Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3086306imm; Tue, 29 May 2018 00:17:44 -0700 (PDT) X-Google-Smtp-Source: AB8JxZonaBeZdLztWMd7QoRiPU15HKBoQ5Ym8odyt7vtAFaBMz3/dmIZ4lUhefKNvt4PdGQIH7UE X-Received: by 2002:a17:902:e85:: with SMTP id 5-v6mr16624233plx.318.1527578264802; Tue, 29 May 2018 00:17:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527578264; cv=none; d=google.com; s=arc-20160816; b=FaiMskABGFngy+BtwRamJ0Ze6iO+hqCjJtU7nm3DiEzI3jSi4jYOWgiQWlwCvmgwFt mS1/r5JZy0MOjugwIDplkAXXdULLd5EglhYbWVfRisx3ESaYauIgNabLTWaOwdUDj7BY 7bw6WB7LAosZf6avFAi9u0Q0ZWnTq+aTUlYgZfUbVRsC1aYgCUts62gnwdya2fO1irZx VBcyAhjx8alzoi8slNLt4S9pjGg4XeHOUZooDfmNMYFtaLm1oIf8OJUEym/IVZ8wdV3A UChppkl09YhAloIGp/NkBsxtHfrQ+TQ/pT1C/H2NNYVKRsZXPAD6jTP1yUtYKGuc5Sll hHsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=BiabAh8f9zgLAtdUN2zPcc60vzVLLvl+yoy3MTi1Oms=; b=QS9/eaqk5JPf9EW4PXPnbNGkl+zEqaLi3+vOk0uGV4/87eYGpZEeGmw+Z1y9gxC6Du Pq/QFWO69YX59wswFf6Speg8/BttuXB03FYoxbfw6wEguSgSCM+SpX0tk9B32Rh0c5lz jsfsvBXO9ET2adHdLn9X+4nnfRLxJgZsWjArmnYVQ00dPVHXiFNzLyvJNqNpwFMIEjbi nxezpdckN1i56/7YPsn01ycjGrc9ygOzvisGLFepiwi1Oz3CsY+1f2lFG8PCcmbeFDzS slLi1YIqZfWb/JwXFVDjhPN1nnatkd2+S/lEAQW+Z58gZE0ZSVLMoK1T6R3nbYxAi0zm d/SQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=cJMQJx6l; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m21-v6si8007945pls.217.2018.05.29.00.17.30; Tue, 29 May 2018 00:17:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=cJMQJx6l; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754763AbeE2HQ4 (ORCPT + 99 others); Tue, 29 May 2018 03:16:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:38208 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750831AbeE2HQy (ORCPT ); Tue, 29 May 2018 03:16:54 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id ED21E20842; Tue, 29 May 2018 07:16:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527578213; bh=V0PAqC+aydYXox+8iYNm1m7R/OMNr6CrcYTD+vFOiOM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=cJMQJx6lnBaYS1ZaiQeG4RsZP3MbpB2ix91npdtOQSdSeb6rUGooRVUIWQ6Tb6Tag k/fpza9bXWooNZS29J0vIDzzK+11wsoLoxZWi5c902XndTeUaZAvii/T/jXQj6PJhf EBi2hu3OZNoEXTP4skfzzBieTW9kQQVP9LQybQxw= Date: Tue, 29 May 2018 09:16:33 +0200 From: Greg KH To: Oleksandr Shamray Cc: "arnd@arndb.de" , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , "devicetree@vger.kernel.org" , "openbmc@lists.ozlabs.org" , "joel@jms.id.au" , "jiri@resnulli.us" , "tklauser@distanz.ch" , "linux-serial@vger.kernel.org" , Vadim Pasternak , system-sw-low-level , "robh+dt@kernel.org" , "openocd-devel-owner@lists.sourceforge.net" , "linux-api@vger.kernel.org" , "davem@davemloft.net" , "mchehab@kernel.org" Subject: Re: [patch v22 1/4] drivers: jtag: Add JTAG core driver Message-ID: <20180529071633.GB20427@kroah.com> References: <1527503652-21975-1-git-send-email-oleksandrs@mellanox.com> <1527503652-21975-2-git-send-email-oleksandrs@mellanox.com> <20180528123527.GA17613@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.0 (2018-05-17) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 28, 2018 at 03:59:46PM +0000, Oleksandr Shamray wrote: > > > + const struct jtag_ops *ops; > > > + int id; > > > + bool opened; > > > > You shouldn't care about this, but ok... > > Jtag HW not support to using with multiple requests from different users. So we prohibit this. Ok, but then that's a userspace problem, not your driver's problem. Serial ports can't handle multiple requests in a sane way either, and so it's a userspace bug if they do that. It's not up to the kernel to try to prevent it, and really, you are not preventing this from happening at all, you are only keeping more than one open() call from happening. You aren't serializing the device access at all. So you are giving yourself a false sense of "We are protecting the device" here. Just drop the whole "only one open() call" logic entirely. It will make your kernel code simpler and you aren't giving yourself false-hope that you really prevented userspace from doing something stupid :) > > > + case JTAG_IOCRUNTEST: > > > + if (copy_from_user(&idle, (const void __user *)arg, > > > + sizeof(struct jtag_run_test_idle))) > > > + return -EFAULT; > > > + > > > + if (idle.endstate > JTAG_STATE_PAUSEDR) > > > + return -EINVAL; > > > > No validation that idle contains sane values? Don't make every jtag driver > > have to do this type of validation please. > > > > I have partially validation of idle structure (if (idle.endstate > JTAG_STATE_PAUSEDR)). > But I will add more validation. Go to the nearest whiteboard and write this at the top: ALL INPUT IS EVIL Don't erase it. You have to validate all the things, otherwise something bad will happen, I guarantee it. Wait until the syzbot gets ahold of this layer if you don't believe me :) > > > +static int jtag_open(struct inode *inode, struct file *file) { > > > + struct jtag *jtag = container_of(file->private_data, struct jtag, > > > +miscdev); > > > + > > > + if (mutex_lock_interruptible(&jtag->open_lock)) > > > + return -ERESTARTSYS; > > > > Why restart? Just grab the lock, you don't want to have to do restartable > > logic in userspace, right? > > Will change like: > > ret = mutex_lock_interruptible(&jtag->open_lock); > if (ret) > return ret; No, what's wrong with a simple: mutex_lock(); ? You are only holding it for a very short time, people can wait, there is no rush here or "fast path" happening. Anyway, this whole lock should just go away entirely, due to the lack of needing to track open() calls. But in the future, keep locks simple, no need to add complexity when it is not warranted. > > > + if (jtag->opened) { > > > + mutex_unlock(&jtag->open_lock); > > > + return -EBUSY; > > > > Why do you care about only 1 userspace open call? What does that buy you? > > Userspace can always pass around that file descriptor and use it in multiple > > places, so you are not really "protecting" yourself from anything. > > > > Accessing to JTAG HW from multiple processes will make confusion in the work of the JTAG protocol. > And I want to prohibit this. See my previous comments for why your attempt at protecting open() does not prevent this from happening. Hint, you forgot about dup(3) :( thanks, greg k-h