| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Apr 2020 19:00:35 -0700
From: Bjorn Andersson <bjorn.andersson@...aro.org>
To: Arnaud POULIQUEN <arnaud.pouliquen@...com>
Cc: rishabhb@...eaurora.org, Cl?ment Leger <cleger@...rayinc.com>,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-remoteproc <linux-remoteproc@...r.kernel.org>,
psodagud <psodagud@...eaurora.org>, tsoni <tsoni@...eaurora.org>,
sidgup <sidgup@...eaurora.org>,
linux-remoteproc-owner@...r.kernel.org
Subject: Re: [PATCH v2 1/2] remoteproc: Add character device interface
On Thu 09 Apr 01:29 PDT 2020, Arnaud POULIQUEN wrote:
>
> On 4/8/20 8:34 PM, rishabhb@...eaurora.org wrote:
> > On 2020-04-06 08:58, Clément Leger wrote:
> >> Hi Arnaud,
> >>
> >> ----- On 6 Apr, 2020, at 16:17, Arnaud Pouliquen arnaud.pouliquen@...com wrote:
> >>
> >>> Hi Clément,
> >>>
> >>> On 4/6/20 2:06 PM, Clément Leger wrote:
> >>>> Hi Arnaud,
> >>>>
> >>>> ----- On 6 Apr, 2020, at 11:01, Arnaud Pouliquen arnaud.pouliquen@...com wrote:
> >>>>
> >>>>> On 4/3/20 9:13 PM, rishabhb@...eaurora.org wrote:
> >>>>>> On 2020-04-02 10:28, Arnaud POULIQUEN wrote:
> >>>>>>> Hi
> >>>>>>>
> >>>>>>> On 4/1/20 2:03 AM, Rishabh Bhatnagar wrote:
> >>>>>>>> Add the character device interface for userspace applications.
> >>>>>>>> This interface can be used in order to boot up and shutdown
> >>>>>>>> remote subsystems. Currently there is only a sysfs interface
> >>>>>>>> which the userspace clients can use. If a usersapce application
> >>>>>>>> crashes after booting the remote processor does not get any
> >>>>>>>> indication about the crash. It might still assume that the
> >>>>>>>> application is running. For example modem uses remotefs service
> >>>>>>>> to fetch data from disk/flash memory. If the remotefs service
> >>>>>>>> crashes, modem keeps on requesting data which might lead to a
> >>>>>>>> crash. Adding a character device interface makes the remote
> >>>>>>>> processor tightly coupled with the user space application.
> >>>>>>>> A crash of the application leads to a close on the file descriptors
> >>>>>>>> therefore shutting down the remoteproc.
> >>>>>>>
> >>>>>>> Sorry I'm late in the discussion, I hope I've gone through the whole
> >>>>>>> discussion so I don't reopen a closed point...
> >>>>>>>
> >>>>>>> Something here is not crystal clear to me so I'd rather share it...
> >>>>>>>
> >>>>>>> I suppose that you the automatic restart of the application is not possible to
> >>>>>>> stop and restart the remote processor...
> >>>>>> Yes correct, while we wait for the application to restart we might observe a
> >>>>>> fatal crash.
> >>>>>>>
> >>>>>>> Why this use case can not be solved by a process monitor or a service
> >>>>>>> in userland that detects the application crash and stop the remote
> >>>>>>> firmware using
> >>>>>>> the sysfs interface?
> >>>>>>>
> >>>>>> What happens in the case where the process monitor itself crashes? This is
> >>>>>> actually the approach we follow in our downstream code. We have a central entity
> >>>>>> in userspace that controls bootup/shutdown of some remote processors based on
> >>>>>> the
> >>>>>> votes from userspace clients. We have observed cases where this entity
> >>>>>> itself crashes and remote processors are left hanging.
> >>>>>
> >>>>> Your description makes me feel like this patch is only a workaround of something
> >>>>> that
> >>>>> should be fixed in the userland, even if i understand that hanging is one of the
> >>>>> most
> >>>>> critical problem and have to be fixed.
> >>>>> For instance, how to handle several applications that interact with the remote
> >>>>> processor
> >>>>> ( e.g. rpmsg service applications) how to stop and restart everything. Using the
> >>>>> char
> >>>>> device would probaly resolve only a part of the issue...
> >>>>>
> >>>>> I'm not aware about your environment and i'm not a userland expert. But what i
> >>>>> still not
> >>>>> understand why a parent process can not do the job...
> >>>>> I just test a simple script on my side that treat the kill -9 of an application
> >>>>> ("cat" in my case).
> >>>>
> >>>> This is not entirely true, if the parent process is killed with a SIGKILL, then
> >>>> the process will not be able to handle anything and the remoteproc will still
> >>>> be running.
> >>>>
> >>>> What I understood from Rishabh patch is a way to allow a single process handling
> >>>> the rproc state. We have the same kind of need and currently, if the
> >>>> user application crashes, then the rproc is still running (which happens).
> >>>>
> >>>>>
> >>>>> #start the remote firmware
> >>>>> cp $1 /lib/firmware/
> >>>>> echo $1> /sys/class/remoteproc/remoteproc0/firmware
> >>>>> echo start >/sys/class/remoteproc/remoteproc0/state
> >>>>> #your binary
> >>>>> cat /dev/kmsg
> >>>>> # stop the remote firmware in case of crash (and potentially some other apps)
> >>>>> echo stop >/sys/class/remoteproc/remoteproc0/state
> >>>>>
> >>>>
> >>>> This is not really "production proof" and what happens if the application is
> >>>> responsible of setting the firmware which might be jitted ?
> >>>> And if the script receives the SIGKILL, then we are back to the same problem.
> >>> Yes this is just a basic example, not an implementation which would depend on
> >>> the
> >>> environment. i'm just trying here to put forward a multi-process solution...and
> >>> that I'm not an userland expert :).
> >>>
> >>>>
> >>>> I really think, this is a step forward an easier and reliable use of the
> >>>> remoteproc
> >>>> on userland to guarantee a coherent rproc state even if host application
> >>>> crashes.
> > Yes what we want is simple mechanism where a single userspace process can boot/
> > shutdown the remote processor in all scenarios. Adding more processes to monitor
> > the already existing process might have 2 issues. One is there might be a delay
> > between the application crash and process monitor getting to know about it and taking
> > action. This might prove to be fatal in our case. Second, possibly the monitor can hang
> > or get killed and is not deterministic.
> >>>
> >>> I can see 3 ways of handling an application crash:
> >>> - just shutdown the firmware
> >>> => can be done through char device
> >>> - stop some other related processes and/or generate a remote proc crash dump for
> >>> debug
> >>> => /sysfs and/or debugfs
> >>> - do nothing as you want a silence application reboot and re-attach to the
> >>> running firmware
> >>> => use sysfs
> >>>
> >>> I'm challenging the solution because splitting the API seems to me not a good
> >>> solution.
> >>
> >> Completely ok with that, we have to fully understand the targeted usecase to
> >> avoid implemented a flawed interface.
> >>
> >>> Now i wonder how it works for the other applications that are relying on some
> >>> other
> >>> kernel frameworks...
> >>
> >> For some other device, there is a chardev. The watchdog for intance uses a
> >> /dev/watchdog. Regarding the gpio, it seems they are also using a chardev
> >> and the sysfs interface is deprecated.
> >>
> >>> Perhaps the answer is that these frameworks don't use sysfs but char device.
> >>> That would means that the sysfs solution is not the more adapted solution and
> >>> perhaps we should migrate to a char device.
> >>> But in this case, i think that it should implement the whole API and be
> >>> exclusive with
> >>> the syfs legacy API (so no sysfs or sysfs in read-only).
> >>
> >> I agree with that, if another interface must be defined, then it should
> >> implement everything that is supported right now with the sysfs.
> >>
> > The other fields that sysfs exposes right now are firmware_name, name(rproc name),
> > state. The targeted usecase was that these are configuration parameters specific
> > to the remoteproc and should stay in the sysfs interface. Whereas char device
> > should provide direct access to remoteproc device.
> > It would make sense to use this interface in conjunction with sysfs
> > interface, where you use /dev/remoteproc0 to boot/shutdown the remote processor
> > sysfs entries to fine tune the parameters.
> > Adding ioctls to implement all sysfs functionality seems like overkill to me. Let
> > me know what you guys think.
>
> In my opinion if we open the possibility of accessing to remoteproc through a char
> device, we should move torwards a solution that would replace the sysfs.
> In this case sysfs fields could be read-only, and the char devices would have to
> support the different shutdown modes. This means that the auto shutdown should be
> configurable (IOCTL?).
> But I assume that the minimum could be to only disable write access on the "state" field
> and handle the "auto shutdown" as an option of the char device.
>
> Anyway it only my opinion, let Bjorn an Mathieu comment and decide :)
>
I have two concerns with migrating things to a character device:
1) Operating an ioctl based interface requires specialized tooling. E.g.
today whatever your installation is you can change firmware name and
start a core with the user space tools you have. Further more allowing
you to change firmware name before powering on the core would imply that
both of these would have to be ioctls (we can't just boot the core on
open) - so we would end up duplicating all parts of the sysfs interface
in ioctls.
2) Reducing the functionality of the sysfs interface would break
compatibility with existing user space, which is verboten. So we would
at best duplicate the existing features.
That said, per the same argument I don't really like duplicating the
state controls in a character device (i.e. Rishabh's patch), but this
really does provide something that we can't do with the current
interface.
Regards,
Bjorn
Powered by blists - more mailing lists