C1257721.005A885D-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org>
2010-05-12 16:43 ` Anton Vorontsov
[not found] ` <20100512164321.GA5522-wnGakbxT3iijyJ0x5qLZdcN33GVbZNy3@public.gmane.org>
2010-05-13 7:53 ` Joakim Tjernlund
2010-05-13 9:36 ` Joakim Tjernlund
[not found] ` <OFD4A1BD4A.1E890808-ONC1257722.00336F58-C1257722.0034C1F5-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org>
2010-05-13 9:55 ` Anton Vorontsov
[not found] ` <20100513095545.GA11506-wnGakbxT3iijyJ0x5qLZdcN33GVbZNy3@public.gmane.org>
2010-05-13 12:33 ` Joakim Tjernlund
2010-05-13 13:50 ` Joakim Tjernlund
2010-05-13 15:55 ` Joakim Tjernlund
[not found] ` <OF224832EB.3B3694C0-ONC1257722.00574009-C1257722.00577791-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org>
2010-05-13 16:18 ` Anton Vorontsov [this message]
[not found] ` <20100513161851.GA23404-wnGakbxT3iijyJ0x5qLZdcN33GVbZNy3@public.gmane.org>
2010-05-13 19:47 ` Joakim Tjernlund
2010-05-13 21:13 ` Grant Likely
[not found] ` <AANLkTillcDbtpIcq7ZYID9xBpHuGfcBQNNSZJFuyqHYM-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-05-14 12:30 ` Joakim Tjernlund
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100513161851.GA23404@oksana.dev.rtsoft.ru \
--to=cbouatmailru-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=joakim.tjernlund-SNLAxHN9vbcOP4wsBPIw7w@public.gmane.org \
--cc=spi-devel-general-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).