Check buffer pointer alignment, disallow using i64/u64 words in buffers

kalkyl · kalkyl · commit 21c280a9802a · 2020-09-17T23:44:21.000+02:00
diff --git a/examples/i2s-controller-demo/Cargo.toml b/examples/i2s-controller-demo/Cargo.toml
@@ -12,6 +12,7 @@ cortex-m = "0.6.2"
 cortex-m-rtic = "0.5.3"
 rtt-target = {version = "0.2.0", features = ["cortex-m"] }
 nrf52840-hal = { features = ["rt"], path = "../../nrf52840-hal" }
+aligned = "0.3.4"
 heapless = "0.5.5"
 small_morse = "0.1.0"
 
diff --git a/examples/i2s-controller-demo/src/main.rs b/examples/i2s-controller-demo/src/main.rs
@@ -5,6 +5,7 @@
 // Generates Morse code audio signals for text from UART, playing back over I2S
 // Tested with nRF52840-DK and a UDA1334a DAC
 
+use aligned::{Aligned, A4};
 use embedded_hal::digital::v2::{InputPin, OutputPin};
 use heapless::{
     consts::*,
@@ -51,8 +52,9 @@ const APP: () = {
 
     #[init(resources = [queue], spawn = [tick])]
     fn init(mut ctx: init::Context) -> init::LateResources {
-        static mut MUTE_BUF: [i16; 32] = [0i16; 32];
-        static mut SIGNAL_BUF: [i16; 32] = [0i16; 32];
+        // The I2S buffer address must be 4 byte aligned.
+        static mut MUTE_BUF: Aligned<A4, [i16; 32]> = Aligned([0i16; 32]);
+        static mut SIGNAL_BUF: Aligned<A4, [i16; 32]> = Aligned([0i16; 32]);
 
         // Fill signal buffer with triangle waveform, 2 channels interleaved
         let len = SIGNAL_BUF.len() / 2;
diff --git a/examples/i2s-peripheral-demo/Cargo.toml b/examples/i2s-peripheral-demo/Cargo.toml
@@ -12,6 +12,7 @@ cortex-m = "0.6.2"
 cortex-m-rtic = "0.5.3"
 rtt-target = {version = "0.2.0", features = ["cortex-m"] }
 nrf52840-hal = { features = ["rt"], path = "../../nrf52840-hal" }
+aligned = "0.3.4"
 
 [dependencies.embedded-hal]
 version = "0.2.3"
diff --git a/examples/i2s-peripheral-demo/src/main.rs b/examples/i2s-peripheral-demo/src/main.rs
@@ -4,6 +4,7 @@
 // I2S `peripheral mode` demo
 // Signal average level indicator using an RGB LED (APA102 on ItsyBitsy nRF52840)
 
+use aligned::{Aligned, A4};
 use embedded_hal::blocking::spi::Write;
 use {
     core::{
@@ -29,12 +30,13 @@ const RED: [u8; 9] = [0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x10, 0xFF];
 const APP: () = {
     struct Resources {
         rgb: Spim<SPIM0>,
-        transfer: Option<Transfer<&'static mut [i16; 128]>>,
+        transfer: Option<Transfer<&'static mut [i16]>>,
     }
 
     #[init]
     fn init(ctx: init::Context) -> init::LateResources {
-        static mut RX_BUF: [i16; 128] = [0; 128];
+        // The I2S buffer address must be 4 byte aligned.
+        static mut RX_BUF: Aligned<A4, [i16; 128]> = Aligned([0; 128]);
 
         let _clocks = hal::clocks::Clocks::new(ctx.device.CLOCK).enable_ext_hfosc();
         rtt_init_print!();
@@ -78,7 +80,7 @@ const APP: () = {
         );
         init::LateResources {
             rgb,
-            transfer: i2s.rx(RX_BUF).ok(),
+            transfer: i2s.rx(&mut RX_BUF[..]).ok(),
         }
     }
 
@@ -87,7 +89,7 @@ const APP: () = {
         let (rx_buf, i2s) = ctx.resources.transfer.take().unwrap().wait();
         if i2s.is_event_triggered(I2SEvent::RxPtrUpdated) {
             i2s.reset_event(I2SEvent::RxPtrUpdated);
-            //Calculate mono summed average of received buffer
+            // Calculate mono summed average of received buffer
             let avg = (rx_buf.iter().map(|x| (*x).abs() as u32).sum::<u32>() / rx_buf.len() as u32)
                 as u16;
             let color = match avg {
diff --git a/nrf-hal-common/src/i2s.rs b/nrf-hal-common/src/i2s.rs
@@ -259,14 +259,20 @@ impl I2S {
             _ => Channels::Right,
         }
     }
+
     /// Receives data into the given `buffer` until it's filled.
+    /// Buffer address must be 4 byte aligned and located in RAM.
     /// Returns a value that represents the in-progress DMA transfer.
     #[allow(unused_mut)]
     pub fn rx<W, B>(mut self, mut buffer: B) -> Result<Transfer<B>, Error>
     where
+        W: SupportedWordSize,
         B: WriteBuffer<Word = W>,
     {
         let (ptr, len) = unsafe { buffer.write_buffer() };
+        if ptr as u32 % 4 != 0 {
+            return Err(Error::BufferMisaligned);
+        }
         let maxcnt = (len / (core::mem::size_of::<u32>() / core::mem::size_of::<W>())) as u32;
         if maxcnt > MAX_DMA_MAXCNT {
             return Err(Error::BufferTooLong);
@@ -283,7 +289,8 @@ impl I2S {
 
     /// Full duplex DMA transfer.
     /// Transmits the given `tx_buffer` while simultaneously receiving data
-    /// into the given `rx_buffer` until it is filled. The buffers must be of equal size.
+    /// into the given `rx_buffer` until it is filled.
+    /// The buffers must be of equal size and their addresses must be 4 byte aligned and located in RAM.
     /// Returns a value that represents the in-progress DMA transfer.
     #[allow(unused_mut)]
     pub fn transfer<W, TxB, RxB>(
@@ -292,11 +299,15 @@ impl I2S {
         mut rx_buffer: RxB,
     ) -> Result<TransferFullDuplex<TxB, RxB>, Error>
     where
+        W: SupportedWordSize,
         TxB: ReadBuffer<Word = W>,
         RxB: WriteBuffer<Word = W>,
     {
         let (rx_ptr, rx_len) = unsafe { rx_buffer.write_buffer() };
         let (tx_ptr, tx_len) = unsafe { tx_buffer.read_buffer() };
+        if tx_ptr as u32 % 4 != 0 || rx_ptr as u32 % 4 != 0 {
+            return Err(Error::BufferMisaligned);
+        }
         let maxcnt = (tx_len / (core::mem::size_of::<u32>() / core::mem::size_of::<W>())) as u32;
         if tx_len != rx_len {
             return Err(Error::BuffersDontMatch);
@@ -328,13 +339,18 @@ impl I2S {
     }
 
     /// Transmits the given `tx_buffer`.
+    /// Buffer address must be 4 byte aligned and located in RAM.
     /// Returns a value that represents the in-progress DMA transfer.
     #[allow(unused_mut)]
     pub fn tx<W, B>(mut self, buffer: B) -> Result<Transfer<B>, Error>
     where
+        W: SupportedWordSize,
         B: ReadBuffer<Word = W>,
     {
         let (ptr, len) = unsafe { buffer.read_buffer() };
+        if ptr as u32 % 4 != 0 {
+            return Err(Error::BufferMisaligned);
+        }
         let maxcnt = (len / (core::mem::size_of::<u32>() / core::mem::size_of::<W>())) as u32;
         if maxcnt > MAX_DMA_MAXCNT {
             return Err(Error::BufferTooLong);
@@ -468,6 +484,7 @@ pub enum Error {
     DMABufferNotInDataMemory,
     BufferTooLong,
     BuffersDontMatch,
+    BufferMisaligned,
 }
 
 /// I2S Mode
@@ -650,3 +667,22 @@ impl<TxB, RxB> Drop for TransferFullDuplex<TxB, RxB> {
         }
     }
 }
+
+pub trait SupportedWordSize: private::Sealed {}
+impl private::Sealed for i8 {}
+impl SupportedWordSize for i8 {}
+impl private::Sealed for u8 {}
+impl SupportedWordSize for u8 {}
+impl private::Sealed for i16 {}
+impl SupportedWordSize for i16 {}
+impl private::Sealed for u16 {}
+impl SupportedWordSize for u16 {}
+impl private::Sealed for i32 {}
+impl SupportedWordSize for i32 {}
+impl private::Sealed for u32 {}
+impl SupportedWordSize for u32 {}
+
+mod private {
+    /// Prevents code outside of the parent module from implementing traits.
+    pub trait Sealed {}
+}
