lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <433332bb-e066-e752-7204-e4df336e4c95@suse.cz>
Date:   Wed, 22 May 2019 11:01:34 +0200
From:   Jiri Slaby <jslaby@...e.cz>
To:     Arnaud Pouliquen <arnaud.pouliquen@...com>,
        xiang xiao <xiaoxiang781216@...il.com>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, Ohad Ben-Cohen <ohad@...ery.com>
Cc:     Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        linux-stm32@...md-mailman.stormreply.com,
        Fabien DESSENNE <fabien.dessenne@...com>
Subject: Re: [PATCH v3 2/2] tty: add rpmsg driver

On 17. 05. 19, 16:27, Arnaud Pouliquen wrote:
> This driver exposes a standard tty interface on top of the rpmsg
> framework through the "rpmsg-tty-channel" rpmsg service.
> 
> This driver supports multi-instances, offering a /dev/ttyRPMSGx entry
> per rpmsg endpoint.
> 
> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@...com>
> Signed-off-by: Fabien Dessenne <fabien.dessenne@...com>
> ---
>  Documentation/serial/tty_rpmsg.txt |  38 +++
>  drivers/tty/Kconfig                |   9 +
>  drivers/tty/Makefile               |   1 +
>  drivers/tty/rpmsg_tty.c            | 479 +++++++++++++++++++++++++++++++++++++
>  4 files changed, 527 insertions(+)
>  create mode 100644 Documentation/serial/tty_rpmsg.txt
>  create mode 100644 drivers/tty/rpmsg_tty.c
> 
> diff --git a/Documentation/serial/tty_rpmsg.txt b/Documentation/serial/tty_rpmsg.txt
> new file mode 100644
> index 000000000000..e069ed268a2b
> --- /dev/null
> +++ b/Documentation/serial/tty_rpmsg.txt
> @@ -0,0 +1,38 @@
> +
> +			The rpmsg TTY

Perhaps you should use rst nowadays.

> diff --git a/drivers/tty/rpmsg_tty.c b/drivers/tty/rpmsg_tty.c
> new file mode 100644
> index 000000000000..c7f53352acb6
> --- /dev/null
> +++ b/drivers/tty/rpmsg_tty.c
> @@ -0,0 +1,479 @@
...
> +struct rpmsg_tty_port {
> +	struct tty_port		port;	 /* TTY port data */
> +	int			id;	 /* TTY rpmsg index */
> +	struct rpmsg_device	*rpdev;	 /* rpmsg device */
> +	int			cts;	 /* remote reception status */

Just a nit, but if you move this int to the one above, you save some
bytes thanks to alignment and holes.

> +};
> +
> +typedef void (*rpmsg_tty_rx_cb_t)(struct rpmsg_device *, void *, int, void *,
> +				  u32);
> +
> +static void rpmsg_tty_data_handler(struct rpmsg_device *rpdev, void *data,
> +				   int len, void *priv, u32 src)
> +{
> +	struct rpmsg_tty_port *cport = dev_get_drvdata(&rpdev->dev);
> +	u8 *cbuf;
> +	int space;
> +
> +	dev_dbg(&rpdev->dev, "msg(<- src 0x%x) len %d\n", src, len);
> +
> +	if (!len)
> +		return;
> +
> +	space = tty_prepare_flip_string(&cport->port, &cbuf, len);
> +	if (space != len)
> +		dev_dbg(&rpdev->dev, "trunc buffer: available space is %d\n",
> +			len, space);
> +	if (space <= 0)
> +		return;
> +
> +	memcpy(cbuf, data, space);

Why is the above not tty_insert_flip_string_fixed_flag instead?

> +	tty_flip_buffer_push(&cport->port);
> +}
> +
> +static void rpmsg_tty_ctrl_handler(struct rpmsg_device *rpdev, void *data,
> +				   int len, void *priv, u32 src)
> +{
> +	struct rpmsg_tty_port *cport = dev_get_drvdata(&rpdev->dev);
> +	struct rpmsg_tty_ctrl *ctrl = data;
> +
> +	dev_dbg(&rpdev->dev, "%s: ctrl received %d\n", __func__, ctrl->ctrl);
> +	print_hex_dump_debug(__func__, DUMP_PREFIX_NONE, 16, 1, data, len,
> +			     true);
> +
> +	if (len <= sizeof(*ctrl)) {
> +		dev_err(&rpdev->dev, "%s: ctrl message invalid\n", __func__);
> +		return;
> +	}
> +
> +	if (ctrl->ctrl == DATA_TERM_READY) {

Could this be switch-case instead?

> +		/* Update the CTS according to remote RTS */
> +		if (!ctrl->values[0]) {
> +			cport->cts = 0;
> +		} else {
> +			cport->cts = 1;
> +			tty_port_tty_wakeup(&cport->port);
> +		}
> +	} else {
> +		dev_err(&rpdev->dev, "unknown control ID %d\n", ctrl->ctrl);
> +	}
> +}
> +
> +static const rpmsg_tty_rx_cb_t rpmsg_tty_handler[] = {
> +	[RPMSG_DATA] = rpmsg_tty_data_handler,
> +	[RPMSG_CTRL] = rpmsg_tty_ctrl_handler,
> +};
> +
> +static int rpmsg_tty_cb(struct rpmsg_device *rpdev, void *data, int len,
> +			void *priv, u32 src)
> +{
> +	struct rpmsg_tty_payload  *rbuf = data;
> +
> +	if (len <= sizeof(*rbuf) || rbuf->cmd > NUM_RPMSG_TTY_TYPE) {
> +		dev_err(&rpdev->dev, "Invalid message: size %d, type %d\n",
> +			len, rbuf->cmd);
> +		return -EINVAL;
> +	}
> +
> +	rpmsg_tty_handler[rbuf->cmd](rpdev, &rbuf->data,
> +				     len - sizeof(rbuf->cmd), priv, src);

Out-of-bound access if rbuf->cmd == NUM_RPMSG_TTY_TYPE, right? Nice hole.

> +
> +	return 0;
> +}
> +
> +static int rpmsg_tty_write_control(struct tty_struct *tty, u8 ctrl, u8 *values,
> +				   unsigned int n_value)
> +{
> +	struct rpmsg_tty_port *cport = idr_find(&tty_idr, tty->index);
> +	struct rpmsg_tty_payload *msg;
> +	struct rpmsg_tty_ctrl *m_ctrl;
> +	struct rpmsg_device *rpdev;
> +	unsigned int msg_size;
> +	int ret;
> +
> +	if (!cport) {
> +		dev_err(tty->dev, "cannot get cport\n");
> +		return -ENODEV;
> +	}
> +
> +	rpdev = cport->rpdev;
> +
> +	msg_size = sizeof(*msg) + sizeof(*m_ctrl) + n_value;
> +	msg = kzalloc(msg_size, GFP_KERNEL);
> +	if (!msg)
> +		return -ENOMEM;
> +
> +	msg->cmd = RPMSG_CTRL;
> +	m_ctrl =  (struct rpmsg_tty_ctrl *)&msg->data[0];
> +	m_ctrl->ctrl = DATA_TERM_READY;
> +	memcpy(m_ctrl->values, values, n_value);
> +
> +	ret = rpmsg_trysend(rpdev->ept, msg, msg_size);
> +	if (ret < 0) {
> +		dev_dbg(tty->dev, "cannot send control (%d)\n", ret);
> +		ret = 0;
> +	}
> +	kfree(msg);
> +
> +	return ret;
> +};
> +
> +static void rpmsg_tty_throttle(struct tty_struct *tty)
> +{
> +	u8 rts = 0;
> +
> +	/* Disable remote transmission */
> +	rpmsg_tty_write_control(tty, DATA_TERM_READY, &rts, 1);
> +};
> +
> +static void rpmsg_tty_unthrottle(struct tty_struct *tty)
> +{
> +	u8 rts = 1;
> +
> +	/* Enable remote transmission */
> +	rpmsg_tty_write_control(tty, DATA_TERM_READY, &rts, 1);
> +};
> +
> +static int rpmsg_tty_install(struct tty_driver *driver, struct tty_struct *tty)
> +{
> +	struct rpmsg_tty_port *cport = idr_find(&tty_idr, tty->index);
> +
> +	if (!cport) {
> +		dev_err(tty->dev, "cannot get cport\n");
> +		return -ENODEV;
> +	}

Set cport to driver_data?

> +
> +	return tty_port_install(&cport->port, driver, tty);
> +}
> +
> +static int rpmsg_tty_open(struct tty_struct *tty, struct file *filp)
> +{
> +	return tty_port_open(tty->port, tty, filp);
> +}
> +
> +static void rpmsg_tty_close(struct tty_struct *tty, struct file *filp)
> +{
> +	return tty_port_close(tty->port, tty, filp);
> +}
> +
> +static int rpmsg_tty_write(struct tty_struct *tty, const u8 *buf, int len)
> +{
> +	struct rpmsg_tty_port *cport = idr_find(&tty_idr, tty->index);

Get from driver_data?

> +	struct rpmsg_device *rpdev;
> +	int msg_size, msg_max_size, ret = 0;
> +	int cmd_sz = sizeof(struct rpmsg_tty_payload);
> +	u8 *tmpbuf;
> +
> +	if (!cport) {

This would be superflous then?

> +		dev_err(tty->dev, "cannot get cport\n");
> +		return -ENODEV;
> +	}
> +
> +	/* If cts not set, the message is not sent*/
> +	if (!cport->cts)
> +		return 0;
> +
> +	rpdev = cport->rpdev;
> +
> +	dev_dbg(&rpdev->dev, "%s: send msg from tty->index = %d, len = %d\n",
> +		__func__, tty->index, len);
> +	if (!buf) {

How can this happen?

> +		dev_err(&rpdev->dev, "buf shouldn't be null.\n");
> +		return -ENOMEM;
> +	}
> +
> +	msg_max_size = rpmsg_get_buf_payload_size(rpdev->ept);
> +	if (msg_max_size < 0)
> +		return msg_max_size;
> +
> +	msg_size = min(len + cmd_sz, msg_max_size);
> +	tmpbuf = kzalloc(msg_size, GFP_KERNEL);
> +	if (!tmpbuf)
> +		return -ENOMEM;
> +
> +	tmpbuf[0] = RPMSG_DATA;
> +	memcpy(&tmpbuf[cmd_sz], buf, msg_size - cmd_sz);

Just curious: could "msg_size - cmd_sz" overflow to negatives? i.e.
msg_max_size < sizeof(struct rpmsg_tty_payload)?

> +
> +	/*
> +	 * Try to send the message to remote processor, if failed return 0 as
> +	 * no data sent
> +	 */
> +	ret = rpmsg_trysend(rpdev->ept, (void *)tmpbuf, msg_size);

No need to cast.

> +	kfree(tmpbuf);
> +	if (ret) {
> +		dev_dbg(&rpdev->dev, "rpmsg_send failed: %d\n", ret);
> +		return 0;
> +	}
> +
> +	return msg_size - sizeof(struct rpmsg_tty_payload);

The latter is cmd_sz or not?

> +}
> +
> +static int rpmsg_tty_write_room(struct tty_struct *tty)
> +{
> +	struct rpmsg_tty_port *cport = idr_find(&tty_idr, tty->index);
> +	int space = 0;
> +
> +	if (!cport) {

The same as above.

> +		dev_err(tty->dev, "cannot get cport\n");
> +		return -ENODEV;
> +	}
> +
> +	/*
> +	 * Report the space in the rpmsg buffer, first byte is reserved to
> +	 * define the buffer type.
> +	 */
> +	if (cport->cts) {
> +		space = rpmsg_get_buf_payload_size(cport->rpdev->ept);
> +		space -= sizeof(struct rpmsg_tty_payload);
> +	}
> +
> +	return space;
> +}
> +
> +static const struct tty_operations rpmsg_tty_ops = {
> +	.install	= rpmsg_tty_install,
> +	.open		= rpmsg_tty_open,
> +	.close		= rpmsg_tty_close,
> +	.write		= rpmsg_tty_write,
> +	.write_room	= rpmsg_tty_write_room,
> +	.throttle	= rpmsg_tty_throttle,
> +	.unthrottle	= rpmsg_tty_unthrottle,
> +};
> +
> +static struct rpmsg_tty_port *rpmsg_tty_alloc_cport(void)
> +{
> +	struct rpmsg_tty_port *cport;
> +
> +	cport = kzalloc(sizeof(*cport), GFP_KERNEL);
> +	if (!cport)
> +		return ERR_PTR(-ENOMEM);
> +
> +	mutex_lock(&idr_lock);
> +	cport->id = idr_alloc(&tty_idr, cport, 0, MAX_TTY_RPMSG, GFP_KERNEL);
> +	mutex_unlock(&idr_lock);
> +
> +	if (cport->id < 0) {
> +		kfree(cport);
> +		return ERR_PTR(-ENOSPC);
> +	}
> +
> +	return cport;
> +}
> +
> +static void rpmsg_tty_release_cport(struct rpmsg_tty_port *cport)
> +{
> +	mutex_lock(&idr_lock);
> +	idr_remove(&tty_idr, cport->id);
> +	mutex_unlock(&idr_lock);
> +
> +	kfree(cport);
> +}
> +
> +static int rpmsg_tty_port_activate(struct tty_port *p, struct tty_struct *tty)
> +{
> +	/* Allocate the buffer we use for writing data */
> +	return tty_port_alloc_xmit_buf(p);
> +}
> +
> +static void rpmsg_tty_port_shutdown(struct tty_port *p)
> +{
> +	/* Free the write buffer */
> +	tty_port_free_xmit_buf(p);
> +}
> +
> +static void rpmsg_tty_dtr_rts(struct tty_port *port, int raise)
> +{
> +	struct rpmsg_tty_port *cport =
> +				container_of(port, struct rpmsg_tty_port, port);
> +
> +	pr_debug("%s: dtr_rts state %d\n", __func__, raise);
> +	if (!port->tty || !cport) {

The latter barely can happen given you use container_of above.

> +		pr_err("invalid port\n");
> +		return;
> +	}
> +
> +	cport->cts = raise;
> +
> +	if (raise)
> +		rpmsg_tty_unthrottle(port->tty);
> +	else
> +		rpmsg_tty_throttle(port->tty);
> +}
> +
> +static const struct tty_port_operations rpmsg_tty_port_ops = {
> +	.activate = rpmsg_tty_port_activate,
> +	.shutdown = rpmsg_tty_port_shutdown,
> +	.dtr_rts  = rpmsg_tty_dtr_rts,
> +};
> +
> +static int rpmsg_tty_probe(struct rpmsg_device *rpdev)
> +{
> +	struct rpmsg_tty_port *cport;
> +	struct device *dev = &rpdev->dev;
> +	struct device *tty_dev;
> +	int ret;
> +
> +	cport = rpmsg_tty_alloc_cport();
> +	if (IS_ERR(cport)) {
> +		dev_err(dev, "failed to alloc tty port\n");
> +		return PTR_ERR(cport);
> +	}
> +
> +	tty_port_init(&cport->port);
> +	cport->port.low_latency = cport->port.flags | ASYNC_LOW_LATENCY;

"|"? Not "&"? You should prepend "!!" in any way as low latency is 13th bit.

> +	cport->port.ops = &rpmsg_tty_port_ops;
> +
> +	tty_dev = tty_port_register_device(&cport->port, rpmsg_tty_driver,
> +					   cport->id, dev);
> +	if (IS_ERR(tty_dev)) {
> +		dev_err(dev, "failed to register tty port\n");
> +		ret = PTR_ERR(tty_dev);
> +		goto  err_destroy;
> +	}
...
regards,
-- 
js
suse labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ