From nobody Sun May 11 20:57:46 2025
From: Jamin Lin via <qemu-devel@nongnu.org>
Reply-to: Jamin Lin <jamin_lin@aspeedtech.com>
To: Philippe Mathieu-Daudé <philmd@linaro.org>, Bin Meng <bmeng.cn@gmail.com>, "open list:SD (Secure Card)" <qemu-block@nongnu.org>, "open list:All patches CC here" <qemu-devel@nongnu.org>
CC: <jamin_lin@aspeedtech.com>, <troy_lee@aspeedtech.com>, <yunlin.tang@aspeedtech.com>
Subject: [PATCH v2 1/2] hw/sd/sdhci: Fix boundary_count overflow in sdhci_sdma_transfer_multi_blocks
Date: Fri, 13 Dec 2024 11:12:04 +0800
Message-ID: <20241213031205.641009-2-jamin_lin@aspeedtech.com>
In-Reply-To: <20241213031205.641009-1-jamin_lin@aspeedtech.com>
References: <20241213031205.641009-1-jamin_lin@aspeedtech.com>

How to reproduce it:
1. The value of "s->blksize" was 0x7200. The bits[14:12] were "111", so the buffer boundary was 0x80000 (512 Kbytes). This SDMA buffer boundary was the same as the u-boot default value. The bits[11:0] were "001000000000", so the block size was 0x200 (512 bytes).
2. The SDMA address was 0x83123456, which was not page aligned, and "s->sdmasysad % boundary_chk" was 0x23456. The value of boundary_count was 0x5cbaa ("boundary_chk - (s->sdmasysad % boundary_chk)" --> "(0x80000 - 0x23456)").

However, boundary_count did not align to the block size of 512 bytes and the SDMA address was not page aligned (0x80000), so the following if-statement was never true,

```
if (((boundary_count + begin) < block_size) && page_aligned)
```

Finally, it caused boundary_count overflow because its data type was uint32_t. Ex: the last boundary_count was 0x1aa and "0x1aa - 0x200" became "0xffffffaa". It is the wrong behavior.

To fix it, change to check boundary_count smaller than block size if system address did not page align.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> --- hw/sd/sdhci.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 37875c02c3..f1a329fdaf 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -618,7 +618,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState= *s) sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size); } begin =3D s->data_count; - if (((boundary_count + begin) < block_size) && page_aligned) { + if (((boundary_count + begin) < block_size) && !page_aligned) { s->data_count =3D boundary_count + begin; boundary_count =3D 0; } else { @@ -634,7 +634,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState= *s) if (s->data_count =3D=3D block_size) { s->data_count =3D 0; } - if (page_aligned && boundary_count =3D=3D 0) { + if (boundary_count =3D=3D 0) { break; } } @@ -642,7 +642,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState= *s) s->prnsts |=3D SDHC_DOING_WRITE; while (s->blkcnt) { begin =3D s->data_count; - if (((boundary_count + begin) < block_size) && page_aligned) { + if (((boundary_count + begin) < block_size) && !page_aligned) { s->data_count =3D boundary_count + begin; boundary_count =3D 0; } else { 
@@ -659,7 +659,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState= *s) s->blkcnt--; } } - if (page_aligned && boundary_count =3D=3D 0) { + if (boundary_count =3D=3D 0) { break; } } --=20 2.34.1 From nobody Sun May 11 20:57:46 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1734059617; cv=none; d=zohomail.com; s=zohoarc; b=J0aF0wNpaf01EcwrQEy+nNaVRYX7LtF1L6y1qYlGNQOgdO1A3X0cB1OyoZic3GDuZDy2OhC8ys6cGsmlnekqWptoHjB6kf6euS/7hCz1TExlMd3ZapXPsZB7oRKlZS3ga5mjV+oRO3xl6FB8tKeqLqopXUdBJ+K+oaVfAh7YR1g= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1734059617; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id; bh=KOnarFiWyQxP57HlPbagoa3HahoBjhy7wQ2EuIQJAHs=; b=cESFrmZKZ0BNEdgkP4I62FOksYcRfIn4wF7+OWWmMqAHejPPBCMqe2d/BHKuHyYwhmY1RqJyxXUS1KxDP3beaXWC1fVli9xBc07vqZhHKs5yXZD/FeYT2OQhLIXngVBDCw1pY7jm5J3NpUpGBbCLVdMXBJW7/tOLwopNGzoCP3g= ARC-Authentication-Results: i=1; mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from=<qemu-devel@nongnu.org> (p=none dis=none) Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org> Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1734059617594763.5487583422373; Thu, 12 Dec 2024 19:13:37 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <qemu-devel-bounces@nongnu.org>) id 
1tLw6Z-0001r7-B3; Thu, 12 Dec 2024 22:12:39 -0500
From: Jamin Lin via <qemu-devel@nongnu.org>
Reply-to: Jamin Lin <jamin_lin@aspeedtech.com>
To: Philippe Mathieu-Daudé <philmd@linaro.org>, Bin Meng <bmeng.cn@gmail.com>, "open list:SD (Secure Card)" <qemu-block@nongnu.org>, "open list:All patches CC here" <qemu-devel@nongnu.org>
CC: <jamin_lin@aspeedtech.com>, <troy_lee@aspeedtech.com>, <yunlin.tang@aspeedtech.com>
Subject: [PATCH v2 2/2] hw/sd/sdhci: Fix data transfer did not complete if data size is bigger than SDMA Buffer Boundary
Date: Fri, 13 Dec 2024 11:12:05 +0800
Message-ID: <20241213031205.641009-3-jamin_lin@aspeedtech.com>
In-Reply-To: <20241213031205.641009-1-jamin_lin@aspeedtech.com>
References: <20241213031205.641009-1-jamin_lin@aspeedtech.com>

According to the design of sdhci_sdma_transfer_multi_blocks, if the "s->blkcnt * 512" was bigger than the SDMA Buffer boundary, it breaks the while loop of data transfer and sets SDHC_NISEN_DMA in the normal interrupt status to notify the firmware that this SDMA boundary buffer Transfer Complete and firmware should set the system address of the next SDMA boundary buffer for the remaining data transfer.

However, after firmware set the system address of the next SDMA boundary buffer in the SDMA System Address Register (0x00), the SDHCI model did not restart the data transfer again. Finally, firmware broke the data transfer because firmware did not receive either the "DMA Interrupt" or the "Transfer Complete Interrupt" from the SDHCI model.

Error log from u-boot
```
sdhci_transfer_data: Transfer data timeout
** fs_devread read error - block
```

According to the following mention from SDMA System Address Register of SDHCI spec,
'''
This register contains the system memory address for an SDMA transfer in 32-bit addressing mode. When the Host Controller stops an SDMA transfer, this register shall point to the system address of the next contiguous data position. It can be accessed only if no transaction is executing (i.e., after a transaction has stopped). Reading this register during SDMA transfers may return an invalid value. The Host Driver shall initialize this register before starting an SDMA transaction. After SDMA has stopped, the next system address of the next contiguous data position can be read from this register. The SDMA transfer waits at the every boundary specified by the SDMA Buffer Boundary in the Block Size register. The Host Controller generates DMA Interrupt to request the Host Driver to update this register.
The Host Driver sets the next system address of the next data position to this regis= ter. When the most upper byte of this register (003h) is written, the Host Contr= oller restarts the SDMA transfer. ''', restart the data transfer if firmware writes the most upper byte of SDMA Sy= stem Address, s->blkcnt is bigger than 0 and SDHCI is in the data transfer state. Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> --- hw/sd/sdhci.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index f1a329fdaf..a632177735 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -1180,6 +1180,18 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t va= l, unsigned size) sdhci_sdma_transfer_single_block(s); } } + } else if (TRANSFERRING_DATA(s->prnsts)) { + s->sdmasysad =3D (s->sdmasysad & mask) | value; + MASKED_WRITE(s->sdmasysad, mask, value); + /* restarts the SDMA transfer if the most upper byte is writte= n */ + if ((s->sdmasysad & 0xFF000000) && s->blkcnt && + SDHC_DMA_TYPE(s->hostctl1) =3D=3D SDHC_CTRL_SDMA) { + if (s->trnmod & SDHC_TRNS_MULTI) { + sdhci_sdma_transfer_multi_blocks(s); + } else { + sdhci_sdma_transfer_single_block(s); + } + } } break; case SDHC_BLKSIZE: --=20 2.34.1
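
Review bot: In patch 1/2, in the hunks at @@ -618 and @@ -642 (the read and write loops), the guard that prevents the wrap described in the commit message now applies only when `!page_aligned`. The wrap ("0x1aa - 0x200" becoming "0xffffffaa") depends only on `boundary_count + begin` being smaller than `block_size`, so tying the guard to the alignment of the start address leaves the aligned case relying on the boundary being a whole multiple of the block size. Please either drop the alignment term from the condition or add a comment stating why the aligned case can never reach it, and add a regression test that uses the values from the commit message (blksize 0x7200, SDMA address 0x83123456).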
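
Review bot: In patch 1/2, in the hunks at @@ -634 and @@ -659, removing `page_aligned &&` from the break changes behaviour for every transfer that starts at an unaligned address, and the commit message does not mention it. Both loops now exit at `boundary_count == 0`, where with the old condition an unaligned start never took this break. Please describe this second change in the commit message and in a comment at the break, including what the guest has to do after the loop stops at the boundary, since the restart path only arrives with patch 2/2.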
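
Review bot: In patch 2/2, in the added `else if (TRANSFERRING_DATA(s->prnsts))` branch, the restart test `(s->sdmasysad & 0xFF000000)` checks that the top byte of the stored address is non-zero, not that the top byte was written, which is what the code comment and the quoted spec text require. As written, a write to the low bytes alone restarts the transfer whenever the stored address is at or above 0x01000000, and a full write of an address below 0x01000000 never restarts it. Derive the test from the access instead, for example `!(mask & 0xFF000000)`, given that `(s->sdmasysad & mask) | value` uses `mask` for the bytes that are preserved. Separately, `s->sdmasysad = (s->sdmasysad & mask) | value;` followed by `MASKED_WRITE(s->sdmasysad, mask, value);` appears to apply the same update twice; keep one of them.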
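
The arithmetic from the commit message of patch 1/2, as an added example (not code from the patch or from QEMU): it decodes the Block Size register value 0x7200, computes boundary_count for SDMA address 0x83123456, and drains it one block at a time with and without a short-remainder guard. The function names, `BLKSZ_MASK` and the simplified loop (data_count assumed to be 0) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BLKSZ_MASK 0x0fffu /* hypothetical name: bits [11:0] = block size */

/* Bits [14:12] select the SDMA buffer boundary: 4 KiB << n. */
static uint32_t sdma_boundary(uint16_t blksize)
{
    return 1u << (((blksize >> 12) & 0x7u) + 12);
}

/* boundary_chk - (sdmasysad % boundary_chk), as in the commit message. */
static uint32_t initial_boundary_count(uint16_t blksize, uint32_t sysad)
{
    uint32_t chk = sdma_boundary(blksize);
    return chk - (sysad % chk);
}

/*
 * Simplified model (assumption: data_count starts at 0). Consumes count one
 * block at a time. guard=false never takes the partial-block branch, so the
 * last subtraction wraps; guard=true clamps a short remainder to 0.
 */
static uint32_t drain(uint32_t count, uint32_t block, bool guard, bool *wrapped)
{
    *wrapped = false;
    while (count != 0 && block != 0) {
        if (count < block) {
            if (guard) {
                return 0;          /* stop exactly at the boundary */
            }
            *wrapped = true;
            return count - block;  /* uint32_t wrap, e.g. 0x1aa - 0x200 */
        }
        count -= block;
    }
    return 0;
}

int main(void)
{
    bool w;
    uint32_t bc = initial_boundary_count(0x7200, 0x83123456u);
    printf("boundary=0x%x block=0x%x boundary_count=0x%x\n",
           (unsigned)sdma_boundary(0x7200), 0x7200u & BLKSZ_MASK, (unsigned)bc);
    printf("unguarded: 0x%x\n", (unsigned)drain(bc, 0x200, false, &w));
    printf("guarded:   0x%x\n", (unsigned)drain(bc, 0x200, true, &w));
    return 0;
}
```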