Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-11 06:31:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

spi: spi-ti-qspi: Handle truncated frames properly

Browse Source 
We clamp frame_len_words to a maximum of 4096, but do not actually
limit the number of words written or read through the DATA registers
or the length added to spi_message::actual_length.  This results in
silent data corruption for commands longer than this maximum.

Recalculate the length of each transfer, taking frame_len_words into
account.  Use this length in qspi_{read,write}_msg(), and to increment
spi_message::actual_length.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
This commit is contained in:
Ben Hutchings 2016-04-12 12:58:14 +01:00 committed by Mark Brown
parent ea1b60fb08
commit 1ff7760ff6
1 changed files with 20 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
drivers/spi/spi-ti-qspi.c
View File

@ -236,16 +236,16 @@ static inline int ti_qspi_poll_wc(struct ti_qspi *qspi)
return -ETIMEDOUT;
}
static int qspi_write_msg(struct ti_qspi *qspi, struct spi_transfer *t)
static int qspi_write_msg(struct ti_qspi *qspi, struct spi_transfer *t,
int count)
{
int wlen, count, xfer_len;
int wlen, xfer_len;
unsigned int cmd;
const u8 *txbuf;
u32 data;
txbuf = t->tx_buf;
cmd = qspi->cmd | QSPI_WR_SNGL;
count = t->len;
wlen = t->bits_per_word >> 3; /* in bytes */
xfer_len = wlen;
@ -305,9 +305,10 @@ static int qspi_write_msg(struct ti_qspi *qspi, struct spi_transfer *t)
return 0;
}
static int qspi_read_msg(struct ti_qspi *qspi, struct spi_transfer *t)
static int qspi_read_msg(struct ti_qspi *qspi, struct spi_transfer *t,
int count)
{
int wlen, count;
int wlen;
unsigned int cmd;
u8 *rxbuf;
@ -324,7 +325,6 @@ static int qspi_read_msg(struct ti_qspi *qspi, struct spi_transfer *t)
cmd |= QSPI_RD_SNGL;
break;
}
count = t->len;
wlen = t->bits_per_word >> 3; /* in bytes */
while (count) {
@ -355,12 +355,13 @@ static int qspi_read_msg(struct ti_qspi *qspi, struct spi_transfer *t)
return 0;
}
static int qspi_transfer_msg(struct ti_qspi *qspi, struct spi_transfer *t)
static int qspi_transfer_msg(struct ti_qspi *qspi, struct spi_transfer *t,
int count)
{
int ret;
if (t->tx_buf) {
ret = qspi_write_msg(qspi, t);
ret = qspi_write_msg(qspi, t, count);
if (ret) {
dev_dbg(qspi->dev, "Error while writing\n");
return ret;
@ -368,7 +369,7 @@ static int qspi_transfer_msg(struct ti_qspi *qspi, struct spi_transfer *t)
}
if (t->rx_buf) {
ret = qspi_read_msg(qspi, t);
ret = qspi_read_msg(qspi, t, count);
if (ret) {
dev_dbg(qspi->dev, "Error while reading\n");
return ret;
@ -451,7 +452,8 @@ static int ti_qspi_start_transfer_one(struct spi_master *master,
struct spi_device *spi = m->spi;
struct spi_transfer *t;
int status = 0, ret;
unsigned int frame_len_words;
unsigned int frame_len_words, transfer_len_words;
int wlen;
/* setup device control reg */
qspi->dc = 0;
@ -484,14 +486,20 @@ static int ti_qspi_start_transfer_one(struct spi_master *master,
qspi->cmd = ((qspi->cmd & ~QSPI_WLEN_MASK) |
QSPI_WLEN(t->bits_per_word));
ret = qspi_transfer_msg(qspi, t);
wlen = t->bits_per_word >> 3;
transfer_len_words = min(t->len / wlen, frame_len_words);
ret = qspi_transfer_msg(qspi, t, transfer_len_words * wlen);
if (ret) {
dev_dbg(qspi->dev, "transfer message failed\n");
mutex_unlock(&qspi->list_lock);
return -EINVAL;
}
m->actual_length += t->len;
m->actual_length += transfer_len_words * wlen;
frame_len_words -= transfer_len_words;
if (frame_len_words == 0)
break;
}
mutex_unlock(&qspi->list_lock);