Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'spi-fix-v6.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"As well as a few driver specific fixes we've got a core change here
which raises the hard coded limit on the number of devices we can
support on one SPI bus since some FPGA based systems are running into
the existing limit. This is not a good solution but it's one suitable
for this point in the release cycle, we should dynamically size the
relevant data structures which I hope will happen in the next couple
of merge windows.
We also pull in a MTD fix for the Qualcomm SNAND driver, the two fixes
cover the same issue and merging them together minimises bisection
issues"
* tag 'spi-fix-v6.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: cadence-quadspi: fix cleanup of rx_chan on failure paths
spi: spi-fsl-dspi: Clear completion counter before initiating transfer
spi: Raise limit on number of chip selects to 24
mtd: nand: qpic_common: prevent out of bounds access of BAM arrays
spi: spi-qpic-snand: reallocate BAM transactions
+61
-11
+26
-4
drivers/mtd/nand/qpic_common.c
+26
-4
drivers/mtd/nand/qpic_common.c
···
57
57
bam_txn_buf += sizeof(*bam_txn);
58
58
59
59
bam_txn->bam_ce = bam_txn_buf;
60
-
bam_txn_buf +=
61
-
sizeof(*bam_txn->bam_ce) * QPIC_PER_CW_CMD_ELEMENTS * num_cw;
60
+
bam_txn->bam_ce_nitems = QPIC_PER_CW_CMD_ELEMENTS * num_cw;
61
+
bam_txn_buf += sizeof(*bam_txn->bam_ce) * bam_txn->bam_ce_nitems;
62
62
63
63
bam_txn->cmd_sgl = bam_txn_buf;
64
-
bam_txn_buf +=
65
-
sizeof(*bam_txn->cmd_sgl) * QPIC_PER_CW_CMD_SGL * num_cw;
64
+
bam_txn->cmd_sgl_nitems = QPIC_PER_CW_CMD_SGL * num_cw;
65
+
bam_txn_buf += sizeof(*bam_txn->cmd_sgl) * bam_txn->cmd_sgl_nitems;
66
66
67
67
bam_txn->data_sgl = bam_txn_buf;
68
+
bam_txn->data_sgl_nitems = QPIC_PER_CW_DATA_SGL * num_cw;
68
69
69
70
init_completion(&bam_txn->txn_done);
70
71
···
239
238
struct bam_transaction *bam_txn = nandc->bam_txn;
240
239
u32 offset;
241
240
241
+
if (bam_txn->bam_ce_pos + size > bam_txn->bam_ce_nitems) {
242
+
dev_err(nandc->dev, "BAM %s array is full\n", "CE");
243
+
return -EINVAL;
244
+
}
245
+
242
246
bam_ce_buffer = &bam_txn->bam_ce[bam_txn->bam_ce_pos];
243
247
244
248
/* fill the command desc */
···
264
258
265
259
/* use the separate sgl after this command */
266
260
if (flags & NAND_BAM_NEXT_SGL) {
261
+
if (bam_txn->cmd_sgl_pos >= bam_txn->cmd_sgl_nitems) {
262
+
dev_err(nandc->dev, "BAM %s array is full\n",
263
+
"CMD sgl");
264
+
return -EINVAL;
265
+
}
266
+
267
267
bam_ce_buffer = &bam_txn->bam_ce[bam_txn->bam_ce_start];
268
268
bam_ce_size = (bam_txn->bam_ce_pos -
269
269
bam_txn->bam_ce_start) *
···
309
297
struct bam_transaction *bam_txn = nandc->bam_txn;
310
298
311
299
if (read) {
300
+
if (bam_txn->rx_sgl_pos >= bam_txn->data_sgl_nitems) {
301
+
dev_err(nandc->dev, "BAM %s array is full\n", "RX sgl");
302
+
return -EINVAL;
303
+
}
304
+
312
305
sg_set_buf(&bam_txn->data_sgl[bam_txn->rx_sgl_pos],
313
306
vaddr, size);
314
307
bam_txn->rx_sgl_pos++;
315
308
} else {
309
+
if (bam_txn->tx_sgl_pos >= bam_txn->data_sgl_nitems) {
310
+
dev_err(nandc->dev, "BAM %s array is full\n", "TX sgl");
311
+
return -EINVAL;
312
+
}
313
+
316
314
sg_set_buf(&bam_txn->data_sgl[bam_txn->tx_sgl_pos],
317
315
vaddr, size);
318
316
bam_txn->tx_sgl_pos++;
-5
drivers/spi/spi-cadence-quadspi.c
-5
drivers/spi/spi-cadence-quadspi.c
···
1960
1960
1961
1961
pm_runtime_enable(dev);
1962
1962
1963
-
if (cqspi->rx_chan) {
1964
-
dma_release_channel(cqspi->rx_chan);
1965
-
goto probe_setup_failed;
1966
-
}
1967
-
1968
1963
pm_runtime_set_autosuspend_delay(dev, CQSPI_AUTOSUSPEND_TIMEOUT);
1969
1964
pm_runtime_use_autosuspend(dev);
1970
1965
pm_runtime_get_noresume(dev);
+10
-1
drivers/spi/spi-fsl-dspi.c
+10
-1
drivers/spi/spi-fsl-dspi.c
···
983
983
if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
984
984
status = dspi_dma_xfer(dspi);
985
985
} else {
986
+
/*
987
+
* Reinitialize the completion before transferring data
988
+
* to avoid the case where it might remain in the done
989
+
* state due to a spurious interrupt from a previous
990
+
* transfer. This could falsely signal that the current
991
+
* transfer has completed.
992
+
*/
993
+
if (dspi->irq)
994
+
reinit_completion(&dspi->xfer_done);
995
+
986
996
dspi_fifo_write(dspi);
987
997
988
998
if (dspi->irq) {
989
999
wait_for_completion(&dspi->xfer_done);
990
-
reinit_completion(&dspi->xfer_done);
991
1000
} else {
992
1001
do {
993
1002
status = dspi_poll(dspi);
+16
drivers/spi/spi-qpic-snand.c
+16
drivers/spi/spi-qpic-snand.c
···
315
315
316
316
mtd_set_ooblayout(mtd, &qcom_spi_ooblayout);
317
317
318
+
/*
319
+
* Free the temporary BAM transaction allocated initially by
320
+
* qcom_nandc_alloc(), and allocate a new one based on the
321
+
* updated max_cwperpage value.
322
+
*/
323
+
qcom_free_bam_transaction(snandc);
324
+
325
+
snandc->max_cwperpage = cwperpage;
326
+
327
+
snandc->bam_txn = qcom_alloc_bam_transaction(snandc);
328
+
if (!snandc->bam_txn) {
329
+
dev_err(snandc->dev, "failed to allocate BAM transaction\n");
330
+
ret = -ENOMEM;
331
+
goto err_free_ecc_cfg;
332
+
}
333
+
318
334
ecc_cfg->cfg0 = FIELD_PREP(CW_PER_PAGE_MASK, (cwperpage - 1)) |
319
335
FIELD_PREP(UD_SIZE_BYTES_MASK, ecc_cfg->cw_data) |
320
336
FIELD_PREP(DISABLE_STATUS_AFTER_WRITE, 1) |
+8
include/linux/mtd/nand-qpic-common.h
+8
include/linux/mtd/nand-qpic-common.h
···
237
237
* @last_data_desc - last DMA desc in data channel (tx/rx).
238
238
* @last_cmd_desc - last DMA desc in command channel.
239
239
* @txn_done - completion for NAND transfer.
240
+
* @bam_ce_nitems - the number of elements in the @bam_ce array
241
+
* @cmd_sgl_nitems - the number of elements in the @cmd_sgl array
242
+
* @data_sgl_nitems - the number of elements in the @data_sgl array
240
243
* @bam_ce_pos - the index in bam_ce which is available for next sgl
241
244
* @bam_ce_start - the index in bam_ce which marks the start position ce
242
245
* for current sgl. It will be used for size calculation
···
258
255
struct dma_async_tx_descriptor *last_data_desc;
259
256
struct dma_async_tx_descriptor *last_cmd_desc;
260
257
struct completion txn_done;
258
+
259
+
unsigned int bam_ce_nitems;
260
+
unsigned int cmd_sgl_nitems;
261
+
unsigned int data_sgl_nitems;
262
+
261
263
struct_group(bam_positions,
262
264
u32 bam_ce_pos;
263
265
u32 bam_ce_start;