-
Notifications
You must be signed in to change notification settings - Fork 846
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsafe buffer access in AXI SPI Engine offload #2300
Comments
It also looks like there is potentially another bug here. |
Also, if there are multiple xfers, e.g. of len=2, this would make the data in |
Yeah, I think linux/drivers/spi/spi-axi-spi-engine.c Line 373 in b8d0e51
This also implicitly casts u16 -> u32 So yeah, the offload support is indeed very messy and and really needs a proper cleanup. As I was saying last week, IMO, we need to have this API's going through the SPI subsystem. Having it "open coded" like this and freely "reinventing" things like
For the above two comments, I think the HW is actually auto incrementing so you just end up writing on the same MMIO address and the HW makes it right. Looking at this: linux/drivers/spi/spi-axi-spi-engine.c Line 373 in b8d0e51
made me wonder how was this working at all... Then, I looked at the hdl code and this seems to be the trick: combined with: But yeah, my hdl knowledge is very limited so I might be misreading this at all :) One thing that came to my attention was the |
Agreed. I came to the same conclusion.
The SPI engine wiki pages say that each engine could have more than one offload, so that is probably what it is for. Writing to the same same register for offload number 0 as a sort of FIFO makes sense now. |
Hmm that makes sense... I think we don't have any project using more than one offload block so I would likely keep it simple for now. |
This applies to offload support that hasn't been upstreamed yet.
In
spi_engine_offload_load_msg()
, the tx buffer of each spi xfer is copied to the SPI engine memory-mapped registers.linux/drivers/spi/spi-axi-spi-engine.c
Lines 364 to 370 in b8d0e51
According to the SPI framework,
xfer->len
is the length ofxfer->tx_buf
in bytes. However the loop is iteratingbuf
which castsxfer->tx_buf
(a byte array) to a u32 array. There are two problems with this.xfer->tx_buf
is not aligned to 4 bytes, we get unaligned memory access.This is further complicated by #2299 which modifies
xfer->len
, so if we attempt to fix this issue without addressing #2299 first, then we will have a bug that not all of the tx buffer will be copied.The text was updated successfully, but these errors were encountered: