| Message ID | 20221201134845.4055907-3-rf@opensource.cirrus.com |
|---|---|
| State | New |
| Headers | show |
| Series | soundwire: cadence: Fix oversized FIFO size define | expand |
On 12/1/22 07:48, Richard Fitzgerald wrote: > The response_buf was declared much larger (128 entries) than the number > of responses that could ever be written into it (maximum 8). Indeed I don't know why we used 128 entries. This is a magic value that doesn't appear in any specs I've looked at. Note that there's 'sniffer' mode when each response takes two consecutive 32-words in the FIFO. we've never used this mode though so it's not really an issue. It's also possible that this is related to the automatic command retry, where a failed command can be re-issued 15 times. However in that case the worst case would be 32 commands * 15 = 480. The value of 128 makes no sense at all, unless it was an upper bound for 8 * 15. We don't use this hardware retry btw. See more below... > Reduce response_buf to 8 entries and add checking in cdns_read_response() > to prevent overflowing reponse_buf if CDNS_MCP_RX_FIFO_AVAIL contains > an unexpectedly large number. > > Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> > --- > drivers/soundwire/cadence_master.c | 6 ++++++ > drivers/soundwire/cadence_master.h | 2 +- > 2 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c > index 27699f341f2c..95c84d9f0775 100644 > --- a/drivers/soundwire/cadence_master.c > +++ b/drivers/soundwire/cadence_master.c > @@ -774,8 +774,14 @@ static void cdns_read_response(struct sdw_cdns *cdns) > u32 num_resp, cmd_base; > int i; > > + BUILD_BUG_ON(ARRAY_SIZE(cdns->response_buf) < CDNS_MCP_CMD_LEN); > + > num_resp = cdns_readl(cdns, CDNS_MCP_FIFOSTAT); > num_resp &= CDNS_MCP_RX_FIFO_AVAIL; > + if (num_resp > ARRAY_SIZE(cdns->response_buf)) { > + dev_warn(cdns->dev, "RX AVAIL %d too long\n", num_resp); > + num_resp = CDNS_MCP_CMD_LEN; .... this is different from what the hardware documentation tells me. The range of values to RX_FIFO_AVAIL is 0..RX_FIFO_DEPTH + 2. I don't understand the +2, but we should maybe be more cautious and use u32 response_buf[CDNS_MCP_CMD_LEN + 2]; > + } > > cmd_base = CDNS_MCP_CMD_BASE; > > diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h > index 0434d70d4b1f..c2d817e8e22a 100644 > --- a/drivers/soundwire/cadence_master.h > +++ b/drivers/soundwire/cadence_master.h > @@ -117,7 +117,7 @@ struct sdw_cdns { > struct sdw_bus bus; > unsigned int instance; > > - u32 response_buf[0x80]; > + u32 response_buf[8]; > struct completion tx_complete; > struct sdw_defer *defer; >
On 01/12/2022 18:12, Pierre-Louis Bossart wrote: > > > On 12/1/22 07:48, Richard Fitzgerald wrote: >> The response_buf was declared much larger (128 entries) than the number >> of responses that could ever be written into it (maximum 8). > > Indeed I don't know why we used 128 entries. This is a magic value that > doesn't appear in any specs I've looked at. > > Note that there's 'sniffer' mode when each response takes two > consecutive 32-words in the FIFO. we've never used this mode though so > it's not really an issue. > > It's also possible that this is related to the automatic command retry, > where a failed command can be re-issued 15 times. However in that case > the worst case would be 32 commands * 15 = 480. The value of 128 makes > no sense at all, unless it was an upper bound for 8 * 15. We don't use > this hardware retry btw. > > See more below... > >> Reduce response_buf to 8 entries and add checking in cdns_read_response() >> to prevent overflowing reponse_buf if CDNS_MCP_RX_FIFO_AVAIL contains >> an unexpectedly large number. >> >> Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> >> --- >> drivers/soundwire/cadence_master.c | 6 ++++++ >> drivers/soundwire/cadence_master.h | 2 +- >> 2 files changed, 7 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c >> index 27699f341f2c..95c84d9f0775 100644 >> --- a/drivers/soundwire/cadence_master.c >> +++ b/drivers/soundwire/cadence_master.c >> @@ -774,8 +774,14 @@ static void cdns_read_response(struct sdw_cdns *cdns) >> u32 num_resp, cmd_base; >> int i; >> >> + BUILD_BUG_ON(ARRAY_SIZE(cdns->response_buf) < CDNS_MCP_CMD_LEN); >> + >> num_resp = cdns_readl(cdns, CDNS_MCP_FIFOSTAT); >> num_resp &= CDNS_MCP_RX_FIFO_AVAIL; >> + if (num_resp > ARRAY_SIZE(cdns->response_buf)) { >> + dev_warn(cdns->dev, "RX AVAIL %d too long\n", num_resp); >> + num_resp = CDNS_MCP_CMD_LEN; > > .... this is different from what the hardware documentation tells me. > The range of values to RX_FIFO_AVAIL is 0..RX_FIFO_DEPTH + 2. > > I don't understand the +2, but we should maybe be more cautious and use > u32 response_buf[CDNS_MCP_CMD_LEN + 2]; > Probably we wouldn't know what to do with those extra 2 responses. _cdns_xfer_msg() tells cdns_fill_msg_resp() to extract the same number of responses as the original message length. So it would only extract 8 maximum. But anyway yes I can add the mysterious +2 into this. Thinking about it, that's probably a good idea anyay for the next patch that drains the RX FIFO after an error. >> + } >> >> cmd_base = CDNS_MCP_CMD_BASE; >> >> diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h >> index 0434d70d4b1f..c2d817e8e22a 100644 >> --- a/drivers/soundwire/cadence_master.h >> +++ b/drivers/soundwire/cadence_master.h >> @@ -117,7 +117,7 @@ struct sdw_cdns { >> struct sdw_bus bus; >> unsigned int instance; >> >> - u32 response_buf[0x80]; >> + u32 response_buf[8]; >> struct completion tx_complete; >> struct sdw_defer *defer; >>
diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c index 27699f341f2c..95c84d9f0775 100644 --- a/drivers/soundwire/cadence_master.c +++ b/drivers/soundwire/cadence_master.c @@ -774,8 +774,14 @@ static void cdns_read_response(struct sdw_cdns *cdns) u32 num_resp, cmd_base; int i; + BUILD_BUG_ON(ARRAY_SIZE(cdns->response_buf) < CDNS_MCP_CMD_LEN); + num_resp = cdns_readl(cdns, CDNS_MCP_FIFOSTAT); num_resp &= CDNS_MCP_RX_FIFO_AVAIL; + if (num_resp > ARRAY_SIZE(cdns->response_buf)) { + dev_warn(cdns->dev, "RX AVAIL %d too long\n", num_resp); + num_resp = CDNS_MCP_CMD_LEN; + } cmd_base = CDNS_MCP_CMD_BASE; diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h index 0434d70d4b1f..c2d817e8e22a 100644 --- a/drivers/soundwire/cadence_master.h +++ b/drivers/soundwire/cadence_master.h @@ -117,7 +117,7 @@ struct sdw_cdns { struct sdw_bus bus; unsigned int instance; - u32 response_buf[0x80]; + u32 response_buf[8]; struct completion tx_complete; struct sdw_defer *defer;
The response_buf was declared much larger (128 entries) than the number of responses that could ever be written into it (maximum 8). Reduce response_buf to 8 entries and add checking in cdns_read_response() to prevent overflowing reponse_buf if CDNS_MCP_RX_FIFO_AVAIL contains an unexpectedly large number. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> --- drivers/soundwire/cadence_master.c | 6 ++++++ drivers/soundwire/cadence_master.h | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-)