From: Ben Widawsky <ben.widawsky@intel.com>
To: <linux-cxl@vger.kernel.org>
Cc: Ben Widawsky <ben.widawsky@intel.com>, <linux-kernel@vger.kernel.org>, <linux-pci@vger.kernel.org>, "linux-acpi@vger.kernel.org, Ira Weiny" <ira.weiny@intel.com>, Dan Williams <dan.j.williams@intel.com>, Vishal Verma <vishal.l.verma@intel.com>, "Kelley, Sean V" <sean.v.kelley@intel.com>, Rafael Wysocki <rafael.j.wysocki@intel.com>, Bjorn Helgaas <helgaas@kernel.org>, Jonathan Cameron <Jonathan.Cameron@Huawei.com>, "Jon Masters" <jcm@jonmasters.org>, Chris Browy <cbrowy@avery-design.com>, "Randy Dunlap" <rdunlap@infradead.org>, Christoph Hellwig <hch@infradead.org>, <daniel.lll@alibaba-inc.com>
Subject: [RFC PATCH v3 15/16] cxl/mem: Add limited Get Log command (0401h)
Date: Mon, 11 Jan 2021 14:51:20 -0800
Message-ID: <20210111225121.820014-17-ben.widawsky@intel.com>
In-Reply-To: <20210111225121.820014-1-ben.widawsky@intel.com>

The Get Log command returns the actual log entries that are advertised via the Get Supported Logs command (0400h). CXL device logs are selected by UUID which is part of the CXL spec. Because the driver tries to sanitize what is sent to hardware, there becomes a need to restrict the types of logs which can be accessed by userspace. For example, the vendor specific log might only be consumable by proprietary, or offline applications, and therefore a good candidate for userspace.

The current driver infrastructure does allow basic validation for all commands, but doesn't inspect any of the payload data. Along with Get Log support comes new infrastructure to add a hook for payload validation. This infrastructure is used to filter out the CEL UUID, which the userspace driver doesn't have business knowing, and taints on invalid UUIDs being sent to hardware.

Signed-off-by: Ben Widawsky <ben.widawsky@intel.com> --- drivers/cxl/mem.c | 42 +++++++++++++++++++++++++++++++++++- include/uapi/linux/cxl_mem.h | 1 + 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c index 6dfc8ff0aefb..593db737e7a4 100644 --- a/drivers/cxl/mem.c +++ b/drivers/cxl/mem.c @@ -94,7 +94,7 @@ static struct { } command_names[] = { CMDS }; #undef C -#define CXL_CMD(_id, _flags, sin, sout, f) \ +#define CXL_CMD_VALIDATE(_id, _flags, sin, sout, f, v) \ [CXL_MEM_COMMAND_ID_##_id] = { \ { \ .id = CXL_MEM_COMMAND_ID_##_id, \ @@ -104,8 +104,12 @@ static struct { }, \ .flags = CXL_CMD_INTERNAL_FLAG_##f, \ .opcode = CXL_MBOX_OP_##_id, \ + .validate_payload = v, \ } +#define CXL_CMD(_id, _flags, sin, sout, f) \ + CXL_CMD_VALIDATE(_id, _flags, sin, sout, f, NULL) + enum { CEL_UUID, DEBUG_UUID @@ -116,6 +120,8 @@ static const uuid_t log_uuid[] = { UUID_INIT(0xe1819d9, 0x11a9, 0x400c, 0x81, 0x1f, 0xd6, 0x07, 0x19, 0x40, 0x3d, 0x86) }; +static int validate_log_uuid(void __user *payload, size_t size); + /** * struct cxl_mem_command - Driver representation of a memory device command * @info: Command information as it exists for the UAPI @@ -129,6 +135,10 @@ static const uuid_t log_uuid[] = { * * %CXL_CMD_INTERNAL_FLAG_PSEUDO: This is a pseudo command which doesn't have * a direct mapping to hardware. They are implicitly always enabled. * + * @validate_payload: A function called after the command is validated but + * before it's sent to the hardware. The primary purpose is to validate, or + * fixup the actual payload. + * * The cxl_mem_command is the driver's internal representation of commands that * are supported by the driver. Some of these commands may not be supported by * the hardware. The driver will use @info to validate the fields passed in by 
@@ -144,6 +154,8 @@ struct cxl_mem_command { #define CXL_CMD_INTERNAL_FLAG_HIDDEN BIT(0) #define CXL_CMD_INTERNAL_FLAG_MANDATORY BIT(1) #define CXL_CMD_INTERNAL_FLAG_PSEUDO BIT(2) + + int (*validate_payload)(void __user *payload, size_t size); }; /* @@ -157,6 +169,8 @@ static struct cxl_mem_command mem_commands[] = { CXL_CMD(IDENTIFY, NONE, 0, 0x43, MANDATORY), CXL_CMD(RAW, NONE, ~0, ~0, PSEUDO), CXL_CMD(GET_SUPPORTED_LOGS, NONE, 0, ~0, MANDATORY), + CXL_CMD_VALIDATE(GET_LOG, MUTEX, 0x18, ~0, MANDATORY, + validate_log_uuid), }; #define cxl_for_each_cmd(cmd) \ @@ -515,6 +529,15 @@ static int handle_mailbox_cmd_from_user(struct cxl_memdev *cxlmd, int rc; if (cmd->info.size_in) { + if (cmd->validate_payload) { + rc = cmd->validate_payload(u64_to_user_ptr(in_payload), + cmd->info.size_in); + if (rc) { + cxl_mem_mbox_put(cxlmd->cxlm); + return -EFAULT; + } + } + /* * Directly copy the userspace payload into the hardware. UAPI * states that the buffer must already be little endian. @@ -1063,6 +1086,23 @@ struct cxl_mbox_get_log { __le32 length; } __packed; +static int validate_log_uuid(void __user *input, size_t size) +{ + struct cxl_mbox_get_log __user *get_log = input; + uuid_t payload_uuid; + + if (copy_from_user(&payload_uuid, &get_log->uuid, sizeof(uuid_t))) + return -EFAULT; + + /* All commands taint except debug vendor log */ + if (uuid_equal(&payload_uuid, &log_uuid[DEBUG_UUID])) + return 0; + + add_taint(TAINT_RAW_PASSTHROUGH, LOCKDEP_STILL_OK); + + return 0; +} + static int cxl_xfer_log(struct cxl_mem *cxlm, uuid_t *uuid, u32 size, u8 *out) { diff --git a/include/uapi/linux/cxl_mem.h b/include/uapi/linux/cxl_mem.h index b504412d1db7..4c4a12c7a4d5 100644 --- a/include/uapi/linux/cxl_mem.h +++ b/include/uapi/linux/cxl_mem.h 
@@ -34,6 +34,7 @@ extern "C" { C(IDENTIFY, "Identify Command"), \ C(RAW, "Raw device command"), \ C(GET_SUPPORTED_LOGS, "Get Supported Logs"), \ + C(GET_LOG, "Get Log"), \ C(MAX, "Last command") #undef C #define C(a, b) CXL_MEM_COMMAND_ID_##a -- 2.30.0
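Review bot: in the handle_mailbox_cmd_from_user() hunk (@@ -515,6 +529,15) the hook's return code is thrown away: `if (rc)` always ends in `return -EFAULT;`, so a validator can never report -EINVAL or -EPERM for a payload it rejects. Returning rc would fix that. The same hunk also validates through the `__user` pointer and then, per the comment that follows, copies the userspace payload into the hardware in a separate read, so the UUID that was checked is not guaranteed to be the UUID that is sent. Copying the payload into a kernel buffer once and passing that buffer to the hook would make the check and the use operate on the same bytes.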
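Review bot: validate_log_uuid() (@@ -1063,6 +1086,23) never rejects a payload: once copy_from_user() succeeds, both the DEBUG_UUID path and the taint path `return 0;`, and log_uuid[CEL_UUID] is not compared anywhere, while the changelog says the hook is used to filter out the CEL UUID. If CEL is meant to be blocked from userspace, add a uuid_equal() check against log_uuid[CEL_UUID] that returns an error. The `size` argument is also unused; checking it against sizeof(struct cxl_mbox_get_log) before the copy would keep the hook correct if it is ever attached to a command with a smaller size_in.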
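Review bot: the @validate_payload kernel-doc (@@ -129,6 +135,10) does not state the return convention or that the payload is still a `void __user *` when the hook runs. It says the hook may "fixup the actual payload", which with this signature would mean writing to user memory. Please document that the hook returns 0 or a negative errno, and either drop the fixup wording or change the signature so the hook receives a kernel copy it can modify.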