[1/2] Revert "rockchip: spi: fix off-by-one in chunk size computation"

Message ID 20191211132623.430-2-jagan@amarulasolutions.com
State New
Series
  • spi: rk_spi: Fix transfer size overflow

Commit Message

Jagan Teki Dec. 11, 2019, 1:26 p.m. UTC
The maximum transfer length (in a single transaction) for the Rockchip
SPI controller is 64Kframes (i.e. 0x10000 frames) of 8bit or 16bit
frames and is encoded as (num_frames - 1) in CTRLR1.

So the 0x10000 is offset value for 64K but the actual size value would
be 'minus 1' from 0x10000.

With the existing code, a transfer length of 0x10000 leads to read
failure when we try to read the flash with > 0x10000 size, like:

1. sf read failure with > 0x10000

2. Boot from SPI flash failed during spi_flash_read call in
   common/spl/spl_spi.c

Observed and tested on
- Rockpro64 with Gigadevice flash
- ROC-RK3399-PC with Winbond flash

This reverts commit e647decdd93c7408741329432f26758fbec04c7a.

Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
---
 drivers/spi/rk_spi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Philipp Tomsich Dec. 11, 2019, 1:40 p.m. UTC | #1
> On 11.12.2019, at 14:26, Jagan Teki <jagan@amarulasolutions.com> wrote:
> 
> The maximum transfer length (in a single transaction) for the Rockchip
> SPI controller is 64Kframes (i.e. 0x10000 frames) of 8bit or 16bit
> frames and is encoded as (num_frames - 1) in CTRLR1.
> 
> So the 0x10000 is offset value for 64K but the actual size value would
> be 'minus 1' from 0x10000.

NAK. Please see 2 code lines below your change to see that the “minus 1”
is applied there… so a todo of 0x10000 will write 0xffff to regs->ctrlr1.

The problem must be somewhere else and this patch will only mask the
underlying issue.

> 
> With the existing code of 0x10000 transfer length leads to read
> failure when we try to read the flash with > 0x10000 size like,
> 
> 1. sf read failure when with > 0x10000
> 
> 2. Boot from SPI flash failed during spi_flash_read call in
>   common/spl/spl_spi.c
> 
> Observed and Tested in
> - Rockpro64 with Gigadevice flash
> - ROC-RK3399-PC with Winbond flash
> 
> This reverts commit e647decdd93c7408741329432f26758fbec04c7a.
> 
> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> ---
> drivers/spi/rk_spi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/spi/rk_spi.c b/drivers/spi/rk_spi.c
> index c04535ac44..d9a310ce80 100644
> --- a/drivers/spi/rk_spi.c
> +++ b/drivers/spi/rk_spi.c
> @@ -451,7 +451,7 @@ static int rockchip_spi_xfer(struct udevice *dev, unsigned int bitlen,
> 
> 	/* This is the original 8bit reader/writer code */
> 	while (len > 0) {
> -		int todo = min(len, 0x10000);
> +		int todo = min(len, 0xffff);
> 
> 		rkspi_enable_chip(regs, false);
> 		writel(todo - 1, &regs->ctrlr1);
> -- 
> 2.18.0.321.gffc6fa0e3
>
Jagan Teki Dec. 11, 2019, 2:10 p.m. UTC | #2
On Wed, 11 Dec, 2019, 7:10 PM Philipp Tomsich, <philipp.tomsich@theobroma-systems.com> wrote:

>
>
> > On 11.12.2019, at 14:26, Jagan Teki <jagan@amarulasolutions.com> wrote:
> >
> > The maximum transfer length (in a single transaction) for the Rockchip
> > SPI controller is 64Kframes (i.e. 0x10000 frames) of 8bit or 16bit
> > frames and is encoded as (num_frames - 1) in CTRLR1.
> >
> > So the 0x10000 is offset value for 64K but the actual size value would
> > be 'minus 1' from 0x10000.
>
> NAK. Please see 2 code lines below your change to see that the “minus 1”
> is applied there… so a todo of 0x10000 will write 0xffff to regs->ctrlr1.
>
> The problem must be somewhere else and this patch will only mask the
> underlying issue.
>
> >
> > With the existing code of 0x10000 transfer length leads to read
> > failure when we try to read the flash with > 0x10000 size like,
> >
> > 1. sf read failure when with > 0x10000
> >
> > 2. Boot from SPI flash failed during spi_flash_read call in
> >   common/spl/spl_spi.c
> >
> > Observed and Tested in
> > - Rockpro64 with Gigadevice flash
> > - ROC-RK3399-PC with Winbond flash
> >
> > This reverts commit e647decdd93c7408741329432f26758fbec04c7a.
> >
> > Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> > ---
> > drivers/spi/rk_spi.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/spi/rk_spi.c b/drivers/spi/rk_spi.c
> > index c04535ac44..d9a310ce80 100644
> > --- a/drivers/spi/rk_spi.c
> > +++ b/drivers/spi/rk_spi.c
> > @@ -451,7 +451,7 @@ static int rockchip_spi_xfer(struct udevice *dev,
> unsigned int bitlen,
> >
> >       /* This is the original 8bit reader/writer code */
> >       while (len > 0) {
> > -             int todo = min(len, 0x10000);
> > +             int todo = min(len, 0xffff);
> >
> >               rkspi_enable_chip(regs, false);
> >               writel(todo - 1, &regs->ctrlr1);
> > --
> > 2.18.0.321.gffc6fa0e3
> >
>

I have looked at multiple areas but didn't get it, and I believe the offset
and size values aren't the same.

Would you please send me the log of sf read to more than 64K on your
hardware? This would confirm my hardware issue if you succeed.

>
Jagan Teki Dec. 21, 2019, 7:32 a.m. UTC | #3
Hi Philipp,

On Wed, Dec 11, 2019 at 7:10 PM Philipp Tomsich
<philipp.tomsich@theobroma-systems.com> wrote:
>
>
>
> > On 11.12.2019, at 14:26, Jagan Teki <jagan@amarulasolutions.com> wrote:
> >
> > The maximum transfer length (in a single transaction) for the Rockchip
> > SPI controller is 64Kframes (i.e. 0x10000 frames) of 8bit or 16bit
> > frames and is encoded as (num_frames - 1) in CTRLR1.
> >
> > So the 0x10000 is offset value for 64K but the actual size value would
> > be 'minus 1' from 0x10000.
>
> NAK. Please see 2 code lines below your change to see that the “minus 1”
> is applied there… so a todo of 0x10000 will write 0xffff to regs->ctrlr1.
>
> The problem must be somewhere else and this patch will only mask the
> underlying issue.

Please check the below changes. The max transfer size is 64K - 1, which
is 0xffff, and we need to write -1 of this to cr1.

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/spi/spi-rockchip.c?id=5185a81c02d4118b11e6cb7b5fbf6f15ff7aff90
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/spi/spi-rockchip.c?id=04b37d2d02c0a5ae2f4e59326ef6deaff18e0456
Kever Yang Dec. 23, 2019, 2:28 a.m. UTC | #4
On 2019/12/21 3:32 PM, Jagan Teki wrote:
> Hi Philipp,
>
> On Wed, Dec 11, 2019 at 7:10 PM Philipp Tomsich
> <philipp.tomsich@theobroma-systems.com> wrote:
>>
>>
>>> On 11.12.2019, at 14:26, Jagan Teki <jagan@amarulasolutions.com> wrote:
>>>
>>> The maximum transfer length (in a single transaction) for the Rockchip
>>> SPI controller is 64Kframes (i.e. 0x10000 frames) of 8bit or 16bit
>>> frames and is encoded as (num_frames - 1) in CTRLR1.
>>>
>>> So the 0x10000 is offset value for 64K but the actual size value would
>>> be 'minus 1' from 0x10000.
>> NAK. Please see 2 code lines below your change to see that the “minus 1”
>> is applied there… so a todo of 0x10000 will write 0xffff to regs->ctrlr1.
>>
>> The problem must be somewhere else and this patch will only mask the
>> underlying issue.
> Please check the below changes. the max transfer size is 64K - 1 which
> is 0xffff and we need to write -1 of this to cr1.

Yep, the counter is 16bit, and the actual max size will be 0xffff and
the max available value in reg should be 0xffff-1.


Thanks,

- Kever

>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/spi/spi-rockchip.c?id=5185a81c02d4118b11e6cb7b5fbf6f15ff7aff90
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/spi/spi-rockchip.c?id=04b37d2d02c0a5ae2f4e59326ef6deaff18e0456
>
>

Patch

diff --git a/drivers/spi/rk_spi.c b/drivers/spi/rk_spi.c
index c04535ac44..d9a310ce80 100644
--- a/drivers/spi/rk_spi.c
+++ b/drivers/spi/rk_spi.c
@@ -451,7 +451,7 @@  static int rockchip_spi_xfer(struct udevice *dev, unsigned int bitlen,
 
 	/* This is the original 8bit reader/writer code */
 	while (len > 0) {
-		int todo = min(len, 0x10000);
+		int todo = min(len, 0xffff);
 
 		rkspi_enable_chip(regs, false);
 		writel(todo - 1, &regs->ctrlr1);
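
Review bot: The new cap in `int todo = min(len, 0xffff);` is an unexplained magic number, and the justification in the commit message does not match what the hunk does. The message says the length is "encoded as (num_frames - 1) in CTRLR1", but that encoding is already applied two lines further down by `writel(todo - 1, &regs->ctrlr1);`, so with this change the largest value ever written to the register becomes 0xfffe, not 0xffff. If the actual constraint is that a single transfer cannot exceed 0xffff frames, state that in a comment directly above the `min()` and in the commit message, and give the limit a named constant instead of a bare literal, so the chunk size and the `todo - 1` register write can be read together without someone "fixing" the apparent off-by-one again. Since the visible loop only bounds `todo` from above, it would also help to note in the message which chunk of a > 0x10000 read fails (the full-size one or the remainder), as that is what distinguishes a register-width limit from a problem elsewhere in the transfer path.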