| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Jul 2020 00:01:56 +0200
From: Arnd Bergmann <arnd@...db.de>
To: Bjorn Helgaas <helgaas@...nel.org>
Cc: "Saheed O. Bolarinwa" <refactormyself@...il.com>,
bjorn@...gaas.com, Shuah Khan <skhan@...uxfoundation.org>,
linux-pci <linux-pci@...r.kernel.org>,
linux-kernel-mentees@...ts.linuxfoundation.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Richard Henderson <rth@...ddle.net>,
Ivan Kokshaysky <ink@...assic.park.msu.ru>,
Matt Turner <mattst88@...il.com>,
Greg Ungerer <gerg@...ux-m68k.org>,
Geert Uytterhoeven <geert@...ux-m68k.org>,
Russell King <linux@...linux.org.uk>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
Michael Ellerman <mpe@...erman.id.au>,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Paul Mackerras <paulus@...ba.org>,
linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>,
"David S. Miller" <davem@...emloft.net>,
sparclinux <sparclinux@...r.kernel.org>,
Guenter Roeck <linux@...ck-us.net>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Heiner Kallweit <hkallweit1@...il.com>,
Jakub Kicinski <kuba@...nel.org>,
Keith Busch <kbusch@...nel.org>, Jens Axboe <axboe@...com>,
Christoph Hellwig <hch@....de>,
Sagi Grimberg <sagi@...mberg.me>,
Lorenzo Pieralisi <lorenzo.pieralisi@....com>,
Rob Herring <robh@...nel.org>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Kevin Hilman <khilman@...libre.com>,
Philipp Zabel <p.zabel@...gutronix.de>,
Jingoo Han <jingoohan1@...il.com>,
Gustavo Pimentel <gustavo.pimentel@...opsys.com>,
Toan Le <toan@...amperecomputing.com>,
Ray Jui <rjui@...adcom.com>,
Scott Branden <sbranden@...adcom.com>,
Ley Foon Tan <ley.foon.tan@...el.com>,
Marek Vasut <marek.vasut+renesas@...il.com>
Subject: Re: [RFC PATCH 00/35] Move all PCIBIOS* definitions into arch/x86
On Tue, Jul 14, 2020 at 8:45 PM Bjorn Helgaas <helgaas@...nel.org> wrote:
> On Mon, Jul 13, 2020 at 05:08:10PM +0200, Arnd Bergmann wrote:
> > On Mon, Jul 13, 2020 at 3:22 PM Saheed O. Bolarinwa
> > Starting with a), my first question is whether any high-level
> > drivers even need to care about errors from these functions. I see
> > 4913 callers that ignore the return code, and 576 that actually
> > check it, and almost none care about the specific error (as you
> > found as well). Unless we conclude that most PCI drivers are wrong,
> > could we just change the return type to 'void' and assume they never
> > fail for valid arguments on a valid pci_device* ?
>
> I really like this idea.
>
> pci_write_config_*() has one return value, and only 100ish of 2500
> callers check for errors. It's sometimes possible for config
> accessors to detect PCI errors and return failure, e.g., device was
> removed or didn't respond, but most of them don't, and detecting these
> errors is not really that valuable.
>
> pci_read_config_*() is much more interesting because it returns two
> things, the function return value and the value read from the PCI
> device, and it's complicated to check both.
>
> Again it's sometimes possible for config read accessors to detect PCI
> errors, but in most cases a PCI error means the accessor returns
> success and the value from PCI is ~0.
>
> Checking the function return value catches programming errors (bad
> alignment, etc) but misses most of the interesting errors (device was
> unplugged or reported a PCI error).
My thinking was more that most of the time the error checking may
be completely bogus to start with, and I would just not check for
errors at all.
> Checking the value returned from PCI is tricky because ~0 is a valid
> value for some config registers, and only the driver knows for sure.
> If the driver knows that ~0 is a possible value, it would have to do
> something else, e.g., another config read of a register that *cannot*
> be ~0, to see whether it's really an error.
>
> I suspect that if we had a single value to look at it would be easier
> to get right. Error checking with current interface would look like
> this:
>
> err = pci_read_config_word(dev, addr, &val);
> if (err)
> return -EINVAL;
>
> if (PCI_POSSIBLE_ERROR(val)) {
> /* if driver knows ~0 is invalid */
> return -EINVAL;
>
> /* if ~0 is potentially a valid value */
> err = pci_read_config_word(dev, PCI_VENDOR_ID, &val2);
> if (err)
> return -EINVAL;
>
> if (PCI_POSSIBLE_ERROR(val2))
> return -EINVAL;
> }
>
> Error checking with a possible interface that returned only a single
> value could look like this:
>
> val = pci_config_read_word(dev, addr);
> if (PCI_POSSIBLE_ERROR(val)) {
> /* if driver knows ~0 is invalid */
> return -EINVAL;
>
> /* if ~0 is potentially a valid value */
> val2 = pci_config_read_word(dev, PCI_VENDOR_ID);
> if (PCI_POSSIBLE_ERROR(val2))
> return -EINVAL;
> }
>
> Am I understanding you correctly?
That would require changing all callers of the function, which
I think would involve changing some 700 files. What I was
suggesting was to only change the return type to void and
categorize all drivers that today check it as either
a) checking the return code is not helpful, or possibly even
wrong, so we just stop doing it. I expect those to be the
vast majority of callers, but that could be wrong.
b) Code that legitimately check the error code and need to
take an appropriate action. These could be changed to
calling a different interface such as 'pci_bus_read_config_word'
or a new 'pci_device_last_error()' function.
The reasons I suspect that most callers don't actually need
to check for errors are:
- Most error checking is static: PCIBIOS_BAD_REGISTER_NUMBER
only happens if you pass an invalid register number, but most
callers pass a compile-time constant register number that is
known to be correct, or the driver would never work. Similarly,
PCIBIOS_DEVICE_NOT_FOUND wouldn't normally happen
since you pass a valid pci_device pointer that was already
probed.
- config space accesses are very rare compared to memory
space access and on the hardware side the error handling
would be similar, but readl/writel don't return errors, they just
access wrong registers or return 0xffffffff.
arch/powerpc/kernel/eeh.c has a ton extra code written to
deal with it, but no other architectures do.
- If we add code to detect errors in pci_read_config_*
and do some of the stuff from powerpc's
eeh_dev_check_failure(), we are more likely to catch
intermittent failures when drivers don't check, or bugs
with invalid arguments in device drivers than relying on
drivers to get their error handling right when those code
paths don't ever get covered in normal testing.
Looking at a couple of random drivers that do check the
return codes, I find:
drivers/edac/amd8131_edac.c: prints the register number,
then keeps going. This is not useful
drivers/net/ethernet/mellanox/mlx4/reset.c: error handling
in mlx4_reset() seems reasonable, but it gets called
from mlx4_pci_resume(), which has a 'void' return code and
cannot propagate the error further. My guess is that it
would try to keep going after a failed resume and run into
random other problems then.
drivers/ata/pata_cs5536.c: error code gets passed to
caller and then always ignored. Can clearly be changed
drivers/net/wireless/intersil/prism54/islpci_hotplug.c:
Out of two calls, only one is checked, which seems bogus
drivers/usb/host/pci-quirks.c: only one of many instances
has a check, again this seems bogus.
drivers/leds/leds-ss4200.c: called from probe(), which
seems to correctly deal with errors by failing the probe.
Not sure this can ever fail though, since the driver only does
it after pci_enable_device() succeeds first. Note that
pci_enable_device() ignores pci_read_config_byte()
errors but sanity-checks the register contents/
Arnd
Powered by blists - more mailing lists