+23
−5
Loading
spi: spidev: only use up TX/RX bounce buffer space when needed
This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by:Ian Abbott <abbotti@mev.co.uk> Signed-off-by: