On 11/7/19 3:19 PM, Andrew Murray wrote: > On Thu, Nov 07, 2019 at 12:37:44AM +0100, Marek Vasut wrote: >> On 10/26/19 10:36 PM, Andrew Murray wrote: >> [...]>> But this still leaves me with one open question -- how do I >> figure out >>>> what to program into the PCI controller inbound windows, so that the >>>> controller correctly filters inbound transfers which are targetting >>>> nonexisting memory ? >>> >>> Your driver should program into the RC->CPU windows, the exact ranges >>> described in the dma-ranges. Whilst also respecting the alignment and >>> max-size rules your controller has (e.g. the existing upstream logic >>> and also the new logic that recalculates the alignment per entry). >>> >>> As far as I can tell from looking at your U-Boot patch, I think I'd expect >>> a single dma-range to be presented in the DT, that describes >>> 0:0xFFFFFFFF => 0:0xFFFFFFFF. This is because 1) I understand your >>> controller is limited to 32 bits. And 2) there is a linear mapping between >>> PCI and CPU addresses (given that the second and third arguments on >>> pci_set_region are both the same). >>> >>> As you point out, this range includes lots of things that you don't >>> want the RC to touch - such as non-existent memory. This is OK, when >>> Linux programs addresses into the various EP's for them to DMA to host >>> memory, it uses its own logic to select addresses that are in RAM, the >>> purpose of the dma-range is to describe what the CPU RAM address looks >>> like from the perspective of the RC (for example if the RC was wired >>> with an offset such that made memory writes from the RC made to >>> 0x00000000 end up on the system map at 0x80000000, we need to tell Linux >>> about this offset. Otherwise when a EP device driver programs a DMA >>> address of a RAM buffer at 0x90000000, it'll end up targetting >>> 0x110000000. Thankfully our dma-range will tell Linux to apply an offset >>> such that the actual address written to the EP is 0x10000000.). >> >> I understand that Linux programs the endpoints correctly. However this >> still doesn't prevent the endpoint from being broken and from sending a >> transaction to that non-existent memory. > > Correct. > >> The PCI controller can prevent >> that and in an automotive SoC, I would very much like the PCI controller >> to do just that, rather than hope that the endpoint would always work. > > OK I understand - At least when working on the assumption that your RC will > block RC->CPU transactions that are not described in any of it's windows. > Thus you want to use the dma-ranges as a means to configure your controller > to do this. Yes > What actually happens if you have a broken endpoint that reads/writes to > non-existent memory on this hardware? Ideally the RC would generate a > CA or UR back to the endpoint - does something else happen? Lockup, dead RC, > performance issues? The behavior is undefined. > Using built-in features of the RC to prevent it from sending transactions > to non-existent addresses is clearly helpful. But of course it doesn't stop > a broken EP from writing to existent addresses, so only provides limited > protection. Correct. > Despite the good intentions here, it doesn't seem like dma-ranges is > designed for this purpose and as the hardware has limited ranges it will > only be best-effort. So what other options do we have ? -- Best regards, Marek Vasut
