lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160416002647.GA391@tuxbot>
Date:	Fri, 15 Apr 2016 17:26:47 -0700
From:	Bjorn Andersson <bjorn.andersson@...aro.org>
To:	John Stultz <john.stultz@...aro.org>
Cc:	Ohad Ben-Cohen <ohad@...ery.com>, Rob Herring <robh+dt@...nel.org>,
	Suman Anna <s-anna@...com>,
	lkml <linux-kernel@...r.kernel.org>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>,
	"linux-arm-msm@...r.kernel.org" <linux-arm-msm@...r.kernel.org>,
	linux-remoteproc@...r.kernel.org,
	Bjorn Andersson <bjorn.andersson@...ymobile.com>
Subject: Re: [PATCH v2 4/9] remoteproc: Introduce Qualcomm WCNSS firmware
 loader

On Fri 15 Apr 13:17 PDT 2016, John Stultz wrote:

> On Mon, Mar 28, 2016 at 8:37 PM, Bjorn Andersson
> <bjorn.andersson@...aro.org> wrote:
> > From: Bjorn Andersson <bjorn.andersson@...ymobile.com>
> >
> > This introduces the peripheral image loader, for loading WCNSS firmware
> > and boot the core on e.g. MSM8974. The firmware is verified and booted
> > with the help of the Peripheral Authentication System (PAS) in
> > TrustZone.
> >
> > Signed-off-by: Bjorn Andersson <bjorn.andersson@...ymobile.com>
> > Signed-off-by: Bjorn Andersson <bjorn.andersson@...aro.org>
> > ---
> >
> > Changes since v1:
> > - Split iris definition into separate driver/dt-node
> > - Move constants from DT to code
> > - Make stop-state and some of interrupts optional to properly work on 8064
> > - Cleaned up and made mdt loader support relocation, which is needed on 8016.
> 
> Hey Bjorn,
>     As you know,  I've been successfully using this patchset along
> with a number of other patches in your trees to get wifi working on
> the 2013 Nexus7. So for that, this can get a Tested-by: John Stultz
> <john.stultz@...aro.org> :)
> 

Thanks!

> Though while I don't have much feedback on this specific driver, I am
> a little curious about how the bigger integrated picture should look.
> 
> Currently, after bootup, one must "echo start >
> /sys/kernel/debug/remoteproc/remoteproc0/state" to actually boot the
> remote processor.
> 
> One issue is that if I try to integrate that line into some of the
> bootup scripts, the system will hard hang. No panic, no OOPs, no
> watchdog reboot, just a full device lockup. So it seems like there
> needs to be some checks to ensure that whatever clks or otherhardware
> is needed are up and running.
> 

I do see a similar problem on 8974, if I enable "clock scaling" on the
RPM. My guess here is that while booting the WCNSS firmware it releases
some clock that we have not voted for, which makes the RPM pull the
carpet underneath us.

> Second, after booting when I do "echo start..." manually, on occasion
> I run into the case where while we're waiting for the firmware to
> finish loading and the remote proc to come up, wpa_supplicant kicks in
> and starts the wcnss driver, which tries to load the configuration
> firmware before the remoteproc is all the way up. This fails, and then
> usually a few seconds later there's a bad pointer traversal that
> Oopses the machine (dmesg log below)
> 

There are two cases I've seen this:
1) When the WLAN driver starts communicating with the WLAN part of the
firmware before the WCNSS part has informed us about it being fully
booted (and have accepted the NV).

2) When not being patient enough on the first message sent (after
passing #1).


I redesigned the solution to not probe the wifi (and bt) drivers before
we get the indication from the wcnss firmware, I believe that's what
you're running. So #1 should not be causing this.

I have not seen any additional handling for #2 in the downstream driver,
so perhaps we should just bump the timeout and accept that it's going to
take some time for the firmware to get ready. But further archaeological
efforts are needed to conclude this.

> This is clearly racy, and I wonder if the starting of the remoteproc
> is something that should be done by the wcnss driver which depends on
> it?  Though I'm not sure how this would be integrated.
> 

The race should be handled regardless.

But the question of who actually triggers the booting of the wifi
system is still an open one. All executing parts of the wcnss and wifi
driver follows the life cycle of the remote services, i.e. follows the
remoteproc life cycle - so they can't request the system to boot.

We could design it so that the life cycle follows module_init/exit of
the wcnss driver, but that's clunky and as we don't have the firmware
available until later during boot this requires us to have these as
modules (or figure out how to get async firmware loading that waits for
the partition to be mounted).


In the downstream kernel we can see a few different solutions:
- The wireless subsystem comes to life when you touch /dev/wlan, and I
  don't think you can shut it down.
- The application DSP has followed a few different models, one being
  tied 1:1 with a kernel module for the specific purpose of booting and
  stopping the core.
- The video coprocessor, follows the life cycle of the v4l driver - so
  that should be fine - except for the firmware not being available at
  probe time, so we're back at loading from a future file system.
- The modem is booted when a certain QMI service is being looked for.


In the Android case we could use the HALs and some reference counting to
keep the other CPUs running, but in a normal Linux system we don't have
something like this.

So this is still an open issue, that we have to spend more time on.

> thanks
> -john
> 
> 
> "echo start..." happened here...
> 
> [   46.719340]  remoteproc0: powering up 3204000.wcnss-rproc
> [   46.719486]  remoteproc0: Booting fw image wcnss.mdt, size 6804
> [   47.307160] qcom_wcnss_ctrl riva.wcnss: WCNSS Version 1.4 1.2
> [   47.321853] wcn36xx: mac address: 18:00:2d:88:9c:a9

Hey, that's my MAC address ;)

> 
> But, before loading is finished, wpa_supplicant starts up...
> 
> [   47.403815] init: Starting service 'wpa_supplicant'...
> [   47.749631] wcn36xx smd:riva@6:wcnss:wifi: loading
> /system/vendor/firmware/wlan/prima/WCNSS_qcom_wlan_nv.bin failed with
> error -13
> [   47.749824] wcn36xx smd:riva@6:wcnss:wifi: Direct firmware load for
> wlan/prima/WCNSS_qcom_wlan_nv.bin failed with error -2
> [   47.749841] wcn36xx smd:riva@6:wcnss:wifi: Falling back to user helper
> 
> (Note, this firmware load error above happens normally, and the
> userhelper usually has to save the day, this is probably a separate
> issue with the wcn36xx patches I'm using, and not an issue  with the
> remoteproc code)
> 

Yeah, I've seen some of that too. As you say it's unrelated, but we
should look into making this not shooting odd error messages at people.

> [   48.246701] wcn36xx: ERROR Timeout! No SMD response in 500ms
> [   48.246752] wcn36xx: ERROR Failed to push NV to chip
> [   48.268973] init: Service 'wpa_supplicant' (pid 1170) exited with status 255
> [   51.858442]  remoteproc0: remote processor 3204000.wcnss-rproc is now up
> [   67.543147] init: Starting service 'wpa_supplicant'...
> [   67.877434] wcn36xx: ERROR hal_load_nv response failed err=5

Hmm, 5...

I have not seen that since I figured out how to properly calibrate the
XO before booting the firmware. I'll replicate your setup and will see
if I can trigger this.

> [   67.877443] wcn36xx: ERROR Failed to push NV to chip
> [   67.891921] init: Service 'wpa_supplicant' (pid 1175) exited with status 255
> [   87.682962] Unable to handle kernel NULL pointer dereference at
> virtual address 00000038
> [   87.683324] pgd = e7d2c000
> [   87.691595] [00000038] *pgd=00000000
> [   87.697486] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> [   87.697658] CPU: 3 PID: 159 Comm: lmkd Not tainted
> 4.6.0-rc3-00095-ga08f5eb #1252
> [   87.703041] Hardware name: Qualcomm (Flattened Device Tree)
> [   87.710413] task: e7c69a00 ti: e7d30000 task.ti: e7d30000
> [   87.715798] PC is at kmem_cache_alloc+0x80/0x234
> [   87.721347] LR is at kmem_cache_alloc+0x40/0x234

This seems "unrelated", I wonder if either we or the remote is trashing
some memory when we're triggering this case.

Regards,
Bjorn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ