Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp4037077ybh; Tue, 6 Aug 2019 05:23:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqz8qZJlYPM7yFTeS8yrSd1iWLdjeWsdUuuxVgNt+rrW6Ii5KeyZjOuaWHEZCsC/po8WOpOL X-Received: by 2002:a62:e515:: with SMTP id n21mr3462112pff.186.1565094239104; Tue, 06 Aug 2019 05:23:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565094239; cv=none; d=google.com; s=arc-20160816; b=SCM6ZwxLTnG0zl3jKDG4kfwYTfp/oI9SwB0Mo2XT3TxBDL6heYKThjDfrBC2ACDfXG 5xWF4vVpKPlByk5yoljXfJLkap2f3ucnomKbIgIzu4PBaV5tWAQquOEvQ7+v1ZX9M9d8 1afAuHP6qXgj7rOhhNxYh6NveZ84Lw0ePj3H4hMJvG5z4H+tb81zd3pIN7LR6evYv4Lj /qPB/YMlZqB8LoDlQnEAHbQI9R4jfupYavJ/nE3vCWx16XCvMTigQ3kpSw5SOIBBmp6r 1x/hlYct61jKCQ2vh847y8yTJIv0uBSznhSnOf1L6Zcdf5D0UE6OHVglAQnPXDGvRCwZ p2KQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=+qkPzD5ZstkzXENQiQ7/WVVv/CJFX6ERUgX33y9U5XI=; b=vRp0kJD+I6zCqFKrwql4HJQLNHK9lpU0z5YeSeOVVIyBYSzqhnHPApzcLYdSbuM8tW yhWvF9WUhUZILvAhVWakSrqyD4lYwi5mMq4Duh38oLV2pjtUK1P+4EoZqMMGqexkylCq gnlD8MI3RC+X5Tz/Tf/FmUOvNLYnssKm1qqNAEZGRu7CC+Vb1yjvEOTGIX5G94whqplk zsD4CIYjMPlVxxFBZr/1T1NXqS0Kms8beZRGybTjD62fRWeEscNBmYjA1eanm7Kj2Q0/ kvbkZNElq9izR0wFwH3Lw/2JbSe9LWT2jk/brlSuexxTG/K85jdE4Nl63Jpi10RgFYQh /a9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=rqSzf3Lo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x13si51071074pgf.275.2019.08.06.05.23.42; Tue, 06 Aug 2019 05:23:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=rqSzf3Lo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728560AbfHFMXD (ORCPT + 99 others); Tue, 6 Aug 2019 08:23:03 -0400 Received: from mail-ua1-f67.google.com ([209.85.222.67]:39569 "EHLO mail-ua1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726036AbfHFMXD (ORCPT ); Tue, 6 Aug 2019 08:23:03 -0400 Received: by mail-ua1-f67.google.com with SMTP id j8so33532066uan.6 for ; Tue, 06 Aug 2019 05:23:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+qkPzD5ZstkzXENQiQ7/WVVv/CJFX6ERUgX33y9U5XI=; b=rqSzf3LovTCT5TOlpnWglo2f2Hd6htoZ/VskGnovrHxK/kFejcxFbxb25PALTYXOJ3 JOl3zQy0pgg5zMStaPBe5yFrUzaqOzQE+RWlMjxFitWjToVaIPldDQ3j3OZJeG9l+Mvt RadBV08QiaHMPuGqEZHAAxb7U7r5Z5fvvP9kkwyTZPitBWghsDxCMpN92bhuU60FX1Gy rXS7wVoKxVWni2wmE2AhH/9sgnnt2twDSW5zgZwA2DxxvL3CS94YMStvRagGXPooDVep OrU7t4zcYQKITXFHQksD3Rsss6yItvOpJksh6fhG8g0dOroWLTuHq94WFOKvcmmoPZrE SRYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+qkPzD5ZstkzXENQiQ7/WVVv/CJFX6ERUgX33y9U5XI=; b=Te5mRNt/5QGcflDaI0QynhIoBRe/7arHlZ3JDVeVgtgkZIO4ahFCoy8gw/Zqb50cvj FmisfZ/u2kb8toYslZLfe/4QQXGOKIi/FaEJbeGxmcU0HMNmjDquqmNMaD6ndPF2o1kr 93cHIcMMGz1XtQdVa37eMtc8eVSj+nH7oKgSEECcOTppySMtbK62S5eiQaAxKxDGPGBm SWzNLebP9mIVxX1hCbBYzuUPhvXMAH7VfZH0FDKX5jLPXfCg2/OUgxYHL/cN+IV1Y4Sz vPRQoon5LIQ6TpKLNe5MXHQffCzcka433tBhYbPrKC5RLLGdPqWZ5RIPPmszzOhQntcx oJYg== X-Gm-Message-State: APjAAAXTWam0zTL6z+0QnMPYZBmg/mcoRD5y4jrRXsijOIei9ErPd4rM 8LLDN5grmajAXks7uo8lLKhiZCe3Is5cvQ43B69sEQ== X-Received: by 2002:ab0:20cc:: with SMTP id z12mr450898ual.32.1565094181929; Tue, 06 Aug 2019 05:23:01 -0700 (PDT) MIME-Version: 1.0 References: <20190806073743.31575-1-oshpigelman@habana.ai> <20190806073743.31575-2-oshpigelman@habana.ai> In-Reply-To: <20190806073743.31575-2-oshpigelman@habana.ai> From: Oded Gabbay Date: Tue, 6 Aug 2019 15:22:35 +0300 Message-ID: Subject: Re: [PATCH 2/2] habanalabs: improve security in Debug IOCTL To: Omer Shpigelman Cc: "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 6, 2019 at 10:38 AM Omer Shpigelman wrote: > > This patch improves the security in the Debug IOCTL. > It adds checks that: > - The register index value is in the allowed range for all opcodes. > - The event types number is in the allowed range in SPMU enable. > - The events number is in the allowed range in SPMU disable. > > Signed-off-by: Omer Shpigelman > --- > drivers/misc/habanalabs/goya/goya_coresight.c | 72 ++++++++++++++++--- > 1 file changed, 63 insertions(+), 9 deletions(-) > > diff --git a/drivers/misc/habanalabs/goya/goya_coresight.c b/drivers/misc/habanalabs/goya/goya_coresight.c > index d7ec7ad84cc6..4f7ffc137ab7 100644 > --- a/drivers/misc/habanalabs/goya/goya_coresight.c > +++ b/drivers/misc/habanalabs/goya/goya_coresight.c > @@ -15,6 +15,12 @@ > > #define GOYA_PLDM_CORESIGHT_TIMEOUT_USEC (CORESIGHT_TIMEOUT_USEC * 100) > > +#define SPMU_SECTION_SIZE DMA_CH_0_CS_SPMU_MAX_OFFSET > +#define SPMU_EVENT_TYPES_OFFSET 0x400 > +#define SPMU_MAX_EVENT_TYPES ((SPMU_SECTION_SIZE - \ > + SPMU_EVENT_TYPES_OFFSET) / 4) > +#define SPMU_MAX_EVENTS (SPMU_SECTION_SIZE / 4) > + > static u64 debug_stm_regs[GOYA_STM_LAST + 1] = { > [GOYA_STM_CPU] = mmCPU_STM_BASE, > [GOYA_STM_DMA_CH_0_CS] = mmDMA_CH_0_CS_STM_BASE, > @@ -226,9 +232,16 @@ static int goya_config_stm(struct hl_device *hdev, > struct hl_debug_params *params) > { > struct hl_debug_params_stm *input; > - u64 base_reg = debug_stm_regs[params->reg_idx] - CFG_BASE; > + u64 base_reg; > int rc; > > + if (params->reg_idx >= ARRAY_SIZE(debug_stm_regs)) { > + dev_err(hdev->dev, "Invalid register index in STM\n"); > + return -EINVAL; > + } > + > + base_reg = debug_stm_regs[params->reg_idx] - CFG_BASE; > + > WREG32(base_reg + 0xFB0, CORESIGHT_UNLOCK); > > if (params->enable) { > @@ -288,10 +301,17 @@ static int goya_config_etf(struct hl_device *hdev, > struct hl_debug_params *params) > { > struct hl_debug_params_etf *input; > - u64 base_reg = debug_etf_regs[params->reg_idx] - CFG_BASE; > + u64 base_reg; > u32 val; > int rc; > > + if (params->reg_idx >= ARRAY_SIZE(debug_etf_regs)) { > + dev_err(hdev->dev, "Invalid register index in ETF\n"); > + return -EINVAL; > + } > + > + base_reg = debug_etf_regs[params->reg_idx] - CFG_BASE; > + > WREG32(base_reg + 0xFB0, CORESIGHT_UNLOCK); > > val = RREG32(base_reg + 0x304); > @@ -445,11 +465,18 @@ static int goya_config_etr(struct hl_device *hdev, > static int goya_config_funnel(struct hl_device *hdev, > struct hl_debug_params *params) > { > - WREG32(debug_funnel_regs[params->reg_idx] - CFG_BASE + 0xFB0, > - CORESIGHT_UNLOCK); > + u64 base_reg; > + > + if (params->reg_idx >= ARRAY_SIZE(debug_funnel_regs)) { > + dev_err(hdev->dev, "Invalid register index in FUNNEL\n"); > + return -EINVAL; > + } > > - WREG32(debug_funnel_regs[params->reg_idx] - CFG_BASE, > - params->enable ? 0x33F : 0); > + base_reg = debug_funnel_regs[params->reg_idx] - CFG_BASE; > + > + WREG32(base_reg + 0xFB0, CORESIGHT_UNLOCK); > + > + WREG32(base_reg, params->enable ? 0x33F : 0); > > return 0; > } > @@ -458,9 +485,16 @@ static int goya_config_bmon(struct hl_device *hdev, > struct hl_debug_params *params) > { > struct hl_debug_params_bmon *input; > - u64 base_reg = debug_bmon_regs[params->reg_idx] - CFG_BASE; > + u64 base_reg; > u32 pcie_base = 0; > > + if (params->reg_idx >= ARRAY_SIZE(debug_bmon_regs)) { > + dev_err(hdev->dev, "Invalid register index in BMON\n"); > + return -EINVAL; > + } > + > + base_reg = debug_bmon_regs[params->reg_idx] - CFG_BASE; > + > WREG32(base_reg + 0x104, 1); > > if (params->enable) { > @@ -522,7 +556,7 @@ static int goya_config_bmon(struct hl_device *hdev, > static int goya_config_spmu(struct hl_device *hdev, > struct hl_debug_params *params) > { > - u64 base_reg = debug_spmu_regs[params->reg_idx] - CFG_BASE; > + u64 base_reg; > struct hl_debug_params_spmu *input = params->input; > u64 *output; > u32 output_arr_len; > @@ -531,6 +565,13 @@ static int goya_config_spmu(struct hl_device *hdev, > u32 cycle_cnt_idx; > int i; > > + if (params->reg_idx >= ARRAY_SIZE(debug_spmu_regs)) { > + dev_err(hdev->dev, "Invalid register index in SPMU\n"); > + return -EINVAL; > + } > + > + base_reg = debug_spmu_regs[params->reg_idx] - CFG_BASE; > + > if (params->enable) { > input = params->input; > > @@ -543,11 +584,18 @@ static int goya_config_spmu(struct hl_device *hdev, > return -EINVAL; > } > > + if (input->event_types_num > SPMU_MAX_EVENT_TYPES) { > + dev_err(hdev->dev, > + "too many event types values for SPMU enable\n"); > + return -EINVAL; > + } > + > WREG32(base_reg + 0xE04, 0x41013046); > WREG32(base_reg + 0xE04, 0x41013040); > > for (i = 0 ; i < input->event_types_num ; i++) > - WREG32(base_reg + 0x400 + i * 4, input->event_types[i]); > + WREG32(base_reg + SPMU_EVENT_TYPES_OFFSET + i * 4, > + input->event_types[i]); > > WREG32(base_reg + 0xE04, 0x41013041); > WREG32(base_reg + 0xC00, 0x8000003F); > @@ -567,6 +615,12 @@ static int goya_config_spmu(struct hl_device *hdev, > return -EINVAL; > } > > + if (events_num > SPMU_MAX_EVENTS) { > + dev_err(hdev->dev, > + "too many events values for SPMU disable\n"); > + return -EINVAL; > + } > + > WREG32(base_reg + 0xE04, 0x41013040); > > for (i = 0 ; i < events_num ; i++) > -- > 2.17.1 > Both patches are: Reviewed-by: Oded Gabbay