Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4132513pxb; Mon, 1 Feb 2021 13:22:13 -0800 (PST) X-Google-Smtp-Source: ABdhPJxN8rHcL6m+udR/M1w7wEu/fTvHzslxyATZ1pGIt9Kq12kCm0E1HoG3jvO79XYkZOvzA8On X-Received: by 2002:a17:906:eb88:: with SMTP id mh8mr10697474ejb.150.1612214533193; Mon, 01 Feb 2021 13:22:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612214533; cv=none; d=google.com; s=arc-20160816; b=qK8Tn3xKiJIYcTxb35DWVqY8BGfp03O/9vZhcrUgZIZUymFPCao+LcMggdHvumXPIE w3tKqScXCML+c6c/RkNmvWpL6UuPJyF7vHNM3o4OCt/A21cQ2kZ4AbT1ivxYNGPf4H6t uMVUfKs9OYGLQyoD9QSozJspiFGDIe3UN1MQcLU8hAGZhXU8M9H4wSZHfSSD5ud1jok/ X9TibUfn5bz5i69DGAABCXN6XqA75aeRhbKF7W45mCK4yE+CiVkUX/zn2n996hOA7SbK 6cfFn5E8tdoUuNmCRzDcFsBy4h0k/Bw8vXjPUtq1Hlt+puk1yS0Bh4edJjqeCcnxtUOe RegA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=RKV8tfXM/P2yr23U8IrmSV+OjOgK46IvUPsK7p0jMgk=; b=QhYDa7ixi50Nf5ZE4DUt27ezOOAP4at+apvAKAWsOrlE+tUKsm2awnq5qblij6AGB4 ML0Xm68eRHXE1E8VUF5nr1aJfO1jXw2ePS/vSAFPlxxxy2Meu3jdYMsdGrx1f/AKOR4K M8r4OR0SrD4MZKMsPeQZMyYdMsFT5AakKBbHQjiKxaRpyhUSIgym7jHHXvfGnJEaA6vK bs0D8FiZpdh2J8oM+MNnjF3vhoRwSUrUZp3beCqXVBunLDYz8UGXAwk3A5l3lSYTbIVO QQfmfRaT3d+UIMmtYs1EHedInh0zgo0Y3Pa4rDycGnN7GYmt0oDz/Tu5el3Lv/PDF4wj CTGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=jZLlF1BL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f2si11305807edy.187.2021.02.01.13.21.48; Mon, 01 Feb 2021 13:22:13 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=jZLlF1BL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229663AbhBAVU7 (ORCPT + 99 others); Mon, 1 Feb 2021 16:20:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60826 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbhBAVU7 (ORCPT ); Mon, 1 Feb 2021 16:20:59 -0500 Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F0F1AC06174A for ; Mon, 1 Feb 2021 13:20:18 -0800 (PST) Received: by mail-ej1-x62d.google.com with SMTP id p20so7289080ejb.6 for ; Mon, 01 Feb 2021 13:20:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RKV8tfXM/P2yr23U8IrmSV+OjOgK46IvUPsK7p0jMgk=; b=jZLlF1BLcZiQNvZuriBZtAzF6XOXuBz6zZN01Lb11NP+6NRYwxYB0ZMdTbEIExzDKb r/gC0LbZUA18tkBHhoxigMtqVYDxB4j+RWtLlmqHfDvcPVcvDdr3AUlNiqW2LxbOfb3O +V+GSB9O1BjCxxSnLTCxG8gvlUz2B5Itq3vnR+d9KT98zWWMdBnlW1/DAzbz4ulPCc4G nq+Wrn51F//JFhDa2w3l398dovOGhgDJhWKfhYV/ofnLxv7doKXgn3rI+ESCn2v5Ofq9 ZecFkI5v7FgvOkds/8sJojnO2M7YKnUAbPpdVdFqGTVqquOyo2GU3ijaFXNzoa5HRNf0 nLAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RKV8tfXM/P2yr23U8IrmSV+OjOgK46IvUPsK7p0jMgk=; b=Bc1qIny9Vu8ZttIulDOedr97AcILZgo+P7unJwfm19az/7hvlqlDSR2AxpLZlo2BmQ ogEtz3UT3JLBKjH0GUmjFGm18ESmIcZzParAKHv/HK8yPwsWpSHO7kfKqftWNiOAhuDm /+0sXU9FW7YBu1DbUlbJ4zzpfUJxv4mjjkGDayzUOKXSxikgbslvFCTH08e3aLDlzx1/ dLGwy0LwIN2fF4oL+FbaX89ugDF7OqEI+C/6r+BeriwYXT0N9oVt4ZmYAIJQMtuf782c w1DvIngVVzqctTRV87X/dCGgTm8vG4Qng/8rDci/ARoOZpRsAcv28KlY7Ph3haz5j6jf q4PQ== X-Gm-Message-State: AOAM533fzjz6T20YYCX+y0SnicYNZFQ1At3aznyYCBEThyvtTAr+l/FW 9kyZHDn0idICqITpbwMdYMMUMRim7HXgFE0J/ECVLAruMCp/Sw== X-Received: by 2002:a17:906:f919:: with SMTP id lc25mr20142627ejb.323.1612214417615; Mon, 01 Feb 2021 13:20:17 -0800 (PST) MIME-Version: 1.0 References: <20210130002438.1872527-1-ben.widawsky@intel.com> <20210130002438.1872527-10-ben.widawsky@intel.com> <20210201182400.GK197521@fedora> <20210201192708.5cvyecbcdrwx77de@intel.com> <20210201193453.GA308086@fedora> In-Reply-To: <20210201193453.GA308086@fedora> From: Dan Williams Date: Mon, 1 Feb 2021 13:20:14 -0800 Message-ID: Subject: Re: [PATCH 09/14] cxl/mem: Add a "RAW" send command To: Konrad Rzeszutek Wilk Cc: Ben Widawsky , linux-cxl@vger.kernel.org, Linux ACPI , Linux Kernel Mailing List , linux-nvdimm , Linux PCI , Bjorn Helgaas , Chris Browy , Christoph Hellwig , Ira Weiny , Jon Masters , Jonathan Cameron , Rafael Wysocki , Randy Dunlap , Vishal Verma , daniel.lll@alibaba-inc.com, "John Groves (jgroves)" , "Kelley, Sean V" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 1, 2021 at 11:36 AM Konrad Rzeszutek Wilk wrote: > > On Mon, Feb 01, 2021 at 11:27:08AM -0800, Ben Widawsky wrote: > > On 21-02-01 13:24:00, Konrad Rzeszutek Wilk wrote: > > > On Fri, Jan 29, 2021 at 04:24:33PM -0800, Ben Widawsky wrote: > > > > The CXL memory device send interface will have a number of supported > > > > commands. The raw command is not such a command. Raw commands allow > > > > userspace to send a specified opcode to the underlying hardware and > > > > bypass all driver checks on the command. This is useful for a couple of > > > > usecases, mainly: > > > > 1. Undocumented vendor specific hardware commands > > > > 2. Prototyping new hardware commands not yet supported by the driver > > > > > > This sounds like a recipe for .. > > > > > > In case you really really want this may I recommend you do two things: > > > > > > - Wrap this whole thing with #ifdef > > > CONFIG_CXL_DEBUG_THIS_WILL_DESTROY_YOUR_LIFE > > > > > > (or something equivalant to make it clear this should never be > > > enabled in production kernels). > > > > > > - Add a nice big fat printk in dmesg telling the user that they > > > are creating a unstable parallel universe that will lead to their > > > blood pressure going sky-high, or perhaps something more professional > > > sounding. > > > > > > - Rethink this. Do you really really want to encourage vendors > > > to use this raw API instead of them using the proper APIs? > > > > Again, the ideal is proper APIs. Barring that they get a WARN, and a taint if > > they use the raw commands. > > Linux upstream is all about proper APIs. Just don't do this. > > > > > > > > > > > > > While this all sounds very powerful it comes with a couple of caveats: > > > > 1. Bug reports using raw commands will not get the same level of > > > > attention as bug reports using supported commands (via taint). > > > > 2. Supported commands will be rejected by the RAW command. > > > > > > > > With this comes new debugfs knob to allow full access to your toes with > > > > your weapon of choice. > > > > > > Problem is that debugfs is no longer "debug" but is enabled in > > > production kernel. > > > > I don't see this as my problem. Again, they've been WARNed and tainted. If they > > Right not your problem, nice. > > But it is going to be the problem of vendor kernel engineers who don't have this luxury. > > > want to do this, that's their business. They will be asked to reproduce without > > RAW if they file a bug report. > > > This is not how customers see the world. "If it is there, then it is > there to used right? Why else would someone give me the keys to this?" > > Just kill this. Or better yet, make it a seperate set of patches for > folks developing code but not have it as part of this patchset. In the ACPI NFIT driver, the only protection against vendor shenanigans is the requirement that any and all DSM functions be described in a public specification, so there is no unfettered access to the DSM interface However, multiple vendors just went ahead and included a "vendor passthrough" as a DSM sub-command in their implementation. The driver does have the "disable_vendor_specific" module parameter, however that does not amount to much more than a stern look from the kernel at vendors shipping functionality through that path rather than proper functions. It has been a source of bugs. The RAW command proposal Ben has here is a significant improvement on that status quo. It's built on the observation that customers pick up the phone whenever their kernel backtraces, and makes it is easy to spot broken tooling. That said, I think it is reasonable to place the RAW interface behind a configuration option and let distribution policy decide the availability.