From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
To: <alison.schofield@intel.com>
Cc: Ben Widawsky <ben.widawsky@intel.com>,
Dan Williams <dan.j.williams@intel.com>,
Ira Weiny <ira.weiny@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
<linux-cxl@vger.kernel.org>
Subject: Re: [PATCH v3 1/9] cxl/mbox: Move cxl_mem_command construction to helper funcs
Date: Fri, 25 Mar 2022 10:27:24 +0000
Message-ID: <20220325102724.0000144d@huawei.com>
In-Reply-To: <20220324011126.1144504-2-alison.schofield@intel.com>
On Wed, 23 Mar 2022 18:11:18 -0700
alison.schofield@intel.com wrote:
> From: Alison Schofield <alison.schofield@intel.com>
>
> Sanitizing and constructing a cxl_mem_command from a userspace
> command is part of the validation process prior to submitting
> the command to a CXL device. Move this work to helper functions:
> cxl_to_mem_cmd(), cxl_to_mem_cmd_raw().
>
> This declutters cxl_validate_cmd_from_user() in preparation for
> adding new validation steps.
>
> Signed-off-by: Alison Schofield <alison.schofield@intel.com>
A few trivial comments inline.
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
> drivers/cxl/core/mbox.c | 158 +++++++++++++++++++++-------------------
> 1 file changed, 85 insertions(+), 73 deletions(-)
>
> diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
> index be61a0d8016b..6612d73c37a8 100644
> --- a/drivers/cxl/core/mbox.c
> +++ b/drivers/cxl/core/mbox.c
> @@ -207,6 +207,84 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
> return true;
> }
>
> +static int cxl_to_mem_cmd_raw(struct cxl_dev_state *cxlds,
> + const struct cxl_send_command *send_cmd,
> + struct cxl_mem_command *mem_cmd)
> +{
> + if (send_cmd->raw.rsvd)
> + return -EINVAL;
trivial: Blank line here would be good.
> + /*
> + * Unlike supported commands, the output size of RAW commands
> + * gets passed along without further checking, so it must be
> + * validated here.
> + */
> + if (send_cmd->out.size > cxlds->payload_size)
> + return -EINVAL;
> +
> + if (!cxl_mem_raw_command_allowed(send_cmd->raw.opcode))
> + return -EPERM;
> +
> + *mem_cmd = (struct cxl_mem_command) {
> + .info = {
> + .id = CXL_MEM_COMMAND_ID_RAW,
> + .size_in = send_cmd->in.size,
> + .size_out = send_cmd->out.size,
> + },
> + .opcode = send_cmd->raw.opcode
> + };
> +
> + return 0;
> +}
> +
> +static int cxl_to_mem_cmd(struct cxl_dev_state *cxlds,
> + const struct cxl_send_command *send_cmd,
> + struct cxl_mem_command *mem_cmd)
> +{
> + const struct cxl_command_info *info;
> + struct cxl_mem_command *c;
> +
> + if (send_cmd->flags & ~CXL_MEM_COMMAND_FLAG_MASK)
> + return -EINVAL;
> +
> + if (send_cmd->rsvd)
> + return -EINVAL;
> +
> + if (send_cmd->in.rsvd || send_cmd->out.rsvd)
> + return -EINVAL;
> +
> + /* Convert user's command into the internal representation */
Not clear which chunk of code this applies to. Seems like we
are just getting some addresses here (obviously that applies to the original
code as well). Perhaps move down to where you fill in mem_cmd?
> + c = &cxl_mem_commands[send_cmd->id];
> + info = &c->info;
I don't mind that much either way, but you could do these at
declaration of the local variables above, before doing the sanity checks.
> +
> + /* Check that the command is enabled for hardware */
> + if (!test_bit(info->id, cxlds->enabled_cmds))
> + return -ENOTTY;
> +
> + /* Check that the command is not claimed for exclusive kernel use */
> + if (test_bit(info->id, cxlds->exclusive_cmds))
> + return -EBUSY;
> +
> + /* Check the input buffer is the expected size */
> + if (info->size_in >= 0 && info->size_in != send_cmd->in.size)
> + return -ENOMEM;
> +
> + /* Check the output buffer is at least large enough */
> + if (info->size_out >= 0 && send_cmd->out.size < info->size_out)
> + return -ENOMEM;
> +
> + *mem_cmd = (struct cxl_mem_command) {
> + .info = {
> + .id = info->id,
> + .flags = info->flags,
> + .size_in = send_cmd->in.size,
> + .size_out = send_cmd->out.size,
> + },
> + .opcode = c->opcode
> + };
> +
> + return 0;
> +}
> +
> /**
> * cxl_validate_cmd_from_user() - Check fields for CXL_MEM_SEND_COMMAND.
> * @cxlds: The device data for the operation
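Review bot: cxl_to_mem_cmd() indexes cxl_mem_commands[send_cmd->id] with no range check of its own, so it is only safe because cxl_validate_cmd_from_user() rejects id == 0 and id >= CXL_MEM_COMMAND_ID_MAX before calling it. Now that the lookup lives in a separate static helper, a short comment above the function stating that the caller must have validated send_cmd->id would keep a future caller from turning this into an out-of-bounds read of the command table. The same goes for the in.size check against cxlds->payload_size, which stays in the caller while the out.size check for raw commands moved into cxl_to_mem_cmd_raw().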
> @@ -230,8 +308,7 @@ static int cxl_validate_cmd_from_user(struct cxl_dev_state *cxlds,
> const struct cxl_send_command *send_cmd,
> struct cxl_mem_command *out_cmd)
> {
> - const struct cxl_command_info *info;
> - struct cxl_mem_command *c;
> + int rc;
>
> if (send_cmd->id == 0 || send_cmd->id >= CXL_MEM_COMMAND_ID_MAX)
> return -ENOTTY;
> @@ -244,78 +321,13 @@ static int cxl_validate_cmd_from_user(struct cxl_dev_state *cxlds,
> if (send_cmd->in.size > cxlds->payload_size)
> return -EINVAL;
>
> - /*
> - * Checks are bypassed for raw commands but a WARN/taint will occur
> - * later in the callchain
> - */
> - if (send_cmd->id == CXL_MEM_COMMAND_ID_RAW) {
> - const struct cxl_mem_command temp = {
> - .info = {
> - .id = CXL_MEM_COMMAND_ID_RAW,
> - .flags = 0,
> - .size_in = send_cmd->in.size,
> - .size_out = send_cmd->out.size,
> - },
> - .opcode = send_cmd->raw.opcode
> - };
> + /* Sanitize and construct a cxl_mem_command */
> + if (send_cmd->id == CXL_MEM_COMMAND_ID_RAW)
> + rc = cxl_to_mem_cmd_raw(cxlds, send_cmd, out_cmd);
> + else
> + rc = cxl_to_mem_cmd(cxlds, send_cmd, out_cmd);
>
> - if (send_cmd->raw.rsvd)
> - return -EINVAL;
> -
> - /*
> - * Unlike supported commands, the output size of RAW commands
> - * gets passed along without further checking, so it must be
> - * validated here.
> - */
> - if (send_cmd->out.size > cxlds->payload_size)
> - return -EINVAL;
> -
> - if (!cxl_mem_raw_command_allowed(send_cmd->raw.opcode))
> - return -EPERM;
> -
> - memcpy(out_cmd, &temp, sizeof(temp));
> -
> - return 0;
> - }
> -
> - if (send_cmd->flags & ~CXL_MEM_COMMAND_FLAG_MASK)
> - return -EINVAL;
> -
> - if (send_cmd->rsvd)
> - return -EINVAL;
> -
> - if (send_cmd->in.rsvd || send_cmd->out.rsvd)
> - return -EINVAL;
> -
> - /* Convert user's command into the internal representation */
> - c = &cxl_mem_commands[send_cmd->id];
> - info = &c->info;
> -
> - /* Check that the command is enabled for hardware */
> - if (!test_bit(info->id, cxlds->enabled_cmds))
> - return -ENOTTY;
> -
> - /* Check that the command is not claimed for exclusive kernel use */
> - if (test_bit(info->id, cxlds->exclusive_cmds))
> - return -EBUSY;
> -
> - /* Check the input buffer is the expected size */
> - if (info->size_in >= 0 && info->size_in != send_cmd->in.size)
> - return -ENOMEM;
> -
> - /* Check the output buffer is at least large enough */
> - if (info->size_out >= 0 && send_cmd->out.size < info->size_out)
> - return -ENOMEM;
> -
> - memcpy(out_cmd, c, sizeof(*c));
> - out_cmd->info.size_in = send_cmd->in.size;
> - /*
> - * XXX: out_cmd->info.size_out will be controlled by the driver, and the
> - * specified number of bytes @send_cmd->out.size will be copied back out
> - * to userspace.
> - */
> -
> - return 0;
> + return rc;
I haven't read on yet so I'll assume there is more coming in this function as otherwise
you could just return directly in the two if / else paths.
Thanks,
Jonathan
> }
>
> int cxl_query_cmd(struct cxl_memdev *cxlmd,
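Review bot: the removed non-raw path ended with memcpy(out_cmd, c, sizeof(*c)) and then overrode only info.size_in, so info.size_out kept the value from cxl_mem_commands[], and the dropped XXX comment said size_out is controlled by the driver. The new cxl_to_mem_cmd() sets .size_out = send_cmd->out.size, a user-supplied value that is checked only to be at least info->size_out and, unlike the raw path, is not compared against cxlds->payload_size. The commit message describes a pure move, so either keep .size_out = info->size_out here or state the behaviour change in the changelog and confirm that later users of size_out bound it.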