| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Nov 2020 10:22:20 -0600
From: Bjorn Andersson <bjorn.andersson@...aro.org>
To: Sibi Sankar <sibis@...eaurora.org>
Cc: ohad@...ery.com, linux-arm-msm@...r.kernel.org,
linux-remoteproc@...r.kernel.org, linux-kernel@...r.kernel.org,
agross@...nel.org, evgreen@...omium.org
Subject: Re: [PATCH 2/2] remoteproc: qcom_q6v5_mss: map/unmap MBA region
before/after use
On Wed 04 Nov 01:03 CST 2020, Sibi Sankar wrote:
> The application processor accessing the MBA region after assigning it to
> the remote Q6 would lead to an XPU violation. Fix this by un-mapping the
> MBA region post firmware copy and MBA text log dumps.
>
> Signed-off-by: Sibi Sankar <sibis@...eaurora.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@...aro.org>
I renamed "ptr" to "mba_region" throughout the patch and applied the
pair.
Thanks,
Bjorn
> ---
> drivers/remoteproc/qcom_q6v5_mss.c | 37 ++++++++++++++++++++++---------------
> 1 file changed, 22 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
> index 2c866b6da23c..1b4a34325788 100644
> --- a/drivers/remoteproc/qcom_q6v5_mss.c
> +++ b/drivers/remoteproc/qcom_q6v5_mss.c
> @@ -189,7 +189,6 @@ struct q6v5 {
> size_t total_dump_size;
>
> phys_addr_t mba_phys;
> - void *mba_region;
> size_t mba_size;
> size_t dp_size;
>
> @@ -408,7 +407,7 @@ static int q6v5_xfer_mem_ownership(struct q6v5 *qproc, int *current_perm,
> current_perm, next, perms);
> }
>
> -static void q6v5_debug_policy_load(struct q6v5 *qproc)
> +static void q6v5_debug_policy_load(struct q6v5 *qproc, void *ptr)
> {
> const struct firmware *dp_fw;
>
> @@ -416,7 +415,7 @@ static void q6v5_debug_policy_load(struct q6v5 *qproc)
> return;
>
> if (SZ_1M + dp_fw->size <= qproc->mba_size) {
> - memcpy(qproc->mba_region + SZ_1M, dp_fw->data, dp_fw->size);
> + memcpy(ptr + SZ_1M, dp_fw->data, dp_fw->size);
> qproc->dp_size = dp_fw->size;
> }
>
> @@ -426,6 +425,7 @@ static void q6v5_debug_policy_load(struct q6v5 *qproc)
> static int q6v5_load(struct rproc *rproc, const struct firmware *fw)
> {
> struct q6v5 *qproc = rproc->priv;
> + void *ptr;
>
> /* MBA is restricted to a maximum size of 1M */
> if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
> @@ -433,8 +433,16 @@ static int q6v5_load(struct rproc *rproc, const struct firmware *fw)
> return -EINVAL;
> }
>
> - memcpy(qproc->mba_region, fw->data, fw->size);
> - q6v5_debug_policy_load(qproc);
> + ptr = memremap(qproc->mba_phys, qproc->mba_size, MEMREMAP_WC);
> + if (!ptr) {
> + dev_err(qproc->dev, "unable to map memory region: %pa+%zx\n",
> + &qproc->mba_phys, qproc->mba_size);
> + return -EBUSY;
> + }
> +
> + memcpy(ptr, fw->data, fw->size);
> + q6v5_debug_policy_load(qproc, ptr);
> + memunmap(ptr);
>
> return 0;
> }
> @@ -541,6 +549,7 @@ static void q6v5_dump_mba_logs(struct q6v5 *qproc)
> {
> struct rproc *rproc = qproc->rproc;
> void *data;
> + void *ptr;
>
> if (!qproc->has_mba_logs)
> return;
> @@ -549,12 +558,16 @@ static void q6v5_dump_mba_logs(struct q6v5 *qproc)
> qproc->mba_size))
> return;
>
> - data = vmalloc(MBA_LOG_SIZE);
> - if (!data)
> + ptr = memremap(qproc->mba_phys, qproc->mba_size, MEMREMAP_WC);
> + if (!ptr)
> return;
>
> - memcpy(data, qproc->mba_region, MBA_LOG_SIZE);
> - dev_coredumpv(&rproc->dev, data, MBA_LOG_SIZE, GFP_KERNEL);
> + data = vmalloc(MBA_LOG_SIZE);
> + if (data) {
> + memcpy(data, ptr, MBA_LOG_SIZE);
> + dev_coredumpv(&rproc->dev, data, MBA_LOG_SIZE, GFP_KERNEL);
> + }
> + memunmap(ptr);
> }
>
> static int q6v5proc_reset(struct q6v5 *qproc)
> @@ -1605,12 +1618,6 @@ static int q6v5_alloc_memory_region(struct q6v5 *qproc)
>
> qproc->mba_phys = r.start;
> qproc->mba_size = resource_size(&r);
> - qproc->mba_region = devm_ioremap_wc(qproc->dev, qproc->mba_phys, qproc->mba_size);
> - if (!qproc->mba_region) {
> - dev_err(qproc->dev, "unable to map memory region: %pa+%zx\n",
> - &r.start, qproc->mba_size);
> - return -EBUSY;
> - }
>
> if (!child) {
> node = of_parse_phandle(qproc->dev->of_node,
> --
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> a Linux Foundation Collaborative Project
>
Powered by blists - more mailing lists