lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180427184017.GI243180@google.com>
Date:   Fri, 27 Apr 2018 11:40:17 -0700
From:   Matthias Kaehlcke <mka@...omium.org>
To:     Lina Iyer <ilina@...eaurora.org>
Cc:     andy.gross@...aro.org, david.brown@...aro.org,
        linux-arm-msm@...r.kernel.org, linux-soc@...r.kernel.org,
        rnayak@...eaurora.org, bjorn.andersson@...aro.org,
        linux-kernel@...r.kernel.org, sboyd@...nel.org,
        evgreen@...omium.org, dianders@...omium.org
Subject: Re: [PATCH v6 05/10] drivers: qcom: rpmh-rsc: write sleep/wake
 requests to TCS

On Fri, Apr 27, 2018 at 11:39:43AM -0600, Lina Iyer wrote:
> On Wed, Apr 25 2018 at 15:41 -0600, Matthias Kaehlcke wrote:
> > On Thu, Apr 19, 2018 at 04:16:30PM -0600, Lina Iyer wrote:
> > > Sleep and wake requests are sent when the application processor
> > > subsystem of the SoC is entering deep sleep states like in suspend.
> > > These requests help lower the system power requirements when the
> > > resources are not in use.
> > > 
> > > Sleep and wake requests are written to the TCS slots but are not
> > > triggered at the time of writing. The TCS are triggered by the firmware
> > > after the last of the CPUs has executed its WFI. Since these requests
> > > may come in different batches of requests, it is the job of this
> > > controller driver to find and arrange the requests into the available
> > > TCSes.
> > > 
> > > Signed-off-by: Lina Iyer <ilina@...eaurora.org>
> > > Reviewed-by: Evan Green <evgreen@...omium.org>
> > > ---
> > >  drivers/soc/qcom/rpmh-internal.h |   8 +++
> > >  drivers/soc/qcom/rpmh-rsc.c      | 120 +++++++++++++++++++++++++++++++
> > >  2 files changed, 128 insertions(+)
> > > 
> > > diff --git a/drivers/soc/qcom/rpmh-internal.h b/drivers/soc/qcom/rpmh-internal.h
> > > index d9a21726e568..6e19fe458c31 100644
> > > --- a/drivers/soc/qcom/rpmh-internal.h
> > > +++ b/drivers/soc/qcom/rpmh-internal.h
> > 
> > <snip>
> > 
> > > +static int find_match(const struct tcs_group *tcs, const struct tcs_cmd *cmd,
> > > +		      int len)
> > > +{
> > > +	int i, j;
> > > +
> > > +	/* Check for already cached commands */
> > > +	for_each_set_bit(i, tcs->slots, MAX_TCS_SLOTS) {
> > > +		for (j = 0; j < len; j++) {
> > > +			if (tcs->cmd_cache[i] != cmd[0].addr) {
> > 
> > Shouldn't the condition be 'tcs->cmd_cache[i + j] != cmd[j].addr'?
> > 
> Here, we are trying to find the first address from the request and its
> position 'i' in the cmd_cache.
> 
> > Otherwise the code below the following if branch will never be
> > executed. Either the 'tcs->cmd_cache[i] != cmd[0].addr' branch isn't
> > entered because the addresses match, or the addresses don't match
> > and the inner loop is aborted after the first iteration.
> > 
> > > +				if (j == 0)
> > > +					break;
> > > +				WARN(tcs->cmd_cache[i + j] != cmd[j].addr,
> > > +				     "Message does not match previous sequence.\n");
> We now check for the sequence using the iterator 'j' only after we have
> found 'i' (the beginning of our request).
> 
> I hope that helps clear the concern.

It doesn't, maybe I'm just confused, the driver has a certain
complexity and I don't claim to have a comprehensive understanding :)

If I understand correctly find_match() is used to find a sequence of
commands of length 'len' in the command cache. If that is correct I
would expect it to do the following:

1. iterate through the commands in the command cache and find a
command that matches the first command in the sequence

2. verify that the (len - 1) subsequent commands match those in the
sequence, otherwise bail out

If I'm not mistaken the current version of find_match() only checks
that the first command exists. After that it happily increases the
command index, but doesn't perform any checks (after finding the first
command 'tcs->cmd_cache[i] != cmd[0].addr' remains false for the
subsequent values of j). When j reaches (len - 1) the function
returns the index of the first command in the cache, regardless of
whether the other commands match or not.

Please correct me if I'm just confused, I think the negative logic of
'tcs->cmd_cache[i] != cmd[0].addr' doesn't help the readability of the
code.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ