Open Source and information security mailing list archives
 
Message-ID: <f518791c-76a7-2e46-8815-84a2c5047e2c@foss.st.com>
Date:   Mon, 11 Oct 2021 17:37:43 +0200
From:   Arnaud POULIQUEN <arnaud.pouliquen@...s.st.com>
To:     Bjorn Andersson <bjorn.andersson@...aro.org>
CC:     Ohad Ben-Cohen <ohad@...ery.com>,
        Mathieu Poirier <mathieu.poirier@...aro.org>,
        <linux-remoteproc@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <linux-stm32@...md-mailman.stormreply.com>, <julien.massot@....bzh>
Subject: Re: [PATCH v4 4/4] rpmsg: char: Introduce the "rpmsg-raw" channel



On 10/9/21 2:06 AM, Bjorn Andersson wrote:
> On Mon 12 Jul 06:19 PDT 2021, Arnaud Pouliquen wrote:
> 
>> Allows to probe the endpoint device on a remote name service announcement,
>> by registering a rpmsg_driver for the "rpmsg-raw" channel.
>>
>> With this patch the /dev/rpmsgX interface can be instantiated by the remote
>> firmware.
>>
>> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@...s.st.com>
>> Reviewed-by: Mathieu Poirier <mathieu.poirier@...aro.org>
>> Tested-by: Julien Massot <julien.massot@....bzh>
>> ---
>>  drivers/rpmsg/rpmsg_char.c | 75 +++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 73 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/rpmsg/rpmsg_char.c b/drivers/rpmsg/rpmsg_char.c
>> index bd728d90ba4c..1b7b610e113d 100644
>> --- a/drivers/rpmsg/rpmsg_char.c
>> +++ b/drivers/rpmsg/rpmsg_char.c
>> @@ -25,6 +25,8 @@
>>  
>>  #include "rpmsg_char.h"
>>  
>> +#define RPMSG_CHAR_DEVNAME "rpmsg-raw"
>> +
>>  static dev_t rpmsg_major;
>>  static struct class *rpmsg_class;
>>  
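Review bot: RPMSG_CHAR_DEVNAME holds the channel name "rpmsg-raw" that the driver is registered for, not the name of a /dev node, so the macro name is misleading. A name that says "channel" rather than "devname" (for example RPMSG_CHAR_CHANNEL_NAME, a hypothetical name), plus a one-line comment that the remote firmware has to announce exactly this string, would document the contract at the point of definition.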
>> @@ -421,6 +423,61 @@ int rpmsg_chrdev_eptdev_create(struct rpmsg_device *rpdev, struct device *parent
>>  }
>>  EXPORT_SYMBOL(rpmsg_chrdev_eptdev_create);
>>  
>> +static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev)
>> +{
>> +	struct rpmsg_channel_info chinfo;
>> +	struct rpmsg_eptdev *eptdev;
>> +	struct rpmsg_endpoint *ept;
>> +
>> +	memcpy(chinfo.name, RPMSG_CHAR_DEVNAME, sizeof(RPMSG_CHAR_DEVNAME));
> 
> The length should relate to the size of the destination buffer.
> This looks like an excellent job for strscpy_pad()
Thanks for pointing it out, I will have a look.
> 
>> +	chinfo.src = rpdev->src;
>> +	chinfo.dst = rpdev->dst;
>> +
>> +	eptdev =  __rpmsg_chrdev_eptdev_create(rpdev, &rpdev->dev, chinfo);
> 
> Note that this creates a new endpoint device as a child of the rpdev,
> while new endpoints created by RPMSG_CREATE_EPT_IOCTL are parented by
> the rpmsg_ctrl device.

Right, this is probed by the rpmsg bus.

> 
> So it is possible to create two /dev/rpmsgN nodes for the same endpoint,
> I believe with the outcome that this one will be open but
> __rpmsg_create_ept() in virtio_rpmsg_bus should return NULL if the user
> tries to open the other one.

I do not observe this behavior on the virtio backend. In my test I create 2
instances based on the ns announcement; /dev/rpmsg0 & /dev/rpmsg1 are created.
Then I create a new instance using RPMSG_CREATE_EPT_IOCTL, which creates
/dev/rpmsg2.

The use of ida_simple_get in __rpmsg_chrdev_eptdev_create should prevent such a
use case.
Do you observe such behavior on your side, or is it only a concern?

> 
>> +	if (IS_ERR(eptdev))
>> +		return PTR_ERR(eptdev);
>> +
>> +	/*
>> +	 * Create the default endpoint associated to the rpmsg device and provide rpmsg_eptdev
>> +	 * structure as callback private data.
>> +	 */
>> +	ept = rpmsg_create_default_ept(rpdev, rpmsg_ept_cb, eptdev, eptdev->chinfo);
> 
> Why don't you just set rpdev->priv to eptdev and make rpmsg_ept_cb the
> callback of your rpmsg_driver?

You mean ept->priv, I suppose.

Because the priv parameter is managed by the rpmsg backend, so I have to assume
that it is used for some other purposes in the backend.

> 
>> +	if (!ept) {
>> +		dev_err(&rpdev->dev, "failed to create %s\n", eptdev->chinfo.name);
>> +		put_device(&eptdev->dev);
>> +		return -EINVAL;
>> +	}
>> +
>> +	/*
>> +	 * Do not allow the creation and release of an endpoint on /dev/rpmsgX open and close,
>> +	 * reuse the default endpoint instead
>> +	 */
> 
> What happens when __rpmsg_chrdev_eptdev_create() delivers a uevent and
> user space quickly calls open() on the newly created /dev/rpmsgN, before
> the next line?

Right, here I can see 2 solutions:
- the use of a mutex to block the open
- move the rpmsg_create_default_ept into the open, but in this case I need to keep
the eptdev->static_ept bool

A preference or an alternative?

> 
>> +	eptdev->static_ept = true;
>> +
>> +	return 0;
>> +}
>> +
>> +static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev)
>> +{
>> +	int ret;
>> +
>> +	ret = device_for_each_child(&rpdev->dev, NULL, rpmsg_chrdev_eptdev_destroy);
>> +	if (ret)
>> +		dev_warn(&rpdev->dev, "failed to destroy endpoints: %d\n", ret);
>> +}
>> +
>> +static struct rpmsg_device_id rpmsg_chrdev_id_table[] = {
>> +	{ .name	= RPMSG_CHAR_DEVNAME },
> 
> I would expect that this list would grow, but you hard coded
> RPMSG_CHAR_DEVNAME in probe, so that won't work.

The point here is more the use of RPMSG_CHAR_DEVNAME in
 memcpy(chinfo.name, RPMSG_CHAR_DEVNAME, sizeof(RPMSG_CHAR_DEVNAME));
right?

I can change this to rpdev->id->name and suppress RPMSG_CHAR_DEVNAME.

Regards,
Arnaud

> 
> Regards,
> Bjorn
> 
>> +	{ },
>> +};
>> +
>> +static struct rpmsg_driver rpmsg_chrdev_driver = {
>> +	.probe = rpmsg_chrdev_probe,
>> +	.remove = rpmsg_chrdev_remove,
>> +	.id_table = rpmsg_chrdev_id_table,
>> +	.drv.name = "rpmsg_chrdev",
>> +};
>> +
>>  static int rpmsg_chrdev_init(void)
>>  {
>>  	int ret;
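Review bot: In rpmsg_chrdev_probe(), chinfo is declared on the stack without an initializer and the memcpy() writes only sizeof(RPMSG_CHAR_DEVNAME) bytes of chinfo.name, so the rest of the name array and every member other than src and dst go into __rpmsg_chrdev_eptdev_create(), which takes the struct by value, as stale stack contents. Zero the struct at declaration (struct rpmsg_channel_info chinfo = {};) or use a padding copy bounded by sizeof(chinfo.name), so that nothing that later stores or compares the full name field sees uninitialized bytes. Separately, eptdev->static_ept is set only after the device has been created and the default endpoint attached, so any path that reaches the eptdev in between still sees static_ept as false; set it before the device becomes visible, or hand it to the create helper, to close that window.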
>> @@ -434,16 +491,30 @@ static int rpmsg_chrdev_init(void)
>>  	rpmsg_class = class_create(THIS_MODULE, "rpmsg");
>>  	if (IS_ERR(rpmsg_class)) {
>>  		pr_err("failed to create rpmsg class\n");
>> -		unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
>> -		return PTR_ERR(rpmsg_class);
>> +		ret = PTR_ERR(rpmsg_class);
>> +		goto free_region;
>> +	}
>> +
>> +	ret = register_rpmsg_driver(&rpmsg_chrdev_driver);
>> +	if (ret < 0) {
>> +		pr_err("rpmsg: failed to register rpmsg raw driver\n");
>> +		goto free_class;
>>  	}
>>  
>>  	return 0;
>> +
>> +free_class:
>> +	class_destroy(rpmsg_class);
>> +free_region:
>> +	unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
>> +
>> +	return ret;
>>  }
>>  postcore_initcall(rpmsg_chrdev_init);
>>  
>>  static void rpmsg_chrdev_exit(void)
>>  {
>> +	unregister_rpmsg_driver(&rpmsg_chrdev_driver);
>>  	class_destroy(rpmsg_class);
>>  	unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
>>  }
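Review bot: The two pr_err() calls in rpmsg_chrdev_init() are inconsistent: the new one carries a hand-written "rpmsg: " prefix while the existing "failed to create rpmsg class" does not, and neither prints the error code. Drop the hand-written prefix (or move it into a pr_fmt definition for the file) and log ret, for example "failed to register rpmsg raw driver: %d\n", so the failure can be diagnosed from the log alone. The goto unwinding and the reverse-order teardown in rpmsg_chrdev_exit() look right.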
>> -- 
>> 2.17.1
>>
