lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 27 Apr 2018 13:45:59 -0600
From:   Lina Iyer <ilina@...eaurora.org>
To:     Matthias Kaehlcke <mka@...omium.org>
Cc:     andy.gross@...aro.org, david.brown@...aro.org,
        linux-arm-msm@...r.kernel.org, linux-soc@...r.kernel.org,
        rnayak@...eaurora.org, bjorn.andersson@...aro.org,
        linux-kernel@...r.kernel.org, sboyd@...nel.org,
        evgreen@...omium.org, dianders@...omium.org
Subject: Re: [PATCH v6 05/10] drivers: qcom: rpmh-rsc: write sleep/wake
 requests to TCS

On Fri, Apr 27 2018 at 12:40 -0600, Matthias Kaehlcke wrote:
>On Fri, Apr 27, 2018 at 11:39:43AM -0600, Lina Iyer wrote:
>> On Wed, Apr 25 2018 at 15:41 -0600, Matthias Kaehlcke wrote:
>> > On Thu, Apr 19, 2018 at 04:16:30PM -0600, Lina Iyer wrote:
>> > > Sleep and wake requests are sent when the application processor
>> > > subsystem of the SoC is entering deep sleep states like in suspend.
>> > > These requests help lower the system power requirements when the
>> > > resources are not in use.
>> > >
>> > > Sleep and wake requests are written to the TCS slots but are not
>> > > triggered at the time of writing. The TCS are triggered by the firmware
>> > > after the last of the CPUs has executed its WFI. Since these requests
>> > > may come in different batches of requests, it is the job of this
>> > > controller driver to find and arrange the requests into the available
>> > > TCSes.
>> > >
>> > > Signed-off-by: Lina Iyer <ilina@...eaurora.org>
>> > > Reviewed-by: Evan Green <evgreen@...omium.org>
>> > > ---
>> > >  drivers/soc/qcom/rpmh-internal.h |   8 +++
>> > >  drivers/soc/qcom/rpmh-rsc.c      | 120 +++++++++++++++++++++++++++++++
>> > >  2 files changed, 128 insertions(+)
>> > >
>> > > diff --git a/drivers/soc/qcom/rpmh-internal.h b/drivers/soc/qcom/rpmh-internal.h
>> > > index d9a21726e568..6e19fe458c31 100644
>> > > --- a/drivers/soc/qcom/rpmh-internal.h
>> > > +++ b/drivers/soc/qcom/rpmh-internal.h
>> >
>> > <snip>
>> >
>> > > +static int find_match(const struct tcs_group *tcs, const struct tcs_cmd *cmd,
>> > > +		      int len)
>> > > +{
>> > > +	int i, j;
>> > > +
>> > > +	/* Check for already cached commands */
>> > > +	for_each_set_bit(i, tcs->slots, MAX_TCS_SLOTS) {
>> > > +		for (j = 0; j < len; j++) {
>> > > +			if (tcs->cmd_cache[i] != cmd[0].addr) {
>> >
>> > Shouldn't the condition be 'tcs->cmd_cache[i + j] != cmd[j].addr'?
>> >
>> Here, we are trying to find the first address from the request and its
>> position 'i' in the cmd_cache.
>>
>> > Otherwise the code below the following if branch will never be
>> > executed. Either the 'tcs->cmd_cache[i] != cmd[0].addr' branch isn't
>> > entered because the addresses match, or the addresses don't match
>> > and the inner loop is aborted after the first iteration.
>> >
>> > > +				if (j == 0)
>> > > +					break;
>> > > +				WARN(tcs->cmd_cache[i + j] != cmd[j].addr,
>> > > +				     "Message does not match previous sequence.\n");
>> We now check for the sequence using the iterator 'j' only after we have
>> found 'i' (the beginning of our request).
>>
>> I hope that helps clear the concern.
>
>It doesn't, maybe I'm just confused, the driver has a certain
>complexity and I don't claim to have a comprehensive understanding :)
>
>If I understand correctly find_match() is used to find a sequence of
>commands of length 'len' in the command cache. If that is correct I
>would expect it to do the following:
>
>1. iterate through the commands in the command cache and find a
>command that matches the first command in the sequence
>
>2. verify that the (len - 1) subsequent commands match those in the
>sequence, otherwise bail out
>
>If I'm not mistaken the current version of find_match() only checks
>that the first command exists. After that it happily increases the
>command index, but doesn't perform any checks (after finding the first
>command 'tcs->cmd_cache[i] != cmd[0].addr' remains false for the
>subsequent values of j). When j reaches (len - 1) the function
>returns the index of the first command in the cache, regardless of
>whether the other commands match or not.
>
Did you miss the check inside the WARN?
WARN(tcs->cmd_cache[i + j] != cmd[j].addr,

--Lina

Powered by blists - more mailing lists