lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 07 Jul 2022 23:20:33 -0700 (PDT)
From:   Palmer Dabbelt <palmer@...belt.com>
To:     heiko@...ech.de, guoren@...nel.org
CC:     heiko@...ech.de, Paul Walmsley <paul.walmsley@...ive.com>,
        linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
        wefu@...hat.com, cmuellner@...ux.com, philipp.tomsich@...ll.eu,
        Christoph Hellwig <hch@....de>, re@...z.net
Subject:     Re: [PATCH] riscv: don't warn for sifive erratas in modules

On Thu, 09 Jun 2022 18:12:27 PDT (-0700), guoren@...nel.org wrote:
> On Thu, Jun 9, 2022 at 5:58 PM Heiko Stübner <heiko@...ech.de> wrote:
>>
>> Hi Guo,
>>
>> Am Donnerstag, 9. Juni 2022, 03:39:24 CEST schrieb Guo Ren:
>> > On Wed, Jun 8, 2022 at 8:09 PM Heiko Stuebner <heiko@...ech.de> wrote:
>> > >
>> > > The SiFive errata code contains code checking applicable erratas
>> > > vs. actually applied erratas to suggest missing erratas to the
>> > > user when their Kconfig options are not enabled.
>> > >
>> > > In the main kernel image one can be quite sure that all available
>> > > erratas appear at least once, so that check will succeed.
>> > > On the other hand modules can very well not use any errata-relevant
>> > > code, so the newly added module-alternative support may also patch
>> > > the module code, but not touch SiFive-specific erratas at all.
>> > >
>> > > So to restore the original behaviour don't warn when patching
>> > > modules. This will keep the warning if necessary for the main kernel
>> > > image but prevent spurious warnings for modules.
>> > >
>> > > Of course having such a vendor-specific warning may not be needed at
>> > > all, as CONFIG_ERRATA_SIFIVE is selected by CONFIG_SOC_SIFIVE and the
>> > > individual erratas are default-y so disabling them requires
>> > > deliberate action anyway. But for now just restore the old behaviour.
>> > >
>> > > Fixes: a8e910168bba ("riscv: implement module alternatives")
>> > > Reported-by: Ron Economos <re@...z.net>
>> > > Signed-off-by: Heiko Stuebner <heiko@...ech.de>
>> > > ---
>> > >  arch/riscv/errata/sifive/errata.c | 3 ++-
>> > >  1 file changed, 2 insertions(+), 1 deletion(-)
>> > >
>> > > diff --git a/arch/riscv/errata/sifive/errata.c b/arch/riscv/errata/sifive/errata.c
>> > > index 672f02b21ce0..1031038423e7 100644
>> > > --- a/arch/riscv/errata/sifive/errata.c
>> > > +++ b/arch/riscv/errata/sifive/errata.c
>> > > @@ -111,6 +111,7 @@ void __init_or_module sifive_errata_patch_func(struct alt_entry *begin,
>> > >                         cpu_apply_errata |= tmp;
>> > >                 }
>> > >         }
>> > > -       if (cpu_apply_errata != cpu_req_errata)
>> > > +       if (stage != RISCV_ALTERNATIVES_MODULE &&
>> > > +           cpu_apply_errata != cpu_req_errata)
>> > if (cpu_apply_errata &= ~cpu_req_errata)
>>
>> Hmm, I don't see what that changes?
> +       if (stage != RISCV_ALTERNATIVES_MODULE &&
> +           cpu_apply_errata != cpu_req_errata)
>                 warn_miss_errata(cpu_req_errata - cpu_apply_errata);
> +       else if (cpu_apply_errata &= ~cpu_req_errata)
>                 warn_miss_errata(cpu_req_errata - cpu_apply_errata);
>
> All module's errata should be a subset of the main kernel. Not just
> skip the check of MODULE.
>
>>
>>
>> > Shall we still guarantee the module's must be a subset of the main kernel.'s?
>>
>> The warning generated there is mainly to warn about some Kconfig options
>> not being enabled and in individual modules even no errata usage may be
>> required.

The problem here is really the mechanism by which that warning is 
generated: we assume that each alternative stage generates at least one 
instance of each errata, otherwise we provide the warning.  That's OK 
for the kernel, as we only have the one errata stage for SiFive stuff,
but modules might not directly include any behavior that depends on 
errata so they'll miss the check.

Having a mismatch between the kernel and a module could also cause 
issues, but there's way bigger issues than errata.  Unless I missed 
something there's no checks to make sure the kernel matches modules, but 
that's not really an arch/riscv thing.

>> The intent for the patch is to restore how things behaved before
>> module-alternatives were introduced, so I don't really want to
>> introduce functional changes ;-) .

IMO that's fine for a regression fix.  Maybe there's better ways to do 
this, but this at least gets rid of the spurious warning.

>> But also in the future we could debate if that warning is helpful at all,
>> as the erratas are enabled automatically by CONFIG_SOC_SIFIVE and
>> thus disabling individual erratas requires someone to turn them off
>> manually in their .config .

I could see arguments either way here: there's a bunch of Kconfigs 
(drivers and such) where turning them off will result in kernels that 
don't work and we don't warn for those, but errata are also likely to 
result in kernels that are subtly broken so being extra careful about 
checking for them seems reasonable.

This is on fixes.

Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ