lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dd4619e2-f96a-122f-2cf6-ec19445c6a5c@linaro.org>
Date:   Sun, 21 Mar 2021 08:21:24 -0500
From:   Alex Elder <elder@...aro.org>
To:     Leon Romanovsky <leon@...nel.org>
Cc:     davem@...emloft.net, kuba@...nel.org, andrew@...n.ch,
        bjorn.andersson@...aro.org, evgreen@...omium.org,
        cpratapa@...eaurora.org, subashab@...eaurora.org, elder@...nel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next v2 2/2] net: ipa: fix IPA validation

On 3/21/21 3:21 AM, Leon Romanovsky wrote:
> On Sat, Mar 20, 2021 at 09:17:29AM -0500, Alex Elder wrote:
>> There are blocks of IPA code that sanity-check various values, at
>> compile time where possible.  Most of these checks can be done once
>> during development but skipped for normal operation.  These checks
>> permit the driver to make certain assumptions, thereby avoiding the
>> need for runtime error checking.
>>
>> The checks are defined conditionally, but not consistently.  In
>> some cases IPA_VALIDATION enables the optional checks, while in
>> others IPA_VALIDATE is used.
>>
>> Fix this by using IPA_VALIDATION consistently.
>>
>> Signed-off-by: Alex Elder <elder@...aro.org>
>> ---
>>   drivers/net/ipa/Makefile       | 2 +-
>>   drivers/net/ipa/gsi_trans.c    | 8 ++++----
>>   drivers/net/ipa/ipa_cmd.c      | 4 ++--
>>   drivers/net/ipa/ipa_cmd.h      | 6 +++---
>>   drivers/net/ipa/ipa_endpoint.c | 6 +++---
>>   drivers/net/ipa/ipa_main.c     | 6 +++---
>>   drivers/net/ipa/ipa_mem.c      | 6 +++---
>>   drivers/net/ipa/ipa_table.c    | 6 +++---
>>   drivers/net/ipa/ipa_table.h    | 6 +++---
>>   9 files changed, 25 insertions(+), 25 deletions(-)
>>
>> diff --git a/drivers/net/ipa/Makefile b/drivers/net/ipa/Makefile
>> index afe5df1e6eeee..014ae36ac6004 100644
>> --- a/drivers/net/ipa/Makefile
>> +++ b/drivers/net/ipa/Makefile
>> @@ -1,5 +1,5 @@
>>   # Un-comment the next line if you want to validate configuration data
>> -#ccflags-y		+=	-DIPA_VALIDATE
>> +# ccflags-y		+=	-DIPA_VALIDATION
> 
> Maybe netdev folks think differently here, but general rule that dead
> code and closed code is such, is not acceptable to in Linux kernel.
> 
> <...>

What is the purpose of CONFIG_KGDB?  Or CONFIG_DEBUG_KERNEL?
Would you prefer I expose this through a kconfig option?  I
intentionally did not do that, because I really intended it
to be only for development, so defined it in the Makefile.
But I have no objection to making it configurable that way.

>> -#ifdef IPA_VALIDATE
>> +#ifdef IPA_VALIDATION
>>   	if (!size || size % 8)
>>   		return -EINVAL;
>>   	if (count < max_alloc)
>>   		return -EINVAL;
>>   	if (!max_alloc)
>>   		return -EINVAL;
>> -#endif /* IPA_VALIDATE */
>> +#endif /* IPA_VALIDATION */
> 
> If it is possible to supply those values, the check should be always and
> not only under some closed config option.

These are assertions.

There is no need to test them for working code.  If
I run the code successfully with these tests enabled
exactly once, and they are satisfied, then every time
the code is run thereafter they will pass.  So I want
to check them when debugging/developing only.  That
way there is a mistake, it gets caught, but otherwise
there's no pointless argument checking done.

I'll explain the first check; the others have similar
explanation.

In the current code, the passed size is sizeof(struct)
for three separate structures.
   - If the structure size changes, I want to be
     sure the constraint is still honored
   - The code will break of someone happens
     to pass a size of 0.  I don't expect that to
     ever happen, but this states that requirement.

This is an optimization, basically, but one that
allows the assumed conditions to be optionally
verified.

>>   	/* By allocating a few extra entries in our pool (one less
>>   	 * than the maximum number that will be requested in a
>> @@ -140,14 +140,14 @@ int gsi_trans_pool_init_dma(struct device *dev, struct gsi_trans_pool *pool,
>>   	dma_addr_t addr;
>>   	void *virt;
>>   
>> -#ifdef IPA_VALIDATE
>> +#ifdef IPA_VALIDATION
>>   	if (!size || size % 8)
>>   		return -EINVAL;
>>   	if (count < max_alloc)
>>   		return -EINVAL;
>>   	if (!max_alloc)
>>   		return -EINVAL;
>> -#endif /* IPA_VALIDATE */
>> +#endif /* IPA_VALIDATION */
> 
> Same
> 
> <...>
> 
>>   {
>> -#ifdef IPA_VALIDATE
>> +#ifdef IPA_VALIDATION
>>   	/* At one time we assumed a 64-bit build, allowing some do_div()
>>   	 * calls to be replaced by simple division or modulo operations.
>>   	 * We currently only perform divide and modulo operations on u32,
>> @@ -768,7 +768,7 @@ static void ipa_validate_build(void)
>>   	BUILD_BUG_ON(!ipa_aggr_granularity_val(IPA_AGGR_GRANULARITY));
>>   	BUILD_BUG_ON(ipa_aggr_granularity_val(IPA_AGGR_GRANULARITY) >
>>   			field_max(AGGR_GRANULARITY_FMASK));
>> -#endif /* IPA_VALIDATE */
>> +#endif /* IPA_VALIDATION */
> 
> BUILD_BUG_ON()s are checked during compilation and not during runtime
> like IPA_VALIDATION promised.

So I should update the description.  But I'm not sure where
you are referring to.  Here is the first line of the patch
description:
   There are blocks of IPA code that sanity-check various
   values, at compile time where possible.

> IMHO, the issue here is that this IPA code isn't release quality but
> some debug drop variant and it is far from expected from submitted code.

Doesn't sound very humble, IMHO.

This code was found acceptable and merged for mainline a
year ago.  At that time it supported IPA on the SDM845 SoC
(IPA v3.5.1).  Had it not been merged, I would have continued
refining the code out-of-tree until it could be merged.  But
now, it's upstream, so anything I want to do to make it better
must be done upstream.

Since last year it has undergone considerable development,
including adding support for the SC7180 SoC (IPA v4.2).  I
am now in the process of getting things posted for review
so IPA versions 4.5, 4.9, and 4.11 are supported.  With any
luck all that will be done in this merge cycle; we'll see.

Most of what I've been doing is gradually transforming
things to support the new hardware.  But in the process
I'm also improving what's there so that it is better
organized, more consistent, more understandable, and
maintainable.

I have explained this previously, but this code was derived
from Qualcomm "downstream" code.  Much was done toward
getting it into the upstream kernel, including carving out
great deal of code, and removing functionality to focus on
just *one* target platform.

Now that it's upstream, the aim is to add back functionality,
ideally to support all current and future Qualcomm IPA hardware,
and eventually (this year) to support some of the features
(hardware filtering/routing/NAT) that were removed to make
the code simpler.

I'm doing a lot of development on this driver, yes.  But
it doesn't mean it's broken, it means it's improving.

					-Alex

> Thanks
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ