| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Apr 2020 10:29:06 +0200
From: Arnaud POULIQUEN <arnaud.pouliquen@...com>
To: <rishabhb@...eaurora.org>,
Clément Leger <cleger@...rayinc.com>
CC: linux-kernel <linux-kernel@...r.kernel.org>,
linux-remoteproc <linux-remoteproc@...r.kernel.org>,
Bjorn Andersson <bjorn.andersson@...aro.org>,
psodagud <psodagud@...eaurora.org>, tsoni <tsoni@...eaurora.org>,
sidgup <sidgup@...eaurora.org>,
<linux-remoteproc-owner@...r.kernel.org>
Subject: Re: [PATCH v2 1/2] remoteproc: Add character device interface
On 4/8/20 8:34 PM, rishabhb@...eaurora.org wrote:
> On 2020-04-06 08:58, Clément Leger wrote:
>> Hi Arnaud,
>>
>> ----- On 6 Apr, 2020, at 16:17, Arnaud Pouliquen arnaud.pouliquen@...com wrote:
>>
>>> Hi Clément,
>>>
>>> On 4/6/20 2:06 PM, Clément Leger wrote:
>>>> Hi Arnaud,
>>>>
>>>> ----- On 6 Apr, 2020, at 11:01, Arnaud Pouliquen arnaud.pouliquen@...com wrote:
>>>>
>>>>> On 4/3/20 9:13 PM, rishabhb@...eaurora.org wrote:
>>>>>> On 2020-04-02 10:28, Arnaud POULIQUEN wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> On 4/1/20 2:03 AM, Rishabh Bhatnagar wrote:
>>>>>>>> Add the character device interface for userspace applications.
>>>>>>>> This interface can be used in order to boot up and shutdown
>>>>>>>> remote subsystems. Currently there is only a sysfs interface
>>>>>>>> which the userspace clients can use. If a usersapce application
>>>>>>>> crashes after booting the remote processor does not get any
>>>>>>>> indication about the crash. It might still assume that the
>>>>>>>> application is running. For example modem uses remotefs service
>>>>>>>> to fetch data from disk/flash memory. If the remotefs service
>>>>>>>> crashes, modem keeps on requesting data which might lead to a
>>>>>>>> crash. Adding a character device interface makes the remote
>>>>>>>> processor tightly coupled with the user space application.
>>>>>>>> A crash of the application leads to a close on the file descriptors
>>>>>>>> therefore shutting down the remoteproc.
>>>>>>>
>>>>>>> Sorry I'm late in the discussion, I hope I've gone through the whole
>>>>>>> discussion so I don't reopen a closed point...
>>>>>>>
>>>>>>> Something here is not crystal clear to me so I'd rather share it...
>>>>>>>
>>>>>>> I suppose that you the automatic restart of the application is not possible to
>>>>>>> stop and restart the remote processor...
>>>>>> Yes correct, while we wait for the application to restart we might observe a
>>>>>> fatal crash.
>>>>>>>
>>>>>>> Why this use case can not be solved by a process monitor or a service
>>>>>>> in userland that detects the application crash and stop the remote
>>>>>>> firmware using
>>>>>>> the sysfs interface?
>>>>>>>
>>>>>> What happens in the case where the process monitor itself crashes? This is
>>>>>> actually the approach we follow in our downstream code. We have a central entity
>>>>>> in userspace that controls bootup/shutdown of some remote processors based on
>>>>>> the
>>>>>> votes from userspace clients. We have observed cases where this entity
>>>>>> itself crashes and remote processors are left hanging.
>>>>>
>>>>> Your description makes me feel like this patch is only a workaround of something
>>>>> that
>>>>> should be fixed in the userland, even if i understand that hanging is one of the
>>>>> most
>>>>> critical problem and have to be fixed.
>>>>> For instance, how to handle several applications that interact with the remote
>>>>> processor
>>>>> ( e.g. rpmsg service applications) how to stop and restart everything. Using the
>>>>> char
>>>>> device would probaly resolve only a part of the issue...
>>>>>
>>>>> I'm not aware about your environment and i'm not a userland expert. But what i
>>>>> still not
>>>>> understand why a parent process can not do the job...
>>>>> I just test a simple script on my side that treat the kill -9 of an application
>>>>> ("cat" in my case).
>>>>
>>>> This is not entirely true, if the parent process is killed with a SIGKILL, then
>>>> the process will not be able to handle anything and the remoteproc will still
>>>> be running.
>>>>
>>>> What I understood from Rishabh patch is a way to allow a single process handling
>>>> the rproc state. We have the same kind of need and currently, if the
>>>> user application crashes, then the rproc is still running (which happens).
>>>>
>>>>>
>>>>> #start the remote firmware
>>>>> cp $1 /lib/firmware/
>>>>> echo $1> /sys/class/remoteproc/remoteproc0/firmware
>>>>> echo start >/sys/class/remoteproc/remoteproc0/state
>>>>> #your binary
>>>>> cat /dev/kmsg
>>>>> # stop the remote firmware in case of crash (and potentially some other apps)
>>>>> echo stop >/sys/class/remoteproc/remoteproc0/state
>>>>>
>>>>
>>>> This is not really "production proof" and what happens if the application is
>>>> responsible of setting the firmware which might be jitted ?
>>>> And if the script receives the SIGKILL, then we are back to the same problem.
>>> Yes this is just a basic example, not an implementation which would depend on
>>> the
>>> environment. i'm just trying here to put forward a multi-process solution...and
>>> that I'm not an userland expert :).
>>>
>>>>
>>>> I really think, this is a step forward an easier and reliable use of the
>>>> remoteproc
>>>> on userland to guarantee a coherent rproc state even if host application
>>>> crashes.
> Yes what we want is simple mechanism where a single userspace process can boot/
> shutdown the remote processor in all scenarios. Adding more processes to monitor
> the already existing process might have 2 issues. One is there might be a delay
> between the application crash and process monitor getting to know about it and taking
> action. This might prove to be fatal in our case. Second, possibly the monitor can hang
> or get killed and is not deterministic.
>>>
>>> I can see 3 ways of handling an application crash:
>>> - just shutdown the firmware
>>> => can be done through char device
>>> - stop some other related processes and/or generate a remote proc crash dump for
>>> debug
>>> => /sysfs and/or debugfs
>>> - do nothing as you want a silence application reboot and re-attach to the
>>> running firmware
>>> => use sysfs
>>>
>>> I'm challenging the solution because splitting the API seems to me not a good
>>> solution.
>>
>> Completely ok with that, we have to fully understand the targeted usecase to
>> avoid implemented a flawed interface.
>>
>>> Now i wonder how it works for the other applications that are relying on some
>>> other
>>> kernel frameworks...
>>
>> For some other device, there is a chardev. The watchdog for intance uses a
>> /dev/watchdog. Regarding the gpio, it seems they are also using a chardev
>> and the sysfs interface is deprecated.
>>
>>> Perhaps the answer is that these frameworks don't use sysfs but char device.
>>> That would means that the sysfs solution is not the more adapted solution and
>>> perhaps we should migrate to a char device.
>>> But in this case, i think that it should implement the whole API and be
>>> exclusive with
>>> the syfs legacy API (so no sysfs or sysfs in read-only).
>>
>> I agree with that, if another interface must be defined, then it should
>> implement everything that is supported right now with the sysfs.
>>
> The other fields that sysfs exposes right now are firmware_name, name(rproc name),
> state. The targeted usecase was that these are configuration parameters specific
> to the remoteproc and should stay in the sysfs interface. Whereas char device
> should provide direct access to remoteproc device.
> It would make sense to use this interface in conjunction with sysfs
> interface, where you use /dev/remoteproc0 to boot/shutdown the remote processor
> sysfs entries to fine tune the parameters.
> Adding ioctls to implement all sysfs functionality seems like overkill to me. Let
> me know what you guys think.
In my opinion if we open the possibility of accessing to remoteproc through a char
device, we should move torwards a solution that would replace the sysfs.
In this case sysfs fields could be read-only, and the char devices would have to
support the different shutdown modes. This means that the auto shutdown should be
configurable (IOCTL?).
But I assume that the minimum could be to only disable write access on the "state" field
and handle the "auto shutdown" as an option of the char device.
Anyway it only my opinion, let Bjorn an Mathieu comment and decide :)
Regards,
Arnaud
>>
>> Clément
>>
>>>
>>> Regards,
>>> Arnaud
>>>
>>>>
>>>> Regards,
>>>>
>>>> Clément
>>>>
>>>>> Anyway, it's just my feeling, let other people give their feedback.
>>>>>
>>>>>>> I just want to be sure that there is no alternative to this, because
>>>>>>> having two ways
>>>>>>> for application to shutdown the firmware seems to me confusing...
>>>>>> Does making this interface optional/configurable helps?
>>>>>>>
>>>>>>> What about the opposite service, mean inform the application that the remote
>>>>>>> processor is crashed?
>>>>>>> Do you identify such need? or the "auto" crash recovery is sufficient?
>>>>>> Auto recovery works perfectly for us. Although there is a mechanism in
>>>>>> place using QMI(Qualcomm MSM interface) that can notify clients about remote
>>>>>> processor crash.
>>>>>
>>>>> Thanks for the information.
>>>>>
>>>>> Regards
>>>>> Arnaud
>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Arnaud
>>>>>>>>
>>>>>>>> Signed-off-by: Rishabh Bhatnagar <rishabhb@...eaurora.org>
>>>>>>>> ---
>>>>>>>> drivers/remoteproc/Kconfig | 9 +++
>>>>>>>> drivers/remoteproc/Makefile | 1 +
>>>>>>>> drivers/remoteproc/remoteproc_cdev.c | 100 +++++++++++++++++++++++++++++++
>>>>>>>> drivers/remoteproc/remoteproc_internal.h | 22 +++++++
>>>>>>>> include/linux/remoteproc.h | 2 +
>>>>>>>> 5 files changed, 134 insertions(+)
>>>>>>>> create mode 100644 drivers/remoteproc/remoteproc_cdev.c
>>>>>>>>
>>>>>>>> diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
>>>>>>>> index de3862c..6374b79 100644
>>>>>>>> --- a/drivers/remoteproc/Kconfig
>>>>>>>> +++ b/drivers/remoteproc/Kconfig
>>>>>>>> @@ -14,6 +14,15 @@ config REMOTEPROC
>>>>>>>>
>>>>>>>> if REMOTEPROC
>>>>>>>>
>>>>>>>> +config REMOTEPROC_CDEV
>>>>>>>> + bool "Remoteproc character device interface"
>>>>>>>> + help
>>>>>>>> + Say y here to have a character device interface for Remoteproc
>>>>>>>> + framework. Userspace can boot/shutdown remote processors through
>>>>>>>> + this interface.
>>>>>>>> +
>>>>>>>> + It's safe to say N if you don't want to use this interface.
>>>>>>>> +
>>>>>>>> config IMX_REMOTEPROC
>>>>>>>> tristate "IMX6/7 remoteproc support"
>>>>>>>> depends on ARCH_MXC
>>>>>>>> diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
>>>>>>>> index e30a1b1..b7d4f77 100644
>>>>>>>> --- a/drivers/remoteproc/Makefile
>>>>>>>> +++ b/drivers/remoteproc/Makefile
>>>>>>>> @@ -9,6 +9,7 @@ remoteproc-y += remoteproc_debugfs.o
>>>>>>>> remoteproc-y += remoteproc_sysfs.o
>>>>>>>> remoteproc-y += remoteproc_virtio.o
>>>>>>>> remoteproc-y += remoteproc_elf_loader.o
>>>>>>>> +obj-$(CONFIG_REMOTEPROC_CDEV) += remoteproc_cdev.o
>>>>>>>> obj-$(CONFIG_IMX_REMOTEPROC) += imx_rproc.o
>>>>>>>> obj-$(CONFIG_MTK_SCP) += mtk_scp.o mtk_scp_ipi.o
>>>>>>>> obj-$(CONFIG_OMAP_REMOTEPROC) += omap_remoteproc.o
>>>>>>>> diff --git a/drivers/remoteproc/remoteproc_cdev.c
>>>>>>>> b/drivers/remoteproc/remoteproc_cdev.c
>>>>>>>> new file mode 100644
>>>>>>>> index 0000000..8182bd1
>>>>>>>> --- /dev/null
>>>>>>>> +++ b/drivers/remoteproc/remoteproc_cdev.c
>>>>>>>> @@ -0,0 +1,100 @@
>>>>>>>> +// SPDX-License-Identifier: GPL-2.0-only
>>>>>>>> +/*
>>>>>>>> + * Character device interface driver for Remoteproc framework.
>>>>>>>> + *
>>>>>>>> + * Copyright (c) 2020, The Linux Foundation. All rights reserved.
>>>>>>>> + */
>>>>>>>> +
>>>>>>>> +#include <linux/cdev.h>
>>>>>>>> +#include <linux/fs.h>
>>>>>>>> +#include <linux/module.h>
>>>>>>>> +#include <linux/mutex.h>
>>>>>>>> +#include <linux/remoteproc.h>
>>>>>>>> +
>>>>>>>> +#include "remoteproc_internal.h"
>>>>>>>> +
>>>>>>>> +#define NUM_RPROC_DEVICES 64
>>>>>>>> +static dev_t rproc_cdev;
>>>>>>>> +static DEFINE_IDA(cdev_minor_ida);
>>>>>>>> +
>>>>>>>> +static int rproc_cdev_open(struct inode *inode, struct file *file)
>>>>>>>> +{
>>>>>>>> + struct rproc *rproc;
>>>>>>>> +
>>>>>>>> + rproc = container_of(inode->i_cdev, struct rproc, char_dev);
>>>>>>>> +
>>>>>>>> + if (!rproc)
>>>>>>>> + return -EINVAL;
>>>>>>>> +
>>>>>>>> + if (rproc->state == RPROC_RUNNING)
>>>>>>>> + return -EBUSY;
>>>>>>>> +
>>>>>>>> + return rproc_boot(rproc);
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static int rproc_cdev_release(struct inode *inode, struct file *file)
>>>>>>>> +{
>>>>>>>> + struct rproc *rproc;
>>>>>>>> +
>>>>>>>> + rproc = container_of(inode->i_cdev, struct rproc, char_dev);
>>>>>>>> +
>>>>>>>> + if (!rproc || rproc->state != RPROC_RUNNING)
>>>>>>>> + return -EINVAL;
>>>>>>>> +
>>>>>>>> + rproc_shutdown(rproc);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static const struct file_operations rproc_fops = {
>>>>>>>> + .open = rproc_cdev_open,
>>>>>>>> + .release = rproc_cdev_release,
>>>>>>>> +};
>>>>>>>> +
>>>>>>>> +int rproc_char_device_add(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + int ret, minor;
>>>>>>>> + dev_t cdevt;
>>>>>>>> +
>>>>>>>> + minor = ida_simple_get(&cdev_minor_ida, 0, NUM_RPROC_DEVICES,
>>>>>>>> + GFP_KERNEL);
>>>>>>>> + if (minor < 0) {
>>>>>>>> + dev_err(&rproc->dev, "%s: No more minor numbers left! rc:%d\n",
>>>>>>>> + __func__, minor);
>>>>>>>> + return -ENODEV;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + cdev_init(&rproc->char_dev, &rproc_fops);
>>>>>>>> + rproc->char_dev.owner = THIS_MODULE;
>>>>>>>> +
>>>>>>>> + cdevt = MKDEV(MAJOR(rproc_cdev), minor);
>>>>>>>> + ret = cdev_add(&rproc->char_dev, cdevt, 1);
>>>>>>>> + if (ret < 0)
>>>>>>>> + ida_simple_remove(&cdev_minor_ida, minor);
>>>>>>>> +
>>>>>>>> + rproc->dev.devt = cdevt;
>>>>>>>> + return ret;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +void rproc_char_device_remove(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + __unregister_chrdev(MAJOR(rproc->dev.devt), MINOR(rproc->dev.devt), 1,
>>>>>>>> + "rproc");
>>>>>>>> + ida_simple_remove(&cdev_minor_ida, MINOR(rproc->dev.devt));
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +void __init rproc_init_cdev(void)
>>>>>>>> +{
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + ret = alloc_chrdev_region(&rproc_cdev, 0, NUM_RPROC_DEVICES, "rproc");
>>>>>>>> + if (ret < 0) {
>>>>>>>> + pr_err("Failed to alloc rproc_cdev region, err %d\n", ret);
>>>>>>>> + return;
>>>>>>>> + }
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +void __exit rproc_exit_cdev(void)
>>>>>>>> +{
>>>>>>>> + __unregister_chrdev(MAJOR(rproc_cdev), 0, NUM_RPROC_DEVICES, "rproc");
>>>>>>>> +}
>>>>>>>> diff --git a/drivers/remoteproc/remoteproc_internal.h
>>>>>>>> b/drivers/remoteproc/remoteproc_internal.h
>>>>>>>> index 493ef92..28d61a1 100644
>>>>>>>> --- a/drivers/remoteproc/remoteproc_internal.h
>>>>>>>> +++ b/drivers/remoteproc/remoteproc_internal.h
>>>>>>>> @@ -47,6 +47,27 @@ struct dentry *rproc_create_trace_file(const char *name,
>>>>>>>> struct rproc *rproc,
>>>>>>>> int rproc_init_sysfs(void);
>>>>>>>> void rproc_exit_sysfs(void);
>>>>>>>>
>>>>>>>> +#ifdef CONFIG_REMOTEPROC_CDEV
>>>>>>>> +void rproc_init_cdev(void);
>>>>>>>> +void rproc_exit_cdev(void);
>>>>>>>> +int rproc_char_device_add(struct rproc *rproc);
>>>>>>>> +void rproc_char_device_remove(struct rproc *rproc);
>>>>>>>> +#else
>>>>>>>> +static inline void rproc_init_cdev(void)
>>>>>>>> +{
>>>>>>>> +}
>>>>>>>> +static inline void rproc_exit_cdev(void)
>>>>>>>> +{
>>>>>>>> +}
>>>>>>>> +static inline int rproc_char_device_add(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +static inline void rproc_char_device_remove(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> +}
>>>>>>>> +#endif
>>>>>>>> +
>>>>>>>> void rproc_free_vring(struct rproc_vring *rvring);
>>>>>>>> int rproc_alloc_vring(struct rproc_vdev *rvdev, int i);
>>>>>>>>
>>>>>>>> @@ -63,6 +84,7 @@ struct resource_table *rproc_elf_find_loaded_rsc_table(struct
>>>>>>>> rproc *rproc,
>>>>>>>> struct rproc_mem_entry *
>>>>>>>> rproc_find_carveout_by_name(struct rproc *rproc, const char *name, ...);
>>>>>>>>
>>>>>>>> +
>>>>>>>> static inline
>>>>>>>> int rproc_fw_sanity_check(struct rproc *rproc, const struct firmware *fw)
>>>>>>>> {
>>>>>>>> diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
>>>>>>>> index 16ad666..c4ca796 100644
>>>>>>>> --- a/include/linux/remoteproc.h
>>>>>>>> +++ b/include/linux/remoteproc.h
>>>>>>>> @@ -37,6 +37,7 @@
>>>>>>>>
>>>>>>>> #include <linux/types.h>
>>>>>>>> #include <linux/mutex.h>
>>>>>>>> +#include <linux/cdev.h>
>>>>>>>> #include <linux/virtio.h>
>>>>>>>> #include <linux/completion.h>
>>>>>>>> #include <linux/idr.h>
>>>>>>>> @@ -514,6 +515,7 @@ struct rproc {
>>>>>>>> bool auto_boot;
>>>>>>>> struct list_head dump_segments;
>>>>>>>> int nb_vdev;
>>>>>>>> + struct cdev char_dev;
>>>>>>>> };
>>>>>>>>
>>> >>>>> /**
Powered by blists - more mailing lists