Patchwork i2c-designware: fix RX FIFO overrun

login
register
mail settings
Submitter Josef Ahmad
Date April 19, 2013, 6:05 p.m.
Message ID <alpine.DEB.2.02.1304191859570.17829@localhost>
Download mbox | patch
Permalink /patch/238088/
State Superseded
Headers show

Comments

Josef Ahmad - April 19, 2013, 6:05 p.m.
From a969728248c3b439dc97a69e7dac133b5efa34e7 Mon Sep 17 00:00:00 2001
From: Josef Ahmad <josef.ahmad@linux.intel.com>
Date: Fri, 19 Apr 2013 17:28:10 +0100
Subject: [PATCH] i2c-designware: fix RX FIFO overrun

i2c_dw_xfer_msg() pushes a number of bytes to transmit/receive
to/from the bus into the TX FIFO.
For master-rx transactions, the maximum amount of data that can be
received is calculated depending solely on TX and RX FIFO load.

This is racy - TX FIFO may contain master-rx data yet to be
processed, which will eventually land into the RX FIFO. This
data is not taken into account and the function may request more
data than the controller is actually capable of storing.

This patch ensures the driver takes into account the outstanding
master-rx data in TX FIFO to prevent RX FIFO overrun.

Signed-off-by: Josef Ahmad <josef.ahmad@linux.intel.com>
---
  drivers/i2c/busses/i2c-designware-core.c |   11 ++++++++++-
  drivers/i2c/busses/i2c-designware-core.h |    2 ++
  2 files changed, 12 insertions(+), 1 deletions(-)
Bryan O'Donoghue - April 19, 2013, 8:43 p.m.
Josef.

This fixes a real bug for us does it not, some failure case with a 
sustained amount of traffic ?


Bryan

--
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Josef Ahmad - April 19, 2013, 9:20 p.m.
It does.
The bug appears with fairly-sized read transactions (in the order of kB)
returning corrupted data.

Josef

> Josef.
>
> This fixes a real bug for us does it not, some failure case with a
> sustained amount of traffic ?
>
>
> Bryan
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Mika Westerberg - April 22, 2013, 7:19 a.m.
On Fri, Apr 19, 2013 at 07:05:30PM +0100, Josef Ahmad wrote:
> >From a969728248c3b439dc97a69e7dac133b5efa34e7 Mon Sep 17 00:00:00 2001
> From: Josef Ahmad <josef.ahmad@linux.intel.com>
> Date: Fri, 19 Apr 2013 17:28:10 +0100
> Subject: [PATCH] i2c-designware: fix RX FIFO overrun
> 
> i2c_dw_xfer_msg() pushes a number of bytes to transmit/receive
> to/from the bus into the TX FIFO.
> For master-rx transactions, the maximum amount of data that can be
> received is calculated depending solely on TX and RX FIFO load.
> 
> This is racy - TX FIFO may contain master-rx data yet to be
> processed, which will eventually land into the RX FIFO. This
> data is not taken into account and the function may request more
> data than the controller is actually capable of storing.
> 
> This patch ensures the driver takes into account the outstanding
> master-rx data in TX FIFO to prevent RX FIFO overrun.

Can you add something to the changelog to show what the error looks like
(a dump from dmesg for example)?

> Signed-off-by: Josef Ahmad <josef.ahmad@linux.intel.com>
> ---
>  drivers/i2c/busses/i2c-designware-core.c |   11 ++++++++++-
>  drivers/i2c/busses/i2c-designware-core.h |    2 ++
>  2 files changed, 12 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/i2c/busses/i2c-designware-core.c b/drivers/i2c/busses/i2c-designware-core.c
> index 94fd818..8dbeef1 100644
> --- a/drivers/i2c/busses/i2c-designware-core.c
> +++ b/drivers/i2c/busses/i2c-designware-core.c
> @@ -426,8 +426,14 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev)
>  				cmd |= BIT(9);
> 
>  			if (msgs[dev->msg_write_idx].flags & I2C_M_RD) {
> +
> +				/* avoid rx buffer overrun */
> +				if (rx_limit - dev->rx_outstanding <= 0)
> +					break;
> +
>  				dw_writel(dev, cmd | 0x100, DW_IC_DATA_CMD);
>  				rx_limit--;
> +				dev->rx_outstanding++;

Instead of adding a new variable, is there something preventing a use of
DW_IC_STATUS bits RFNE and TFNF?

>  			} else
>  				dw_writel(dev, cmd | *buf++, DW_IC_DATA_CMD);
>  			tx_limit--; buf_len--;
> @@ -480,8 +486,10 @@ i2c_dw_read(struct dw_i2c_dev *dev)
> 
>  		rx_valid = dw_readl(dev, DW_IC_RXFLR);
> 
> -		for (; len > 0 && rx_valid > 0; len--, rx_valid--)
> +		for (; len > 0 && rx_valid > 0; len--, rx_valid--) {
>  			*buf++ = dw_readl(dev, DW_IC_DATA_CMD);
> +			dev->rx_outstanding--;
> +		}
> 
>  		if (len > 0) {
>  			dev->status |= STATUS_READ_IN_PROGRESS;
> @@ -539,6 +547,7 @@ i2c_dw_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num)
>  	dev->msg_err = 0;
>  	dev->status = STATUS_IDLE;
>  	dev->abort_source = 0;
> +	dev->rx_outstanding = 0;
> 
>  	ret = i2c_dw_wait_bus_not_busy(dev);
>  	if (ret < 0)
--
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Josef Ahmad - April 22, 2013, 11:30 a.m.
> On Fri, Apr 19, 2013 at 07:05:30PM +0100, Josef Ahmad wrote:
>> >From a969728248c3b439dc97a69e7dac133b5efa34e7 Mon Sep 17 00:00:00 2001
>> From: Josef Ahmad <josef.ahmad@linux.intel.com>
>> Date: Fri, 19 Apr 2013 17:28:10 +0100
>> Subject: [PATCH] i2c-designware: fix RX FIFO overrun
>>
>> i2c_dw_xfer_msg() pushes a number of bytes to transmit/receive
>> to/from the bus into the TX FIFO.
>> For master-rx transactions, the maximum amount of data that can be
>> received is calculated depending solely on TX and RX FIFO load.
>>
>> This is racy - TX FIFO may contain master-rx data yet to be
>> processed, which will eventually land into the RX FIFO. This
>> data is not taken into account and the function may request more
>> data than the controller is actually capable of storing.
>>
>> This patch ensures the driver takes into account the outstanding
>> master-rx data in TX FIFO to prevent RX FIFO overrun.
>
> Can you add something to the changelog to show what the error looks like
> (a dump from dmesg for example)?
>

The issue is, the data is silently corrupted and not notified to the I2C core
driver.
The master-rx transaction returns success and the RX buffer overflow is not
reported by the driver, which will read dropped data.

FWIW, I have a simple test application receiving well-known data from a slave
in a single transaction, and comparing received to expected data.
Here's the outcome of three runs:

[19/03/13 20:30:14] i2c-error   : rcv'd message != ref msg (first diff
@byte 33)
[19/03/13 20:30:43] i2c-error   : rcv'd message != ref msg (first diff
@byte 108)
[19/03/13 20:31:24] i2c-error   : rcv'd message != ref msg (first diff
@byte 133)

>> Signed-off-by: Josef Ahmad <josef.ahmad@linux.intel.com>
>> ---
>>  drivers/i2c/busses/i2c-designware-core.c |   11 ++++++++++-
>>  drivers/i2c/busses/i2c-designware-core.h |    2 ++
>>  2 files changed, 12 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/i2c/busses/i2c-designware-core.c
>> b/drivers/i2c/busses/i2c-designware-core.c
>> index 94fd818..8dbeef1 100644
>> --- a/drivers/i2c/busses/i2c-designware-core.c
>> +++ b/drivers/i2c/busses/i2c-designware-core.c
>> @@ -426,8 +426,14 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev)
>>  				cmd |= BIT(9);
>>
>>  			if (msgs[dev->msg_write_idx].flags & I2C_M_RD) {
>> +
>> +				/* avoid rx buffer overrun */
>> +				if (rx_limit - dev->rx_outstanding <= 0)
>> +					break;
>> +
>>  				dw_writel(dev, cmd | 0x100, DW_IC_DATA_CMD);
>>  				rx_limit--;
>> +				dev->rx_outstanding++;
>
> Instead of adding a new variable, is there something preventing a use of
> DW_IC_STATUS bits RFNE and TFNF?
>

DW_IC_STATUS bits won't give information of the type of elements (read or
write) that are in the fifos.
What we need here is more specific information, i.e. how many RX elements are
currently in TX fifo. The register set doesn't provide this information to my
knowledge, so I had to work it out externally with a status variable.

Consider this example with 8-byte fifos (E=empty, R=read, W=write elements):

State of the fifos:
        +-----------------+
TX  ->  | E E E E E W W R |
        +-----------------+
        +-----------------+
RX      | E E R R R R R R | <-
        +-----------------+

Now, say the transaction requires to pump 2 additional R elements into TX
fifo. We need to ensure that at this stage only 1 of the 2 R elements is
actually put into TX fifo: this way we we won't saturate the RX fifo.
Failing to do so exposes a race condition: if we don't read RX quickly
enough,
the R element + the new 2 R elements in the TX fifo will land into the RX,
resulting in an element being dropped.

>>  			} else
>>  				dw_writel(dev, cmd | *buf++, DW_IC_DATA_CMD);
>>  			tx_limit--; buf_len--;
>> @@ -480,8 +486,10 @@ i2c_dw_read(struct dw_i2c_dev *dev)
>>
>>  		rx_valid = dw_readl(dev, DW_IC_RXFLR);
>>
>> -		for (; len > 0 && rx_valid > 0; len--, rx_valid--)
>> +		for (; len > 0 && rx_valid > 0; len--, rx_valid--) {
>>  			*buf++ = dw_readl(dev, DW_IC_DATA_CMD);
>> +			dev->rx_outstanding--;
>> +		}
>>
>>  		if (len > 0) {
>>  			dev->status |= STATUS_READ_IN_PROGRESS;
>> @@ -539,6 +547,7 @@ i2c_dw_xfer(struct i2c_adapter *adap, struct i2c_msg
>> msgs[], int num)
>>  	dev->msg_err = 0;
>>  	dev->status = STATUS_IDLE;
>>  	dev->abort_source = 0;
>> +	dev->rx_outstanding = 0;
>>
>>  	ret = i2c_dw_wait_bus_not_busy(dev);
>>  	if (ret < 0)
>

--
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Mika Westerberg - April 22, 2013, 12:28 p.m.
On Mon, Apr 22, 2013 at 04:30:41AM -0700, Josef Ahmad wrote:
> > On Fri, Apr 19, 2013 at 07:05:30PM +0100, Josef Ahmad wrote:
> >> >From a969728248c3b439dc97a69e7dac133b5efa34e7 Mon Sep 17 00:00:00 2001
> >> From: Josef Ahmad <josef.ahmad@linux.intel.com>
> >> Date: Fri, 19 Apr 2013 17:28:10 +0100
> >> Subject: [PATCH] i2c-designware: fix RX FIFO overrun
> >>
> >> i2c_dw_xfer_msg() pushes a number of bytes to transmit/receive
> >> to/from the bus into the TX FIFO.
> >> For master-rx transactions, the maximum amount of data that can be
> >> received is calculated depending solely on TX and RX FIFO load.
> >>
> >> This is racy - TX FIFO may contain master-rx data yet to be
> >> processed, which will eventually land into the RX FIFO. This
> >> data is not taken into account and the function may request more
> >> data than the controller is actually capable of storing.
> >>
> >> This patch ensures the driver takes into account the outstanding
> >> master-rx data in TX FIFO to prevent RX FIFO overrun.
> >
> > Can you add something to the changelog to show what the error looks like
> > (a dump from dmesg for example)?
> >
> 
> The issue is, the data is silently corrupted and not notified to the I2C core
> driver.
> The master-rx transaction returns success and the RX buffer overflow is not
> reported by the driver, which will read dropped data.

OK.

> FWIW, I have a simple test application receiving well-known data from a slave
> in a single transaction, and comparing received to expected data.
> Here's the outcome of three runs:
> 
> [19/03/13 20:30:14] i2c-error   : rcv'd message != ref msg (first diff
> @byte 33)
> [19/03/13 20:30:43] i2c-error   : rcv'd message != ref msg (first diff
> @byte 108)
> [19/03/13 20:31:24] i2c-error   : rcv'd message != ref msg (first diff
> @byte 133)
> 
> >> Signed-off-by: Josef Ahmad <josef.ahmad@linux.intel.com>
> >> ---
> >>  drivers/i2c/busses/i2c-designware-core.c |   11 ++++++++++-
> >>  drivers/i2c/busses/i2c-designware-core.h |    2 ++
> >>  2 files changed, 12 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/drivers/i2c/busses/i2c-designware-core.c
> >> b/drivers/i2c/busses/i2c-designware-core.c
> >> index 94fd818..8dbeef1 100644
> >> --- a/drivers/i2c/busses/i2c-designware-core.c
> >> +++ b/drivers/i2c/busses/i2c-designware-core.c
> >> @@ -426,8 +426,14 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev)
> >>  				cmd |= BIT(9);
> >>
> >>  			if (msgs[dev->msg_write_idx].flags & I2C_M_RD) {
> >> +
> >> +				/* avoid rx buffer overrun */
> >> +				if (rx_limit - dev->rx_outstanding <= 0)
> >> +					break;
> >> +
> >>  				dw_writel(dev, cmd | 0x100, DW_IC_DATA_CMD);
> >>  				rx_limit--;
> >> +				dev->rx_outstanding++;
> >
> > Instead of adding a new variable, is there something preventing a use of
> > DW_IC_STATUS bits RFNE and TFNF?
> >
> 
> DW_IC_STATUS bits won't give information of the type of elements (read or
> write) that are in the fifos.
> What we need here is more specific information, i.e. how many RX elements are
> currently in TX fifo. The register set doesn't provide this information to my
> knowledge, so I had to work it out externally with a status variable.
> 
> Consider this example with 8-byte fifos (E=empty, R=read, W=write elements):
> 
> State of the fifos:
>         +-----------------+
> TX  ->  | E E E E E W W R |
>         +-----------------+
>         +-----------------+
> RX      | E E R R R R R R | <-
>         +-----------------+
> 
> Now, say the transaction requires to pump 2 additional R elements into TX
> fifo. We need to ensure that at this stage only 1 of the 2 R elements is
> actually put into TX fifo: this way we we won't saturate the RX fifo.
> Failing to do so exposes a race condition: if we don't read RX quickly
> enough,
> the R element + the new 2 R elements in the TX fifo will land into the RX,
> resulting in an element being dropped.

Thanks for the explanation. Makes sense to me now.

Feel free to add my

Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/i2c/busses/i2c-designware-core.c b/drivers/i2c/busses/i2c-designware-core.c
index 94fd818..8dbeef1 100644
--- a/drivers/i2c/busses/i2c-designware-core.c
+++ b/drivers/i2c/busses/i2c-designware-core.c
@@ -426,8 +426,14 @@  i2c_dw_xfer_msg(struct dw_i2c_dev *dev)
  				cmd |= BIT(9);

  			if (msgs[dev->msg_write_idx].flags & I2C_M_RD) {
+
+				/* avoid rx buffer overrun */
+				if (rx_limit - dev->rx_outstanding <= 0)
+					break;
+
  				dw_writel(dev, cmd | 0x100, DW_IC_DATA_CMD);
  				rx_limit--;
+				dev->rx_outstanding++;
  			} else
  				dw_writel(dev, cmd | *buf++, DW_IC_DATA_CMD);
  			tx_limit--; buf_len--;
@@ -480,8 +486,10 @@  i2c_dw_read(struct dw_i2c_dev *dev)

  		rx_valid = dw_readl(dev, DW_IC_RXFLR);

-		for (; len > 0 && rx_valid > 0; len--, rx_valid--)
+		for (; len > 0 && rx_valid > 0; len--, rx_valid--) {
  			*buf++ = dw_readl(dev, DW_IC_DATA_CMD);
+			dev->rx_outstanding--;
+		}

  		if (len > 0) {
  			dev->status |= STATUS_READ_IN_PROGRESS;
@@ -539,6 +547,7 @@  i2c_dw_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num)
  	dev->msg_err = 0;
  	dev->status = STATUS_IDLE;
  	dev->abort_source = 0;
+	dev->rx_outstanding = 0;

  	ret = i2c_dw_wait_bus_not_busy(dev);
  	if (ret < 0)
diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h
index 9c1840e..e761ad1 100644
--- a/drivers/i2c/busses/i2c-designware-core.h
+++ b/drivers/i2c/busses/i2c-designware-core.h
@@ -60,6 +60,7 @@ 
   * @adapter: i2c subsystem adapter node
   * @tx_fifo_depth: depth of the hardware tx fifo
   * @rx_fifo_depth: depth of the hardware rx fifo
+ * @rx_outstanding: current master-rx elements in tx fifo
   */
  struct dw_i2c_dev {
  	struct device		*dev;
@@ -88,6 +89,7 @@  struct dw_i2c_dev {
  	u32			master_cfg;
  	unsigned int		tx_fifo_depth;
  	unsigned int		rx_fifo_depth;
+	int			rx_outstanding;
  };

  #define ACCESS_SWAP		0x00000001