lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20201124162220.GN9177@builder.lan>
Date:   Tue, 24 Nov 2020 10:22:20 -0600
From:   Bjorn Andersson <bjorn.andersson@...aro.org>
To:     Sibi Sankar <sibis@...eaurora.org>
Cc:     ohad@...ery.com, linux-arm-msm@...r.kernel.org,
        linux-remoteproc@...r.kernel.org, linux-kernel@...r.kernel.org,
        agross@...nel.org, evgreen@...omium.org
Subject: Re: [PATCH 2/2] remoteproc: qcom_q6v5_mss: map/unmap MBA region
 before/after use

On Wed 04 Nov 01:03 CST 2020, Sibi Sankar wrote:

> The application processor accessing the MBA region after assigning it to
> the remote Q6 would lead to an XPU violation. Fix this by un-mapping the
> MBA region post firmware copy and MBA text log dumps.
> 
> Signed-off-by: Sibi Sankar <sibis@...eaurora.org>

Reviewed-by: Bjorn Andersson <bjorn.andersson@...aro.org>

I renamed "ptr" to "mba_region" throughout the patch and applied the
pair.

Thanks,
Bjorn

> ---
>  drivers/remoteproc/qcom_q6v5_mss.c | 37 ++++++++++++++++++++++---------------
>  1 file changed, 22 insertions(+), 15 deletions(-)
> 
> diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
> index 2c866b6da23c..1b4a34325788 100644
> --- a/drivers/remoteproc/qcom_q6v5_mss.c
> +++ b/drivers/remoteproc/qcom_q6v5_mss.c
> @@ -189,7 +189,6 @@ struct q6v5 {
>  	size_t total_dump_size;
>  
>  	phys_addr_t mba_phys;
> -	void *mba_region;
>  	size_t mba_size;
>  	size_t dp_size;
>  
> @@ -408,7 +407,7 @@ static int q6v5_xfer_mem_ownership(struct q6v5 *qproc, int *current_perm,
>  				   current_perm, next, perms);
>  }
>  
> -static void q6v5_debug_policy_load(struct q6v5 *qproc)
> +static void q6v5_debug_policy_load(struct q6v5 *qproc, void *ptr)
>  {
>  	const struct firmware *dp_fw;
>  
> @@ -416,7 +415,7 @@ static void q6v5_debug_policy_load(struct q6v5 *qproc)
>  		return;
>  
>  	if (SZ_1M + dp_fw->size <= qproc->mba_size) {
> -		memcpy(qproc->mba_region + SZ_1M, dp_fw->data, dp_fw->size);
> +		memcpy(ptr + SZ_1M, dp_fw->data, dp_fw->size);
>  		qproc->dp_size = dp_fw->size;
>  	}
>  
> @@ -426,6 +425,7 @@ static void q6v5_debug_policy_load(struct q6v5 *qproc)
>  static int q6v5_load(struct rproc *rproc, const struct firmware *fw)
>  {
>  	struct q6v5 *qproc = rproc->priv;
> +	void *ptr;
>  
>  	/* MBA is restricted to a maximum size of 1M */
>  	if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
> @@ -433,8 +433,16 @@ static int q6v5_load(struct rproc *rproc, const struct firmware *fw)
>  		return -EINVAL;
>  	}
>  
> -	memcpy(qproc->mba_region, fw->data, fw->size);
> -	q6v5_debug_policy_load(qproc);
> +	ptr = memremap(qproc->mba_phys, qproc->mba_size, MEMREMAP_WC);
> +	if (!ptr) {
> +		dev_err(qproc->dev, "unable to map memory region: %pa+%zx\n",
> +			&qproc->mba_phys, qproc->mba_size);
> +		return -EBUSY;
> +	}
> +
> +	memcpy(ptr, fw->data, fw->size);
> +	q6v5_debug_policy_load(qproc, ptr);
> +	memunmap(ptr);
>  
>  	return 0;
>  }
> @@ -541,6 +549,7 @@ static void q6v5_dump_mba_logs(struct q6v5 *qproc)
>  {
>  	struct rproc *rproc = qproc->rproc;
>  	void *data;
> +	void *ptr;
>  
>  	if (!qproc->has_mba_logs)
>  		return;
> @@ -549,12 +558,16 @@ static void q6v5_dump_mba_logs(struct q6v5 *qproc)
>  				    qproc->mba_size))
>  		return;
>  
> -	data = vmalloc(MBA_LOG_SIZE);
> -	if (!data)
> +	ptr = memremap(qproc->mba_phys, qproc->mba_size, MEMREMAP_WC);
> +	if (!ptr)
>  		return;
>  
> -	memcpy(data, qproc->mba_region, MBA_LOG_SIZE);
> -	dev_coredumpv(&rproc->dev, data, MBA_LOG_SIZE, GFP_KERNEL);
> +	data = vmalloc(MBA_LOG_SIZE);
> +	if (data) {
> +		memcpy(data, ptr, MBA_LOG_SIZE);
> +		dev_coredumpv(&rproc->dev, data, MBA_LOG_SIZE, GFP_KERNEL);
> +	}
> +	memunmap(ptr);
>  }
>  
>  static int q6v5proc_reset(struct q6v5 *qproc)
> @@ -1605,12 +1618,6 @@ static int q6v5_alloc_memory_region(struct q6v5 *qproc)
>  
>  	qproc->mba_phys = r.start;
>  	qproc->mba_size = resource_size(&r);
> -	qproc->mba_region = devm_ioremap_wc(qproc->dev, qproc->mba_phys, qproc->mba_size);
> -	if (!qproc->mba_region) {
> -		dev_err(qproc->dev, "unable to map memory region: %pa+%zx\n",
> -			&r.start, qproc->mba_size);
> -		return -EBUSY;
> -	}
>  
>  	if (!child) {
>  		node = of_parse_phandle(qproc->dev->of_node,
> -- 
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> a Linux Foundation Collaborative Project
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ