lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200122231743.GA28442@google.com>
Date:   Wed, 22 Jan 2020 17:17:43 -0600
From:   Bjorn Helgaas <helgaas@...nel.org>
To:     sathyanarayanan.kuppuswamy@...ux.intel.com
Cc:     linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
        ashok.raj@...el.com, Keith Busch <keith.busch@...el.com>
Subject: Re: [PATCH v13 2/8] PCI/DPC: Allow dpc_probe() even if firmware
 first mode is enabled

On Sat, Jan 18, 2020 at 08:00:31PM -0800, sathyanarayanan.kuppuswamy@...ux.intel.com wrote:
> From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>
> 
> As per ACPI specification v6.3, sec 5.6.6, Error Disconnect Recover
> (EDR) notification used by firmware to let OS know about the DPC event
> and permit OS to perform error recovery when processing the EDR
> notification. 

I want to clear up some of this description because this is a very
confusing area and we should follow the spec carefully so we all
understand each other.

> Also, as per PCI firmware specification r3.2 Downstream
> Port Containment Related Enhancements ECN, sec 4.5.1, table 4-6, if DPC
> is controlled by firmware (firmware first mode), it's responsible for
> initializing Downstream Port Containment Extended Capability Structures
> per firmware policy. 

The above is actually not what the ECN says.  What it does say is
this:

  If control of this feature [DPC configuration] was requested and
  denied, firmware is responsible for initializing Downstream Port
  Containment Extended Capability Structures per firmware policy.

Neither the PCI Firmware Spec (r3.2) nor the ECN contains any
reference to "firmware first".  As far as I can tell, "Firmware First"
is defined by the ACPI spec, and the FIRMWARE_FIRST bit in various
HEST entries (sec 18.3.2) is what tells us when a device is in
firmware-first mode.

That's a really long way of saying that from a spec point of view, DPC
being controlled by firmware does NOT imply anything about
firmware-first mode.

> And, OS is permitted to read or write DPC Control
> and Status registers of a port while processing an Error Disconnect
> Recover (EDR) notification from firmware on that port.
> 
> Currently, if firmware controls DPC (firmware first mode), OS will not
> create/enumerate DPC PCIe port services. But, if OS supports EDR
> feature, then as mentioned in above spec references, it should permit
> enumeration of DPC driver and also support handling ACPI EDR
> notification. So as first step, allow dpc_probe() to continue even if
> firmware first mode is enabled. Also add appropriate checks to ensure
> device registers are not modified outside EDR notification window in
> firmware first mode. This is a preparatory patch for adding EDR support.
> 
> Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com>
> Acked-by: Keith Busch <keith.busch@...el.com>
> ---
>  drivers/pci/pcie/dpc.c | 74 ++++++++++++++++++++++++++++++++++--------
>  1 file changed, 61 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
> index e06f42f58d3d..c583a90fa90d 100644
> --- a/drivers/pci/pcie/dpc.c
> +++ b/drivers/pci/pcie/dpc.c
> @@ -22,6 +22,7 @@ struct dpc_dev {
>  	u16			cap_pos;
>  	bool			rp_extensions;
>  	u8			rp_log_size;
> +	bool			edr_enabled; /* EDR mode is supported */

This needs a better name, or perhaps it should be removed completely.
EDR is not a mode that can be enabled or disabled.  The _OSC "EDR
supported" bit tells the firmware whether the OS supports EDR
notification, but there's no corresponding bit that tells the OS
whether firmware will actually *send* those notifications.

Also, EDR is an ACPI concept, and dpc.c is a generic driver not
specific to ACPI, so we should try to avoid polluting it with
ACPI-isms.

>  };
>  
>  static const char * const rp_pio_error_string[] = {
> @@ -69,6 +70,14 @@ void pci_save_dpc_state(struct pci_dev *dev)
>  	if (!dpc)
>  		return;
>  
> +	/*
> +	 * If DPC is controlled by firmware then save/restore tasks are also
> +	 * controlled by firmware. So skip rest of the function if DPC is
> +	 * controlled by firmware.
> +	 */
> +	if (dpc->edr_enabled)
> +		return;

I think this should be something like:

  if (!host->native_dpc)
    return;

That's what the spec says: if firmware does not grant control of DPC
to the OS via _OSC, the OS may not read/write the DPC capability.

The usual situation would be that if firmware doesn't grant the OS
permission to use DPC, we wouldn't use the dpc.c driver at all.

But IIUC, the point of this EDR stuff is that we're adding a case
where the OS doesn't have permission to use DPC, but we *do* want to
use parts of dpc.c in limited cases while handling EDR notifications.

I think you should probably take the DPC-related _OSC stuff from the
last patch ("PCI/ACPI: Enable EDR support") and move it before this
patch, so it *only* negotiates DPC ownership, per the ECN.  That would
probably result in dpc.c being used only if _OSC grants DPC ownership
to the OS.

Then subsequent patches like this one would relax that slightly and
allow dpc.c to be used even without DPC ownership, but it would only
touch the DPC capability in limited cases.

>  	save_state = pci_find_saved_ext_cap(dev, PCI_EXT_CAP_ID_DPC);
>  	if (!save_state)
>  		return;
> @@ -90,6 +99,14 @@ void pci_restore_dpc_state(struct pci_dev *dev)
>  	if (!dpc)
>  		return;
>  
> +	/*
> +	 * If DPC is controlled by firmware then save/restore tasks are also
> +	 * controlled by firmware. So skip rest of the function if DPC is
> +	 * controlled by firmware.
> +	 */
> +	if (dpc->edr_enabled)
> +		return;
> +
>  	save_state = pci_find_saved_ext_cap(dev, PCI_EXT_CAP_ID_DPC);
>  	if (!save_state)
>  		return;
> @@ -291,24 +308,48 @@ static int dpc_probe(struct pcie_device *dev)
>  	int status;
>  	u16 ctl, cap;
>  
> -	if (pcie_aer_get_firmware_first(pdev) && !pcie_ports_dpc_native)
> -		return -ENOTSUPP;
> -
>  	dpc = devm_kzalloc(device, sizeof(*dpc), GFP_KERNEL);
>  	if (!dpc)
>  		return -ENOMEM;
>  
>  	dpc->cap_pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_DPC);
>  	dpc->dev = dev;
> +
> +	/*
> +	 * As per PCIe r5.0, sec 6.2.10, implementation note titled
> +	 * "Determination of DPC Control", to avoid conflicts over whether
> +	 * platform firmware or the operating system have control of DPC,
> +	 * it is recommended that platform firmware and operating systems
> +	 * always link the control of DPC to the control of Advanced Error
> +	 * Reporting.
> +	 *
> +	 * So use AER FF mode check API pcie_aer_get_firmware_first() to decide
> +	 * whether DPC is controlled by software or firmware. 

AFAICT, this is not what the spec says.  Firmware-first is not what
tells us whether DPC is controlled by firmware or the OS.  For ACPI
systems, _OSC tells us whether the OS is allowed control of DPC.

> +	 * And EDR support
> +	 * can only be enabled if DPC is controlled by firmware.
> +	 */
> +
> +	if (pcie_aer_get_firmware_first(pdev) && !pcie_ports_dpc_native)
> +		dpc->edr_enabled = 1;

> +	/*
> +	 * If DPC is handled in firmware and ACPI support is not enabled
> +	 * in OS, skip probe and return error.
> +	 */
> +	if (dpc->edr_enabled && !IS_ENABLED(CONFIG_ACPI))
> +		return -ENODEV;
> +
>  	set_service_data(dev, dpc);
>  
> -	status = devm_request_threaded_irq(device, dev->irq, dpc_irq,
> -					   dpc_handler, IRQF_SHARED,
> -					   "pcie-dpc", dpc);
> -	if (status) {
> -		pci_warn(pdev, "request IRQ%d failed: %d\n", dev->irq,
> -			 status);
> -		return status;
> +	/* Register interrupt handler only if OS controls DPC */
> +	if (!dpc->edr_enabled) {
> +		status = devm_request_threaded_irq(device, dev->irq, dpc_irq,
> +						   dpc_handler, IRQF_SHARED,
> +						   "pcie-dpc", dpc);
> +		if (status) {
> +			pci_warn(pdev, "request IRQ%d failed: %d\n", dev->irq,
> +				 status);
> +			return status;
> +		}
>  	}
>  
>  	pci_read_config_word(pdev, dpc->cap_pos + PCI_EXP_DPC_CAP, &cap);
> @@ -323,9 +364,12 @@ static int dpc_probe(struct pcie_device *dev)
>  			dpc->rp_log_size = 0;
>  		}
>  	}
> -
> -	ctl = (ctl & 0xfff4) | PCI_EXP_DPC_CTL_EN_FATAL | PCI_EXP_DPC_CTL_INT_EN;
> -	pci_write_config_word(pdev, dpc->cap_pos + PCI_EXP_DPC_CTL, ctl);
> +	if (!dpc->edr_enabled) {
> +		ctl = (ctl & 0xfff4) |
> +			(PCI_EXP_DPC_CTL_EN_FATAL | PCI_EXP_DPC_CTL_INT_EN);
> +		pci_write_config_word(pdev, dpc->cap_pos + PCI_EXP_DPC_CTL,
> +				      ctl);
> +	}
>  
>  	pci_info(pdev, "error containment capabilities: Int Msg #%d, RPExt%c PoisonedTLP%c SwTrigger%c RP PIO Log %d, DL_ActiveErr%c\n",
>  		 cap & PCI_EXP_DPC_IRQ, FLAG(cap, PCI_EXP_DPC_CAP_RP_EXT),
> @@ -343,6 +387,10 @@ static void dpc_remove(struct pcie_device *dev)
>  	struct pci_dev *pdev = dev->port;
>  	u16 ctl;
>  
> +	/* Skip updating DPC registers if DPC is controlled by firmware */
> +	if (dpc->edr_enabled)
> +		return;
> +
>  	pci_read_config_word(pdev, dpc->cap_pos + PCI_EXP_DPC_CTL, &ctl);
>  	ctl &= ~(PCI_EXP_DPC_CTL_EN_FATAL | PCI_EXP_DPC_CTL_INT_EN);
>  	pci_write_config_word(pdev, dpc->cap_pos + PCI_EXP_DPC_CTL, ctl);
> -- 
> 2.21.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ