diff mbox series

[RFC,11/14] cxl/mem: Add a "RAW" send command

Message ID 20201209002418.1976362-12-ben.widawsky@intel.com (mailing list archive)
State RFC, archived
Headers show
Series CXL 2.0 Support | expand

Commit Message

Ben Widawsky Dec. 9, 2020, 12:24 a.m. UTC
The CXL memory device send interface will have a number of supported
commands. The raw command is not such a command. Raw commands allow
userspace to send a specified opcode to the underlying hardware and
bypass all driver checks on the command. This is useful for a couple of
usecases, mainly:
1. Undocumented vendor specific hardware commands
2. Prototyping new hardware commands not yet supported by the driver

While this all sounds very powerful it comes with a couple of caveats:
1. Bug reports using raw commands will not get the same level of
   attention as bug reports using supported commands (via taint).
2. Supported commands will be rejected by the RAW command.

Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
---
 drivers/cxl/mem.c            | 32 ++++++++++++++++++++++++++++++++
 include/uapi/linux/cxl_mem.h | 14 ++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)

Comments

Dan Williams Dec. 9, 2020, 10:38 p.m. UTC | #1
On Tue, Dec 8, 2020 at 4:24 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
>
> The CXL memory device send interface will have a number of supported
> commands. The raw command is not such a command. Raw commands allow
> userspace to send a specified opcode to the underlying hardware and
> bypass all driver checks on the command. This is useful for a couple of
> usecases, mainly:
> 1. Undocumented vendor specific hardware commands
> 2. Prototyping new hardware commands not yet supported by the driver
>
> While this all sounds very powerful it comes with a couple of caveats:
> 1. Bug reports using raw commands will not get the same level of
>    attention as bug reports using supported commands (via taint).
> 2. Supported commands will be rejected by the RAW command.
>
> Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> ---
>  drivers/cxl/mem.c            | 32 ++++++++++++++++++++++++++++++++
>  include/uapi/linux/cxl_mem.h | 14 ++++++++++++--
>  2 files changed, 44 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
> index 0bf03afc0c80..a2cea7ac7cc6 100644
> --- a/drivers/cxl/mem.c
> +++ b/drivers/cxl/mem.c
> @@ -115,6 +115,7 @@ struct cxl_mem_command {
>
>  static struct cxl_mem_command mem_commands[] = {
>         CXL_CMD(INVALID, NONE, 0, 0, "Reserved", false, 0),
> +       CXL_CMD(RAW, TAINT, ~0, ~0, "Raw", true, 0),

Why is the taint indication in the ABI? It seems like it only needs to
be documented.

>  };
>
>  static int cxl_mem_wait_for_doorbell(struct cxl_mem *cxlm)
> @@ -326,6 +327,20 @@ static int cxl_mem_count_commands(void)
>         return n;
>  };
>
> +static struct cxl_mem_command *cxl_mem_find_command(u16 opcode)
> +{
> +       int i;
> +
> +       for (i = 0; i < ARRAY_SIZE(mem_commands); i++) {
> +               struct cxl_mem_command *c = &mem_commands[i];
> +
> +               if (c->opcode == opcode)
> +                       return c;
> +       }
> +
> +       return NULL;
> +};
> +
>  /**
>   * handle_mailbox_cmd_from_user() - Dispatch a mailbox command.
>   * @cxlmd: The CXL memory device to communicate with.
> @@ -421,6 +436,23 @@ static int cxl_validate_cmd_from_user(struct cxl_send_command __user *user_cmd,
>         c = &mem_commands[cmd.id];
>         info = &c->info;
>
> +       /* Checks are bypassed for raw commands but along comes the taint! */
> +       if (cmd.id == CXL_MEM_COMMAND_ID_RAW) {
> +               struct cxl_mem_command temp =
> +                       CXL_CMD(RAW, NONE, cmd.size_in, cmd.size_out, "Raw",
> +                               true, cmd.raw.opcode);

Oh, I thought CXL_CMD() was only used to populate the mem_commands
array. Feels out of place to use it here when all it is doing is
updating the size_{in,out} and opcode fields. Mainly I'm interested in
CXL_CMD() enforcing that the command-id is the mem_commands index.

> +
> +               if (cmd.raw.rsvd)
> +                       return -EINVAL;
> +
> +               if (cxl_mem_find_command(cmd.raw.opcode))
> +                       return -EPERM;
> +
> +               add_taint(TAINT_WARN, LOCKDEP_STILL_OK);

TAINT_WARN seems the wrong value, especially since no WARN has
occurred. I feel that this is more in the spirit of
TAINT_PROPRIETARY_MODULE, TAINT_OVERRIDDEN_ACPI_TABLE, and
TAINT_OOT_MODULE. How about a new TAINT_RAW_PASSTHROUGH? I could use
this for the acpi/nfit driver as well to disclaim responsibility for
system errors that can result from not using the nominal
kernel-provided commands.
Ben Widawsky Dec. 16, 2020, 8:42 p.m. UTC | #2
On 20-12-09 14:38:49, Dan Williams wrote:
> On Tue, Dec 8, 2020 at 4:24 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
> >
> > The CXL memory device send interface will have a number of supported
> > commands. The raw command is not such a command. Raw commands allow
> > userspace to send a specified opcode to the underlying hardware and
> > bypass all driver checks on the command. This is useful for a couple of
> > usecases, mainly:
> > 1. Undocumented vendor specific hardware commands
> > 2. Prototyping new hardware commands not yet supported by the driver
> >
> > While this all sounds very powerful it comes with a couple of caveats:
> > 1. Bug reports using raw commands will not get the same level of
> >    attention as bug reports using supported commands (via taint).
> > 2. Supported commands will be rejected by the RAW command.
> >
> > Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> > ---
> >  drivers/cxl/mem.c            | 32 ++++++++++++++++++++++++++++++++
> >  include/uapi/linux/cxl_mem.h | 14 ++++++++++++--
> >  2 files changed, 44 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
> > index 0bf03afc0c80..a2cea7ac7cc6 100644
> > --- a/drivers/cxl/mem.c
> > +++ b/drivers/cxl/mem.c
> > @@ -115,6 +115,7 @@ struct cxl_mem_command {
> >
> >  static struct cxl_mem_command mem_commands[] = {
> >         CXL_CMD(INVALID, NONE, 0, 0, "Reserved", false, 0),
> > +       CXL_CMD(RAW, TAINT, ~0, ~0, "Raw", true, 0),
> 
> Why is the taint indication in the ABI? It seems like it only needs to
> be documented.
> 

It's removed per the previous patch discussion.

> >  };
> >
> >  static int cxl_mem_wait_for_doorbell(struct cxl_mem *cxlm)
> > @@ -326,6 +327,20 @@ static int cxl_mem_count_commands(void)
> >         return n;
> >  };
> >
> > +static struct cxl_mem_command *cxl_mem_find_command(u16 opcode)
> > +{
> > +       int i;
> > +
> > +       for (i = 0; i < ARRAY_SIZE(mem_commands); i++) {
> > +               struct cxl_mem_command *c = &mem_commands[i];
> > +
> > +               if (c->opcode == opcode)
> > +                       return c;
> > +       }
> > +
> > +       return NULL;
> > +};
> > +
> >  /**
> >   * handle_mailbox_cmd_from_user() - Dispatch a mailbox command.
> >   * @cxlmd: The CXL memory device to communicate with.
> > @@ -421,6 +436,23 @@ static int cxl_validate_cmd_from_user(struct cxl_send_command __user *user_cmd,
> >         c = &mem_commands[cmd.id];
> >         info = &c->info;
> >
> > +       /* Checks are bypassed for raw commands but along comes the taint! */
> > +       if (cmd.id == CXL_MEM_COMMAND_ID_RAW) {
> > +               struct cxl_mem_command temp =
> > +                       CXL_CMD(RAW, NONE, cmd.size_in, cmd.size_out, "Raw",
> > +                               true, cmd.raw.opcode);
> 
> Oh, I thought CXL_CMD() was only used to populate the mem_commands
> array. Feels out of place to use it here when all it is doing is
> updating the size_{in,out} and opcode fields. Mainly I'm interested in
> CXL_CMD() enforcing that the command-id is the mem_commands index.
> 

Agreed and removed.

> > +
> > +               if (cmd.raw.rsvd)
> > +                       return -EINVAL;
> > +
> > +               if (cxl_mem_find_command(cmd.raw.opcode))
> > +                       return -EPERM;
> > +
> > +               add_taint(TAINT_WARN, LOCKDEP_STILL_OK);
> 
> TAINT_WARN seems the wrong value, especially since no WARN has
> occurred. I feel that this is more in the spirit of
> TAINT_PROPRIETARY_MODULE, TAINT_OVERRIDDEN_ACPI_TABLE, and
> TAINT_OOT_MODULE. How about a new TAINT_RAW_PASSTHROUGH? I could use
> this for the acpi/nfit driver as well to disclaim responsibility for
> system errors that can result from not using the nominal
> kernel-provided commands.

I like it.
diff mbox series

Patch

diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
index 0bf03afc0c80..a2cea7ac7cc6 100644
--- a/drivers/cxl/mem.c
+++ b/drivers/cxl/mem.c
@@ -115,6 +115,7 @@  struct cxl_mem_command {
 
 static struct cxl_mem_command mem_commands[] = {
 	CXL_CMD(INVALID, NONE, 0, 0, "Reserved", false, 0),
+	CXL_CMD(RAW, TAINT, ~0, ~0, "Raw", true, 0),
 };
 
 static int cxl_mem_wait_for_doorbell(struct cxl_mem *cxlm)
@@ -326,6 +327,20 @@  static int cxl_mem_count_commands(void)
 	return n;
 };
 
+static struct cxl_mem_command *cxl_mem_find_command(u16 opcode)
+{
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(mem_commands); i++) {
+		struct cxl_mem_command *c = &mem_commands[i];
+
+		if (c->opcode == opcode)
+			return c;
+	}
+
+	return NULL;
+};
+
 /**
  * handle_mailbox_cmd_from_user() - Dispatch a mailbox command.
  * @cxlmd: The CXL memory device to communicate with.
@@ -421,6 +436,23 @@  static int cxl_validate_cmd_from_user(struct cxl_send_command __user *user_cmd,
 	c = &mem_commands[cmd.id];
 	info = &c->info;
 
+	/* Checks are bypassed for raw commands but along comes the taint! */
+	if (cmd.id == CXL_MEM_COMMAND_ID_RAW) {
+		struct cxl_mem_command temp =
+			CXL_CMD(RAW, NONE, cmd.size_in, cmd.size_out, "Raw",
+				true, cmd.raw.opcode);
+
+		if (cmd.raw.rsvd)
+			return -EINVAL;
+
+		if (cxl_mem_find_command(cmd.raw.opcode))
+			return -EPERM;
+
+		add_taint(TAINT_WARN, LOCKDEP_STILL_OK);
+		memcpy(out_cmd, &temp, sizeof(temp));
+		return 0;
+	}
+
 	if (cmd.flags & CXL_MEM_COMMAND_FLAG_MASK)
 		return -EINVAL;
 
diff --git a/include/uapi/linux/cxl_mem.h b/include/uapi/linux/cxl_mem.h
index 189d86a13637..f2fbb0dcda06 100644
--- a/include/uapi/linux/cxl_mem.h
+++ b/include/uapi/linux/cxl_mem.h
@@ -49,7 +49,8 @@  extern "C" {
 struct cxl_command_info {
 	__u32 id;
 #define CXL_MEM_COMMAND_ID_INVALID 0
-#define CXL_MEM_COMMAND_ID_MAX (CXL_MEM_COMMAND_ID_INVALID + 1)
+#define CXL_MEM_COMMAND_ID_RAW 1
+#define CXL_MEM_COMMAND_ID_MAX (CXL_MEM_COMMAND_ID_RAW + 1)
 
 	__u32 flags;
 #define CXL_MEM_COMMAND_FLAG_NONE 0
@@ -103,6 +104,9 @@  struct cxl_mem_query_commands {
  * @id: The command to send to the memory device. This must be one of the
  *	commands returned by the query command.
  * @flags: Flags for the command
+ * @raw: Special fields for raw commands
+ * @raw.opcode: Opcode passed to hardware when using the RAW command.
+ * @raw.rsvd: Reserved for future use.
  * @rsvd: Reserved for future use.
  * @retval: Return value from the memory device (output).
  * @size_in: Size of the payload to provide to the device (input).
@@ -120,7 +124,13 @@  struct cxl_mem_query_commands {
 struct cxl_send_command {
 	__u32 id;
 	__u32 flags;
-	__u32 rsvd;
+	union {
+		struct {
+			__u16 opcode;
+			__u16 rsvd;
+		} raw;
+		__u32 rsvd;
+	};
 	__u32 retval;
 
 	struct {