From: "Michael S. Tsirkin" <mst@redhat.com>
To: Gabriel Somlo <somlo@cmu.edu>
Cc: "Marc-André Lureau" <marcandre.lureau@gmail.com>,
"open list" <linux-kernel@vger.kernel.org>,
slp@redhat.com, bhe@redhat.com, xiaolong.ye@intel.com
Subject: Re: [PATCH v15 08/11] fw_cfg: handle fw_cfg_read_blob() error
Date: Thu, 1 Mar 2018 01:58:01 +0200 [thread overview]
Message-ID: <20180301015743-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20180228232551.GA23743@crash.ini.cmu.edu>
On Wed, Feb 28, 2018 at 06:25:58PM -0500, Gabriel Somlo wrote:
> On Wed, Feb 28, 2018 at 05:32:52PM +0200, Michael S. Tsirkin wrote:
> > On Wed, Feb 28, 2018 at 12:49:35PM +0100, Marc-André Lureau wrote:
> > > Hi
> > >
> > > On Tue, Feb 27, 2018 at 1:20 AM, Michael S. Tsirkin <mst@redhat.com> wrote:
> > > > On Thu, Feb 15, 2018 at 10:33:09PM +0100, Marc-André Lureau wrote:
> > > >> fw_cfg_read_blob() may fail, but does not return error. This may lead
> > > >> to undefined behaviours, such as a memcmp(sig, "QEMU") on uninitilized
> > > >> memory.
> > > >
> > > > I don't think that's true - there's a memset there that
> > > > will initialize the memory. probe is likely the only
> > > > case where it returns a slightly incorrect data.
> > >
> > > Right, I'll update the commit message.
> > >
> > > >> Return an error if ACPI locking failed. Also, the following
> > > >> DMA read/write extension will add more error paths that should be
> > > >> handled appropriately.
> > > >>
> > > >> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > > >> ---
> > > >> drivers/firmware/qemu_fw_cfg.c | 32 ++++++++++++++++++++++----------
> > > >> 1 file changed, 22 insertions(+), 10 deletions(-)
> > > >>
> > > >> diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c
> > > >> index f6f90bef604c..5e6e5ac71dab 100644
> > > >> --- a/drivers/firmware/qemu_fw_cfg.c
> > > >> +++ b/drivers/firmware/qemu_fw_cfg.c
> > > >> @@ -59,8 +59,8 @@ static void fw_cfg_sel_endianness(u16 key)
> > > >> }
> > > >>
> > > >> /* read chunk of given fw_cfg blob (caller responsible for sanity-check) */
> > > >> -static void fw_cfg_read_blob(u16 key,
> > > >> - void *buf, loff_t pos, size_t count)
> > > >> +static ssize_t fw_cfg_read_blob(u16 key,
> > > >> + void *buf, loff_t pos, size_t count)
> > > >> {
> > > >> u32 glk = -1U;
> > > >> acpi_status status;
> > > >> @@ -73,7 +73,7 @@ static void fw_cfg_read_blob(u16 key,
> > > >> /* Should never get here */
> > > >> WARN(1, "fw_cfg_read_blob: Failed to lock ACPI!\n");
> > > >> memset(buf, 0, count);
> > > >> - return;
> > > >> + return -EINVAL;
> > > >> }
> > > >>
> > > >> mutex_lock(&fw_cfg_dev_lock);
> > > >
> > > > Wouldn't something like -EBUSY be more appropriate?
> > >
> > > In theory, it would be a general failure right? I don't think we want
> > > the caller to retry. I think in EINVAL fits better, but I don't think
> > > it matters much this or EBUSY.
> > >
> > > >> @@ -84,6 +84,7 @@ static void fw_cfg_read_blob(u16 key,
> > > >> mutex_unlock(&fw_cfg_dev_lock);
> > > >>
> > > >> acpi_release_global_lock(glk);
> > > >> + return count;
> > > >> }
> > > >>
> > > >> /* clean up fw_cfg device i/o */
> > > >> @@ -165,8 +166,9 @@ static int fw_cfg_do_platform_probe(struct platform_device *pdev)
> > > >> }
> > > >>
> > > >> /* verify fw_cfg device signature */
> > > >> - fw_cfg_read_blob(FW_CFG_SIGNATURE, sig, 0, FW_CFG_SIG_SIZE);
> > > >> - if (memcmp(sig, "QEMU", FW_CFG_SIG_SIZE) != 0) {
> > > >> + if (fw_cfg_read_blob(FW_CFG_SIGNATURE, sig,
> > > >> + 0, FW_CFG_SIG_SIZE) < 0 ||
> > > >> + memcmp(sig, "QEMU", FW_CFG_SIG_SIZE) != 0) {
> > > >> fw_cfg_io_cleanup();
> > > >> return -ENODEV;
> > > >> }
> > > >> @@ -326,8 +328,7 @@ static ssize_t fw_cfg_sysfs_read_raw(struct file *filp, struct kobject *kobj,
> > > >> if (count > entry->size - pos)
> > > >> count = entry->size - pos;
> > > >>
> > > >> - fw_cfg_read_blob(entry->select, buf, pos, count);
> > > >> - return count;
> > > >> + return fw_cfg_read_blob(entry->select, buf, pos, count);
> > > >> }
> > > >>
> > > >> static struct bin_attribute fw_cfg_sysfs_attr_raw = {
> > > >> @@ -483,7 +484,11 @@ static int fw_cfg_register_dir_entries(void)
> > > >> struct fw_cfg_file *dir;
> > > >> size_t dir_size;
> > > >>
> > > >> - fw_cfg_read_blob(FW_CFG_FILE_DIR, &files_count, 0, sizeof(files_count));
> > > >> + ret = fw_cfg_read_blob(FW_CFG_FILE_DIR, &files_count,
> > > >> + 0, sizeof(files_count));
> > > >> + if (ret < 0)
> > > >> + return ret;
> > > >> +
> > > >> count = be32_to_cpu(files_count);
> > > >> dir_size = count * sizeof(struct fw_cfg_file);
> > > >>
> > > >> @@ -491,7 +496,10 @@ static int fw_cfg_register_dir_entries(void)
> > > >> if (!dir)
> > > >> return -ENOMEM;
> > > >>
> > > >> - fw_cfg_read_blob(FW_CFG_FILE_DIR, dir, sizeof(files_count), dir_size);
> > > >> + ret = fw_cfg_read_blob(FW_CFG_FILE_DIR, dir,
> > > >> + sizeof(files_count), dir_size);
> > > >> + if (ret < 0)
> > > >> + goto end;
> > > >>
> > > >> for (i = 0; i < count; i++) {
> > > >> ret = fw_cfg_register_file(&dir[i]);
> > > >> @@ -499,6 +507,7 @@ static int fw_cfg_register_dir_entries(void)
> > > >> break;
> > > >> }
> > > >>
> > > >> +end:
> > > >> kfree(dir);
> > > >> return ret;
> > > >> }
> > > >> @@ -539,7 +548,10 @@ static int fw_cfg_sysfs_probe(struct platform_device *pdev)
> > > >> goto err_probe;
> > > >>
> > > >> /* get revision number, add matching top-level attribute */
> > > >> - fw_cfg_read_blob(FW_CFG_ID, &rev, 0, sizeof(rev));
> > > >> + err = fw_cfg_read_blob(FW_CFG_ID, &rev, 0, sizeof(rev));
> > > >> + if (err < 0)
> > > >> + goto err_probe;
> > > >> +
> > > >> fw_cfg_rev = le32_to_cpu(rev);
> > > >> err = sysfs_create_file(fw_cfg_top_ko, &fw_cfg_rev_attr.attr);
> > > >> if (err)
> > > >
> > > > I think that this is the only case where it's not doing the right thing right now in
> > > > that it shows 0 as the revision to the users. Is it worth failing probe
> > > > here? We could just skip the attribute, could we not?
> > >
> > > I think it's best to fail the probe if we have a read failure at that time.
> >
> > I'd rather we just dropped this attribute completely.
> > Why is it there?
> > Does any userspace actually need it?
> > Gabriel?
>
> I'd recommend keeping it: `cat /sys/firmware/qemu_fw_cfg/rev` is how
> you can easily tell if, e.g., dma is supported :)
>
> If you end up with a '0' there, it's because locking ACPI with
> WAIT_FOREVER failed with something other than AE_NOT_CONFIGURED, which
> should never happen, so we're off the reservation, having morally
> failed the equivalent of an assertion.
>
> Perhaps memset to something other than 0 (all-Fs, so we'd get a -1 for
> rev)?
>
> Thanks,
> --Gabriel
Why not just skip adding the attribute on this error?
> >
> > > --
> > > Marc-André Lureau
next prev parent reply other threads:[~2018-02-28 23:58 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-15 21:33 [PATCH v15 00/11] fw_cfg: add DMA operations & etc/vmcoreinfo support Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 01/11] crash: export paddr_vmcoreinfo_note() Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 02/11] fw_cfg: add a public uapi header Marc-André Lureau
2018-02-27 0:06 ` Michael S. Tsirkin
2018-02-28 11:50 ` Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 03/11] fw_cfg: fix sparse warnings in fw_cfg_sel_endianness() Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 04/11] fw_cfg: fix sparse warnings with fw_cfg_file Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 05/11] fw_cfg: fix sparse warning reading FW_CFG_ID Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 06/11] fw_cfg: fix sparse warnings around FW_CFG_FILE_DIR read Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 07/11] fw_cfg: remove inline from fw_cfg_read_blob() Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 08/11] fw_cfg: handle fw_cfg_read_blob() error Marc-André Lureau
2018-02-27 0:20 ` Michael S. Tsirkin
2018-02-28 11:49 ` Marc-André Lureau
2018-02-28 13:01 ` Gabriel Somlo
2018-02-28 15:32 ` Michael S. Tsirkin
2018-02-28 23:25 ` Gabriel Somlo
2018-02-28 23:58 ` Michael S. Tsirkin [this message]
2018-02-28 23:58 ` Michael S. Tsirkin
2018-03-01 0:49 ` Gabriel Somlo
2018-03-01 0:35 ` Gabriel Somlo
2018-02-15 21:33 ` [PATCH v15 09/11] fw_cfg: add DMA register Marc-André Lureau
2018-02-15 21:33 ` [PATCH v15 10/11] fw_cfg: write vmcoreinfo details Marc-André Lureau
2018-02-27 0:28 ` Michael S. Tsirkin
2018-02-28 12:22 ` Marc-André Lureau
2018-02-28 15:34 ` Michael S. Tsirkin
2018-02-15 21:33 ` [PATCH v15 11/11] RFC: fw_cfg: do DMA read operation Marc-André Lureau
2018-02-27 0:04 ` Michael S. Tsirkin
2018-02-28 12:27 ` Marc-André Lureau
2018-02-28 15:35 ` Michael S. Tsirkin
2018-02-28 15:41 ` Marc-André Lureau
2018-02-28 15:48 ` Michael S. Tsirkin
2018-02-28 16:00 ` Marc-André Lureau
2018-02-28 17:16 ` Michael S. Tsirkin
2018-02-28 17:17 ` Michael S. Tsirkin
2018-02-28 17:22 ` Marc-André Lureau
2018-02-27 0:29 ` [PATCH v15 00/11] fw_cfg: add DMA operations & etc/vmcoreinfo support Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180301015743-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=bhe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcandre.lureau@gmail.com \
--cc=slp@redhat.com \
--cc=somlo@cmu.edu \
--cc=xiaolong.ye@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.