On 21-02-16 18:28:49, Jonathan Cameron wrote: > On Tue, 16 Feb 2021 09:53:14 -0800 > Ben Widawsky <ben.widaw...@intel.com> wrote: > > > On 21-02-16 15:22:23, Jonathan Cameron wrote: > > > On Mon, 15 Feb 2021 17:45:33 -0800 > > > Ben Widawsky <ben.widaw...@intel.com> wrote: > > > > > > > Add a straightforward IOCTL that provides a mechanism for userspace to > > > > query the supported memory device commands. CXL commands as they appear > > > > to userspace are described as part of the UAPI kerneldoc. The command > > > > list returned via this IOCTL will contain the full set of commands that > > > > the driver supports, however, some of those commands may not be > > > > available for use by userspace. > > > > > > > > Memory device commands first appear in the CXL 2.0 specification. They > > > > are submitted through a mailbox mechanism specified in the CXL 2.0 > > > > specification. > > > > > > > > The send command allows userspace to issue mailbox commands directly to > > > > the hardware. The list of available commands to send are the output of > > > > the query command. The driver verifies basic properties of the command > > > > and possibly inspect the input (or output) payload to determine whether > > > > or not the command is allowed (or might taint the kernel). > > > > > > > > Reported-by: kernel test robot <l...@intel.com> # bug in earlier > > > > revision > > > > Signed-off-by: Ben Widawsky <ben.widaw...@intel.com> > > > > Reviewed-by: Dan Williams <dan.j.willi...@intel.com> (v2) > > > > > > I may be missreading this but I think the logic to ensure commands > > > using a variable sized buffer have enough space is broken. > > > > > > Jonathan > > > > > > > --- > > > > .clang-format | 1 + > > > > .../userspace-api/ioctl/ioctl-number.rst | 1 + > > > > drivers/cxl/mem.c | 288 +++++++++++++++++- > > > > include/uapi/linux/cxl_mem.h | 154 ++++++++++ > > > > 4 files changed, 443 insertions(+), 1 deletion(-) > > > > create mode 100644 include/uapi/linux/cxl_mem.h > > > > > > > > diff --git a/.clang-format b/.clang-format > > > > index 10dc5a9a61b3..3f11c8901b43 100644 > > > > --- a/.clang-format > > > > +++ b/.clang-format > > > > @@ -109,6 +109,7 @@ ForEachMacros: > > > > - 'css_for_each_child' > > > > - 'css_for_each_descendant_post' > > > > - 'css_for_each_descendant_pre' > > > > + - 'cxl_for_each_cmd' > > > > - 'device_for_each_child_node' > > > > - 'dma_fence_chain_for_each' > > > > - 'do_for_each_ftrace_op' > > > > diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst > > > > b/Documentation/userspace-api/ioctl/ioctl-number.rst > > > > index a4c75a28c839..6eb8e634664d 100644 > > > > --- a/Documentation/userspace-api/ioctl/ioctl-number.rst > > > > +++ b/Documentation/userspace-api/ioctl/ioctl-number.rst > > > > @@ -352,6 +352,7 @@ Code Seq# Include File > > > > Comments > > > > > > > > <mailto:michael.kl...@puffin.lb.shuttle.de> > > > > 0xCC 00-0F drivers/misc/ibmvmc.h > > > > pseries VMC driver > > > > 0xCD 01 linux/reiserfs_fs.h > > > > +0xCE 01-02 uapi/linux/cxl_mem.h > > > > Compute Express Link Memory Devices > > > > 0xCF 02 fs/cifs/ioctl.c > > > > 0xDB 00-0F drivers/char/mwave/mwavepub.h > > > > 0xDD 00-3F > > > > ZFCP device driver see drivers/s390/scsi/ > > > > diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c > > > > index 410adb1bdffc..a4298cb1182d 100644 > > > > --- a/drivers/cxl/mem.c > > > > +++ b/drivers/cxl/mem.c > > > > @@ -1,5 +1,6 @@ > > > > // SPDX-License-Identifier: GPL-2.0-only > > > > /* Copyright(c) 2020 Intel Corporation. All rights reserved. */ > > > > +#include <uapi/linux/cxl_mem.h> > > > > #include <linux/module.h> > > > > #include <linux/mutex.h> > > > > #include <linux/cdev.h> > > > > @@ -40,6 +41,7 @@ > > > > #define CXL_MAILBOX_TIMEOUT_MS (2 * HZ) > > > > > > > > enum opcode { > > > > + CXL_MBOX_OP_INVALID = 0x0000, > > > > CXL_MBOX_OP_IDENTIFY = 0x4000, > > > > CXL_MBOX_OP_MAX = 0x10000 > > > > }; > > > > @@ -91,6 +93,49 @@ struct cxl_memdev { > > > > static int cxl_mem_major; > > > > static DEFINE_IDA(cxl_memdev_ida); > > > > > > > > +/** > > > > + * struct cxl_mem_command - Driver representation of a memory device > > > > command > > > > + * @info: Command information as it exists for the UAPI > > > > + * @opcode: The actual bits used for the mailbox protocol > > > > + * > > > > + * The cxl_mem_command is the driver's internal representation of > > > > commands that > > > > + * are supported by the driver. Some of these commands may not be > > > > supported by > > > > + * the hardware. The driver will use @info to validate the fields > > > > passed in by > > > > + * the user then submit the @opcode to the hardware. > > > > + * > > > > + * See struct cxl_command_info. > > > > + */ > > > > +struct cxl_mem_command { > > > > + struct cxl_command_info info; > > > > + enum opcode opcode; > > > > +}; > > > > + > > > > +#define CXL_CMD(_id, sin, sout) > > > > \ > > > > + [CXL_MEM_COMMAND_ID_##_id] = { > > > > \ > > > > + .info = { > > > > \ > > > > + .id = CXL_MEM_COMMAND_ID_##_id, > > > > \ > > > > + .size_in = sin, > > > > \ > > > > + .size_out = sout, > > > > \ > > > > + }, > > > > \ > > > > + .opcode = CXL_MBOX_OP_##_id, > > > > \ > > > > + } > > > > + > > > > +/* > > > > + * This table defines the supported mailbox commands for the driver. > > > > This table > > > > + * is made up of a UAPI structure. Non-negative values as parameters > > > > in the > > > > + * table will be validated against the user's input. For example, if > > > > size_in is > > > > + * 0, and the user passed in 1, it is an error. > > > > + */ > > > > +static struct cxl_mem_command mem_commands[] = { > > > > + CXL_CMD(IDENTIFY, 0, 0x43), > > > > +}; > > > > + > > > > +#define cxl_for_each_cmd(cmd) > > > > \ > > > > + for ((cmd) = &mem_commands[0]; > > > > \ > > > > + ((cmd) - mem_commands) < ARRAY_SIZE(mem_commands); (cmd)++) > > > > + > > > > +#define cxl_cmd_count ARRAY_SIZE(mem_commands) > > > > + > > > > static int cxl_mem_wait_for_doorbell(struct cxl_mem *cxlm) > > > > { > > > > const unsigned long start = jiffies; > > > > @@ -312,6 +357,247 @@ static void cxl_mem_mbox_put(struct cxl_mem *cxlm) > > > > mutex_unlock(&cxlm->mbox_mutex); > > > > } > > > > > > > > +/** > > > > + * handle_mailbox_cmd_from_user() - Dispatch a mailbox command for > > > > userspace. > > > > + * @cxlm: The CXL memory device to communicate with. > > > > + * @cmd: The validated command. > > > > + * @in_payload: Pointer to userspace's input payload. > > > > + * @out_payload: Pointer to userspace's output payload. > > > > + * @size_out: (Input) Max payload size to copy out. > > > > + * (Output) Payload size hardware generated. > > > > + * @retval: Hardware generated return code from the operation. > > > > + * > > > > + * Return: > > > > + * * %0 - Mailbox transaction succeeded. This implies the > > > > mailbox > > > > + * protocol completed successfully not that the > > > > operation itself > > > > + * was successful. > > > > + * * %-ENOMEM - Couldn't allocate a bounce buffer. > > > > + * * %-EFAULT - Something happened with copy_to/from_user. > > > > + * * %-EINTR - Mailbox acquisition interrupted. > > > > + * * %-* - Transaction level failures. > > > > + * > > > > + * Creates the appropriate mailbox command and dispatches it on behalf > > > > of a > > > > + * userspace request. The input and output payloads are copied between > > > > + * userspace. > > > > + * > > > > + * See cxl_send_cmd(). > > > > + */ > > > > +static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm, > > > > + const struct cxl_mem_command > > > > *cmd, > > > > + u64 in_payload, u64 out_payload, > > > > + s32 *size_out, u32 *retval) > > > > +{ > > > > + struct device *dev = &cxlm->pdev->dev; > > > > + struct mbox_cmd mbox_cmd = { > > > > + .opcode = cmd->opcode, > > > > + .size_in = cmd->info.size_in, > > > > + }; > > > > + int rc; > > > > + > > > > + if (cmd->info.size_out) { > > > > + mbox_cmd.payload_out = kvzalloc(cmd->info.size_out, > > > > GFP_KERNEL); > > > > + if (!mbox_cmd.payload_out) > > > > + return -ENOMEM; > > > > + } > > > > + > > > > + if (cmd->info.size_in) { > > > > + mbox_cmd.payload_in = kvzalloc(cmd->info.size_in, > > > > GFP_KERNEL); > > > > + if (!mbox_cmd.payload_in) { > > > > + rc = -ENOMEM; > > > > + goto out; > > > > + } > > > > + > > > > + if (copy_from_user(mbox_cmd.payload_in, > > > > + u64_to_user_ptr(in_payload), > > > > + cmd->info.size_in)) { > > > > + rc = -EFAULT; > > > > + goto out; > > > > + } > > > > + } > > > > + > > > > + rc = cxl_mem_mbox_get(cxlm); > > > > + if (rc) > > > > + goto out; > > > > + > > > > + dev_dbg(dev, > > > > + "Submitting %s command for user\n" > > > > + "\topcode: %x\n" > > > > + "\tsize: %ub\n", > > > > + cxl_command_names[cmd->info.id].name, mbox_cmd.opcode, > > > > + cmd->info.size_in); > > > > + > > > > + rc = __cxl_mem_mbox_send_cmd(cxlm, &mbox_cmd); > > > > + cxl_mem_mbox_put(cxlm); > > > > + if (rc) > > > > + goto out; > > > > + > > > > + /* > > > > + * @size_out contains the max size that's allowed to be written > > > > back out > > > > + * to userspace. While the payload may have written more output > > > > than > > > > + * this it will have to be ignored. > > > > + */ > > > > > > See below for why I don't think this works. The size of > > > mbox_cmd.payload_out > > > seems to always be the size userspace specified, never the 1MB this code > > > is assuming. So if the hardware returns more than userspace asks for you > > > have a buffer overrun. > > > > > > > > > > + if (mbox_cmd.size_out) { > > > > + if (copy_to_user(u64_to_user_ptr(out_payload), > > > > + mbox_cmd.payload_out, *size_out)) { > > > > + rc = -EFAULT; > > > > + goto out; > > > > + } > > > > + } > > > > + > > > > + /* > > > > + * Reporting the actual size, even if it was greater than > > > > @size_out > > > > + * allows userspace to try the command again with a bigger > > > > buffer. > > > > + */ > > > > + *size_out = mbox_cmd.size_out; > > > > + *retval = mbox_cmd.return_code; > > > > + > > > > +out: > > > > + kvfree(mbox_cmd.payload_in); > > > > + kvfree(mbox_cmd.payload_out); > > > > + return rc; > > > > +} > > > > + > > > > +/** > > > > + * cxl_validate_cmd_from_user() - Check fields for > > > > CXL_MEM_SEND_COMMAND. > > > > + * @cxlm: &struct cxl_mem device whose mailbox will be used. > > > > + * @send_cmd: &struct cxl_send_command copied in from userspace. > > > > + * @out_cmd: Sanitized and populated &struct cxl_mem_command. > > > > + * > > > > + * Return: > > > > + * * %0 - @out_cmd is ready to send. > > > > + * * %-ENOTTY - Invalid command specified. > > > > + * * %-EINVAL - Reserved fields or invalid values were used. > > > > + * * %-ENOMEM - Input or output buffer wasn't sized properly. > > > > + * > > > > + * The result of this command is a fully validated command in @out_cmd > > > > that is > > > > + * safe to send to the hardware. > > > > + * > > > > + * See handle_mailbox_cmd_from_user() > > > > + */ > > > > +static int cxl_validate_cmd_from_user(struct cxl_mem *cxlm, > > > > + const struct cxl_send_command > > > > *send_cmd, > > > > + struct cxl_mem_command *out_cmd) > > > > +{ > > > > + const struct cxl_command_info *info; > > > > + struct cxl_mem_command *c; > > > > + > > > > + if (send_cmd->id == 0 || send_cmd->id >= CXL_MEM_COMMAND_ID_MAX) > > > > + return -ENOTTY; > > > > + > > > > + /* > > > > + * The user can never specify an input payload larger than what > > > > hardware > > > > + * supports, but output can be arbitrarily large (simply write > > > > out as > > > > + * much data as the hardware provides). > > > > + */ > > > > + if (send_cmd->in.size > cxlm->payload_size) > > > > + return -EINVAL; > > > > + > > > > + if (send_cmd->flags & ~CXL_MEM_COMMAND_FLAG_MASK) > > > > + return -EINVAL; > > > > + > > > > + if (send_cmd->rsvd) > > > > + return -EINVAL; > > > > + > > > > + if (send_cmd->in.rsvd || send_cmd->out.rsvd) > > > > + return -EINVAL; > > > > + > > > > + /* Convert user's command into the internal representation */ > > > > + c = &mem_commands[send_cmd->id]; > > > > + info = &c->info; > > > > + > > > > + /* Check the input buffer is the expected size */ > > > > + if (info->size_in >= 0 && info->size_in != send_cmd->in.size) > > > > + return -ENOMEM; > > > > + > > > > + /* Check the output buffer is at least large enough */ > > > > + if (info->size_out >= 0 && send_cmd->out.size < info->size_out) > > > > + return -ENOMEM; > > > > + > > > > + memcpy(out_cmd, c, sizeof(*c)); > > > > + out_cmd->info.size_in = send_cmd->in.size; > > > > + out_cmd->info.size_out = send_cmd->out.size; > > > > + > > > > + return 0; > > > > +} > > > > + > > > > +static int cxl_query_cmd(struct cxl_memdev *cxlmd, > > > > + struct cxl_mem_query_commands __user *q) > > > > +{ > > > > + struct device *dev = &cxlmd->dev; > > > > + struct cxl_mem_command *cmd; > > > > + u32 n_commands; > > > > + int j = 0; > > > > + > > > > + dev_dbg(dev, "Query IOCTL\n"); > > > > + > > > > + if (get_user(n_commands, &q->n_commands)) > > > > + return -EFAULT; > > > > + > > > > + /* returns the total number if 0 elements are requested. */ > > > > + if (n_commands == 0) > > > > + return put_user(cxl_cmd_count, &q->n_commands); > > > > + > > > > + /* > > > > + * otherwise, return max(n_commands, total commands) > > > > cxl_command_info > > > > + * structures. > > > > + */ > > > > + cxl_for_each_cmd(cmd) { > > > > + const struct cxl_command_info *info = &cmd->info; > > > > + > > > > + if (copy_to_user(&q->commands[j++], info, > > > > sizeof(*info))) > > > > + return -EFAULT; > > > > + > > > > + if (j == n_commands) > > > > + break; > > > > + } > > > > + > > > > + return 0; > > > > +} > > > > + > > > > +static int cxl_send_cmd(struct cxl_memdev *cxlmd, > > > > + struct cxl_send_command __user *s) > > > > +{ > > > > + struct cxl_mem *cxlm = cxlmd->cxlm; > > > > + struct device *dev = &cxlmd->dev; > > > > + struct cxl_send_command send; > > > > + struct cxl_mem_command c; > > > > + int rc; > > > > + > > > > + dev_dbg(dev, "Send IOCTL\n"); > > > > + > > > > + if (copy_from_user(&send, s, sizeof(send))) > > > > + return -EFAULT; > > > > + > > > > + rc = cxl_validate_cmd_from_user(cxlmd->cxlm, &send, &c); > > > > + if (rc) > > > > + return rc; > > > > > > Userspace will pass in send.out set to the size of it's available buffer. > > > Then cxl_validate_cmd_from_user() will fill > > > c.info.size_out with send.out.size > > > > > > > + > > > > + /* Prepare to handle a full payload for variable sized output */ > > > > + if (c.info.size_out < 0) > > > > > > So this check only works if userspace set the command to have variable > > > size. > > > That's not what the docs below suggest should happen. > > > > > > > Another good catch. This bug was introduced after the last change was made. > > I > > still don't want to have a size_out as part of the mailbox command. > > > > Validate should not alter the size_out field except in the case of RAW > > commands. > > > > I believe this is the right fix, handle_mailbox_cmd_from_user() already will > > only copy_to the right number of byte, but your eyes on it are appreciated. > > > > diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c > > index 237b956f0be0..4ca4f5afd9d2 100644 > > --- a/drivers/cxl/mem.c > > +++ b/drivers/cxl/mem.c > > @@ -686,7 +686,11 @@ static int cxl_validate_cmd_from_user(struct cxl_mem > > *cxlm, > > > > memcpy(out_cmd, c, sizeof(*c)); > > out_cmd->info.size_in = send_cmd->in.size; > > - out_cmd->info.size_out = send_cmd->out.size; > > + /* > > + * XXX: out_cmd->info.size_out will be controlled by the driver, > > and the > > + * specified number of bytes @send_cmd->out.size will be copied > > back out > > + * to userspace. > > + */ > > > > return 0; > > } > > This deals with the buffer overflow being triggered from userspace. > > I'm still nervous. I really don't like assuming hardware will do the right > thing and never send us more data than we expect. > > Given the check that it will fit in the target buffer is simple, > I'd prefer to harden it and know we can't have a problem. > > Jonathan
I'm working on hardening __cxl_mem_mbox_send_cmd now per your request. With that, I think this solves the issue, right? > > > > > > > > + c.info.size_out = cxlm->payload_size; > > > > + > > > > + rc = handle_mailbox_cmd_from_user(cxlm, &c, send.in.payload, > > > > + send.out.payload, > > > > &send.out.size, > > > > + &send.retval); > > > > + if (rc) > > > > + return rc; > > > > + > > > > + return copy_to_user(s, &send, sizeof(send)); > > > > +} > > > > + > > > > +static long __cxl_memdev_ioctl(struct cxl_memdev *cxlmd, unsigned int > > > > cmd, > > > > + unsigned long arg) > > > > +{ > > > > + switch (cmd) { > > > > + case CXL_MEM_QUERY_COMMANDS: > > > > + return cxl_query_cmd(cxlmd, (void __user *)arg); > > > > + case CXL_MEM_SEND_COMMAND: > > > > + return cxl_send_cmd(cxlmd, (void __user *)arg); > > > > + default: > > > > + return -ENOTTY; > > > > + } > > > > +} > > > > + > > > > static long cxl_memdev_ioctl(struct file *file, unsigned int cmd, > > > > unsigned long arg) > > > > { > > > > @@ -325,7 +611,7 @@ static long cxl_memdev_ioctl(struct file *file, > > > > unsigned int cmd, > > > > if (!percpu_ref_tryget_live(&cxlmd->ops_active)) > > > > return -ENXIO; > > > > > > > > - /* TODO: ioctl body */ > > > > + rc = __cxl_memdev_ioctl(cxlmd, cmd, arg); > > > > > > > > percpu_ref_put(&cxlmd->ops_active); > > > > > > > > diff --git a/include/uapi/linux/cxl_mem.h b/include/uapi/linux/cxl_mem.h > > > > new file mode 100644 > > > > index 000000000000..18cea908ad0b > > > > --- /dev/null > > > > +++ b/include/uapi/linux/cxl_mem.h > > > > @@ -0,0 +1,154 @@ > > > > +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ > > > > +/* > > > > + * CXL IOCTLs for Memory Devices > > > > + */ > > > > + > > > > +#ifndef _UAPI_CXL_MEM_H_ > > > > +#define _UAPI_CXL_MEM_H_ > > > > + > > > > +#include <linux/types.h> > > > > + > > > > +/** > > > > + * DOC: UAPI > > > > + * > > > > + * Not all of all commands that the driver supports are always > > > > available for use > > > > + * by userspace. Userspace must check the results from the QUERY > > > > command in > > > > + * order to determine the live set of commands. > > > > + */ > > > > + > > > > +#define CXL_MEM_QUERY_COMMANDS _IOR(0xCE, 1, struct > > > > cxl_mem_query_commands) > > > > +#define CXL_MEM_SEND_COMMAND _IOWR(0xCE, 2, struct cxl_send_command) > > > > + > > > > +#define CXL_CMDS > > > > \ > > > > + ___C(INVALID, "Invalid Command"), > > > > \ > > > > + ___C(IDENTIFY, "Identify Command"), > > > > \ > > > > + ___C(MAX, "invalid / last command") > > > > + > > > > +#define ___C(a, b) CXL_MEM_COMMAND_ID_##a > > > > +enum { CXL_CMDS }; > > > > + > > > > +#undef ___C > > > > +#define ___C(a, b) { b } > > > > +static const struct { > > > > + const char *name; > > > > +} cxl_command_names[] = { CXL_CMDS }; > > > > + > > > > +/* > > > > + * Here's how this actually breaks out: > > > > + * cxl_command_names[] = { > > > > + * [CXL_MEM_COMMAND_ID_INVALID] = { "Invalid Command" }, > > > > + * [CXL_MEM_COMMAND_ID_IDENTIFY] = { "Identify Command" }, > > > > + * ... > > > > + * [CXL_MEM_COMMAND_ID_MAX] = { "invalid / last command" }, > > > > + * }; > > > > + */ > > > > > > Thanks, this is great. > > > > > > > + > > > > +#undef ___C > > > > + > > > > +/** > > > > + * struct cxl_command_info - Command information returned from a query. > > > > + * @id: ID number for the command. > > > > + * @flags: Flags that specify command behavior. > > > > + * @size_in: Expected input size, or -1 if variable length. > > > > + * @size_out: Expected output size, or -1 if variable length. > > > > + * > > > > + * Represents a single command that is supported by both the driver > > > > and the > > > > + * hardware. This is returned as part of an array from the query > > > > ioctl. The > > > > + * following would be a command that takes a variable length input and > > > > returns 0 > > > > + * bytes of output. > > > > + * > > > > + * - @id = 10 > > > > + * - @flags = 0 > > > > + * - @size_in = -1 > > > > + * - @size_out = 0 > > > > + * > > > > + * See struct cxl_mem_query_commands. > > > > + */ > > > > +struct cxl_command_info { > > > > + __u32 id; > > > > + > > > > + __u32 flags; > > > > +#define CXL_MEM_COMMAND_FLAG_MASK GENMASK(0, 0) > > > > + > > > > + __s32 size_in; > > > > + __s32 size_out; > > > > +}; > > > > + > > > > +/** > > > > + * struct cxl_mem_query_commands - Query supported commands. > > > > + * @n_commands: In/out parameter. When @n_commands is > 0, the driver > > > > will > > > > + * return min(num_support_commands, n_commands). When > > > > @n_commands > > > > + * is 0, driver will return the number of total supported > > > > commands. > > > > + * @rsvd: Reserved for future use. > > > > + * @commands: Output array of supported commands. This array must be > > > > allocated > > > > + * by userspace to be at least min(num_support_commands, > > > > @n_commands) > > > > + * > > > > + * Allow userspace to query the available commands supported by both > > > > the driver, > > > > + * and the hardware. Commands that aren't supported by either the > > > > driver, or the > > > > + * hardware are not returned in the query. > > > > + * > > > > + * Examples: > > > > + * > > > > + * - { .n_commands = 0 } // Get number of supported commands > > > > + * - { .n_commands = 15, .commands = buf } // Return first 15 (or > > > > less) > > > > + * supported commands > > > > + * > > > > + * See struct cxl_command_info. > > > > + */ > > > > +struct cxl_mem_query_commands { > > > > + /* > > > > + * Input: Number of commands to return (space allocated by user) > > > > + * Output: Number of commands supported by the driver/hardware > > > > + * > > > > + * If n_commands is 0, kernel will only return number of > > > > commands and > > > > + * not try to populate commands[], thus allowing userspace to > > > > know how > > > > + * much space to allocate > > > > + */ > > > > > > This is fairly well described in the docs above the structure. > > > Perhaps combine the two. > > > > > > > + __u32 n_commands; > > > > + __u32 rsvd; > > > > + > > > > + struct cxl_command_info __user commands[]; /* out: supported > > > > commands */ > > > > +}; > > > > + > > > > +/** > > > > + * struct cxl_send_command - Send a command to a memory device. > > > > + * @id: The command to send to the memory device. This must be one of > > > > the > > > > + * commands returned by the query command. > > > > + * @flags: Flags for the command (input). > > > > + * @rsvd: Must be zero. > > > > + * @retval: Return value from the memory device (output). > > > > + * @in.size: Size of the payload to provide to the device (input). > > > > + * @in.rsvd: Must be zero. > > > > + * @in.payload: Pointer to memory for payload input, payload is little > > > > endian. > > > > + * @out.size: Size of the payload received from the device > > > > (input/output). This > > > > + * field is filled in by userspace to let the driver know > > > > how much > > > > + * space was allocated for output. It is populated by the > > > > driver to > > > > + * let userspace know how large the output payload actually > > > > was. > > > > + * @out.rsvd: Must be zero. > > > > + * @out.payload: Pointer to memory for payload output, payload is > > > > little endian. > > > > + * > > > > + * Mechanism for userspace to send a command to the hardware for > > > > processing. The > > > > + * driver will do basic validation on the command sizes. In some cases > > > > even the > > > > + * payload may be introspected. Userspace is required to allocate > > > > large enough > > > > + * buffers for size_out which can be variable length in certain > > > > situations. > > > > + */ > > > > +struct cxl_send_command { > > > > + __u32 id; > > > > + __u32 flags; > > > > + __u32 rsvd; > > > > + __u32 retval; > > > > + > > > > + struct { > > > > + __s32 size; > > > > + __u32 rsvd; > > > > + __u64 payload; > > > > + } in; > > > > + > > > > + struct { > > > > + __s32 size; > > > > + __u32 rsvd; > > > > + __u64 payload; > > > > + } out; > > > > +}; > > > > + > > > > +#endif > > > >