[U-Boot,v2] usb_storage: fix ehci driver max transfer size

Message ID	fce6d97c0746ecbaaf63f29c112bbc5689c5750f.1341863102.git.stefan@herbrechtsmeier.net
State	Accepted
Commit	1b4bd0e66cd3b5124669c78bc968510b1040e9d9
Delegated to:	Marek Vasut
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net> To: u-boot@lists.denx.de Date: Mon, 9 Jul 2012 21:52:29 +0200 Message-Id: <fce6d97c0746ecbaaf63f29c112bbc5689c5750f.1341863102.git.stefan@herbrechtsmeier.net> In-Reply-To: <1340043748-9261-1-git-send-email-stefan@herbrechtsmeier.net> References: <1340043748-9261-1-git-send-email-stefan@herbrechtsmeier.net> Cc: Marek Vasut <marex@denx.de> Subject: [U-Boot] [PATCH v2] usb_storage: fix ehci driver max transfer size Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: u-boot-bounces@lists.denx.de Errors-To: u-boot-bounces@lists.denx.de

Message ID

fce6d97c0746ecbaaf63f29c112bbc5689c5750f.1341863102.git.stefan@herbrechtsmeier.net

State

Accepted

Commit

1b4bd0e66cd3b5124669c78bc968510b1040e9d9

Delegated to:

Marek Vasut

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from theia.denx.de (theia.denx.de [85.214.87.163])
	by ozlabs.org (Postfix) with ESMTP id C87792C0081
	for <incoming@patchwork.ozlabs.org>;
	Tue, 10 Jul 2012 05:59:42 +1000 (EST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id 6C63428188;
	Mon,  9 Jul 2012 21:59:41 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at theia.denx.de
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id qEAx03JLlbP5; Mon,  9 Jul 2012 21:59:41 +0200 (CEST)
Received: from theia.denx.de (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id C1B0A2817E;
	Mon,  9 Jul 2012 21:59:39 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id 0F31E2817E
	for <u-boot@lists.denx.de>; Mon,  9 Jul 2012 21:59:37 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at theia.denx.de
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id DO84-lJZFJn0 for <u-boot@lists.denx.de>;
	Mon,  9 Jul 2012 21:59:36 +0200 (CEST)
X-Greylist: delayed 375 seconds by postgrey-1.27 at theia;
	Mon, 09 Jul 2012 21:59:34 CEST
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
	NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested)
Received: from dd19416.kasserver.com (dd19416.kasserver.com [85.13.139.185])
	by theia.denx.de (Postfix) with ESMTPS id 214392817B
	for <u-boot@lists.denx.de>; Mon,  9 Jul 2012 21:59:34 +0200 (CEST)
Received: from localhost.localdomain (blfd-4d083cb1.pool.mediaWays.net
	[77.8.60.177])
	by dd19416.kasserver.com (Postfix) with ESMTPSA id 18CEA1840DAC;
	Mon,  9 Jul 2012 21:53:19 +0200 (CEST)
From: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
To: u-boot@lists.denx.de
Date: Mon,  9 Jul 2012 21:52:29 +0200
Message-Id: <fce6d97c0746ecbaaf63f29c112bbc5689c5750f.1341863102.git.stefan@herbrechtsmeier.net>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1340043748-9261-1-git-send-email-stefan@herbrechtsmeier.net>
References: <1340043748-9261-1-git-send-email-stefan@herbrechtsmeier.net>
Cc: Marek Vasut <marex@denx.de>
Subject: [U-Boot] [PATCH v2] usb_storage: fix ehci driver max transfer size
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <http://lists.denx.de/mailman/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <http://lists.denx.de/mailman/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: u-boot-bounces@lists.denx.de
Errors-To: u-boot-bounces@lists.denx.de

Commit Message

Stefan Herbrechtsmeier July 9, 2012, 7:52 p.m. UTC

The commit 5dd95cf93dfffa1d19a1928990852aac9f55b9d9 'usb_storage:
Fix EHCI "out of buffer pointers" with CD-ROM' introduce a bug in
usb_storage as it wrongly assumes that every transfer can use
4096 bytes per qt_buffer. This is wrong if the start address of
the data is not page aligned to 4096 bytes and leads to 'EHCI
timed out on TD' messages because of 'out of buffer pointers'
in ehci_td_buffer function.

The bug appears during load of a fragmented file and
read from or write to an unaligned memory address.

Cc: Marek Vasut <marex@denx.de>
Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>

---
Changes for v2:
 - Replace fixed worst case calculation with dynamic
   computation based on start address of transfer

 common/usb_storage.c |   37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

Comments

Marek Vasut July 10, 2012, 2:12 a.m. UTC | #1

Dear Stefan Herbrechtsmeier,

> The commit 5dd95cf93dfffa1d19a1928990852aac9f55b9d9 'usb_storage:
> Fix EHCI "out of buffer pointers" with CD-ROM' introduce a bug in
> usb_storage as it wrongly assumes that every transfer can use
> 4096 bytes per qt_buffer. This is wrong if the start address of
> the data is not page aligned to 4096 bytes and leads to 'EHCI
> timed out on TD' messages because of 'out of buffer pointers'
> in ehci_td_buffer function.

Yes, this can be simply confirmed even with USB stick by loading to unaligned 
address. It'll make the buffers overflow too.

> The bug appears during load of a fragmented file and
> read from or write to an unaligned memory address.
> 
> Cc: Marek Vasut <marex@denx.de>
> Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
> 
> ---
> Changes for v2:
>  - Replace fixed worst case calculation with dynamic
>    computation based on start address of transfer
> 
>  common/usb_storage.c |   37 ++++++++++++++++++++-----------------
>  1 file changed, 20 insertions(+), 17 deletions(-)
> 
> diff --git a/common/usb_storage.c b/common/usb_storage.c
> index faad237..bdc306f 100644
> --- a/common/usb_storage.c
> +++ b/common/usb_storage.c
> @@ -150,12 +150,17 @@ struct us_data {
>  	unsigned int	irqpipe;	 	/* pipe for release_irq */
>  	unsigned char	irqmaxp;		/* max packed for irq Pipe */
>  	unsigned char	irqinterval;		/* Intervall for IRQ Pipe */
> -	unsigned long	max_xfer_blk;		/* Max blocks per xfer */
>  	ccb		*srb;			/* current srb */
>  	trans_reset	transport_reset;	/* reset routine */
>  	trans_cmnd	transport;		/* transport routine */
>  };
> 
> +/*
> + * The U-Boot EHCI driver cannot handle more than 5 page aligned buffers
> + * of 4096 bytes in a transfer without running itself out of qt_buffers
> + */
> +#define USB_MAX_XFER_BLK(start, blksz)	(((4096 * 5) - (start % 4096)) /
> blksz) +

Can't something in include/common.h around line 900 can't be used?

btw put braces around (start) in the macro and around (blksz) .

[...]

The rest is good, thanks! :-)

Best regards,
Marek Vasut

Stefan Herbrechtsmeier July 10, 2012, 6:53 a.m. UTC | #2

Am 10.07.2012 04:12, schrieb Marek Vasut:
>> The commit 5dd95cf93dfffa1d19a1928990852aac9f55b9d9 'usb_storage:
>> Fix EHCI "out of buffer pointers" with CD-ROM' introduce a bug in
>> usb_storage as it wrongly assumes that every transfer can use
>> 4096 bytes per qt_buffer. This is wrong if the start address of
>> the data is not page aligned to 4096 bytes and leads to 'EHCI
>> timed out on TD' messages because of 'out of buffer pointers'
>> in ehci_td_buffer function.
> Yes, this can be simply confirmed even with USB stick by loading to unaligned
> address. It'll make the buffers overflow too.
>
>> The bug appears during load of a fragmented file and
>> read from or write to an unaligned memory address.
>>
>> Cc: Marek Vasut <marex@denx.de>
>> Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
>>
>> ---
>> Changes for v2:
>>   - Replace fixed worst case calculation with dynamic
>>     computation based on start address of transfer
>>
>>   common/usb_storage.c |   37 ++++++++++++++++++++-----------------
>>   1 file changed, 20 insertions(+), 17 deletions(-)
>>
>> diff --git a/common/usb_storage.c b/common/usb_storage.c
>> index faad237..bdc306f 100644
>> --- a/common/usb_storage.c
>> +++ b/common/usb_storage.c
>> @@ -150,12 +150,17 @@ struct us_data {
>>   	unsigned int	irqpipe;	 	/* pipe for release_irq */
>>   	unsigned char	irqmaxp;		/* max packed for irq Pipe */
>>   	unsigned char	irqinterval;		/* Intervall for IRQ Pipe */
>> -	unsigned long	max_xfer_blk;		/* Max blocks per xfer */
>>   	ccb		*srb;			/* current srb */
>>   	trans_reset	transport_reset;	/* reset routine */
>>   	trans_cmnd	transport;		/* transport routine */
>>   };
>>
>> +/*
>> + * The U-Boot EHCI driver cannot handle more than 5 page aligned buffers
>> + * of 4096 bytes in a transfer without running itself out of qt_buffers
>> + */
>> +#define USB_MAX_XFER_BLK(start, blksz)	(((4096 * 5) - (start % 4096)) /
>> blksz) +
> Can't something in include/common.h around line 900 can't be used?
If you mean the round functions I don't need them, as I need the
leftover of 4096 and I need to divide round down the count.

> btw put braces around (start) in the macro and around (blksz) .
I will send a v3 tonight.

Regards,
     Stefan

Marek Vasut July 10, 2012, 7:22 a.m. UTC | #3

Dear Stefan Herbrechtsmeier,

> Am 10.07.2012 04:12, schrieb Marek Vasut:
> >> The commit 5dd95cf93dfffa1d19a1928990852aac9f55b9d9 'usb_storage:
> >> Fix EHCI "out of buffer pointers" with CD-ROM' introduce a bug in
> >> usb_storage as it wrongly assumes that every transfer can use
> >> 4096 bytes per qt_buffer. This is wrong if the start address of
> >> the data is not page aligned to 4096 bytes and leads to 'EHCI
> >> timed out on TD' messages because of 'out of buffer pointers'
> >> in ehci_td_buffer function.
> > 
> > Yes, this can be simply confirmed even with USB stick by loading to
> > unaligned address. It'll make the buffers overflow too.
> > 
> >> The bug appears during load of a fragmented file and
> >> read from or write to an unaligned memory address.
> >> 
> >> Cc: Marek Vasut <marex@denx.de>
> >> Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
> >> 
> >> ---
> >> 
> >> Changes for v2:
> >>   - Replace fixed worst case calculation with dynamic
> >>   
> >>     computation based on start address of transfer
> >>   
> >>   common/usb_storage.c |   37 ++++++++++++++++++++-----------------
> >>   1 file changed, 20 insertions(+), 17 deletions(-)
> >> 
> >> diff --git a/common/usb_storage.c b/common/usb_storage.c
> >> index faad237..bdc306f 100644
> >> --- a/common/usb_storage.c
> >> +++ b/common/usb_storage.c
> >> @@ -150,12 +150,17 @@ struct us_data {
> >> 
> >>   	unsigned int	irqpipe;	 	/* pipe for release_irq */
> >>   	unsigned char	irqmaxp;		/* max packed for irq Pipe */
> >>   	unsigned char	irqinterval;		/* Intervall for IRQ Pipe */
> >> 
> >> -	unsigned long	max_xfer_blk;		/* Max blocks per xfer */
> >> 
> >>   	ccb		*srb;			/* current srb */
> >>   	trans_reset	transport_reset;	/* reset routine */
> >>   	trans_cmnd	transport;		/* transport routine */
> >>   
> >>   };
> >> 
> >> +/*
> >> + * The U-Boot EHCI driver cannot handle more than 5 page aligned
> >> buffers + * of 4096 bytes in a transfer without running itself out of
> >> qt_buffers + */
> >> +#define USB_MAX_XFER_BLK(start, blksz)	(((4096 * 5) - (start % 4096)) /
> >> blksz) +
> > 
> > Can't something in include/common.h around line 900 can't be used?
> 
> If you mean the round functions I don't need them, as I need the
> leftover of 4096 and I need to divide round down the count.
> 
> > btw put braces around (start) in the macro and around (blksz) .
> 
> I will send a v3 tonight.

Ok then, I think this is just perfect than and it should definitelly hit this 
release :-)

Thank you very much, sorry for pestering you too much and adding delays. Shame 
on my maintaining skills.

> Regards,
>      Stefan

Best regards,
Marek Vasut

diff --git a/common/usb_storage.c b/common/usb_storage.c
index faad237..bdc306f 100644
--- a/common/usb_storage.c
+++ b/common/usb_storage.c
@@ -150,12 +150,17 @@  struct us_data {
 	unsigned int	irqpipe;	 	/* pipe for release_irq */
 	unsigned char	irqmaxp;		/* max packed for irq Pipe */
 	unsigned char	irqinterval;		/* Intervall for IRQ Pipe */
-	unsigned long	max_xfer_blk;		/* Max blocks per xfer */
 	ccb		*srb;			/* current srb */
 	trans_reset	transport_reset;	/* reset routine */
 	trans_cmnd	transport;		/* transport routine */
 };
 
+/*
+ * The U-Boot EHCI driver cannot handle more than 5 page aligned buffers
+ * of 4096 bytes in a transfer without running itself out of qt_buffers
+ */
+#define USB_MAX_XFER_BLK(start, blksz)	(((4096 * 5) - (start % 4096)) / blksz)
+
 static struct us_data usb_stor[USB_MAX_STOR_DEV];
 
 
@@ -1041,7 +1046,7 @@  static void usb_bin_fixup(struct usb_device_descriptor descriptor,
 unsigned long usb_stor_read(int device, unsigned long blknr,
 			    unsigned long blkcnt, void *buffer)
 {
-	unsigned long start, blks, buf_addr;
+	unsigned long start, blks, buf_addr, max_xfer_blk;
 	unsigned short smallblks;
 	struct usb_device *dev;
 	struct us_data *ss;
@@ -1083,12 +1088,14 @@  unsigned long usb_stor_read(int device, unsigned long blknr,
 		/* XXX need some comment here */
 		retry = 2;
 		srb->pdata = (unsigned char *)buf_addr;
-		if (blks > ss->max_xfer_blk)
-			smallblks = ss->max_xfer_blk;
+		max_xfer_blk = USB_MAX_XFER_BLK(buf_addr,
+						usb_dev_desc[device].blksz);
+		if (blks > max_xfer_blk)
+			smallblks = (unsigned short) max_xfer_blk;
 		else
 			smallblks = (unsigned short) blks;
 retry_it:
-		if (smallblks == ss->max_xfer_blk)
+		if (smallblks == max_xfer_blk)
 			usb_show_progress();
 		srb->datalen = usb_dev_desc[device].blksz * smallblks;
 		srb->pdata = (unsigned char *)buf_addr;
@@ -1109,7 +1116,7 @@  retry_it:
 			start, smallblks, buf_addr);
 
 	usb_disable_asynch(0); /* asynch transfer allowed */
-	if (blkcnt >= ss->max_xfer_blk)
+	if (blkcnt >= max_xfer_blk)
 		debug("\n");
 	return blkcnt;
 }
@@ -1117,7 +1124,7 @@  retry_it:
 unsigned long usb_stor_write(int device, unsigned long blknr,
 				unsigned long blkcnt, const void *buffer)
 {
-	unsigned long start, blks, buf_addr;
+	unsigned long start, blks, buf_addr, max_xfer_blk;
 	unsigned short smallblks;
 	struct usb_device *dev;
 	struct us_data *ss;
@@ -1162,12 +1169,14 @@  unsigned long usb_stor_write(int device, unsigned long blknr,
 		 */
 		retry = 2;
 		srb->pdata = (unsigned char *)buf_addr;
-		if (blks > ss->max_xfer_blk)
-			smallblks = ss->max_xfer_blk;
+		max_xfer_blk = USB_MAX_XFER_BLK(buf_addr,
+						usb_dev_desc[device].blksz);
+		if (blks > max_xfer_blk)
+			smallblks = (unsigned short) max_xfer_blk;
 		else
 			smallblks = (unsigned short) blks;
 retry_it:
-		if (smallblks == ss->max_xfer_blk)
+		if (smallblks == max_xfer_blk)
 			usb_show_progress();
 		srb->datalen = usb_dev_desc[device].blksz * smallblks;
 		srb->pdata = (unsigned char *)buf_addr;
@@ -1188,7 +1197,7 @@  retry_it:
 			start, smallblks, buf_addr);
 
 	usb_disable_asynch(0); /* asynch transfer allowed */
-	if (blkcnt >= ss->max_xfer_blk)
+	if (blkcnt >= max_xfer_blk)
 		debug("\n");
 	return blkcnt;
 
@@ -1415,12 +1424,6 @@  int usb_stor_get_info(struct usb_device *dev, struct us_data *ss,
 	USB_STOR_PRINTF(" address %d\n", dev_desc->target);
 	USB_STOR_PRINTF("partype: %d\n", dev_desc->part_type);
 
-	/*
-	 * The U-Boot EHCI driver cannot handle more than 4096 * 5 bytes in a
-	 * transfer without running itself out of qt_buffers.
-	 */
-	ss->max_xfer_blk = (4096 * 5) / dev_desc->blksz;
-
 	init_part(dev_desc);
 
 	USB_STOR_PRINTF("partype: %d\n", dev_desc->part_type);

[U-Boot,v2] usb_storage: fix ehci driver max transfer size

Commit Message

Comments

Patch