DPDK patches and discussions
 help / color / mirror / Atom feed
From: Ivan Malov <ivan.malov@oktetlabs.ru>
To: dev@dpdk.org
Cc: stable@dpdk.org, Andy Moreton <amoreton@xilinx.com>,
	Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Subject: [dpdk-dev] [PATCH 2/2] common/sfc_efx/base: check for MAE privilege
Date: Fri, 11 Dec 2020 18:34:21 +0300
Message-ID: <20201211153421.28382-2-ivan.malov@oktetlabs.ru> (raw)
In-Reply-To: <20201211153421.28382-1-ivan.malov@oktetlabs.ru>

VFs can't control MAE, so it's important to override the general
MAE capability bit by taking MAE privilege into account. Reorder
the code slightly to have the privileges queried before datapath
capabilities are discovered and add required MAE privilege check.

Fixes: eb4e80085fae ("common/sfc_efx/base: indicate support for MAE")
Cc: stable@dpdk.org

Signed-off-by: Ivan Malov <ivan.malov@oktetlabs.ru>
Reviewed-by: Andy Moreton <amoreton@xilinx.com>
---
 drivers/common/sfc_efx/base/ef10_nic.c | 48 ++++++++++++++++----------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/drivers/common/sfc_efx/base/ef10_nic.c b/drivers/common/sfc_efx/base/ef10_nic.c
index 68414d9fa..9dccde957 100644
--- a/drivers/common/sfc_efx/base/ef10_nic.c
+++ b/drivers/common/sfc_efx/base/ef10_nic.c
@@ -1423,11 +1423,19 @@ ef10_get_datapath_caps(
 
 #if EFSYS_OPT_MAE
 	/*
-	 * Indicate support for MAE.
-	 * MAE is supported by Riverhead boards starting with R2,
-	 * and it is required that FW is built with MAE support, too.
+	 * Check support for EF100 Match Action Engine (MAE).
+	 * MAE hardware is present on Riverhead boards (from R2),
+	 * and on Keystone, and requires support in firmware.
+	 *
+	 * MAE control operations require MAE control privilege,
+	 * which is not available for VFs.
+	 *
+	 * Privileges can change dynamically at runtime: we assume
+	 * MAE support requires the privilege is granted initially,
+	 * and ignore later dynamic changes.
 	 */
-	if (CAP_FLAGS3(req, MAE_SUPPORTED))
+	if (CAP_FLAGS3(req, MAE_SUPPORTED) &&
+	    EFX_MCDI_HAVE_PRIVILEGE(encp->enc_privilege_mask, MAE))
 		encp->enc_mae_supported = B_TRUE;
 	else
 		encp->enc_mae_supported = B_FALSE;
@@ -1896,6 +1904,18 @@ efx_mcdi_nic_board_cfg(
 
 	EFX_MAC_ADDR_COPY(encp->enc_mac_addr, mac_addr);
 
+	/*
+	 * Get the current privilege mask. Note that this may be modified
+	 * dynamically, so for most cases the value is informational only.
+	 * If the privilege being discovered can't be granted dynamically,
+	 * it's fine to rely on the value. In all other cases, DO NOT use
+	 * the privilege mask to check for sufficient privileges, as that
+	 * can result in time-of-check/time-of-use bugs.
+	 */
+	if ((rc = ef10_get_privilege_mask(enp, &mask)) != 0)
+		goto fail6;
+	encp->enc_privilege_mask = mask;
+
 	/* Board configuration (legacy) */
 	rc = efx_mcdi_get_board_cfg(enp, &board_type, NULL, NULL);
 	if (rc != 0) {
@@ -1903,14 +1923,14 @@ efx_mcdi_nic_board_cfg(
 		if (rc == EACCES)
 			board_type = 0;
 		else
-			goto fail6;
+			goto fail7;
 	}
 
 	encp->enc_board_type = board_type;
 
 	/* Fill out fields in enp->en_port and enp->en_nic_cfg from MCDI */
 	if ((rc = efx_mcdi_get_phy_cfg(enp)) != 0)
-		goto fail7;
+		goto fail8;
 
 	/*
 	 * Firmware with support for *_FEC capability bits does not
@@ -1929,18 +1949,18 @@ efx_mcdi_nic_board_cfg(
 
 	/* Obtain the default PHY advertised capabilities */
 	if ((rc = ef10_phy_get_link(enp, &els)) != 0)
-		goto fail8;
+		goto fail9;
 	epp->ep_default_adv_cap_mask = els.epls.epls_adv_cap_mask;
 	epp->ep_adv_cap_mask = els.epls.epls_adv_cap_mask;
 
 	/* Check capabilities of running datapath firmware */
 	if ((rc = ef10_get_datapath_caps(enp)) != 0)
-		goto fail9;
+		goto fail10;
 
 	/* Get interrupt vector limits */
 	if ((rc = efx_mcdi_get_vector_cfg(enp, &base, &nvec, NULL)) != 0) {
 		if (EFX_PCI_FUNCTION_IS_PF(encp))
-			goto fail10;
+			goto fail11;
 
 		/* Ignore error (cannot query vector limits from a VF). */
 		base = 0;
@@ -1949,16 +1969,6 @@ efx_mcdi_nic_board_cfg(
 	encp->enc_intr_vec_base = base;
 	encp->enc_intr_limit = nvec;
 
-	/*
-	 * Get the current privilege mask. Note that this may be modified
-	 * dynamically, so this value is informational only. DO NOT use
-	 * the privilege mask to check for sufficient privileges, as that
-	 * can result in time-of-check/time-of-use bugs.
-	 */
-	if ((rc = ef10_get_privilege_mask(enp, &mask)) != 0)
-		goto fail11;
-	encp->enc_privilege_mask = mask;
-
 	return (0);
 
 fail11:
-- 
2.20.1


  reply	other threads:[~2020-12-11 15:35 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-11 15:34 [dpdk-dev] [PATCH 1/2] common/sfc_efx/base: update MCDI headers " Ivan Malov
2020-12-11 15:34 ` Ivan Malov [this message]
2020-12-11 15:38   ` [dpdk-dev] [PATCH 2/2] common/sfc_efx/base: check " Andrew Rybchenko
2020-12-11 15:37 ` [dpdk-dev] [PATCH 1/2] common/sfc_efx/base: update MCDI headers " Andrew Rybchenko
2020-12-15 17:40   ` Ferruh Yigit

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201211153421.28382-2-ivan.malov@oktetlabs.ru \
    --to=ivan.malov@oktetlabs.ru \
    --cc=amoreton@xilinx.com \
    --cc=andrew.rybchenko@oktetlabs.ru \
    --cc=dev@dpdk.org \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK patches and discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git