lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201102220846.GA79198@xaphan>
Date:   Mon, 2 Nov 2020 16:08:46 -0600
From:   Michael Auchter <michael.auchter@...com>
To:     Ben Levinsky <BLEVINSK@...inx.com>
Cc:     Stefano Stabellini <stefanos@...inx.com>,
        "mathieu.poirier@...aro.org" <mathieu.poirier@...aro.org>,
        "devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
        "linux-remoteproc@...r.kernel.org" <linux-remoteproc@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>
Subject: Re: RE: [PATCH v21 5/5] remoteproc: Add initial zynqmp R5 remoteproc driver

On Mon, Nov 02, 2020 at 09:46:28PM +0000, Ben Levinsky wrote:
> Hi Michael,
> 
> > -----Original Message-----
> > From: Michael Auchter <michael.auchter@...com>
> > Sent: Monday, November 2, 2020 1:14 PM
> > To: Ben Levinsky <BLEVINSK@...inx.com>
> > Cc: Stefano Stabellini <stefanos@...inx.com>; mathieu.poirier@...aro.org;
> > devicetree@...r.kernel.org; linux-remoteproc@...r.kernel.org; linux-
> > kernel@...r.kernel.org; linux-arm-kernel@...ts.infradead.org
> > Subject: Re: [PATCH v21 5/5] remoteproc: Add initial zynqmp R5 remoteproc
> > driver
> > 
> > On Mon, Nov 02, 2020 at 11:38:59AM -0800, Ben Levinsky wrote:
> > > R5 is included in Xilinx Zynq UltraScale MPSoC so by adding this
> > > remotproc driver, we can boot the R5 sub-system in different 2
> > > configurations -
> > > 	* split
> > > 	* lock-step
> > >
> > > The Xilinx R5 Remoteproc Driver boots the R5's via calls to the Xilinx
> > > Platform Management Unit that handles the R5 configuration, memory
> > access
> > > and R5 lifecycle management. The interface to this manager is done in this
> > > driver via zynqmp_pm_* function calls.
> > >
> > > Signed-off-by: Wendy Liang <wendy.liang@...inx.com>
> > > Signed-off-by: Michal Simek <michal.simek@...inx.com>
> > > Signed-off-by: Ed Mooring <ed.mooring@...inx.com>
> > > Signed-off-by: Jason Wu <j.wu@...inx.com>
> > > Signed-off-by: Ben Levinsky <ben.levinsky@...inx.com>
> > > ---
> > > Update Xilinx R5 Remoteproc Driver as follows:
> > > - update documentation for zynqmp_r5_probe
> > > - restructure so that cluster initialization code is all in one place
> > > - add memory allocation check for cluster
> > > - add error handling in case of second core fails at probe but first core
> > succeeded.
> > >   to clean up the first core
> > > - remove unneeded lines in zynqmp_r5_remoteproc_remove
> > > ---
> > >
> > >  drivers/remoteproc/Kconfig                |   8 +
> > >  drivers/remoteproc/Makefile               |   1 +
> > >  drivers/remoteproc/zynqmp_r5_remoteproc.c | 784
> > ++++++++++++++++++++++
> > >  3 files changed, 793 insertions(+)
> > >  create mode 100644 drivers/remoteproc/zynqmp_r5_remoteproc.c
> > >
> > > diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
> > > index c6659dfea7c7..c2fe54b1d94f 100644
> > > --- a/drivers/remoteproc/Kconfig
> > > +++ b/drivers/remoteproc/Kconfig
> > > @@ -275,6 +275,14 @@ config TI_K3_DSP_REMOTEPROC
> > >  	  It's safe to say N here if you're not interested in utilizing
> > >  	  the DSP slave processors.
> > >
> > > +config ZYNQMP_R5_REMOTEPROC
> > > +	tristate "ZynqMP R5 remoteproc support"
> > > +	depends on PM && ARCH_ZYNQMP
> > > +	select RPMSG_VIRTIO
> > > +	select ZYNQMP_IPI_MBOX
> > > +	help
> > > +	  Say y or m here to support ZynqMP R5 remote processors via the
> > remote
> > > +	  processor framework.
> > >  endif # REMOTEPROC
> > >
> > >  endmenu
> > > diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
> > > index 3dfa28e6c701..ef1abff654c2 100644
> > > --- a/drivers/remoteproc/Makefile
> > > +++ b/drivers/remoteproc/Makefile
> > > @@ -33,3 +33,4 @@ obj-$(CONFIG_ST_REMOTEPROC)		+=
> > st_remoteproc.o
> > >  obj-$(CONFIG_ST_SLIM_REMOTEPROC)	+= st_slim_rproc.o
> > >  obj-$(CONFIG_STM32_RPROC)		+= stm32_rproc.o
> > >  obj-$(CONFIG_TI_K3_DSP_REMOTEPROC)	+= ti_k3_dsp_remoteproc.o
> > > +obj-$(CONFIG_ZYNQMP_R5_REMOTEPROC)	+= zynqmp_r5_remoteproc.o
> > > diff --git a/drivers/remoteproc/zynqmp_r5_remoteproc.c
> > b/drivers/remoteproc/zynqmp_r5_remoteproc.c
> > > new file mode 100644
> > > index 000000000000..993bd72e5664
> > > --- /dev/null
> > > +++ b/drivers/remoteproc/zynqmp_r5_remoteproc.c
> > > @@ -0,0 +1,784 @@
> > > +// SPDX-License-Identifier: GPL-2.0
> > > +/*
> > > + * Zynq R5 Remote Processor driver
> > > + *
> > > + * Based on origin OMAP and Zynq Remote Processor driver
> > > + *
> > > + */
> > > +
> > > +#include <linux/firmware/xlnx-zynqmp.h>
> > > +#include <linux/interrupt.h>
> > > +#include <linux/kernel.h>
> > > +#include <linux/list.h>
> > > +#include <linux/mailbox_client.h>
> > > +#include <linux/mailbox/zynqmp-ipi-message.h>
> > > +#include <linux/module.h>
> > > +#include <linux/of_address.h>
> > > +#include <linux/of_platform.h>
> > > +#include <linux/of_reserved_mem.h>
> > > +#include <linux/platform_device.h>
> > > +#include <linux/remoteproc.h>
> > > +#include <linux/skbuff.h>
> > > +#include <linux/sysfs.h>
> > > +
> > > +#include "remoteproc_internal.h"
> > > +
> > > +#define MAX_RPROCS	2 /* Support up to 2 RPU */
> > > +#define MAX_MEM_PNODES	4 /* Max power nodes for one RPU memory
> > instance */
> > > +
> > > +#define BANK_LIST_PROP	"meta-memory-regions"
> > > +#define DDR_LIST_PROP	"memory-regions"
> > > +
> > > +/* IPI buffer MAX length */
> > > +#define IPI_BUF_LEN_MAX	32U
> > > +/* RX mailbox client buffer max length */
> > > +#define RX_MBOX_CLIENT_BUF_MAX	(IPI_BUF_LEN_MAX + \
> > > +				 sizeof(struct zynqmp_ipi_message))
> > > +
> > > +/**
> > > + * struct zynqmp_r5_mem - zynqmp rpu memory data
> > > + * @pnode_id: TCM power domain ids
> > > + * @res: memory resource
> > > + * @node: list node
> > > + */
> > > +struct zynqmp_r5_mem {
> > > +	u32 pnode_id[MAX_MEM_PNODES];
> > > +	struct resource res;
> > > +	struct list_head node;
> > > +};
> > > +
> > > +/**
> > > + * struct zynqmp_r5_rproc - zynqmp rpu remote processor state
> > > + *			    this is for each individual R5 core's state
> > > + *
> > > + * @rx_mc_buf: rx mailbox client buffer to save the rx message
> > > + * @tx_mc: tx mailbox client
> > > + * @rx_mc: rx mailbox client * @dev: device of RPU instance
> > > + * @mbox_work: mbox_work for the RPU remoteproc
> > > + * @tx_mc_skbs: socket buffers for tx mailbox client
> > > + * @dev: device of RPU instance
> > > + * @rproc: rproc handle
> > > + * @tx_chan: tx mailbox channel
> > > + * @rx_chan: rx mailbox channel
> > > + * @pnode_id: RPU CPU power domain id
> > > + * @elem: linked list item
> > > + * @dt_node: device tree node that holds information for 1 R5 core.
> > > + */
> > > +struct zynqmp_r5_rproc {
> > > +	unsigned char rx_mc_buf[RX_MBOX_CLIENT_BUF_MAX];
> > > +	struct mbox_client tx_mc;
> > > +	struct mbox_client rx_mc;
> > > +	struct work_struct mbox_work;
> > > +	struct sk_buff_head tx_mc_skbs;
> > > +	struct device *dev;
> > > +	struct rproc *rproc;
> > > +	struct mbox_chan *tx_chan;
> > > +	struct mbox_chan *rx_chan;
> > > +	u32 pnode_id;
> > > +	struct list_head elem;
> > > +};
> > > +
> > > +/*
> > > + * r5_set_mode - set RPU operation mode
> > > + * @z_rproc: Remote processor private data
> > > + * @rpu_mode: mode specified by device tree to configure the RPU to
> > > + *
> > > + * set RPU operation mode
> > > + *
> > > + * Return: 0 for success, negative value for failure
> > > + */
> > > +static int r5_set_mode(struct zynqmp_r5_rproc *z_rproc,
> > > +		       enum rpu_oper_mode rpu_mode)
> > > +{
> > > +	enum rpu_tcm_comb tcm_mode;
> > > +	enum rpu_oper_mode cur_rpu_mode;
> > > +	int ret;
> > > +
> > > +	ret = zynqmp_pm_get_rpu_mode(z_rproc->pnode_id,
> > &cur_rpu_mode);
> > > +	if (ret < 0)
> > > +		return ret;
> > > +
> > > +	if (rpu_mode != cur_rpu_mode) {
> > > +		ret = zynqmp_pm_set_rpu_mode(z_rproc->pnode_id,
> > > +					     rpu_mode);
> > > +		if (ret < 0)
> > > +			return ret;
> > > +	}
> > > +
> > > +	tcm_mode = (rpu_mode == PM_RPU_MODE_LOCKSTEP) ?
> > > +		    PM_RPU_TCM_COMB : PM_RPU_TCM_SPLIT;
> > > +	return zynqmp_pm_set_tcm_config(z_rproc->pnode_id, tcm_mode);
> > > +}
> > > +
> > > +/*
> > > + * release TCM banks when powering down R5 core
> > > + */
> > > +static int tcm_mem_release(struct rproc *rproc, struct rproc_mem_entry
> > *mem)
> > > +{
> > > +	u32 pnode_id = (u64)mem->priv;
> > > +
> > > +	iounmap(mem->va);
> > > +	return zynqmp_pm_release_node(pnode_id);
> > > +}
> > > +
> > > +/*
> > > + * given ID corresponding to R5 core in Xilinx Platform management (xpm)
> > API,
> > > + * try to use xpm wake call to wake R5 core
> > > + */
> > > +static int zynqmp_r5_rproc_start(struct rproc *rproc)
> > > +{
> > > +	struct zynqmp_r5_rproc *z_rproc = rproc->priv;
> > > +	enum rpu_boot_mem bootmem;
> > > +
> > > +	bootmem = (rproc->bootaddr & 0xF0000000) == 0xF0000000 ?
> > > +		  PM_RPU_BOOTMEM_HIVEC : PM_RPU_BOOTMEM_LOVEC;
> > > +
> > > +	dev_dbg(rproc->dev.parent, "RPU boot from %s.",
> > > +		bootmem == PM_RPU_BOOTMEM_HIVEC ? "OCM" : "TCM");
> > > +
> > > +	return zynqmp_pm_request_wake(z_rproc->pnode_id, 1,
> > > +				     bootmem,
> > ZYNQMP_PM_REQUEST_ACK_NO);
> > > +}
> > > +
> > > +/*
> > > + * given ID corresponding to R5 core in Xilinx Platform management (xpm)
> > API,
> > > + * try to use xpm power down call to power off R5 core
> > > + */
> > > +static int zynqmp_r5_rproc_stop(struct rproc *rproc)
> > > +{
> > > +	struct zynqmp_r5_rproc *z_rproc = rproc->priv;
> > > +
> > > +	return zynqmp_pm_force_pwrdwn(z_rproc->pnode_id,
> > > +				     ZYNQMP_PM_REQUEST_ACK_BLOCKING);
> > > +}
> > > +
> > > +/*
> > > + * map in physical addr for  DDR mem carveout in rproc
> > > + */
> > > +static int zynqmp_r5_rproc_mem_alloc(struct rproc *rproc,
> > > +				     struct rproc_mem_entry *mem)
> > > +{
> > > +	void *va;
> > > +
> > > +	va = ioremap_wc(mem->dma, mem->len);
> > > +	if (IS_ERR_OR_NULL(va))
> > > +		return -ENOMEM;
> > > +
> > > +	/* Update memory entry va */
> > > +	mem->va = va;
> > > +
> > > +	return 0;
> > > +}
> > > +
> > > +/* unmap rproc_mem_entry virtual addr */
> > > +static int zynqmp_r5_rproc_mem_release(struct rproc *rproc,
> > > +				       struct rproc_mem_entry *mem)
> > > +{
> > > +	iounmap(mem->va);
> > > +	return 0;
> > > +}
> > > +
> > > +/* construct rproc mem carveouts for DDR regions specified in device tree
> > */
> > > +static int parse_mem_regions(struct rproc *rproc)
> > > +{
> > > +	int num_mems, i;
> > > +	struct zynqmp_r5_rproc *z_rproc = rproc->priv;
> > > +	struct device *dev = &rproc->dev;
> > > +	struct device_node *np = z_rproc->dev->of_node;
> > > +	struct rproc_mem_entry *mem;
> > > +
> > > +	num_mems = of_count_phandle_with_args(np, DDR_LIST_PROP,
> > NULL);
> > > +	if (num_mems <= 0)
> > > +		return 0;
> > > +
> > > +	for (i = 0; i < num_mems; i++) {
> > > +		struct device_node *node;
> > > +		struct reserved_mem *rmem;
> > > +
> > > +		node = of_parse_phandle(np, DDR_LIST_PROP, i);
> > > +		if (!node)
> > > +			return -EINVAL;
> > > +
> > > +		rmem = of_reserved_mem_lookup(node);
> > > +		if (!rmem)
> > > +			return -EINVAL;
> > > +
> > > +		if (strstr(node->name, "vdev0vring")) {
> > > +			int vring_id;
> > > +			char name[16];
> > > +
> > > +			/*
> > > +			 * expecting form of "rpuXvdev0vringX as documented
> > > +			 * in xilinx remoteproc device tree binding
> > > +			 */
> > > +			if (strlen(node->name) < 15) {
> > > +				dev_err(dev, "%pOF is less than 14 chars",
> > > +					node);
> > > +				return -EINVAL;
> > > +			}
> > > +
> > > +			/*
> > > +			 * can be 1 of multiple vring IDs per IPC channel
> > > +			 * e.g. 'vdev0vring0' and 'vdev0vring1'
> > > +			 */
> > > +			vring_id = node->name[14] - '0';
> > > +			snprintf(name, sizeof(name), "vdev0vring%d",
> > vring_id);
> > > +			/* Register vring */
> > > +			mem = rproc_mem_entry_init(dev, NULL,
> > > +						   (dma_addr_t)rmem->base,
> > > +						   rmem->size, rmem->base,
> > > +
> > zynqmp_r5_rproc_mem_alloc,
> > > +
> > zynqmp_r5_rproc_mem_release,
> > > +						   name);
> > > +		} else {
> > > +			/* Register DMA region */
> > > +			int (*alloc)(struct rproc *r,
> > > +				     struct rproc_mem_entry *rme);
> > > +			int (*release)(struct rproc *r,
> > > +				       struct rproc_mem_entry *rme);
> > > +			char name[20];
> > > +
> > > +			if (strstr(node->name, "vdev0buffer")) {
> > > +				alloc = NULL;
> > > +				release = NULL;
> > > +				strcpy(name, "vdev0buffer");
> > > +			} else {
> > > +				alloc = zynqmp_r5_rproc_mem_alloc;
> > > +				release = zynqmp_r5_rproc_mem_release;
> > > +				strcpy(name, node->name);
> > > +			}
> > > +
> > > +			mem = rproc_mem_entry_init(dev, NULL,
> > > +						   (dma_addr_t)rmem->base,
> > > +						   rmem->size, rmem->base,
> > > +						   alloc, release, name);
> > > +		}
> > > +		if (!mem)
> > > +			return -ENOMEM;
> > > +
> > > +		rproc_add_carveout(rproc, mem);
> > > +	}
> > > +
> > > +	return 0;
> > > +}
> > > +
> > > +/* call Xilinx Platform manager to request access to TCM bank */
> > > +static int zynqmp_r5_pm_request_tcm(struct device_node *tcm_node,
> > > +				    struct device *dev, u32 *pnode_id)
> > > +{
> > > +	int ret;
> > > +
> > > +	ret = of_property_read_u32(tcm_node, "pnode-id", pnode_id);
> > > +	if (ret)
> > > +		return ret;
> > > +
> > > +	return zynqmp_pm_request_node(*pnode_id,
> > ZYNQMP_PM_CAPABILITY_ACCESS, 0,
> > > +				     ZYNQMP_PM_REQUEST_ACK_BLOCKING);
> > > +}
> > > +
> > > +/*
> > > + * Given TCM bank entry,
> > > + * this callback will set device address for R5 running on TCM
> > > + * and also setup virtual address for TCM bank remoteproc carveout
> > > + */
> > > +static int tcm_mem_alloc(struct rproc *rproc,
> > > +			 struct rproc_mem_entry *mem)
> > > +{
> > > +	void *va;
> > > +	struct device *dev = rproc->dev.parent;
> > > +
> > > +	va = ioremap_wc(mem->dma, mem->len);
> > > +	if (IS_ERR_OR_NULL(va))
> > > +		return -ENOMEM;
> > > +
> > > +	/* Update memory entry va */
> > > +	mem->va = va;
> > > +
> > > +	va = devm_ioremap_wc(dev, mem->da, mem->len);
> > > +	if (!va)
> > > +		return -ENOMEM;
> > > +	/* As R5 is 32 bit, wipe out extra high bits */
> > > +	mem->da &= 0x000fffff;
> > > +	/*
> > > +	 * TCM Banks 0A and 0B (0xffe00000 and 0xffe20000)
> > > +	 * are handled with the above line of code so do nothing
> > > +	 * for this 2 banks
> > > +	 */
> > > +
> > > +	/*
> > > +	 * TCM Banks 1A and 1B (0xffe90000 and 0xffeb0000) still
> > > +	 * need to be translated to 0x0 and 0x20000
> > > +	 */
> > > +	if (mem->da == 0x90000 || mem->da == 0xB0000)
> > > +		mem->da -= 0x90000;
> > > +
> > > +	/* if translated TCM bank address is not valid report error */
> > > +	if (mem->da != 0x0 && mem->da != 0x20000) {
> > > +		dev_err(dev, "invalid TCM bank address: %x\n", mem->da);
> > > +		return -EINVAL;
> > > +	}
> > > +
> > > +	return 0;
> > > +}
> > > +
> > > +/*
> > > + * Given R5 node in remoteproc instance
> > > + * allocate remoteproc carveout for TCM memory
> > > + * needed for firmware to be loaded
> > > + */
> > > +static int parse_tcm_banks(struct rproc *rproc)
> > > +{
> > > +	int i, num_banks;
> > > +	struct zynqmp_r5_rproc *z_rproc = rproc->priv;
> > > +	struct device *dev = &rproc->dev;
> > > +	struct device_node *r5_node = z_rproc->dev->of_node;
> > > +
> > > +	/* go through TCM banks for r5 node */
> > > +	num_banks = of_count_phandle_with_args(r5_node,
> > BANK_LIST_PROP, NULL);
> > > +	if (num_banks <= 0) {
> > > +		dev_err(dev, "need to specify TCM banks\n");
> > > +		return -EINVAL;
> > > +	}
> > > +	for (i = 0; i < num_banks; i++) {
> > > +		struct resource rsc;
> > > +		resource_size_t size;
> > > +		struct device_node *dt_node;
> > > +		struct rproc_mem_entry *mem;
> > > +		int ret;
> > > +		u32 pnode_id; /* zynqmp_pm* fn's expect u32 */
> > > +
> > > +		dt_node = of_parse_phandle(r5_node, BANK_LIST_PROP, i);
> > > +		if (!dt_node)
> > > +			return -EINVAL;
> > > +
> > > +		if (of_device_is_available(dt_node)) {
> > > +			ret = of_address_to_resource(dt_node, 0, &rsc);
> > > +			if (ret < 0)
> > > +				return ret;
> > > +
> > > +			ret = zynqmp_r5_pm_request_tcm(dt_node, dev,
> > &pnode_id);
> > > +			if (ret < 0)
> > > +				return ret;
> > > +
> > > +			/* add carveout */
> > > +			size = resource_size(&rsc);
> > > +			mem = rproc_mem_entry_init(dev, NULL, rsc.start,
> > > +						   (int)size, rsc.start,
> > > +						   tcm_mem_alloc,
> > > +						   tcm_mem_release,
> > > +						   rsc.name);
> > > +			if (!mem)
> > > +				return -ENOMEM;
> > > +
> > > +			mem->priv = (void *)(u64)pnode_id;
> > > +			rproc_add_carveout(rproc, mem);
> > > +		}
> > > +	}
> > > +
> > > +	return 0;
> > > +}
> > > +
> > > +/*
> > > + * when loading firmware, load in needed DDR, TCM memory regions and
> > wire
> > > + * these into remoteproc core's carveouts
> > > + */
> > > +static int zynqmp_r5_parse_fw(struct rproc *rproc, const struct firmware
> > *fw)
> > > +{
> > > +	int ret;
> > > +
> > > +	ret = parse_tcm_banks(rproc);
> > > +	if (ret)
> > > +		return ret;
> > > +
> > > +	ret = parse_mem_regions(rproc);
> > > +	if (ret)
> > > +		return ret;
> > > +
> > > +	ret = rproc_elf_load_rsc_table(rproc, fw);
> > > +	if (ret == -EINVAL) {
> > > +		/*
> > > +		 * resource table only required for IPC.
> > > +		 * if not present, this is not necessarily an error;
> > > +		 * for example, loading r5 hello world application
> > > +		 * so simply inform user and keep going.
> > > +		 */
> > > +		dev_info(&rproc->dev, "no resource table found.\n");
> > > +		ret = 0;
> > > +	}
> > > +	return ret;
> > > +}
> > > +
> > > +/* kick a firmware */
> > > +static void zynqmp_r5_rproc_kick(struct rproc *rproc, int vqid)
> > > +{
> > > +	struct sk_buff *skb;
> > > +	unsigned int skb_len;
> > > +	struct zynqmp_ipi_message *mb_msg;
> > > +	int ret;
> > > +
> > > +	struct device *dev = rproc->dev.parent;
> > > +	struct zynqmp_r5_rproc *z_rproc = rproc->priv;
> > > +
> > > +	skb_len = (unsigned int)(sizeof(vqid) + sizeof(mb_msg));
> > > +	skb = alloc_skb(skb_len, GFP_ATOMIC);
> > > +	if (!skb)
> > > +		return;
> > > +
> > > +	mb_msg = (struct zynqmp_ipi_message *)skb_put(skb, skb_len);
> > > +	mb_msg->len = sizeof(vqid);
> > > +	memcpy(mb_msg->data, &vqid, sizeof(vqid));
> > > +	skb_queue_tail(&z_rproc->tx_mc_skbs, skb);
> > > +	ret = mbox_send_message(z_rproc->tx_chan, mb_msg);
> > > +	if (ret < 0) {
> > > +		dev_warn(dev, "Failed to kick remote.\n");
> > > +		skb_dequeue_tail(&z_rproc->tx_mc_skbs);
> > > +		kfree_skb(skb);
> > > +	}
> > > +}
> > > +
> > > +static struct rproc_ops zynqmp_r5_rproc_ops = {
> > > +	.start		= zynqmp_r5_rproc_start,
> > > +	.stop		= zynqmp_r5_rproc_stop,
> > > +	.load		= rproc_elf_load_segments,
> > > +	.parse_fw	= zynqmp_r5_parse_fw,
> > > +	.find_loaded_rsc_table = rproc_elf_find_loaded_rsc_table,
> > > +	.sanity_check	= rproc_elf_sanity_check,
> > > +	.get_boot_addr	= rproc_elf_get_boot_addr,
> > > +	.kick		= zynqmp_r5_rproc_kick,
> > > +};
> > > +
> > > +/**
> > > + * event_notified_idr_cb() - event notified idr callback
> > > + * @id: idr id
> > > + * @ptr: pointer to idr private data
> > > + * @data: data passed to idr_for_each callback
> > > + *
> > > + * Pass notification to remoteproc virtio
> > > + *
> > > + * Return: 0. having return is to satisfy the idr_for_each() function
> > > + *          pointer input argument requirement.
> > > + **/
> > > +static int event_notified_idr_cb(int id, void *ptr, void *data)
> > > +{
> > > +	struct rproc *rproc = data;
> > > +
> > > +	(void)rproc_vq_interrupt(rproc, id);
> > > +	return 0;
> > > +}
> > > +
> > > +/**
> > > + * handle_event_notified() - remoteproc notification work funciton
> > > + * @work: pointer to the work structure
> > > + *
> > > + * It checks each registered remoteproc notify IDs.
> > > + */
> > > +static void handle_event_notified(struct work_struct *work)
> > > +{
> > > +	struct rproc *rproc;
> > > +	struct zynqmp_r5_rproc *z_rproc;
> > > +
> > > +	z_rproc = container_of(work, struct zynqmp_r5_rproc, mbox_work);
> > > +
> > > +	(void)mbox_send_message(z_rproc->rx_chan, NULL);
> > > +	rproc = z_rproc->rproc;
> > > +	/*
> > > +	 * We only use IPI for interrupt. The firmware side may or may
> > > +	 * not write the notifyid when it trigger IPI.
> > > +	 * And thus, we scan through all the registered notifyids.
> > > +	 */
> > > +	idr_for_each(&rproc->notifyids, event_notified_idr_cb, rproc);
> > > +}
> > > +
> > > +/**
> > > + * zynqmp_r5_mb_rx_cb() - Receive channel mailbox callback
> > > + * @cl: mailbox client
> > > + * @mssg: message pointer
> > > + *
> > > + * It will schedule the R5 notification work.
> > > + */
> > > +static void zynqmp_r5_mb_rx_cb(struct mbox_client *cl, void *mssg)
> > > +{
> > > +	struct zynqmp_r5_rproc *z_rproc;
> > > +
> > > +	z_rproc = container_of(cl, struct zynqmp_r5_rproc, rx_mc);
> > > +	if (mssg) {
> > > +		struct zynqmp_ipi_message *ipi_msg, *buf_msg;
> > > +		size_t len;
> > > +
> > > +		ipi_msg = (struct zynqmp_ipi_message *)mssg;
> > > +		buf_msg = (struct zynqmp_ipi_message *)z_rproc->rx_mc_buf;
> > > +		len = (ipi_msg->len >= IPI_BUF_LEN_MAX) ?
> > > +		      IPI_BUF_LEN_MAX : ipi_msg->len;
> > > +		buf_msg->len = len;
> > > +		memcpy(buf_msg->data, ipi_msg->data, len);
> > > +	}
> > > +	schedule_work(&z_rproc->mbox_work);
> > > +}
> > > +
> > > +/**
> > > + * zynqmp_r5_mb_tx_done() - Request has been sent to the remote
> > > + * @cl: mailbox client
> > > + * @mssg: pointer to the message which has been sent
> > > + * @r: status of last TX - OK or error
> > > + *
> > > + * It will be called by the mailbox framework when the last TX has done.
> > > + */
> > > +static void zynqmp_r5_mb_tx_done(struct mbox_client *cl, void *mssg, int
> > r)
> > > +{
> > > +	struct zynqmp_r5_rproc *z_rproc;
> > > +	struct sk_buff *skb;
> > > +
> > > +	if (!mssg)
> > > +		return;
> > > +	z_rproc = container_of(cl, struct zynqmp_r5_rproc, tx_mc);
> > > +	skb = skb_dequeue(&z_rproc->tx_mc_skbs);
> > > +	kfree_skb(skb);
> > > +}
> > > +
> > > +/**
> > > + * zynqmp_r5_setup_mbox() - Setup mailboxes
> > > + *			    this is used for each individual R5 core
> > > + *
> > > + * @z_rproc: pointer to the ZynqMP R5 processor platform data
> > > + * @node: pointer of the device node
> > > + *
> > > + * Function to setup mailboxes to talk to RPU.
> > > + *
> > > + * Return: 0 for success, negative value for failure.
> > > + */
> > > +static int zynqmp_r5_setup_mbox(struct zynqmp_r5_rproc *z_rproc,
> > > +				struct device_node *node)
> > > +{
> > > +	struct mbox_client *mclient;
> > > +
> > > +	/* Setup TX mailbox channel client */
> > > +	mclient = &z_rproc->tx_mc;
> > > +	mclient->rx_callback = NULL;
> > > +	mclient->tx_block = false;
> > > +	mclient->knows_txdone = false;
> > > +	mclient->tx_done = zynqmp_r5_mb_tx_done;
> > > +	mclient->dev = z_rproc->dev;
> > > +
> > > +	/* Setup TX mailbox channel client */
> > > +	mclient = &z_rproc->rx_mc;
> > > +	mclient->dev = z_rproc->dev;
> > > +	mclient->rx_callback = zynqmp_r5_mb_rx_cb;
> > > +	mclient->tx_block = false;
> > > +	mclient->knows_txdone = false;
> > > +
> > > +	INIT_WORK(&z_rproc->mbox_work, handle_event_notified);
> > > +
> > > +	/* Request TX and RX channels */
> > > +	z_rproc->tx_chan = mbox_request_channel_byname(&z_rproc-
> > >tx_mc, "tx");
> > > +	if (IS_ERR(z_rproc->tx_chan)) {
> > > +		dev_err(z_rproc->dev, "failed to request mbox tx channel.\n");
> > > +		z_rproc->tx_chan = NULL;
> > > +		return -EINVAL;
> > > +	}
> > > +
> > > +	z_rproc->rx_chan = mbox_request_channel_byname(&z_rproc-
> > >rx_mc, "rx");
> > > +	if (IS_ERR(z_rproc->rx_chan)) {
> > > +		dev_err(z_rproc->dev, "failed to request mbox rx channel.\n");
> > > +		z_rproc->rx_chan = NULL;
> > > +		return -EINVAL;
> > > +	}
> > > +	skb_queue_head_init(&z_rproc->tx_mc_skbs);
> > > +
> > > +	return 0;
> > > +}
> > > +
> > > +/**
> > > + * zynqmp_r5_probe() - Probes ZynqMP R5 processor device node
> > > + *		       this is called for each individual R5 core to
> > > + *		       set up mailbox, Xilinx platform manager unique ID,
> > > + *		       add to rproc core
> > > + *
> > > + * @z_rproc: pointer to the ZynqMP R5 processor platform data
> > > + * @pdev: domain platform device for current R5 core
> > > + * @node: pointer of the device node for current R5 core
> > > + * @rpu_mode: mode to configure RPU, split or lockstep
> > > + * @core: Xilinx specific remoteproc structure used later to link
> > > + *           in to cluster of cores
> > 
> > This still does not match the param list (there's no z_rproc)
> > 
> Isn't core in this context the z_rproc? I can change the argument name if that is what you mean

The doc lists 5 arguments (z_rproc, pdev, node, rpu_mode, core), but the
function takes 4 arguments (pdev, node, rpu_mode, core).

> > > + *
> > > + * Function to retrieve the information of the ZynqMP R5 device node.
> > > + *
> > > + * Return: 0 for success, negative value for failure.
> > > + */
> > > +static int zynqmp_r5_probe(struct platform_device *pdev,
> > > +			   struct device_node *node,
> > > +			   enum rpu_oper_mode rpu_mode,
> > > +			   struct zynqmp_r5_rproc **core)
> > > +{
> > > +	int ret;
> > > +	struct device *dev = &pdev->dev;
> > > +	struct rproc *rproc_ptr;
> > > +	struct zynqmp_r5_rproc *z_rproc;
> > > +
> > > +	/* Allocate remoteproc instance */
> > > +	/* dev here is parent device of the allocated rproc's dev field */
> > > +	rproc_ptr = rproc_alloc(dev, dev_name(dev), &zynqmp_r5_rproc_ops,
> > > +				NULL, sizeof(struct zynqmp_r5_rproc));
> > > +	if (!rproc_ptr)
> > > +		return -ENOMEM;
> > > +	z_rproc = rproc_ptr->priv;
> > > +	z_rproc->rproc = rproc_ptr;
> > > +	z_rproc->dev = dev;
> > > +	/* Set up DMA mask */
> > > +	ret = dma_set_coherent_mask(dev, DMA_BIT_MASK(32));
> > > +	if (ret)
> > > +		goto error;
> > > +	/* Get R5 power domain node */
> > > +	ret = of_property_read_u32(node, "pnode-id", &z_rproc->pnode_id);
> > > +	if (ret)
> > > +		goto error;
> > > +
> > > +	ret = r5_set_mode(z_rproc, rpu_mode);
> 	> > +	if (ret)
> > > +		return ret;
> > 
> > goto error?
> > 
> Ok will change
> > > +
> > > +	if (of_property_read_bool(node, "mboxes")) {
> > > +		ret = zynqmp_r5_setup_mbox(z_rproc, node);
> > > +		if (ret)
> > > +			goto error;
> > > +	}
> > > +	/* Add R5 remoteproc */
> > > +	ret = rproc_add(rproc_ptr);
> > > +	if (ret)
> > > +		goto error;
> > > +	*core = z_rproc;
> > > +
> > > +	return 0;
> > > +error:
> > > +	if (z_rproc->rproc)
> > 
> > How would this ever be NULL?
> Ok will change
> > 
> > > +		rproc_free(z_rproc->rproc);
> > > +	z_rproc->rproc = NULL;
> > 
> > This looks like another use-after-free, but it also seems unnecessary.
> Ok will change
> > 
> > > +	return ret;
> > > +}
> > > +
> > > +/*
> > > + * called when driver is probed, for each R5 core specified in DT,
> > > + * setup as needed to do remoteproc-related operations
> > > + */
> > > +static int zynqmp_r5_remoteproc_probe(struct platform_device *pdev)
> > > +{
> > > +	int ret, i;
> > > +	struct device *dev = &pdev->dev;
> > > +	struct device_node *nc;
> > > +	enum rpu_oper_mode rpu_mode;
> > > +	struct list_head *cluster; /* list to track each core's rproc */
> > > +	struct zynqmp_r5_rproc *z_rproc;
> > > +	struct platform_device *child_pdev;
> > > +
> > > +	rpu_mode = of_property_read_bool(dev->of_node, "lockstep-mode")
> > ?
> > > +		   PM_RPU_MODE_LOCKSTEP : PM_RPU_MODE_SPLIT;
> > > +	dev_dbg(dev, "RPU configuration: %s\n",
> > > +		rpu_mode == PM_RPU_MODE_LOCKSTEP ? "lockstep" :
> > "split");
> > > +
> > > +	/*
> > > +	 * if 2 RPUs provided but one is lockstep, then we have an
> > > +	 * invalid configuration.
> > > +	 */
> > > +	i = of_get_available_child_count(dev->of_node);
> > > +	if ((rpu_mode == PM_RPU_MODE_LOCKSTEP && i != 1) || i >
> > MAX_RPROCS)
> > > +		return -EINVAL;
> > > +
> > > +	cluster = devm_kzalloc(dev, sizeof(*cluster), GFP_KERNEL);
> > > +	if (!cluster)
> > > +		return -ENOMEM;
> > > +	INIT_LIST_HEAD(cluster);
> > > +
> > > +	ret = devm_of_platform_populate(dev);
> > > +	if (ret) {
> > > +		dev_err(dev, "devm_of_platform_populate failed, ret =
> > %d\n",
> > > +			ret);
> > > +		return ret;
> > > +	}
> > > +
> > > +	/* probe each individual r5 core's remoteproc-related info */
> > > +	i = 0;
> > > +	for_each_available_child_of_node(dev->of_node, nc) {
> > > +		child_pdev = of_find_device_by_node(nc);
> > > +		if (!child_pdev) {
> > > +			dev_err(dev, "could not get R5 core platform
> > device\n");
> > > +			ret = -ENODEV;
> > > +			goto out;
> > > +		}
> > > +		ret = zynqmp_r5_probe(child_pdev, nc, rpu_mode, &z_rproc);
> > > +		dev_dbg(dev, "%s to probe rpu %pOF\n",
> > > +			ret ? "Failed" : "Able",
> > > +			nc);
> > > +		if (!z_rproc)
> > > +			ret = -EINVAL;
> > > +		if (ret)
> > > +			goto out;
> > > +
> > > +		list_add_tail(&z_rproc->elem, cluster);
> > > +		i++;
> > > +	}
> > > +	/* wire in so each core can be cleaned up at drive remove */
> > > +	platform_set_drvdata(pdev, cluster);
> > > +	ret = 0;
> > 
> > Just return 0 here instead of resetting ret.
> Ok will change
> > 
> > > +out:
> > > +	/* undo core0 upon any failures on core1 in split-mode */
> > > +	if (rpu_mode == PM_RPU_MODE_SPLIT && i == 1 && ret != 0) {
> > > +		z_rproc = container_of(cluster, struct zynqmp_r5_rproc,
> > elem);
> > 
> > This looks very wrong to me; cluster isn't a pointer to member of
> > zynqmp_r5_rproc. Was this path tested?
> > 
> It was tested and ran, but Ok will change
> > > +		if (z_rproc->rproc) {
> > 
> > How would z_rproc->rproc be NULL here?
> 
> Good point, will remove this check
> > 
> > > +			rproc_del(z_rproc->rproc);
> > > +			rproc_free(z_rproc->rproc);
> > > +		}
> > > +
> > > +		if (z_rproc->tx_chan)
> > > +			mbox_free_channel(z_rproc->tx_chan);
> > > +		if (z_rproc->rx_chan)
> > > +			mbox_free_channel(z_rproc->rx_chan);
> > 
> > Again, this looks like a use-after-free.
> > 
> Ok will change
> > > +	}
> > > +	return ret;
> > > +}
> > > +
> > > +/*
> > > + * for each core, clean up the following:
> > > + *	single rproc entry
> > > + *	mailbox tx, rx
> > > + */
> > > +static int zynqmp_r5_remoteproc_remove(struct platform_device *pdev)
> > > +{
> > > +	struct list_head *pos, *cluster = (struct list_head *)
> > > +					  platform_get_drvdata(pdev);
> > > +	struct zynqmp_r5_rproc *z_rproc = NULL;
> > > +	struct rproc *rproc = NULL;
> > > +
> > > +	list_for_each(pos, cluster) {
> > > +		z_rproc = list_entry(pos, struct zynqmp_r5_rproc, elem);
> > > +		rproc = z_rproc->rproc;
> > > +		if (rproc) {
> > > +			rproc_del(rproc);
> > > +			rproc_free(rproc);
> > > +		}
> > > +
> > > +		if (z_rproc->tx_chan)
> > > +			mbox_free_channel(z_rproc->tx_chan);
> > > +		if (z_rproc->rx_chan)
> > > +			mbox_free_channel(z_rproc->rx_chan);
> > 
> > The use-after-free issue I pointed out on v20 is still present here (and
> > has now been replicated in probe() as well).
> > 
> So for this and the other mbox_free_channel call, is it alright to
> check if the mbox property is in the z_rproc pointer's dev->of_node?
> If so then the setup_mbox was called and ran ok if the driver got this
> far.
> E.g.	 if (of_property_read_bool(z_rproc->dev->of_node, "mboxes")) {

I'm not sure if I understand what you're proposing here... but to me,
the most obvious way to fix a use-after-free is to not free the memory
until you're actually done using it. Moving the rproc_free until the
end of this block would accomplish that.

> 
> [...]
> 
> Thanks
> Ben

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ