1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
4 * Intel Management Engine Interface (Intel MEI) Linux driver
5 */
6
7 #include <linux/export.h>
8 #include <linux/kthread.h>
9 #include <linux/interrupt.h>
10 #include <linux/fs.h>
11 #include <linux/jiffies.h>
12 #include <linux/slab.h>
13 #include <linux/pm_runtime.h>
14
15 #include <linux/mei.h>
16
17 #include "mei_dev.h"
18 #include "hbm.h"
19 #include "client.h"
20
21
22 /**
23 * mei_irq_compl_handler - dispatch complete handlers
24 * for the completed callbacks
25 *
26 * @dev: mei device
27 * @cmpl_list: list of completed cbs
28 */
mei_irq_compl_handler(struct mei_device * dev,struct list_head * cmpl_list)29 void mei_irq_compl_handler(struct mei_device *dev, struct list_head *cmpl_list)
30 {
31 struct mei_cl_cb *cb, *next;
32 struct mei_cl *cl;
33
34 list_for_each_entry_safe(cb, next, cmpl_list, list) {
35 cl = cb->cl;
36 list_del_init(&cb->list);
37
38 dev_dbg(dev->dev, "completing call back.\n");
39 mei_cl_complete(cl, cb);
40 }
41 }
42 EXPORT_SYMBOL_GPL(mei_irq_compl_handler);
43
44 /**
45 * mei_cl_hbm_equal - check if hbm is addressed to the client
46 *
47 * @cl: host client
48 * @mei_hdr: header of mei client message
49 *
50 * Return: true if matches, false otherwise
51 */
mei_cl_hbm_equal(struct mei_cl * cl,struct mei_msg_hdr * mei_hdr)52 static inline int mei_cl_hbm_equal(struct mei_cl *cl,
53 struct mei_msg_hdr *mei_hdr)
54 {
55 return mei_cl_host_addr(cl) == mei_hdr->host_addr &&
56 mei_cl_me_id(cl) == mei_hdr->me_addr;
57 }
58
59 /**
60 * mei_irq_discard_msg - discard received message
61 *
62 * @dev: mei device
63 * @hdr: message header
64 * @discard_len: the length of the message to discard (excluding header)
65 */
mei_irq_discard_msg(struct mei_device * dev,struct mei_msg_hdr * hdr,size_t discard_len)66 static void mei_irq_discard_msg(struct mei_device *dev, struct mei_msg_hdr *hdr,
67 size_t discard_len)
68 {
69 if (hdr->dma_ring) {
70 mei_dma_ring_read(dev, NULL,
71 hdr->extension[dev->rd_msg_hdr_count - 2]);
72 discard_len = 0;
73 }
74 /*
75 * no need to check for size as it is guarantied
76 * that length fits into rd_msg_buf
77 */
78 mei_read_slots(dev, dev->rd_msg_buf, discard_len);
79 dev_dbg(dev->dev, "discarding message " MEI_HDR_FMT "\n",
80 MEI_HDR_PRM(hdr));
81 }
82
83 /**
84 * mei_cl_irq_read_msg - process client message
85 *
86 * @cl: reading client
87 * @mei_hdr: header of mei client message
88 * @meta: extend meta header
89 * @cmpl_list: completion list
90 *
91 * Return: always 0
92 */
mei_cl_irq_read_msg(struct mei_cl * cl,struct mei_msg_hdr * mei_hdr,struct mei_ext_meta_hdr * meta,struct list_head * cmpl_list)93 static int mei_cl_irq_read_msg(struct mei_cl *cl,
94 struct mei_msg_hdr *mei_hdr,
95 struct mei_ext_meta_hdr *meta,
96 struct list_head *cmpl_list)
97 {
98 struct mei_device *dev = cl->dev;
99 struct mei_cl_cb *cb;
100
101 size_t buf_sz;
102 u32 length;
103 int ext_len;
104
105 length = mei_hdr->length;
106 ext_len = 0;
107 if (mei_hdr->extended) {
108 ext_len = sizeof(*meta) + mei_slots2data(meta->size);
109 length -= ext_len;
110 }
111
112 cb = list_first_entry_or_null(&cl->rd_pending, struct mei_cl_cb, list);
113 if (!cb) {
114 if (!mei_cl_is_fixed_address(cl)) {
115 cl_err(dev, cl, "pending read cb not found\n");
116 goto discard;
117 }
118 cb = mei_cl_alloc_cb(cl, mei_cl_mtu(cl), MEI_FOP_READ, cl->fp);
119 if (!cb)
120 goto discard;
121 list_add_tail(&cb->list, &cl->rd_pending);
122 }
123
124 if (mei_hdr->extended) {
125 struct mei_ext_hdr *ext;
126 struct mei_ext_hdr_vtag *vtag_hdr = NULL;
127
128 ext = mei_ext_begin(meta);
129 do {
130 switch (ext->type) {
131 case MEI_EXT_HDR_VTAG:
132 vtag_hdr = (struct mei_ext_hdr_vtag *)ext;
133 break;
134 case MEI_EXT_HDR_NONE:
135 fallthrough;
136 default:
137 cb->status = -EPROTO;
138 break;
139 }
140
141 ext = mei_ext_next(ext);
142 } while (!mei_ext_last(meta, ext));
143
144 if (!vtag_hdr) {
145 cl_dbg(dev, cl, "vtag not found in extended header.\n");
146 cb->status = -EPROTO;
147 goto discard;
148 }
149
150 cl_dbg(dev, cl, "vtag: %d\n", vtag_hdr->vtag);
151 if (cb->vtag && cb->vtag != vtag_hdr->vtag) {
152 cl_err(dev, cl, "mismatched tag: %d != %d\n",
153 cb->vtag, vtag_hdr->vtag);
154 cb->status = -EPROTO;
155 goto discard;
156 }
157 cb->vtag = vtag_hdr->vtag;
158 }
159
160 if (!mei_cl_is_connected(cl)) {
161 cl_dbg(dev, cl, "not connected\n");
162 cb->status = -ENODEV;
163 goto discard;
164 }
165
166 if (mei_hdr->dma_ring)
167 length = mei_hdr->extension[mei_data2slots(ext_len)];
168
169 buf_sz = length + cb->buf_idx;
170 /* catch for integer overflow */
171 if (buf_sz < cb->buf_idx) {
172 cl_err(dev, cl, "message is too big len %d idx %zu\n",
173 length, cb->buf_idx);
174 cb->status = -EMSGSIZE;
175 goto discard;
176 }
177
178 if (cb->buf.size < buf_sz) {
179 cl_dbg(dev, cl, "message overflow. size %zu len %d idx %zu\n",
180 cb->buf.size, length, cb->buf_idx);
181 cb->status = -EMSGSIZE;
182 goto discard;
183 }
184
185 if (mei_hdr->dma_ring) {
186 mei_dma_ring_read(dev, cb->buf.data + cb->buf_idx, length);
187 /* for DMA read 0 length to generate interrupt to the device */
188 mei_read_slots(dev, cb->buf.data + cb->buf_idx, 0);
189 } else {
190 mei_read_slots(dev, cb->buf.data + cb->buf_idx, length);
191 }
192
193 cb->buf_idx += length;
194
195 if (mei_hdr->msg_complete) {
196 cl_dbg(dev, cl, "completed read length = %zu\n", cb->buf_idx);
197 list_move_tail(&cb->list, cmpl_list);
198 } else {
199 pm_runtime_mark_last_busy(dev->dev);
200 pm_request_autosuspend(dev->dev);
201 }
202
203 return 0;
204
205 discard:
206 if (cb)
207 list_move_tail(&cb->list, cmpl_list);
208 mei_irq_discard_msg(dev, mei_hdr, length);
209 return 0;
210 }
211
212 /**
213 * mei_cl_irq_disconnect_rsp - send disconnection response message
214 *
215 * @cl: client
216 * @cb: callback block.
217 * @cmpl_list: complete list.
218 *
219 * Return: 0, OK; otherwise, error.
220 */
mei_cl_irq_disconnect_rsp(struct mei_cl * cl,struct mei_cl_cb * cb,struct list_head * cmpl_list)221 static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb,
222 struct list_head *cmpl_list)
223 {
224 struct mei_device *dev = cl->dev;
225 u32 msg_slots;
226 int slots;
227 int ret;
228
229 msg_slots = mei_hbm2slots(sizeof(struct hbm_client_connect_response));
230 slots = mei_hbuf_empty_slots(dev);
231 if (slots < 0)
232 return -EOVERFLOW;
233
234 if ((u32)slots < msg_slots)
235 return -EMSGSIZE;
236
237 ret = mei_hbm_cl_disconnect_rsp(dev, cl);
238 list_move_tail(&cb->list, cmpl_list);
239
240 return ret;
241 }
242
243 /**
244 * mei_cl_irq_read - processes client read related operation from the
245 * interrupt thread context - request for flow control credits
246 *
247 * @cl: client
248 * @cb: callback block.
249 * @cmpl_list: complete list.
250 *
251 * Return: 0, OK; otherwise, error.
252 */
mei_cl_irq_read(struct mei_cl * cl,struct mei_cl_cb * cb,struct list_head * cmpl_list)253 static int mei_cl_irq_read(struct mei_cl *cl, struct mei_cl_cb *cb,
254 struct list_head *cmpl_list)
255 {
256 struct mei_device *dev = cl->dev;
257 u32 msg_slots;
258 int slots;
259 int ret;
260
261 if (!list_empty(&cl->rd_pending))
262 return 0;
263
264 msg_slots = mei_hbm2slots(sizeof(struct hbm_flow_control));
265 slots = mei_hbuf_empty_slots(dev);
266 if (slots < 0)
267 return -EOVERFLOW;
268
269 if ((u32)slots < msg_slots)
270 return -EMSGSIZE;
271
272 ret = mei_hbm_cl_flow_control_req(dev, cl);
273 if (ret) {
274 cl->status = ret;
275 cb->buf_idx = 0;
276 list_move_tail(&cb->list, cmpl_list);
277 return ret;
278 }
279
280 pm_runtime_mark_last_busy(dev->dev);
281 pm_request_autosuspend(dev->dev);
282
283 list_move_tail(&cb->list, &cl->rd_pending);
284
285 return 0;
286 }
287
hdr_is_hbm(struct mei_msg_hdr * mei_hdr)288 static inline bool hdr_is_hbm(struct mei_msg_hdr *mei_hdr)
289 {
290 return mei_hdr->host_addr == 0 && mei_hdr->me_addr == 0;
291 }
292
hdr_is_fixed(struct mei_msg_hdr * mei_hdr)293 static inline bool hdr_is_fixed(struct mei_msg_hdr *mei_hdr)
294 {
295 return mei_hdr->host_addr == 0 && mei_hdr->me_addr != 0;
296 }
297
hdr_is_valid(u32 msg_hdr)298 static inline int hdr_is_valid(u32 msg_hdr)
299 {
300 struct mei_msg_hdr *mei_hdr;
301 u32 expected_len = 0;
302
303 mei_hdr = (struct mei_msg_hdr *)&msg_hdr;
304 if (!msg_hdr || mei_hdr->reserved)
305 return -EBADMSG;
306
307 if (mei_hdr->dma_ring)
308 expected_len += MEI_SLOT_SIZE;
309 if (mei_hdr->extended)
310 expected_len += MEI_SLOT_SIZE;
311 if (mei_hdr->length < expected_len)
312 return -EBADMSG;
313
314 return 0;
315 }
316
317 /**
318 * mei_irq_read_handler - bottom half read routine after ISR to
319 * handle the read processing.
320 *
321 * @dev: the device structure
322 * @cmpl_list: An instance of our list structure
323 * @slots: slots to read.
324 *
325 * Return: 0 on success, <0 on failure.
326 */
mei_irq_read_handler(struct mei_device * dev,struct list_head * cmpl_list,s32 * slots)327 int mei_irq_read_handler(struct mei_device *dev,
328 struct list_head *cmpl_list, s32 *slots)
329 {
330 struct mei_msg_hdr *mei_hdr;
331 struct mei_ext_meta_hdr *meta_hdr = NULL;
332 struct mei_cl *cl;
333 int ret;
334 u32 hdr_size_left;
335 u32 hdr_size_ext;
336 int i;
337 int ext_hdr_end;
338
339 if (!dev->rd_msg_hdr[0]) {
340 dev->rd_msg_hdr[0] = mei_read_hdr(dev);
341 dev->rd_msg_hdr_count = 1;
342 (*slots)--;
343 dev_dbg(dev->dev, "slots =%08x.\n", *slots);
344
345 ret = hdr_is_valid(dev->rd_msg_hdr[0]);
346 if (ret) {
347 dev_err(dev->dev, "corrupted message header 0x%08X\n",
348 dev->rd_msg_hdr[0]);
349 goto end;
350 }
351 }
352
353 mei_hdr = (struct mei_msg_hdr *)dev->rd_msg_hdr;
354 dev_dbg(dev->dev, MEI_HDR_FMT, MEI_HDR_PRM(mei_hdr));
355
356 if (mei_slots2data(*slots) < mei_hdr->length) {
357 dev_err(dev->dev, "less data available than length=%08x.\n",
358 *slots);
359 /* we can't read the message */
360 ret = -ENODATA;
361 goto end;
362 }
363
364 ext_hdr_end = 1;
365 hdr_size_left = mei_hdr->length;
366
367 if (mei_hdr->extended) {
368 if (!dev->rd_msg_hdr[1]) {
369 dev->rd_msg_hdr[1] = mei_read_hdr(dev);
370 dev->rd_msg_hdr_count++;
371 (*slots)--;
372 dev_dbg(dev->dev, "extended header is %08x\n", dev->rd_msg_hdr[1]);
373 }
374 meta_hdr = ((struct mei_ext_meta_hdr *)&dev->rd_msg_hdr[1]);
375 if (check_add_overflow((u32)sizeof(*meta_hdr),
376 mei_slots2data(meta_hdr->size),
377 &hdr_size_ext)) {
378 dev_err(dev->dev, "extended message size too big %d\n",
379 meta_hdr->size);
380 return -EBADMSG;
381 }
382 if (hdr_size_left < hdr_size_ext) {
383 dev_err(dev->dev, "corrupted message header len %d\n",
384 mei_hdr->length);
385 return -EBADMSG;
386 }
387 hdr_size_left -= hdr_size_ext;
388
389 ext_hdr_end = meta_hdr->size + 2;
390 for (i = dev->rd_msg_hdr_count; i < ext_hdr_end; i++) {
391 dev->rd_msg_hdr[i] = mei_read_hdr(dev);
392 dev_dbg(dev->dev, "extended header %d is %08x\n", i,
393 dev->rd_msg_hdr[i]);
394 dev->rd_msg_hdr_count++;
395 (*slots)--;
396 }
397 }
398
399 if (mei_hdr->dma_ring) {
400 if (hdr_size_left != sizeof(dev->rd_msg_hdr[ext_hdr_end])) {
401 dev_err(dev->dev, "corrupted message header len %d\n",
402 mei_hdr->length);
403 return -EBADMSG;
404 }
405
406 dev->rd_msg_hdr[ext_hdr_end] = mei_read_hdr(dev);
407 dev->rd_msg_hdr_count++;
408 (*slots)--;
409 mei_hdr->length -= sizeof(dev->rd_msg_hdr[ext_hdr_end]);
410 }
411
412 /* HBM message */
413 if (hdr_is_hbm(mei_hdr)) {
414 ret = mei_hbm_dispatch(dev, mei_hdr);
415 if (ret) {
416 dev_dbg(dev->dev, "mei_hbm_dispatch failed ret = %d\n",
417 ret);
418 goto end;
419 }
420 goto reset_slots;
421 }
422
423 /* find recipient cl */
424 list_for_each_entry(cl, &dev->file_list, link) {
425 if (mei_cl_hbm_equal(cl, mei_hdr)) {
426 cl_dbg(dev, cl, "got a message\n");
427 ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list);
428 goto reset_slots;
429 }
430 }
431
432 /* if no recipient cl was found we assume corrupted header */
433 /* A message for not connected fixed address clients
434 * should be silently discarded
435 * On power down client may be force cleaned,
436 * silently discard such messages
437 */
438 if (hdr_is_fixed(mei_hdr) ||
439 dev->dev_state == MEI_DEV_POWER_DOWN) {
440 mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length);
441 ret = 0;
442 goto reset_slots;
443 }
444 dev_err(dev->dev, "no destination client found 0x%08X\n", dev->rd_msg_hdr[0]);
445 ret = -EBADMSG;
446 goto end;
447
448 reset_slots:
449 /* reset the number of slots and header */
450 memset(dev->rd_msg_hdr, 0, sizeof(dev->rd_msg_hdr));
451 dev->rd_msg_hdr_count = 0;
452 *slots = mei_count_full_read_slots(dev);
453 if (*slots == -EOVERFLOW) {
454 /* overflow - reset */
455 dev_err(dev->dev, "resetting due to slots overflow.\n");
456 /* set the event since message has been read */
457 ret = -ERANGE;
458 goto end;
459 }
460 end:
461 return ret;
462 }
463 EXPORT_SYMBOL_GPL(mei_irq_read_handler);
464
465
466 /**
467 * mei_irq_write_handler - dispatch write requests
468 * after irq received
469 *
470 * @dev: the device structure
471 * @cmpl_list: An instance of our list structure
472 *
473 * Return: 0 on success, <0 on failure.
474 */
mei_irq_write_handler(struct mei_device * dev,struct list_head * cmpl_list)475 int mei_irq_write_handler(struct mei_device *dev, struct list_head *cmpl_list)
476 {
477
478 struct mei_cl *cl;
479 struct mei_cl_cb *cb, *next;
480 s32 slots;
481 int ret;
482
483
484 if (!mei_hbuf_acquire(dev))
485 return 0;
486
487 slots = mei_hbuf_empty_slots(dev);
488 if (slots < 0)
489 return -EOVERFLOW;
490
491 if (slots == 0)
492 return -EMSGSIZE;
493
494 /* complete all waiting for write CB */
495 dev_dbg(dev->dev, "complete all waiting for write cb.\n");
496
497 list_for_each_entry_safe(cb, next, &dev->write_waiting_list, list) {
498 cl = cb->cl;
499
500 cl->status = 0;
501 cl_dbg(dev, cl, "MEI WRITE COMPLETE\n");
502 cl->writing_state = MEI_WRITE_COMPLETE;
503 list_move_tail(&cb->list, cmpl_list);
504 }
505
506 /* complete control write list CB */
507 dev_dbg(dev->dev, "complete control write list cb.\n");
508 list_for_each_entry_safe(cb, next, &dev->ctrl_wr_list, list) {
509 cl = cb->cl;
510 switch (cb->fop_type) {
511 case MEI_FOP_DISCONNECT:
512 /* send disconnect message */
513 ret = mei_cl_irq_disconnect(cl, cb, cmpl_list);
514 if (ret)
515 return ret;
516
517 break;
518 case MEI_FOP_READ:
519 /* send flow control message */
520 ret = mei_cl_irq_read(cl, cb, cmpl_list);
521 if (ret)
522 return ret;
523
524 break;
525 case MEI_FOP_CONNECT:
526 /* connect message */
527 ret = mei_cl_irq_connect(cl, cb, cmpl_list);
528 if (ret)
529 return ret;
530
531 break;
532 case MEI_FOP_DISCONNECT_RSP:
533 /* send disconnect resp */
534 ret = mei_cl_irq_disconnect_rsp(cl, cb, cmpl_list);
535 if (ret)
536 return ret;
537 break;
538
539 case MEI_FOP_NOTIFY_START:
540 case MEI_FOP_NOTIFY_STOP:
541 ret = mei_cl_irq_notify(cl, cb, cmpl_list);
542 if (ret)
543 return ret;
544 break;
545 case MEI_FOP_DMA_MAP:
546 ret = mei_cl_irq_dma_map(cl, cb, cmpl_list);
547 if (ret)
548 return ret;
549 break;
550 case MEI_FOP_DMA_UNMAP:
551 ret = mei_cl_irq_dma_unmap(cl, cb, cmpl_list);
552 if (ret)
553 return ret;
554 break;
555 default:
556 BUG();
557 }
558
559 }
560 /* complete write list CB */
561 dev_dbg(dev->dev, "complete write list cb.\n");
562 list_for_each_entry_safe(cb, next, &dev->write_list, list) {
563 cl = cb->cl;
564 ret = mei_cl_irq_write(cl, cb, cmpl_list);
565 if (ret)
566 return ret;
567 }
568 return 0;
569 }
570 EXPORT_SYMBOL_GPL(mei_irq_write_handler);
571
572
573 /**
574 * mei_connect_timeout - connect/disconnect timeouts
575 *
576 * @cl: host client
577 */
mei_connect_timeout(struct mei_cl * cl)578 static void mei_connect_timeout(struct mei_cl *cl)
579 {
580 struct mei_device *dev = cl->dev;
581
582 if (cl->state == MEI_FILE_CONNECTING) {
583 if (dev->hbm_f_dot_supported) {
584 cl->state = MEI_FILE_DISCONNECT_REQUIRED;
585 wake_up(&cl->wait);
586 return;
587 }
588 }
589 mei_reset(dev);
590 }
591
592 #define MEI_STALL_TIMER_FREQ (2 * HZ)
593 /**
594 * mei_schedule_stall_timer - re-arm stall_timer work
595 *
596 * Schedule stall timer
597 *
598 * @dev: the device structure
599 */
mei_schedule_stall_timer(struct mei_device * dev)600 void mei_schedule_stall_timer(struct mei_device *dev)
601 {
602 schedule_delayed_work(&dev->timer_work, MEI_STALL_TIMER_FREQ);
603 }
604
605 /**
606 * mei_timer - timer function.
607 *
608 * @work: pointer to the work_struct structure
609 *
610 */
mei_timer(struct work_struct * work)611 void mei_timer(struct work_struct *work)
612 {
613 struct mei_cl *cl;
614 struct mei_device *dev = container_of(work,
615 struct mei_device, timer_work.work);
616 bool reschedule_timer = false;
617
618 mutex_lock(&dev->device_lock);
619
620 /* Catch interrupt stalls during HBM init handshake */
621 if (dev->dev_state == MEI_DEV_INIT_CLIENTS &&
622 dev->hbm_state != MEI_HBM_IDLE) {
623
624 if (dev->init_clients_timer) {
625 if (--dev->init_clients_timer == 0) {
626 dev_err(dev->dev, "timer: init clients timeout hbm_state = %d.\n",
627 dev->hbm_state);
628 mei_reset(dev);
629 goto out;
630 }
631 reschedule_timer = true;
632 }
633 }
634
635 if (dev->dev_state != MEI_DEV_ENABLED)
636 goto out;
637
638 /*** connect/disconnect timeouts ***/
639 list_for_each_entry(cl, &dev->file_list, link) {
640 if (cl->timer_count) {
641 if (--cl->timer_count == 0) {
642 dev_err(dev->dev, "timer: connect/disconnect timeout.\n");
643 mei_connect_timeout(cl);
644 goto out;
645 }
646 reschedule_timer = true;
647 }
648 }
649
650 out:
651 if (dev->dev_state != MEI_DEV_DISABLED && reschedule_timer)
652 mei_schedule_stall_timer(dev);
653
654 mutex_unlock(&dev->device_lock);
655 }
656