From: Greg KH <gregkh@linuxfoundation.org>
To: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: robh+dt@kernel.org, arnd@arndb.de, mark.rutland@arm.com,
devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
bjorn.andersson@linaro.org, bkumar@qti.qualcomm.com,
linux-arm-msm@vger.kernel.org, thierry.escande@linaro.org
Subject: Re: [PATCH v4 3/5] misc: fastrpc: Add support for context Invoke method
Date: Thu, 31 Jan 2019 16:34:19 +0100 [thread overview]
Message-ID: <20190131153419.GA18667@kroah.com> (raw)
In-Reply-To: <20190124152412.10503-4-srinivas.kandagatla@linaro.org>
On Thu, Jan 24, 2019 at 03:24:10PM +0000, Srinivas Kandagatla wrote:
> This patch adds support to compute context invoke method
> on the remote processor (DSP).
> This involves setting up the functions input and output arguments,
> input and output handles and mapping the dmabuf fd for the
> argument/handle buffers.
>
This says _what_ this code does, but not why. What about all of that
explaination you had in the 0/5 patch, shouldn't that be here, or on
patch 2/5?
Some nits below:
> +static int fastrpc_invoke(struct fastrpc_user *fl, char __user *argp)
> +{
> + struct fastrpc_invoke_args *args = NULL;
> + struct fastrpc_invoke inv;
> + u32 nscalars;
> + int err;
> +
> + if (copy_from_user(&inv, argp, sizeof(inv)))
> + return -EFAULT;
> +
> + nscalars = REMOTE_SCALARS_LENGTH(inv.sc);
> + if (nscalars) {
> + args = kcalloc(nscalars, sizeof(*args), GFP_KERNEL);
Yeah, let's not bounds check the input variables and suck up all of the
kernel memory!
Remember:
ALL INPUT IS EVIL
> + if (!args)
> + return -ENOMEM;
> +
> + if (copy_from_user(args, (void __user *)(uintptr_t)inv.args,
> + nscalars * sizeof(*args))) {
That could be very big, again, check the input.
> + kfree(args);
> + return -EFAULT;
> + }
> + }
> +
> + err = fastrpc_internal_invoke(fl, false, inv.handle, inv.sc, args);
What's the odds you check the input values here... :(
> +static long fastrpc_device_ioctl(struct file *file, unsigned int cmd,
> + unsigned long arg)
> +{
> + struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
> + char __user *argp = (char __user *)arg;
> + int err;
> +
> + switch (cmd) {
> + case FASTRPC_IOCTL_INVOKE:
> + err = fastrpc_invoke(fl, argp);
> + break;
> + default:
> + err = -ENOTTY;
> + dev_err(fl->sctx->dev, "bad ioctl: %d\n", cmd);
Don't spam the syslog if someone sends you an invalid ioctl. That's a
sure way to DoS the system.
> + break;
> + }
> +
> + if (err)
> + dev_dbg(fl->sctx->dev, "Error: IOCTL Failed with %d\n", err);
> +
> + return err;
> +}
> +
> static const struct file_operations fastrpc_fops = {
> .open = fastrpc_device_open,
> .release = fastrpc_device_release,
> + .unlocked_ioctl = fastrpc_device_ioctl,
> + .compat_ioctl = fastrpc_device_ioctl,
> };
>
> static int fastrpc_cb_probe(struct platform_device *pdev)
> @@ -260,9 +932,25 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
> return of_platform_populate(rdev->of_node, NULL, NULL, rdev);
> }
>
> +static void fastrpc_notify_users(struct fastrpc_user *user)
> +{
> + struct fastrpc_invoke_ctx *ctx, *n;
> +
> + spin_lock(&user->lock);
> + list_for_each_entry_safe(ctx, n, &user->pending, node)
> + complete(&ctx->work);
Why safe? You aren't deleting the list here.
> + spin_unlock(&user->lock);
> +}
> +
> static void fastrpc_rpmsg_remove(struct rpmsg_device *rpdev)
> {
> struct fastrpc_channel_ctx *cctx = dev_get_drvdata(&rpdev->dev);
> + struct fastrpc_user *user, *n;
> +
> + spin_lock(&cctx->lock);
> + list_for_each_entry_safe(user, n, &cctx->users, user)
> + fastrpc_notify_users(user);
Same here.
> + spin_unlock(&cctx->lock);
>
> misc_deregister(&cctx->miscdev);
> of_platform_depopulate(&rpdev->dev);
> @@ -272,6 +960,31 @@ static void fastrpc_rpmsg_remove(struct rpmsg_device *rpdev)
> static int fastrpc_rpmsg_callback(struct rpmsg_device *rpdev, void *data,
> int len, void *priv, u32 addr)
> {
> + struct fastrpc_channel_ctx *cctx = dev_get_drvdata(&rpdev->dev);
> + struct fastrpc_invoke_rsp *rsp = data;
> + struct fastrpc_invoke_ctx *ctx;
> + unsigned long flags;
> + unsigned long ctxid;
> +
> + if (len < sizeof(*rsp)) {
> + dev_err(&rpdev->dev, "invalid response or context\n");
> + return -EINVAL;
> + }
Again, don't allow userspace to spam the syslog.
> +
> + ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
> +
> + spin_lock_irqsave(&cctx->lock, flags);
> + ctx = idr_find(&cctx->ctx_idr, ctxid);
> + spin_unlock_irqrestore(&cctx->lock, flags);
> +
> + if (!ctx) {
> + dev_err(&rpdev->dev, "No context ID matches response\n");
> + return -ENOENT;
> + }
> +
> + ctx->retval = rsp->retval;
> + complete(&ctx->work);
> +
> return 0;
> }
>
> diff --git a/include/uapi/misc/fastrpc.h b/include/uapi/misc/fastrpc.h
> new file mode 100644
> index 000000000000..a69ef33dc37e
> --- /dev/null
> +++ b/include/uapi/misc/fastrpc.h
> @@ -0,0 +1,23 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +
> +#ifndef __QCOM_FASTRPC_H__
> +#define __QCOM_FASTRPC_H__
> +
> +#include <linux/types.h>
> +
> +#define FASTRPC_IOCTL_INVOKE _IOWR('R', 3, struct fastrpc_invoke)
> +
> +struct fastrpc_invoke_args {
> + __u64 ptr;
> + __u64 length;
> + __s32 fd;
> + __u32 reserved;
Are you checking that reserved is all 0 now?
> +};
> +
> +struct fastrpc_invoke {
> + __u32 handle;
> + __u32 sc;
> + __u64 args;
> +};
Do you need packed here? What about endian issues?
thanks,
greg k-h
next prev parent reply other threads:[~2019-01-31 15:34 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-24 15:24 [PATCH v4 0/5] misc: Add support to Qualcomm FastRPC driver Srinivas Kandagatla
2019-01-24 15:24 ` [PATCH v4 1/5] misc: dt-bindings: Add Qualcomm Fastrpc bindings Srinivas Kandagatla
2019-01-30 16:37 ` Rob Herring
2019-01-30 16:37 ` Rob Herring
2019-01-24 15:24 ` [PATCH v4 2/5] misc: fastrpc: Add Qualcomm fastrpc basic driver model Srinivas Kandagatla
2019-01-24 15:24 ` [PATCH v4 3/5] misc: fastrpc: Add support for context Invoke method Srinivas Kandagatla
2019-01-31 15:34 ` Greg KH [this message]
2019-01-31 17:55 ` Srinivas Kandagatla
2019-01-24 15:24 ` [PATCH v4 4/5] misc: fastrpc: Add support for create remote init process Srinivas Kandagatla
2019-01-24 15:24 ` [PATCH v4 5/5] misc: fastrpc: Add support for dmabuf exporter Srinivas Kandagatla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190131153419.GA18667@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=bjorn.andersson@linaro.org \
--cc=bkumar@qti.qualcomm.com \
--cc=devicetree@vger.kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=robh+dt@kernel.org \
--cc=srinivas.kandagatla@linaro.org \
--cc=thierry.escande@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.