Re: [PATCH 08/29] drivers, md: convert mddev.active from atomic_t to refcount_t
On Tue, 2017-03-14 at 12:29 +, Reshetova, Elena wrote: > > Elena Reshetovawrites: > > > > > refcount_t type and corresponding API should be > > > used instead of atomic_t when the variable is used as > > > a reference counter. This allows to avoid accidental > > > refcounter overflows that might lead to use-after-free > > > situations. > > > > > > Signed-off-by: Elena Reshetova > > > Signed-off-by: Hans Liljestrand > > > Signed-off-by: Kees Cook > > > Signed-off-by: David Windsor > > > --- > > > drivers/md/md.c | 6 +++--- > > > drivers/md/md.h | 3 ++- > > > 2 files changed, 5 insertions(+), 4 deletions(-) > > > > When booting linux-next (specifically 5be4921c9958ec) I'm seeing > > the > > backtrace below. I suspect this patch is just exposing an existing > > issue? > > Yes, we have actually been following this issue in the another > thread. > It looks like the object is re-used somehow, but I can't quite > understand how just by reading the code. > This was what I put into the previous thread: > > "The log below indicates that you are using your refcounter in a bit > weird way in mddev_find(). > However, I can't find the place (just by reading the code) where you > would increment refcounter from zero (vs. setting it to one). > It looks like you either iterate over existing nodes (and increment > their counters, which should be >= 1 at the time of increment) or > create a new node, but then mddev_init() sets the counter to 1. " > > If you can help to understand what is going on with the object > creation/destruction, would be appreciated! > > Also Shaohua Li stopped this patch coming from his tree since the > issue was caught at that time, so we are not going to merge this > until we figure it out. Asking on the correct list (dm-devel) would have got you the easy answer: The refcount behind mddev->active is a genuine atomic. It has refcount properties but only if the array fails to initialise (in that case, final put kills it). Once it's added to the system as a gendisk, it cannot be freed until md_free(). Thus its ->active count can go to zero (when it becomes inactive; usually because of an unmount). On a simple allocation regardless of outcome, the last executed statement in md_alloc is mddev_put(): that destroys the device if we didn't manage to create it or returns 0 and adds an inactive device to the system which the user can get with mddev_find(). James
Re: [Ksummit-discuss] Including images on Sphinx documents
On Mon, 2016-11-21 at 12:06 -0200, Mauro Carvalho Chehab wrote: > Em Mon, 21 Nov 2016 11:39:41 +0100 > Johannes Bergescreveu: > > On Sat, 2016-11-19 at 10:15 -0700, Jonathan Corbet wrote: > > > > > Rather than beating our heads against the wall trying to convert > > > between various image formats, maybe we need to take a step > > > back. We're trying to build better documentation, and there is > > > certainly a place for diagrams and such in that > > > documentation. Johannes was asking about it for the 802.11 docs, > > > and I know Paul has run into these issues with the RCU docs as > > > well. Might there be a tool or an extension out there that would > > > allow us to express these diagrams in a text-friendly, editable > > > form? > > > > > > With some effort, I bet we could get rid of a number of the > > > images, and perhaps end up with something that makes sense when > > > read in the .rst source files as an extra benefit. > > > > I tend to agree, and I think that having this readable in the text > > would be good. > > > > You had pointed me to this plugin before > > https://pythonhosted.org/sphinxcontrib-aafig/ > > > > but I don't think it can actually represent any of the pictures. > > No, but there are some ascii art images inside some txt/rst files > and inside some kernel-doc comments. We could either use the above > extension for them or to convert into some image. The ascii art > images I saw seem to be diagrams, so Graphviz would allow replacing > most of them, if not all. Please don't replace ASCII art that effectively conveys conceptual diagrams. If you do, we'll wind up in situations where someone hasn't built the docs and doesn't possess the tools to see a diagram that was previously shown by every text editor (or can't be bothered to dig out the now separate file). In the name of creating "prettier" diagrams (and final doc), we'll have damaged capacity to understand stuff by just reading the source if this diagram is in kernel doc comments. I think this is a good application of "if it ain't broke, don't fix it". James -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Ksummit-discuss] Including images on Sphinx documents
On Thu, 2016-11-17 at 13:16 -0200, Mauro Carvalho Chehab wrote: > Hi Ted, > > Em Thu, 17 Nov 2016 09:52:44 -0500 > Theodore Ts'oescreveu: > > > On Thu, Nov 17, 2016 at 12:07:15PM +0100, Arnd Bergmann wrote: > > > [adding Linus for clarification] > > > > > > I understood the concern as being about binary files that you > > > cannot > > > modify with classic 'patch', which is a separate issue. > > > > I think the other complaint is that the image files aren't "source" > > in > > the proper term, since they are *not* the preferred form for > > modification --- that's the svg files. Beyond the license > > compliance > > issues (which are satisified because the .svg files are included in > > the git tree), there is the SCM cleaniless argument of not > > including > > generated files in the distribution, since this increases the > > opportunites for the "real" source file and the generated source > > file > > to get out of sync. (As just one example, if the patch can't > > represent the change to binary file.) > > > > I do check in generated files on occasion --- usually because I > > don't > > trust autoconf to be a stable in terms of generating a correct > > configure file from a configure.in across different versions of > > autoconf and different macro libraries that might be installed on > > the > > system. So this isn't a hard and fast rule by any means (although > > Linus may be more strict than I on that issue). > > > > I don't understand why it's so terrible to have generate the image > > file from the .svg file in a Makefile rule, and then copy it > > somewhere > > else if Sphinx is too dumb to fetch it from the normal location? > > The images whose source are in .svg are now generated via Makefile > for the PDF output (after my patches, already applied to the docs > -next > tree). > > So, the problem that remains is for those images whose source > is a bitmap. If we want to stick with the Sphinx supported formats, > we have only two options for bitmaps: jpg or png. We could eventually > use uuencode or base64 to make sure that the patches won't use > git binary diff extension, or, as Arnd proposed, use a portable > bitmap format, in ascii, converting via Makefile, but losing > the alpha channel with makes the background transparent. If it can use svg, why not use that? SVG files can be a simple xml wrapper around a wide variety of graphic image formats which are embedded in the svg using the data-uri format, you know ... Anything that handles SVGs should be able to handle all the embeddable image formats, which should give you a way around image restrictions whatever it is would otherwise have. James -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: IR remote stopped working in kernels 4.5 and 4.6
On Mon, 2016-07-04 at 23:08 +0200, Heiner Kallweit wrote: > Am 04.07.2016 um 22:36 schrieb James Bottomley: > > This looks to be a problem with the rc subsystem. The IR > > controller in question is part of a cx8800 atsc card. In the 4.4 > > kernel, where it works, this is what ir-keytable says: > > > > Found /sys/class/rc/rc0/ (/dev/input/event12) with: > > Driver cx88xx, table rc-hauppauge > > Supported protocols: other lirc rc-5 jvc sony nec sanyo mce-kbd > > rc-6 sharp xmp > > Enabled protocols: lirc nec > > Name: cx88 IR (pcHDTV HD3000 HDTV) > > bus: 1, vendor/product: 7063:3000, version: 0x0001 > > Repeat delay = 500 ms, repeat period = 125 ms > > > > And in 4.6, where it doesn't work: > > > > Found /sys/class/rc/rc0/ (/dev/input/event12) with: > > Driver cx88xx, table rc-hauppauge > > Supported protocols: lirc > > Enabled protocols: lirc > > Name: cx88 IR (pcHDTV HD3000 HDTV) > > bus: 1, vendor/product: 7063:3000, version: 0x0001 > > Repeat delay = 500 ms, repeat period = 125 ms > > > > The particular remote in question seems to require the nec protocol > > to work and the failure in 4.5 and 4.6 is having any supported > > protocols at all. I can get the remote to start working again by > > adding the nec protocol: > > > > echo nec > /sys/class/rc/rc0/protocols > > > > But it would be nice to have this happen by default rather than > > having to add yet another work around init script. > > > Meanwhile decoder modules are loaded on demand only. This can be done > automatically w/o the need for additional init scripts. > > If /etc/rc_maps.cfg includes a keymap with type NEC then the nec > decoder module is loaded automatically. > > My rc_maps.cfg looks like this (and causes the SONY decoder module to > be loaded automatically): > > #driver tablefile > * *sony-rm-sx800 > > And the keymap: > > # table sony-rm-sx800, type SONY > 0x110030KEY_PREVIOUS > 0x110031KEY_NEXT > 0x110033KEY_BACK > .. > .. Well, to work in the 4.4 kernel, the rc_maps.cfg names a table with the nec controller, so it seems that whatever is supposed to trigger autoloading isn't. Is ir-keytable supposed to do this? The current debian testing one is Package: ir-keytable Source: v4l-utils Version: 1.10.1-1 Which seems to be the most current one. James -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
IR remote stopped working in kernels 4.5 and 4.6
This looks to be a problem with the rc subsystem. The IR controller in question is part of a cx8800 atsc card. In the 4.4 kernel, where it works, this is what ir-keytable says: Found /sys/class/rc/rc0/ (/dev/input/event12) with: Driver cx88xx, table rc-hauppauge Supported protocols: other lirc rc-5 jvc sony nec sanyo mce-kbd rc-6 sharp xmp Enabled protocols: lirc nec Name: cx88 IR (pcHDTV HD3000 HDTV) bus: 1, vendor/product: 7063:3000, version: 0x0001 Repeat delay = 500 ms, repeat period = 125 ms And in 4.6, where it doesn't work: Found /sys/class/rc/rc0/ (/dev/input/event12) with: Driver cx88xx, table rc-hauppauge Supported protocols: lirc Enabled protocols: lirc Name: cx88 IR (pcHDTV HD3000 HDTV) bus: 1, vendor/product: 7063:3000, version: 0x0001 Repeat delay = 500 ms, repeat period = 125 ms The particular remote in question seems to require the nec protocol to work and the failure in 4.5 and 4.6 is having any supported protocols at all. I can get the remote to start working again by adding the nec protocol: echo nec > /sys/class/rc/rc0/protocols But it would be nice to have this happen by default rather than having to add yet another work around init script. James -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 29/31] parisc: handle page-less SG entries
On Thu, 2015-08-13 at 20:30 -0700, Dan Williams wrote: On Thu, Aug 13, 2015 at 7:31 AM, Christoph Hellwig h...@lst.de wrote: On Wed, Aug 12, 2015 at 09:01:02AM -0700, Linus Torvalds wrote: I'm assuming that anybody who wants to use the page-less scatter-gather lists always does so on memory that isn't actually virtually mapped at all, or only does so on sane architectures that are cache coherent at a physical level, but I'd like that assumption *documented* somewhere. It's temporarily mapped by kmap-like helpers. That code isn't in this series. The most recent version of it is here: https://git.kernel.org/cgit/linux/kernel/git/djbw/nvdimm.git/commit/?h=pfnid=de8237c99fdb4352be2193f3a7610e902b9bb2f0 note that it's not doing the cache flushing it would have to do yet, but it's also only enabled for x86 at the moment. For virtually tagged caches I assume we would temporarily map with kmap_atomic_pfn_t(), similar to how drm_clflush_pages() implements powerpc support. However with DAX we could end up with multiple virtual aliases for a page-less pfn. At least on some PA architectures, you have to be very careful. Improperly managed, multiple aliases will cause the system to crash (actually a machine check in the cache chequerboard). For the most temperamental systems, we need the cache line flushed and the alias mapping ejected from the TLB cache before we access the same page at an inequivalent alias. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: RFC: prepare for struct scatterlist entries without page backing
On Wed, 2015-08-12 at 09:05 +0200, Christoph Hellwig wrote: Dan Williams started to look into addressing I/O to and from Persistent Memory in his series from June: http://thread.gmane.org/gmane.linux.kernel.cross-arch/27944 I've started looking into DMA mapping of these SGLs specifically instead of the map_pfn method in there. In addition to supporting NVDIMM backed I/O I also suspect this would be highly useful for media drivers that go through nasty hoops to be able to DMA from/to their ioremapped regions, with vb2_dc_get_userptr in drivers/media/v4l2-core/videobuf2-dma-contig.c being a prime example for the unsafe hacks currently used. It turns out most DMA mapping implementation can handle SGLs without page structures with some fairly simple mechanical work. Most of it is just about consistently using sg_phys. For implementations that need to flush caches we need a new helper that skips these cache flushes if a entry doesn't have a kernel virtual address. However the ccio (parisc) and sba_iommu (parisc ia64) IOMMUs seem to be operate mostly on virtual addresses. It's a fairly odd concept that I don't fully grasp, so I'll need some help with those if we want to bring this forward. I can explain that. I think this doesn't apply to ia64 because it's cache is PIPT, but on parisc, we have a VIPT cache. On normal physically indexed architectures, when the iommu sees a DMA transfer to/from physical memory, it also notifies the CPU to flush the internal CPU caches of those lines. This is usually an interlocking step of the transfer to make sure the page is coherent before transfer to/from the device (it's why the ia32 for instance is a coherent architecture). Because the system is physically indexed, there's no need to worry about aliases. On Virtually Indexed systems, like parisc, there is an aliasing problem. The CCIO iommu unit (and all other iommu systems on parisc) have what's called a local coherence index (LCI). You program it as part of the IOMMU page table and it tells the system which Virtual line in the cache to flush as part of the IO transaction, thus still ensuring cache coherence. That's why we have to know the virtual as well as physical addresses for the page. The problem we have in Linux is that we have two virtual addresses, which are often incoherent aliases: the user virtual address and a kernel virtual address but we can only make the page coherent with a single alias (only one LCI). The way I/O on Linux currently works is that get_user_pages actually flushes the user virtual address, so that's expected to be coherent, so the address we program into the VCI is the kernel virtual address. Usually nothing in the kernel has ever touched the page, so there's nothing to flush, but we do it just in case. In theory, for these non kernel page backed SG entries, we can make the process more efficient by not flushing in gup and instead programming the user virtual address into the local coherence index. However, simply zeroing the LCI will also work (except that poor VI zero line will get flushed repeatedly, so it's probably best to pick a known untouched line in the kernel). James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Xen-devel] RIP MTRR - status update for upcoming v4.2
On Fri, 2015-06-12 at 16:15 -0700, Andy Lutomirski wrote: On Jun 12, 2015 12:59 AM, Jan Beulich jbeul...@suse.com wrote: On 12.06.15 at 01:23, toshi.k...@hp.com wrote: There are two usages on MTRRs: 1) MTRR entries set by firmware 2) MTRR entries set by OS drivers We can obsolete 2), but we have no control over 1). As UEFI firmwares also set this up, this usage will continue to stay. So, we should not get rid of the MTRR code that looks up the MTRR entries, while we have no need to modify them. Such MTRR entries provide safe guard to /dev/mem, which allows privileged user to access a range that may require UC mapping while the /dev/mem driver blindly maps it with WB. MTRRs converts WB to UC in such a case. But it wouldn't be impossible to simply read the MTRRs upon boot, store the information, disable MTRRs, and correctly use PAT to achieve the same effect (i.e. the blindly maps part of course would need fixing). This may crash and burn badly when we call a UEFI function or an SMI happens. I think we should just leave the MTRRs alone. Wholeheartedly agree: PAT only works when the given memory map is in operation but MTRRs function everywhere. Anything that goes into real mode or installs its own memory map won't see the Linux page attributes. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [REPOST PATCH 1/8] fence: dma-buf cross-device synchronization (v17)
On Thu, 2014-06-19 at 11:19 -0700, Greg KH wrote: On Thu, Jun 19, 2014 at 01:45:30PM -0400, Rob Clark wrote: On Thu, Jun 19, 2014 at 1:00 PM, Greg KH gre...@linuxfoundation.org wrote: On Thu, Jun 19, 2014 at 10:00:18AM -0400, Rob Clark wrote: On Wed, Jun 18, 2014 at 9:13 PM, Greg KH gre...@linuxfoundation.org wrote: On Wed, Jun 18, 2014 at 12:36:54PM +0200, Maarten Lankhorst wrote: +#define CREATE_TRACE_POINTS +#include trace/events/fence.h + +EXPORT_TRACEPOINT_SYMBOL(fence_annotate_wait_on); +EXPORT_TRACEPOINT_SYMBOL(fence_emit); Are you really willing to live with these as tracepoints for forever? What is the use of them in debugging? Was it just for debugging the fence code, or for something else? +/** + * fence_context_alloc - allocate an array of fence contexts + * @num: [in]amount of contexts to allocate + * + * This function will return the first index of the number of fences allocated. + * The fence context is used for setting fence-context to a unique number. + */ +unsigned fence_context_alloc(unsigned num) +{ + BUG_ON(!num); + return atomic_add_return(num, fence_context_counter) - num; +} +EXPORT_SYMBOL(fence_context_alloc); EXPORT_SYMBOL_GPL()? Same goes for all of the exports in here. Traditionally all of the driver core exports have been with this marking, any objection to making that change here as well? tbh, I prefer EXPORT_SYMBOL().. well, I'd prefer even more if there wasn't even a need for EXPORT_SYMBOL_GPL(), but sadly it is a fact of life. We already went through this debate once with dma-buf. We aren't going to change $evil_vendor's mind about non-gpl modules. The only result will be a more flugly convoluted solution (ie. use syncpt EXPORT_SYMBOL() on top of fence EXPORT_SYMBOL_GPL()) just as a workaround, with the result that no-one benefits. It has been proven that using _GPL() exports have caused companies to release their code properly over the years, so as these really are Linux-only apis, please change them to be marked this way, it helps everyone out in the end. Well, maybe that is the true in some cases. But it certainly didn't work out that way for dma-buf. And I think the end result is worse. I don't really like coming down on the side of EXPORT_SYMBOL() instead of EXPORT_SYMBOL_GPL(), but if we do use EXPORT_SYMBOL_GPL() then the result will only be creative workarounds using the _GPL symbols indirectly by whatever is available via EXPORT_SYMBOL(). I don't really see how that will be better. You are saying that you _know_ companies will violate our license, so you should just give up? And how do you know people aren't working on preventing those indirect usages as well? :) Sorry, I'm not going to give up here, again, it has proven to work in the past in changing the ways of _very_ large companies, why stop now? When you try to train a dog, you have to be consistent about it. We're fantastically inconsistent in symbol exports. For instance, the mutex primitives are all EXPORT_SYMBOL(), so we're telling proprietary modules they can use them. However, when the kernel is built with CONFIG_DEBUG_MUTEX, they all become EXPORT_SYMBOL_GPL() ... what type of crazy message is that supposed to send? It's OK to use mutexes but it's potentially a GPL violation to debug them? We either need to decide that we have a defined and consistent part of our API that's GPL only or make the bold statement that we don't have any part of our API that's usable by non-GPL modules. Right at the minute we do neither and it confuses people no end about what is and isn't allowed. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [REPOST PATCH 1/8] fence: dma-buf cross-device synchronization (v17)
On Thu, 2014-06-19 at 15:39 -0700, H. Peter Anvin wrote: On 06/19/2014 01:01 PM, Greg KH wrote: On Thu, Jun 19, 2014 at 09:15:36PM +0200, Daniel Vetter wrote: On Thu, Jun 19, 2014 at 7:00 PM, Greg KH gre...@linuxfoundation.org wrote: + BUG_ON(f1-context != f2-context); Nice, you just crashed the kernel, making it impossible to debug or recover :( agreed, that should probably be 'if (WARN_ON(...)) return NULL;' (but at least I wouldn't expect to hit that under console_lock so you should at least see the last N lines of the backtrace on the screen ;-)) Lots of devices don't have console screens :) Aside: This is a pet peeve of mine and recently I've switched to rejecting all patch that have a BUG_ON, period. Please do, I have been for a few years now as well for the same reasons you cite. I'm actually concerned about this trend. Downgrading things to WARN_ON can allow a security bug in the kernel to continue to exist, for example, or make the error message disappear. Me too. We use BUG_ON in the I/O subsystem where we're forced to violate a guarantee. When the choice is corrupt something or panic the system, I prefer the latter every time. I am wondering if the right thing here isn't to have a user (command line?) settable policy as to how to proceed on an assert violation, instead of hardcoding it at compile time. I'd say it depends on the consequence of the assertion violation. We have assertions that are largely theoretical, ones that govern process internal state (so killing the process mostly sanitizes the system) and a few that imply data loss or data corruption. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 6/8] drivers: add Contiguous Memory Allocator
[cc to ks-discuss added, since this may be a relevant topic] On Tue, 2011-07-05 at 14:27 +0200, Arnd Bergmann wrote: On Tuesday 05 July 2011, Russell King - ARM Linux wrote: On Tue, Jul 05, 2011 at 09:41:48AM +0200, Marek Szyprowski wrote: The Contiguous Memory Allocator is a set of helper functions for DMA mapping framework that improves allocations of contiguous memory chunks. CMA grabs memory on system boot, marks it with CMA_MIGRATE_TYPE and gives back to the system. Kernel is allowed to allocate movable pages within CMA's managed memory so that it can be used for example for page cache when DMA mapping do not use it. On dma_alloc_from_contiguous() request such pages are migrated out of CMA area to free required contiguous block and fulfill the request. This allows to allocate large contiguous chunks of memory at any time assuming that there is enough free memory available in the system. This code is heavily based on earlier works by Michal Nazarewicz. And how are you addressing the technical concerns about aliasing of cache attributes which I keep bringing up with this and you keep ignoring and telling me that I'm standing in your way. Just to chime in here, parisc has an identical issue. If the CPU ever sees an alias with different attributes for the same page, it will HPMC the box (that's basically the bios will kill the system as being architecturally inconsistent), so an architecture neutral solution on this point is essential to us as well. This is of course an important issue, and it's the one item listed as TODO in the introductory mail that sent. It's also a preexisting problem as far as I can tell, and it needs to be solved in __dma_alloc for both cases, dma_alloc_from_contiguous and __alloc_system_pages as introduced in patch 7. We've discussed this back and forth, and it always comes down to one of two ugly solutions: 1. Put all of the MIGRATE_CMA and pages into highmem and change __alloc_system_pages so it also allocates only from highmem pages. The consequences of this are that we always need to build kernels with highmem enabled and that we have less lowmem on systems that are already small, both of which can be fairly expensive unless you have lots of highmem already. So this would require that systems using the API have a highmem? (parisc doesn't today). 2. Add logic to unmap pages from the linear mapping, which is very expensive because it forces the use of small pages in the linear mapping (or in parts of it), and possibly means walking all page tables to remove the PTEs on alloc and put them back in on free. I believe that Chunsang Jeong from Linaro is planning to implement both variants and post them for review, so we can decide which one to merge, or even to merge both and make it a configuration option. See also https://blueprints.launchpad.net/linaro-mm-sig/+spec/engr-mm-dma-mapping-2011.07 I don't think we need to make merging the CMA patches depending on the other patches, it's clear that both need to be solved, and they are independent enough. I assume from the above that ARM has a hardware page walker? The way I'd fix this on parisc, because we have a software based TLB, is to rely on the fact that a page may only be used either for DMA or for Page Cache, so the aliases should never be interleaved. Since you know the point at which the page flips from DMA to Cache (and vice versa), I'd purge the TLB entry and flush the page at that point and rely on the usage guarantees to ensure that the alias TLB entry doesn't reappear. This isn't inexpensive but the majority of the cost is the cache flush which is a requirement to clean the aliases anyway (a TLB entry purge is pretty cheap). Would this work for the ARM hardware walker as well? It would require you to have a TLB entry purge instruction as well as some architectural guarantees about not speculating the TLB. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/6] get rid of on-stack dma buffers
On Mon, 2011-03-21 at 22:03 +0100, Florian Mickler wrote: On Mon, 21 Mar 2011 15:26:43 -0400 Andy Walls awa...@md.metrocast.net wrote: Florian Mickler flor...@mickler.org wrote: Hi all! These patches get rid of on-stack dma buffers for some of the dvb-usb drivers. I do not own the hardware, so these are only compile tested. I would appreciate testing and review. They were previously sent to the list, but some error on my side prevented (some of?) them from beeing delivered to all parties (the lists). These changes are motivated by https://bugzilla.kernel.org/show_bug.cgi?id=15977 . The patches which got tested already were submitted to Mauro (and lkml/linux-media) yesterday seperately. Those fix this same issue for ec168, ce6230, au6610 and lmedm04. A fix for vp702x has been submitted seperately for review on the list. I have similiar fixes like the vp702x-fix for dib0700 (overlooked some on-stack buffers in there in my original submission as well) and gp8psk, but I am holding them back 'till I got time to recheck those and getting some feedback on vp702x. Please review and test. Regards, Flo Florian Mickler (6): [media] a800: get rid of on-stack dma buffers [media v2] vp7045: get rid of on-stack dma buffers [media] friio: get rid of on-stack dma buffers [media] dw2102: get rid of on-stack dma buffer [media] m920x: get rid of on-stack dma buffers [media] opera1: get rid of on-stack dma buffer drivers/media/dvb/dvb-usb/a800.c | 17 ++--- drivers/media/dvb/dvb-usb/dw2102.c | 10 ++- drivers/media/dvb/dvb-usb/friio.c | 23 ++--- drivers/media/dvb/dvb-usb/m920x.c | 33 drivers/media/dvb/dvb-usb/opera1.c | 31 +++ drivers/media/dvb/dvb-usb/vp7045.c | 47 ++-- 6 files changed, 116 insertions(+), 45 deletions(-) -- 1.7.4.1 -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Florian, For all of these, what happens when the USB call times out and you kfree() the buffer? Can the USB DMA actually complete after this kfree(), possibly corrupting space that has been reallocated off the heap, since the kfree()? This is the scenario for which I assume allocating off the stack is bad. Do these changes simply make corruption less noticable since heap gets corrupted vs stack? Regards, Andy To be blunt, I'm not shure I fully understand the requirements myself. But as far as I grasped it, the main problem is that we need memory which the processor can see as soon as the device has scribbled upon it. (think caches and the like) Somewhere down the line, the buffer to usb_control_msg get's to be a parameter to dma_map_single which is described as part of the DMA API in Documentation/DMA-API.txt The main point I filter out from that is that the memory has to begin exactly at a cache line boundary... The API will round up so that the correct region covers the API. However, if you have other structures packed into the space (as very often happens on stack), you get cache line interference in the CPU if they get accessed: The act of accessing an adjacent object pulls in cache above your object and destroys DMA coherence. This is the principle reason why DMA to stack is a bad idea. I guess (not verified), that the dma api takes sufficient precautions to abort the dma transfer if a timeout happens. So freeing _should_ not be an issue. (At least, I would expect big fat warnings everywhere if that were the case) No, it doesn't take any precautions like this. the DMA API is just mapping (possibly via an IOMMU). If the transfer times out, that's done in the DMA engine of the card, and must be cleaned up by the driver and unmapped. The general rule though is never DMA to stack. On some processors, the way stack is allocated can actually make this not work. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote: On Mon, Mar 14, 2011 at 10:26:05PM -0400, James Bottomley wrote: On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote: Vasiliy Kulikov (20): mach-ux500: mbox-db5500: world-writable sysfs fifo file leds: lp5521: world-writable sysfs engine* files leds: lp5523: world-writable engine* sysfs files misc: ep93xx_pwm: world-writable sysfs files rtc: rtc-ds1511: world-writable sysfs nvram file scsi: aic94xx: world-writable sysfs update_bios file scsi: iscsi: world-writable sysfs priv_sess file These are still not merged :( OK, so I've not been tracking where we are in the dizzying ride on security systems. However, I thought we landed up in the privilege separation arena using capabilities. That means that world writeable files aren't necessarily a problem as long as the correct capabilities checks are in place, right? There are no capability checks on sysfs files right now, so these all need to be fixed. That statement is true but irrelevant, isn't it? There can't be capabilities within sysfs files because the system that does them has no idea what the capabilities would be. If there were capabilities checks, they'd have to be in the implementing routines. I think the questions are twofold: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Tue, 2011-03-15 at 07:18 -0700, Greg KH wrote: On Tue, Mar 15, 2011 at 07:50:28AM -0400, James Bottomley wrote: On Mon, 2011-03-14 at 20:09 -0700, Greg KH wrote: There are no capability checks on sysfs files right now, so these all need to be fixed. That statement is true but irrelevant, isn't it? There can't be capabilities within sysfs files because the system that does them has no idea what the capabilities would be. If there were capabilities checks, they'd have to be in the implementing routines. Ah, you are correct, sorry for the misunderstanding. I think the questions are twofold: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? I do not think so as the majority (i.e. all the ones that I looked at) did no such checks. OK, as long as someone checked, I'm happy. 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? I think the general consensus is that we go the monolithic root route for sysfs files in that we do not allow them to be world writable. Do you have any exceptions that you know of that do these checks? Heh, I didn't call our security vacillations a dizzying ride for nothing. I know the goal once was to try to run a distro without root daemons (which is what required the capabilities stuff). I'm actually trying to avoid the issue ... I just want to make sure that people who care aren't all moving in different directions. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Security] [PATCH 00/20] world-writable files in sysfs and debugfs
On Tue, 2011-03-15 at 19:08 +0300, Vasiliy Kulikov wrote: On Tue, Mar 15, 2011 at 07:50 -0400, James Bottomley wrote: 1. Did anyone actually check for capabilities before assuming world writeable files were wrong? I didn't check all these files as I haven't got these hardware :-) You don't need the hardware to check ... the question becomes is a capabilities test sitting in the implementation or not. But as I can chmod a+w all sysfs files on my machine and they all become sensible to nonroot writes, I suppose there is nothing preventing nonroot users from writing to these buggy sysfs files. As you can see, there are no capable() checks in these drivers in open() or write(). 2. Even if there aren't any capabilities checks in the implementing routines, should there be (are we going the separated capabilities route vs the monolithic root route)? IMO, In any case old good DAC security model must not be obsoleted just because someone thinks that MAC or anything else is more convenient for him. If sysfs is implemented via filesystem then it must support POSIX permissions semantic. MAC is very good in _some_ cases, but not instead of DAC. Um, I'm not sure that's even an issue. capabilities have CAP_ADMIN which is precisely the same check as owner == root. We use this a lot because ioctls ignore the standard unix DAC model. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 00/20] world-writable files in sysfs and debugfs
On Sat, 2011-03-12 at 23:23 +0300, Vasiliy Kulikov wrote: Vasiliy Kulikov (20): mach-ux500: mbox-db5500: world-writable sysfs fifo file leds: lp5521: world-writable sysfs engine* files leds: lp5523: world-writable engine* sysfs files misc: ep93xx_pwm: world-writable sysfs files rtc: rtc-ds1511: world-writable sysfs nvram file scsi: aic94xx: world-writable sysfs update_bios file scsi: iscsi: world-writable sysfs priv_sess file These are still not merged :( OK, so I've not been tracking where we are in the dizzying ride on security systems. However, I thought we landed up in the privilege separation arena using capabilities. That means that world writeable files aren't necessarily a problem as long as the correct capabilities checks are in place, right? James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 02/15]drivers:spi:dw_spi.c Typo change diable to disable.
On Fri, 2010-12-31 at 06:17 -0800, Justin P. Mattock wrote: On 12/31/2010 01:11 AM, Dan Carpenter wrote: On Thu, Dec 30, 2010 at 10:52:30PM -0800, Justin P. Mattock wrote: On 12/30/2010 10:45 PM, Grant Likely wrote: On Thu, Dec 30, 2010 at 03:07:51PM -0800, Justin P. Mattock wrote: The below patch fixes a typo diable to disable. Please let me know if this is correct or not. Signed-off-by: Justin P. Mattockjustinmatt...@gmail.com applied, thanks. g. ahh.. thanks.. just cleared up the left out diabled that I had thought I forgotten(ended up separating comments and code and forgot) This is really just defensiveness and random grumbling and grumpiness on my part, but one reason I may have missed the first patch is because your subject lines are crap. Wrong: [PATCH 02/15]drivers:spi:dw_spi.c Typo change diable to disable. Right: [PATCH 02/15] spi/dw_spi: Typo change diable to disable regards, dan carpenter alright.. so having the backlash is alright for the subject Thanks for the pointer on this.. There is actually no specific form. Most of us edit this part of the subject line anyway to conform to whatever (nonuniform) conventions we use. I just use component: with no scsi or drivers prefix because the git tree is tagged [SCSI]; others are different. James -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html