| Message ID | 20221123211705.126900-1-nathan.morrison@timesys.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp3033122wrr;
Wed, 23 Nov 2022 13:19:22 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf6pRHeSnHdv0H9J/6+mOG2pLk7ppIOW9k1tXKp2iJs2Y+SoeAuHA86zAWS+MSwjlUl/yIw3
X-Received: by 2002:a17:90a:ad4c:b0:212:d3ec:632f with SMTP id
w12-20020a17090aad4c00b00212d3ec632fmr10828008pjv.43.1669238362106;
Wed, 23 Nov 2022 13:19:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669238362; cv=none;
d=google.com; s=arc-20160816;
b=r5iQwiSmjLZV8ZAX37OTzCIESwzFafLjZai71+S8GAdmwcubC9QB8GtmvnALwIOBrU
f0sElyNxsHpB7D2EEYPQ+POvP+ggblulQVsC2O1M9SWGe54z3LrZrhDTXA6SfjdnM7T9
za+aZaL3L1wEKWJrMmf3jAPxHje8knYEVOwdWUsS3tBa5qT5WBZeSGHgykvpS+k6NJA4
niTxUNCKEimFADz/OXIxfADfHDJg5eTyfq/Cv2pd9c/I4W5uh2VfEaPLjZeqWND2WDVO
d112jXcH46J8elFTQ0YY8eH9hvRvx585Me3eynedAHs/0WvA7TzL7cHgK7C+wbcD29Ac
Oxsw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:to:content-transfer-encoding:mime-version
:message-id:date:subject:cc:from:dkim-signature;
bh=4aqA0Mj3WFRM9SvHIljdHQ8+p96l5z6GhwHZgBiTLAE=;
b=Bhu4TtN4FaH+59izBDfQuigmXBFpVbJn4f8zH2v5ZdKWw+XvReTpDc6kQ0MK2HQylz
I0/8KHrod21P1qLUTZS3UnJlmBBzDg9IVcdPLQCEo4IYT0Y8MYWabzJi6lCUwNrovymC
oyraal/SK5p4ZWNEjK4GaxHpidcl/ocKTlNg0UPhYoiAi4ayMBiTq99bAo7FZ0EtygTS
vNlcaMEmfYWkZinJjEu3rq68XySwl2IbyOQn6X0+Nyz83iO2wWnLkt18oCu3nseaoEG6
ooS+Y8k4vOt23w1jkP587i5teT+Uof1bouJOHd3RlFgNwao9eFn61R0rpBJYMYrouXEH
Ql5w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@timesys-com.20210112.gappssmtp.com
header.s=20210112 header.b="HOfGOF/K";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
r187-20020a632bc4000000b0046ef23ae9a6si664815pgr.848.2022.11.23.13.19.09;
Wed, 23 Nov 2022 13:19:22 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=fail header.i=@timesys-com.20210112.gappssmtp.com
header.s=20210112 header.b="HOfGOF/K";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S235333AbiKWVRV (ORCPT <rfc822;fengqi706@gmail.com> + 99 others);
Wed, 23 Nov 2022 16:17:21 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35988 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S235288AbiKWVRM (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 23 Nov 2022 16:17:12 -0500
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com
[IPv6:2607:f8b0:4864:20::831])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 95745A314A
for <linux-kernel@vger.kernel.org>;
Wed, 23 Nov 2022 13:17:09 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id l15so29378qtv.4
for <linux-kernel@vger.kernel.org>;
Wed, 23 Nov 2022 13:17:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=timesys-com.20210112.gappssmtp.com; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=4aqA0Mj3WFRM9SvHIljdHQ8+p96l5z6GhwHZgBiTLAE=;
b=HOfGOF/KzrNbTIEs25w7CIh7DweUpRjCaPuDjlosBtlXKTk5QqFEzt3NJlVaE74iA+
jA7UAv8BMJsiduZ2LNB6LjS1SQ3WuyoMibpm7eolcRqsiqLLvyhUKhSNeEF4sUsGESwh
n+QZCA9GvgGW7ATurAKm+W2fnWmcLbPdkaWDw+LVsC2p4hEzmgOAnczFW9efTzBhqi9w
pGreWtPd65aM7ysQ+zIW0zT8Giv73OPlqvwvs64u+gAwgRbZ59rlJq3oQfikHxObzYjT
LRppuKzblg5+Qk6uqK2hM6hItqAFhcw94hgYsYMjILCR13DJUb7ZnTQsRERX5hOSc2Gn
xsQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=4aqA0Mj3WFRM9SvHIljdHQ8+p96l5z6GhwHZgBiTLAE=;
b=3roqT5bRFqsZIazKeMPW99Lc3foRM8a8d80QWgD0i/foLVUi/Mol4A28R5O04C+P5I
EP0dlz8hEADExZzxPEEgA0zVaKM00H9HhB2p80325n43UAMy6IpZhOuA9wUdHYxZaWxg
8DNndqbd4j8y2npKx0lW3hOyvlb10bmHRUihH/C+R/QzZK2Bo+gncRdBMaWsPYWcASQn
2B9maj2UIqsyWDTHa/8wp6cIOXftNFgqZY0oKlHiiNqGoMmu8qg5v373vfLQ16+ST1PN
/sQ0dikBG4Ndd4wH001pETIW72XwWNgN/KKFAWiInDkCDQE77GR6E9pHUA0zso7pbtu0
LG8w==
X-Gm-Message-State: ANoB5pmvN6miFQkK38QJu7v72CtTT3ToGK2OaK/wJnLcSPB4DRGGJUDH
QubFMPYBW7wRI8X3TNC+5myoTQ==
X-Received: by 2002:ac8:4d4f:0:b0:3a6:1dea:8c1c with SMTP id
x15-20020ac84d4f000000b003a61dea8c1cmr18403042qtv.157.1669238228695;
Wed, 23 Nov 2022 13:17:08 -0800 (PST)
Received: from nathan-ideapad.. (d-75-76-18-234.oh.cpe.breezeline.net.
[75.76.18.234])
by smtp.gmail.com with ESMTPSA id
o22-20020ac872d6000000b00399edda03dfsm10203066qtp.67.2022.11.23.13.17.08
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 23 Nov 2022 13:17:08 -0800 (PST)
From: Nathan Barrett-Morrison <nathan.morrison@timesys.com>
Cc: nathan.morrison@timesys.com, greg.malysa@timesys.com,
Mark Brown <broonie@kernel.org>,
linux-spi@vger.kernel.org (open list:SPI SUBSYSTEM),
linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] spi: cadence-quadspi: Add upper limit safety check to
baudrate divisor
Date: Wed, 23 Nov 2022 16:17:05 -0500
Message-Id: <20221123211705.126900-1-nathan.morrison@timesys.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
To: unlisted-recipients:; (no To-header on input)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1750323284474363117?=
X-GMAIL-MSGID: =?utf-8?q?1750323284474363117?=
|
| Series |
spi: cadence-quadspi: Add upper limit safety check to baudrate divisor
|
|
Commit Message
Nathan Barrett-Morrison
Nov. 23, 2022, 9:17 p.m. UTC
While bringing up the cadence-quadspi driver on a customer board,
I discovered that the baud divisor calculation can exceed the
peripheral's maximum in some circumstances. This will prevent it.
Signed-off-by: Nathan Barrett-Morrison <nathan.morrison@timesys.com>
---
drivers/spi/spi-cadence-quadspi.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
Hi Nathan, Thanks for your contribution. However, there are a few issues that I would like you to address. On 24/11/22 02:47, Nathan Barrett-Morrison wrote: > While bringing up the cadence-quadspi driver on a customer board, > I discovered that the baud divisor calculation can exceed the > peripheral's maximum in some circumstances. This will prevent it. What is the peripheral's maximum? Is the peripheral a flash? Please define what you mean by "some circumstances". > > Signed-off-by: Nathan Barrett-Morrison <nathan.morrison@timesys.com> > --- > drivers/spi/spi-cadence-quadspi.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c > index 447230547945..250575fb7b0e 100644 > --- a/drivers/spi/spi-cadence-quadspi.c > +++ b/drivers/spi/spi-cadence-quadspi.c > @@ -1119,6 +1119,10 @@ static void cqspi_config_baudrate_div(struct cqspi_st *cqspi) > /* Recalculate the baudrate divisor based on QSPI specification. */ > div = DIV_ROUND_UP(ref_clk_hz, 2 * cqspi->sclk) - 1; > > + /* Maximum baud divisor */ > + if (div > CQSPI_REG_CONFIG_BAUD_MASK) I don't think comparing "greater than" with a MASK is atall a good idea. > + div = CQSPI_REG_CONFIG_BAUD_MASK; I would not encourage this either. > + > reg = readl(reg_base + CQSPI_REG_CONFIG); > reg &= ~(CQSPI_REG_CONFIG_BAUD_MASK << CQSPI_REG_CONFIG_BAUD_LSB); > reg |= (div & CQSPI_REG_CONFIG_BAUD_MASK) << CQSPI_REG_CONFIG_BAUD_LSB; Either come up with a better MACRO, or if what I understand is correct, the peripheral's max value will depend, well on the _peripheral_ in which case it is that "peripheral" driver's responsibility to properly tell the controller what to do. Again, I don't fully understand your situation is as in what is the peripheral you are using. So please elaborate on that. Importantly, I would suggest that you _NEVER_ compare ANY value to a MASK Macro. MASK Macros are meant to MASK bits.
On Thu, Nov 24, 2022 at 12:16:10PM +0530, Dhruva Gole wrote: > On 24/11/22 02:47, Nathan Barrett-Morrison wrote: > > + /* Maximum baud divisor */ > > + if (div > CQSPI_REG_CONFIG_BAUD_MASK) > I don't think comparing "greater than" with a MASK is atall a good idea. Why - it's checking that the calculated divisor can actually fit in the relevant register field which seems like a totally normal thing to do? > Again, I don't fully understand your situation is as in > what is the peripheral you are using. So please elaborate on that. As far as I can tell the issue here is that the device is asking for a rate which requires a larger divisor than the controller can support but the driver doesn't do any bounds checking so it just writes the calculated divisor out to the hardware, corrupting any adjacent fields. In this context the SPI controller is a peripheral within the SoC. > Importantly, I would suggest that you _NEVER_ compare ANY value to a > MASK Macro. MASK Macros are meant to MASK bits. It's very common to also use masks to identify when values have overflowed the values that can be written to a field.
On Wed, Nov 23, 2022 at 04:17:05PM -0500, Nathan Barrett-Morrison wrote: > + /* Maximum baud divisor */ > + if (div > CQSPI_REG_CONFIG_BAUD_MASK) > + div = CQSPI_REG_CONFIG_BAUD_MASK; This will fix the overflow of the divisor but it means that we'll be generating a faster clock than the device asked for which might lead to problems. We should at the very least warn, though returning an error would be safer. Ideally we'd be able to adjust the input clock to the SPI controller to allow us to divide out an appropriate clock but that's more disruptive.
Hi Mark & Dhruva, Your understanding is correct. This is just checking if the divisor field has exceed the bit field's full scale (0xF) in this case. This was observed when we had a reference block of 500MHz and a max SPI clock of 10MHz setting. 500000000/2*10000000 = 25 25 > 0xF (15) Would you like me to add a dev_err (or such) bailout error condition and resubmit? Sincerely, Nathan
On Thu, Nov 24, 2022 at 06:53:54AM -0500, Nathan Barrett-Morrison wrote:
> Would you like me to add a dev_err (or such) bailout error condition and resubmit?
Yes, please. A bit of rewording to clarify the commit log might help as
well.
Hi Mark, Thanks for your clarification. On 24/11/22 17:05, Mark Brown wrote: > On Thu, Nov 24, 2022 at 12:16:10PM +0530, Dhruva Gole wrote: >> On 24/11/22 02:47, Nathan Barrett-Morrison wrote: > >>> + /* Maximum baud divisor */ >>> + if (div > CQSPI_REG_CONFIG_BAUD_MASK) > >> I don't think comparing "greater than" with a MASK is atall a good idea. > > Why - it's checking that the calculated divisor can actually fit in the > relevant register field which seems like a totally normal thing to do? okay, it makes sense in the sense that it will cap the div rate to 0xF. > >> Again, I don't fully understand your situation is as in >> what is the peripheral you are using. So please elaborate on that. > > As far as I can tell the issue here is that the device is asking for a > rate which requires a larger divisor than the controller can support but > the driver doesn't do any bounds checking so it just writes the > calculated divisor out to the hardware, corrupting any adjacent fields. but, I am not sure it would anyway corrupt any adjacent bits, The code reg |= (div & CQSPI_REG_CONFIG_BAUD_MASK) << CQSPI_REG_CONFIG_BAUD_LSB does mask the div value to ensure bits ONLY in CQSPI_REG_CONFIG_BAUD_MASK region are set and nothing else right? > > In this context the SPI controller is a peripheral within the SoC. Ah okay, my understanding was that one would call a peripheral something that is connected via a SPI Bus to the SPI controller. > >> Importantly, I would suggest that you _NEVER_ compare ANY value to a >> MASK Macro. MASK Macros are meant to MASK bits. > > It's very common to also use masks to identify when values have > overflowed the values that can be written to a field. okay, this does make sense when the code doesn't mask the values before modifying the registers. However as I showed above, there is a masking done of div before setting the bits in the reg. I agree there is the other justification to use the BAUD_MASK macro to cap the div value to maximum if it is larger than maximum. However as you said as well, This will fix the overflow of the divisor but it means that we'll be generating a faster clock than the device asked for which might lead to problems. I believe a simple warning is enough, and better not touch the div variable because it seems unnecessary. We already have a mask to take care of masking the appropriate bits. As the commit said, "can exceed the peripheral's maximum in some circumstances. This will prevent it." The prevent it part does not seem to be special to his patch, because anyway we were masking the bits so the value wont exceed as such in register.
On Thu, Nov 24, 2022 at 05:57:10PM +0530, Dhruva Gole wrote: > On 24/11/22 17:05, Mark Brown wrote: > > As far as I can tell the issue here is that the device is asking for a > > rate which requires a larger divisor than the controller can support but > > the driver doesn't do any bounds checking so it just writes the > > calculated divisor out to the hardware, corrupting any adjacent fields. > but, I am not sure it would anyway corrupt any adjacent bits, > The code > reg |= (div & CQSPI_REG_CONFIG_BAUD_MASK) << CQSPI_REG_CONFIG_BAUD_LSB > does mask the div value to ensure bits ONLY in CQSPI_REG_CONFIG_BAUD_MASK > region are set and nothing else right? Yes, that'd avoid corrupting adjacent bits (though it'd still be making things worse in that it makes the divider smaller). > I believe a simple warning is enough, and better not touch the div variable > because it seems unnecessary. We already have a mask to take care of masking > the appropriate bits. That'd still leave the clock driven too fast which could break things, going for the maximum divider would mitigate this (though an error would be even safer).
diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index 447230547945..250575fb7b0e 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -1119,6 +1119,10 @@ static void cqspi_config_baudrate_div(struct cqspi_st *cqspi) /* Recalculate the baudrate divisor based on QSPI specification. */ div = DIV_ROUND_UP(ref_clk_hz, 2 * cqspi->sclk) - 1; + /* Maximum baud divisor */ + if (div > CQSPI_REG_CONFIG_BAUD_MASK) + div = CQSPI_REG_CONFIG_BAUD_MASK; + reg = readl(reg_base + CQSPI_REG_CONFIG); reg &= ~(CQSPI_REG_CONFIG_BAUD_MASK << CQSPI_REG_CONFIG_BAUD_LSB); reg |= (div & CQSPI_REG_CONFIG_BAUD_MASK) << CQSPI_REG_CONFIG_BAUD_LSB;