lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <14399464-919f-3834-5dea-e3b80635f0e0@intel.com>
Date:   Fri, 21 Oct 2022 10:33:54 -0700
From:   "Walker, Benjamin" <benjamin.walker@...el.com>
To:     Vinod Koul <vkoul@...nel.org>
CC:     <dmaengine@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5 4/7] dmaengine: Add provider documentation on cookie
 assignment

On 10/19/2022 9:12 PM, Vinod Koul wrote:
> On 19-10-22, 10:21, Walker, Benjamin wrote:
>> On 10/19/2022 9:34 AM, Vinod Koul wrote:
>>> On 29-08-22, 13:35, Ben Walker wrote:
>>>> Clarify the rules on assigning cookies to DMA transactions.
>>>>
>>>> Signed-off-by: Ben Walker <benjamin.walker@...el.com>
>>>> ---
>>>>    .../driver-api/dmaengine/provider.rst         | 45 +++++++++++++++----
>>>>    1 file changed, 37 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/Documentation/driver-api/dmaengine/provider.rst b/Documentation/driver-api/dmaengine/provider.rst
>>>> index 1d0da2777921d..a5539f816d125 100644
>>>> --- a/Documentation/driver-api/dmaengine/provider.rst
>>>> +++ b/Documentation/driver-api/dmaengine/provider.rst
>>>> @@ -417,7 +417,9 @@ supported.
>>>>        - tx_submit: A pointer to a function you have to implement,
>>>>          that is supposed to push the current transaction descriptor to a
>>>> -      pending queue, waiting for issue_pending to be called.
>>>> +      pending queue, waiting for issue_pending to be called. Each
>>>> +      descriptor is given a cookie to identify it. See the section
>>>> +      "Cookie Management" below.
>>>>      - In this structure the function pointer callback_result can be
>>>>        initialized in order for the submitter to be notified that a
>>>> @@ -522,6 +524,40 @@ supported.
>>>>      - May sleep.
>>>> +Cookie Management
>>>> +------------------
>>>> +
>>>> +When a transaction is queued for submission via tx_submit(), the provider
>>>> +must assign that transaction a cookie (dma_cookie_t) to uniquely identify it.
>>>> +The provider is allowed to perform this assignment however it wants, but for
>>>
>>> We assumes that we have monotonically increasing cookie and
>>> if cookie 10 is marked complete cookie 8 is assumed complete too...
>>
>> That's exactly what this patch series is changing. The earlier patches make
>> changes to no longer report to the client the "last" or "used" cookie (to
>> compare against) in the client APIs, and it turns out that nothing in the
>> kernel actually cares about this behavior. So it's simply a documentation
>> change to indicate that the client no longer has any visibility into the
>> cookie behavior.
> 
> Not really, there are some engines which will notify that descriptor X
> completed which also implies that all descriptors before X have
> completed as well...
> 
> If we change the default behaviour, we risk breaking those.

I actually don't believe it's true that any clients rely on this 
behavior today. Certainly, that's the defined behavior prior to this 
patch series and a client could have relied on that. But I did a big 
audit and I don't believe any of them actually do. Prior to submitting 
this patch series I was thinking I needed to create new APIs that code 
could opt into and convert over to gradually, but it seems we're 
fortunate enough to get away with just changing the documentation.

As a quick justification, it's worth doing the work to audit and confirm 
all of this because this is such an important change for the future 
usefulness of the dmaengine framework. Modern DMA devices are best used 
by polling for completions, and they certainly can complete out of 
order. As more of the kernel moves to performing asynchronous operations 
(mostly via io_uring), this is becoming very important. The rest of this 
email is me repeating my big audit and taking notes along the way. I 
apologize if it's long, but it's important to document the findings.

If we look at the client-facing API, we can identify all of the points 
at which a cookie is returned to the user or consumed by the the API as 
input.


As input:
dma_submit_error
dmaengine_tx_status
dma_async_is_tx_complete
dmaengine_is_tx_complete
dma_sync_wait

As a returned value:
dmaengine_submit
dmaengine_tx_status (via the returned state parameter)
dma_async_is_tx_complete (via last/user parameters)

It's also in the following data structures (which are visible to clients):
dma_chan
dma_async_tx_descriptor (returned from the tx_submit function pointer)
dma_tx_state (only returned by dmaengine_tx_status)

So auditing all of those uses:
- dma_submit_error doesn't assume it's monotonically increasing

- dmaengine_tx_status itself doesn't assume (in the generic dmaengine 
code) it's monotonically increasing. Providers implementing this call 
may assume that, but they're in control of making it so. This call can 
also return cookies via the optional state parameter. Except every call 
either passes NULL for state to ignore it, or allocates state on the 
stack and never stores it outside of the local function. Within those 
functions, only state.residue is ever used - the cookies are never touched.

- dma_sync_wait is called in 5 places. In 3 places it's called 
immediately after a dmaengine_submit and the cookie is only ever on the 
stack and never compared to anything. The other two spots are during 
shutdown in ntb_transport_free_queue(). All it's doing here is waiting 
for the last *submitted* cookie to finish, then aborting anything that 
is still outstanding. This driver already works with devices that 
complete out of order (idxd), so it has a comment saying that waiting 
for the last submitted may not wait for all, and that's why it does the 
abort. No issue there.

- dmaengine_is_tx_complete isn't used anywhere. We just added it in this 
series. It's intended to replace dma_async_is_tx_complete.

- dma_async_is_tx_complete is called in 4 places:
-- stm32-hash.c calls dmaengine_submit to get a cookie, then calls 
dma_async_is_tx_complete with that value. The cookie only exists on the 
stack and it's value is never compared with anything. The last/used 
return values are not used.

-- rio_mport_cdev.c calls dmaengine_submit and stores the cookie into a 
request object. That's then passed into dma_async_is_tx_complete later 
and the last/used parameters are not captured. This cookie is only 
compared to other cookies using equality, so this one is safe.

-- omap_vout_vrfb.c is the same story as stm32-hash.c. The cookie is 
only used within a single function and it's never compared to another 
cookie.

-- pxa_camera.c does appear to rely on cookie values monotonically 
increasing. Except we get off easy here, because this driver only works 
with dma channels for one specific provider. It can't use just any 
provider. This particular provider elects to make it's cookies 
monotonically increasing still, so nothing breaks. In general, I have 
some real concerns on layering in this driver since the DMA engine it's 
using does not appear to be generic and instead only works with this 
particular camera device. I don't feel like it should be using the 
dmaengine framework at all.

- dmaengine_submit returns a cookie to the user, and the remaining uses 
of the cookie are embedded into structs. To audit these I created a 
patch that changes the type of dma_cookie_t to a struct like so:

typedef struct {
     s32 val;
} dma_cookie_t;

I then fixed up the utility functions in the dmaengine framework, 
commented out all of the printk stuff that was complaining about casting 
a struct to %d, and let the compiler find all of the places where math 
or comparisons were performed on it. Filtering out comparisons against 0 
to detect errors, assignments to negative values, equality comparisons 
to other cookies, and any uses by DMA providers, which all still work 
after this patch series, we're left with... nothing.

So the summary is:

- pxa_camera is the only client that cares about the cookie behavior, 
but it's tied in to exactly one provider that happens to do the cookies 
the way it wants. This patch series doesn't force any provider to change 
what it does currently.

It really is the case that none of the clients care about the cookie 
behavior, and we really can just make a documentation change to modify 
cookies to become opaque handles.

>>
>> Immediately below here the documentation then says that there's some
>> convenience functions that providers can use that do produce monotonically
>> increasing cookies. These are now optional for providers to use, if they
>> find them useful, rather than the required way to manage the cookies.
>>
>>>
>>> Completion is always in order unless we specify DMA_COMPLETION_NO_ORDER
>>
>> The final patch in this series eliminates DMA_COMPLETION_NO_ORDER entirely.
>> It was only used by the IDXD driver, and the reason I'm doing these patches
>> is so that we can poll the IDXD driver for completions even though it can
>> complete out of order.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ