From 0fa758c3a069bc59a0d903d69028971c46d1a119 Mon Sep 17 00:00:00 2001 From: Corey Minyard Date: Mon, 24 Oct 2016 16:26:55 +0100 Subject: i2c: Fix SMBus read transactions to avoid double events Change 2293c27faddf (i2c: implement broadcast write) added broadcast capability to the I2C bus, but it broke SMBus read transactions. An SMBus read transaction does two i2c_start_transaction() calls without an intervening i2c_end_transfer() call. This will result in i2c_start_transfer() adding the same device to the current_devs list twice, and then the ->event() for the same device gets called twice in the second call to i2c_start_transfer(), resulting in the smbus code getting confused. Note that this happens even with pure I2C devices when simulating SMBus over I2C. This fix only scans the bus if the current set of devices is empty. This means that the current set of devices stays fixed until i2c_end_transfer() is called, which is really what you want. This also deletes the empty check from the top of i2c_end_transfer(). It's unnecessary, and it prevents the broadcast variable from being set to false at the end of the transaction if no devices were on the bus. Cc: KONRAD Frederic Cc: Alistair Francis Cc: Peter Crosthwaite Cc: Kwon Cc: Peter Maydell Signed-off-by: Corey Minyard Reviewed-by: KONRAD Frederic Tested-by: KONRAD Frederic Message-id: 1470153614-6657-1-git-send-email-minyard@acm.org Signed-off-by: Peter Maydell --- hw/i2c/core.c | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) (limited to 'hw/i2c') diff --git a/hw/i2c/core.c b/hw/i2c/core.c index 4afbe0b..bd8f167 100644 --- a/hw/i2c/core.c +++ b/hw/i2c/core.c @@ -104,15 +104,25 @@ int i2c_start_transfer(I2CBus *bus, uint8_t address, int recv) bus->broadcast = true; } - QTAILQ_FOREACH(kid, &bus->qbus.children, sibling) { - DeviceState *qdev = kid->child; - I2CSlave *candidate = I2C_SLAVE(qdev); - if ((candidate->address == address) || (bus->broadcast)) { - node = g_malloc(sizeof(struct I2CNode)); - node->elt = candidate; - QLIST_INSERT_HEAD(&bus->current_devs, node, next); - if (!bus->broadcast) { - break; + /* + * If there are already devices in the list, that means we are in + * the middle of a transaction and we shouldn't rescan the bus. + * + * This happens with any SMBus transaction, even on a pure I2C + * device. The interface does a transaction start without + * terminating the previous transaction. + */ + if (QLIST_EMPTY(&bus->current_devs)) { + QTAILQ_FOREACH(kid, &bus->qbus.children, sibling) { + DeviceState *qdev = kid->child; + I2CSlave *candidate = I2C_SLAVE(qdev); + if ((candidate->address == address) || (bus->broadcast)) { + node = g_malloc(sizeof(struct I2CNode)); + node->elt = candidate; + QLIST_INSERT_HEAD(&bus->current_devs, node, next); + if (!bus->broadcast) { + break; + } } } } @@ -137,10 +147,6 @@ void i2c_end_transfer(I2CBus *bus) I2CSlaveClass *sc; I2CNode *node, *next; - if (QLIST_EMPTY(&bus->current_devs)) { - return; - } - QLIST_FOREACH_SAFE(node, &bus->current_devs, next, next) { sc = I2C_SLAVE_GET_CLASS(node->elt); if (sc->event) { -- cgit v1.1 From cc083d8a25e0a886c3cd4bea0bf57ac4e896fa3f Mon Sep 17 00:00:00 2001 From: Corey Minyard Date: Mon, 24 Oct 2016 10:42:33 -0500 Subject: i2c: Add asserts for second smbus i2c_start_transfer() Some SMBus operations restart the transfer to convert from write to read mode without an intervening i2c_end_transfer(). The second call cannot fail, so the return code is unchecked, but this causes Coverity to complain. So add some asserts and documentation about this. Signed-off-by: Corey Minyard Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/i2c/core.c | 7 ++++++- hw/i2c/smbus.c | 12 +++++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'hw/i2c') diff --git a/hw/i2c/core.c b/hw/i2c/core.c index bd8f167..abd4c4c 100644 --- a/hw/i2c/core.c +++ b/hw/i2c/core.c @@ -88,7 +88,12 @@ int i2c_bus_busy(I2CBus *bus) return !QLIST_EMPTY(&bus->current_devs); } -/* Returns non-zero if the address is not valid. */ +/* + * Returns non-zero if the address is not valid. If this is called + * again without an intervening i2c_end_transfer(), like in the SMBus + * case where the operation is switched from write to read, this + * function will not rescan the bus and thus cannot fail. + */ /* TODO: Make this handle multiple masters. */ int i2c_start_transfer(I2CBus *bus, uint8_t address, int recv) { diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c index 3979b3d..5b4dd3e 100644 --- a/hw/i2c/smbus.c +++ b/hw/i2c/smbus.c @@ -248,7 +248,9 @@ int smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t command) return -1; } i2c_send(bus, command); - i2c_start_transfer(bus, addr, 1); + if (i2c_start_transfer(bus, addr, 1)) { + assert(0); + } data = i2c_recv(bus); i2c_nack(bus); i2c_end_transfer(bus); @@ -273,7 +275,9 @@ int smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command) return -1; } i2c_send(bus, command); - i2c_start_transfer(bus, addr, 1); + if (i2c_start_transfer(bus, addr, 1)) { + assert(0); + } data = i2c_recv(bus); data |= i2c_recv(bus) << 8; i2c_nack(bus); @@ -302,7 +306,9 @@ int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data) return -1; } i2c_send(bus, command); - i2c_start_transfer(bus, addr, 1); + if (i2c_start_transfer(bus, addr, 1)) { + assert(0); + } len = i2c_recv(bus); if (len > 32) { len = 0; -- cgit v1.1