1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (c) 2003-2020, Intel Corporation. All rights reserved.
4  * Intel Management Engine Interface (Intel MEI) Linux driver
5  */
6 
7 #include <linux/module.h>
8 #include <linux/moduleparam.h>
9 #include <linux/kernel.h>
10 #include <linux/device.h>
11 #include <linux/slab.h>
12 #include <linux/fs.h>
13 #include <linux/errno.h>
14 #include <linux/types.h>
15 #include <linux/fcntl.h>
16 #include <linux/poll.h>
17 #include <linux/init.h>
18 #include <linux/ioctl.h>
19 #include <linux/cdev.h>
20 #include <linux/sched/signal.h>
21 #include <linux/uuid.h>
22 #include <linux/compat.h>
23 #include <linux/jiffies.h>
24 #include <linux/interrupt.h>
25 
26 #include <linux/mei.h>
27 
28 #include "mei_dev.h"
29 #include "client.h"
30 
31 static struct class *mei_class;
32 static dev_t mei_devt;
33 #define MEI_MAX_DEVS  MINORMASK
34 static DEFINE_MUTEX(mei_minor_lock);
35 static DEFINE_IDR(mei_idr);
36 
37 /**
38  * mei_open - the open function
39  *
40  * @inode: pointer to inode structure
41  * @file: pointer to file structure
42  *
43  * Return: 0 on success, <0 on error
44  */
mei_open(struct inode * inode,struct file * file)45 static int mei_open(struct inode *inode, struct file *file)
46 {
47 	struct mei_device *dev;
48 	struct mei_cl *cl;
49 
50 	int err;
51 
52 	dev = container_of(inode->i_cdev, struct mei_device, cdev);
53 
54 	mutex_lock(&dev->device_lock);
55 
56 	if (dev->dev_state != MEI_DEV_ENABLED) {
57 		dev_dbg(dev->dev, "dev_state != MEI_ENABLED  dev_state = %s\n",
58 		    mei_dev_state_str(dev->dev_state));
59 		err = -ENODEV;
60 		goto err_unlock;
61 	}
62 
63 	cl = mei_cl_alloc_linked(dev);
64 	if (IS_ERR(cl)) {
65 		err = PTR_ERR(cl);
66 		goto err_unlock;
67 	}
68 
69 	cl->fp = file;
70 	file->private_data = cl;
71 
72 	mutex_unlock(&dev->device_lock);
73 
74 	return nonseekable_open(inode, file);
75 
76 err_unlock:
77 	mutex_unlock(&dev->device_lock);
78 	return err;
79 }
80 
81 /**
82  * mei_cl_vtag_remove_by_fp - remove vtag that corresponds to fp from list
83  *
84  * @cl: host client
85  * @fp: pointer to file structure
86  *
87  */
mei_cl_vtag_remove_by_fp(const struct mei_cl * cl,const struct file * fp)88 static void mei_cl_vtag_remove_by_fp(const struct mei_cl *cl,
89 				     const struct file *fp)
90 {
91 	struct mei_cl_vtag *vtag_l, *next;
92 
93 	list_for_each_entry_safe(vtag_l, next, &cl->vtag_map, list) {
94 		if (vtag_l->fp == fp) {
95 			list_del(&vtag_l->list);
96 			kfree(vtag_l);
97 			return;
98 		}
99 	}
100 }
101 
102 /**
103  * mei_release - the release function
104  *
105  * @inode: pointer to inode structure
106  * @file: pointer to file structure
107  *
108  * Return: 0 on success, <0 on error
109  */
mei_release(struct inode * inode,struct file * file)110 static int mei_release(struct inode *inode, struct file *file)
111 {
112 	struct mei_cl *cl = file->private_data;
113 	struct mei_device *dev;
114 	int rets;
115 
116 	if (WARN_ON(!cl || !cl->dev))
117 		return -ENODEV;
118 
119 	dev = cl->dev;
120 
121 	mutex_lock(&dev->device_lock);
122 
123 	mei_cl_vtag_remove_by_fp(cl, file);
124 
125 	if (!list_empty(&cl->vtag_map)) {
126 		cl_dbg(dev, cl, "not the last vtag\n");
127 		mei_cl_flush_queues(cl, file);
128 		rets = 0;
129 		goto out;
130 	}
131 
132 	rets = mei_cl_disconnect(cl);
133 	/*
134 	 * Check again: This is necessary since disconnect releases the lock
135 	 * and another client can connect in the meantime.
136 	 */
137 	if (!list_empty(&cl->vtag_map)) {
138 		cl_dbg(dev, cl, "not the last vtag after disconnect\n");
139 		mei_cl_flush_queues(cl, file);
140 		goto out;
141 	}
142 
143 	mei_cl_flush_queues(cl, NULL);
144 	cl_dbg(dev, cl, "removing\n");
145 
146 	mei_cl_unlink(cl);
147 	kfree(cl);
148 
149 out:
150 	file->private_data = NULL;
151 
152 	mutex_unlock(&dev->device_lock);
153 	return rets;
154 }
155 
156 
157 /**
158  * mei_read - the read function.
159  *
160  * @file: pointer to file structure
161  * @ubuf: pointer to user buffer
162  * @length: buffer length
163  * @offset: data offset in buffer
164  *
165  * Return: >=0 data length on success , <0 on error
166  */
mei_read(struct file * file,char __user * ubuf,size_t length,loff_t * offset)167 static ssize_t mei_read(struct file *file, char __user *ubuf,
168 			size_t length, loff_t *offset)
169 {
170 	struct mei_cl *cl = file->private_data;
171 	struct mei_device *dev;
172 	struct mei_cl_cb *cb = NULL;
173 	bool nonblock = !!(file->f_flags & O_NONBLOCK);
174 	ssize_t rets;
175 
176 	if (WARN_ON(!cl || !cl->dev))
177 		return -ENODEV;
178 
179 	dev = cl->dev;
180 
181 
182 	mutex_lock(&dev->device_lock);
183 	if (dev->dev_state != MEI_DEV_ENABLED) {
184 		rets = -ENODEV;
185 		goto out;
186 	}
187 
188 	if (length == 0) {
189 		rets = 0;
190 		goto out;
191 	}
192 
193 	if (ubuf == NULL) {
194 		rets = -EMSGSIZE;
195 		goto out;
196 	}
197 
198 	cb = mei_cl_read_cb(cl, file);
199 	if (cb)
200 		goto copy_buffer;
201 
202 	if (*offset > 0)
203 		*offset = 0;
204 
205 	rets = mei_cl_read_start(cl, length, file);
206 	if (rets && rets != -EBUSY) {
207 		cl_dbg(dev, cl, "mei start read failure status = %zd\n", rets);
208 		goto out;
209 	}
210 
211 	if (nonblock) {
212 		rets = -EAGAIN;
213 		goto out;
214 	}
215 
216 	mutex_unlock(&dev->device_lock);
217 	if (wait_event_interruptible(cl->rx_wait,
218 				     mei_cl_read_cb(cl, file) ||
219 				     !mei_cl_is_connected(cl))) {
220 		if (signal_pending(current))
221 			return -EINTR;
222 		return -ERESTARTSYS;
223 	}
224 	mutex_lock(&dev->device_lock);
225 
226 	if (!mei_cl_is_connected(cl)) {
227 		rets = -ENODEV;
228 		goto out;
229 	}
230 
231 	cb = mei_cl_read_cb(cl, file);
232 	if (!cb) {
233 		rets = 0;
234 		goto out;
235 	}
236 
237 copy_buffer:
238 	/* now copy the data to user space */
239 	if (cb->status) {
240 		rets = cb->status;
241 		cl_dbg(dev, cl, "read operation failed %zd\n", rets);
242 		goto free;
243 	}
244 
245 	cl_dbg(dev, cl, "buf.size = %zu buf.idx = %zu offset = %lld\n",
246 	       cb->buf.size, cb->buf_idx, *offset);
247 	if (*offset >= cb->buf_idx) {
248 		rets = 0;
249 		goto free;
250 	}
251 
252 	/* length is being truncated to PAGE_SIZE,
253 	 * however buf_idx may point beyond that */
254 	length = min_t(size_t, length, cb->buf_idx - *offset);
255 
256 	if (copy_to_user(ubuf, cb->buf.data + *offset, length)) {
257 		dev_dbg(dev->dev, "failed to copy data to userland\n");
258 		rets = -EFAULT;
259 		goto free;
260 	}
261 
262 	rets = length;
263 	*offset += length;
264 	/* not all data was read, keep the cb */
265 	if (*offset < cb->buf_idx)
266 		goto out;
267 
268 free:
269 	mei_cl_del_rd_completed(cl, cb);
270 	*offset = 0;
271 
272 out:
273 	cl_dbg(dev, cl, "end mei read rets = %zd\n", rets);
274 	mutex_unlock(&dev->device_lock);
275 	return rets;
276 }
277 
278 /**
279  * mei_cl_vtag_by_fp - obtain the vtag by file pointer
280  *
281  * @cl: host client
282  * @fp: pointer to file structure
283  *
284  * Return: vtag value on success, otherwise 0
285  */
mei_cl_vtag_by_fp(const struct mei_cl * cl,const struct file * fp)286 static u8 mei_cl_vtag_by_fp(const struct mei_cl *cl, const struct file *fp)
287 {
288 	struct mei_cl_vtag *cl_vtag;
289 
290 	if (!fp)
291 		return 0;
292 
293 	list_for_each_entry(cl_vtag, &cl->vtag_map, list)
294 		if (cl_vtag->fp == fp)
295 			return cl_vtag->vtag;
296 	return 0;
297 }
298 
299 /**
300  * mei_write - the write function.
301  *
302  * @file: pointer to file structure
303  * @ubuf: pointer to user buffer
304  * @length: buffer length
305  * @offset: data offset in buffer
306  *
307  * Return: >=0 data length on success , <0 on error
308  */
mei_write(struct file * file,const char __user * ubuf,size_t length,loff_t * offset)309 static ssize_t mei_write(struct file *file, const char __user *ubuf,
310 			 size_t length, loff_t *offset)
311 {
312 	struct mei_cl *cl = file->private_data;
313 	struct mei_cl_cb *cb;
314 	struct mei_device *dev;
315 	ssize_t rets;
316 
317 	if (WARN_ON(!cl || !cl->dev))
318 		return -ENODEV;
319 
320 	dev = cl->dev;
321 
322 	mutex_lock(&dev->device_lock);
323 
324 	if (dev->dev_state != MEI_DEV_ENABLED) {
325 		rets = -ENODEV;
326 		goto out;
327 	}
328 
329 	if (!mei_cl_is_connected(cl)) {
330 		cl_err(dev, cl, "is not connected");
331 		rets = -ENODEV;
332 		goto out;
333 	}
334 
335 	if (!mei_me_cl_is_active(cl->me_cl)) {
336 		rets = -ENOTTY;
337 		goto out;
338 	}
339 
340 	if (length > mei_cl_mtu(cl)) {
341 		rets = -EFBIG;
342 		goto out;
343 	}
344 
345 	if (length == 0) {
346 		rets = 0;
347 		goto out;
348 	}
349 
350 	while (cl->tx_cb_queued >= dev->tx_queue_limit) {
351 		if (file->f_flags & O_NONBLOCK) {
352 			rets = -EAGAIN;
353 			goto out;
354 		}
355 		mutex_unlock(&dev->device_lock);
356 		rets = wait_event_interruptible(cl->tx_wait,
357 				cl->writing_state == MEI_WRITE_COMPLETE ||
358 				(!mei_cl_is_connected(cl)));
359 		mutex_lock(&dev->device_lock);
360 		if (rets) {
361 			if (signal_pending(current))
362 				rets = -EINTR;
363 			goto out;
364 		}
365 		if (!mei_cl_is_connected(cl)) {
366 			rets = -ENODEV;
367 			goto out;
368 		}
369 	}
370 
371 	cb = mei_cl_alloc_cb(cl, length, MEI_FOP_WRITE, file);
372 	if (!cb) {
373 		rets = -ENOMEM;
374 		goto out;
375 	}
376 	cb->vtag = mei_cl_vtag_by_fp(cl, file);
377 
378 	rets = copy_from_user(cb->buf.data, ubuf, length);
379 	if (rets) {
380 		dev_dbg(dev->dev, "failed to copy data from userland\n");
381 		rets = -EFAULT;
382 		mei_io_cb_free(cb);
383 		goto out;
384 	}
385 
386 	rets = mei_cl_write(cl, cb);
387 out:
388 	mutex_unlock(&dev->device_lock);
389 	return rets;
390 }
391 
392 /**
393  * mei_ioctl_connect_client - the connect to fw client IOCTL function
394  *
395  * @file: private data of the file object
396  * @in_client_uuid: requested UUID for connection
397  * @client: IOCTL connect data, output parameters
398  *
399  * Locking: called under "dev->device_lock" lock
400  *
401  * Return: 0 on success, <0 on failure.
402  */
mei_ioctl_connect_client(struct file * file,const uuid_le * in_client_uuid,struct mei_client * client)403 static int mei_ioctl_connect_client(struct file *file,
404 				    const uuid_le *in_client_uuid,
405 				    struct mei_client *client)
406 {
407 	struct mei_device *dev;
408 	struct mei_me_client *me_cl;
409 	struct mei_cl *cl;
410 	int rets;
411 
412 	cl = file->private_data;
413 	dev = cl->dev;
414 
415 	if (cl->state != MEI_FILE_INITIALIZING &&
416 	    cl->state != MEI_FILE_DISCONNECTED)
417 		return  -EBUSY;
418 
419 	/* find ME client we're trying to connect to */
420 	me_cl = mei_me_cl_by_uuid(dev, in_client_uuid);
421 	if (!me_cl) {
422 		dev_dbg(dev->dev, "Cannot connect to FW Client UUID = %pUl\n",
423 			in_client_uuid);
424 		rets = -ENOTTY;
425 		goto end;
426 	}
427 
428 	if (me_cl->props.fixed_address) {
429 		bool forbidden = dev->override_fixed_address ?
430 			 !dev->allow_fixed_address : !dev->hbm_f_fa_supported;
431 		if (forbidden) {
432 			dev_dbg(dev->dev, "Connection forbidden to FW Client UUID = %pUl\n",
433 				in_client_uuid);
434 			rets = -ENOTTY;
435 			goto end;
436 		}
437 	}
438 
439 	dev_dbg(dev->dev, "Connect to FW Client ID = %d\n",
440 			me_cl->client_id);
441 	dev_dbg(dev->dev, "FW Client - Protocol Version = %d\n",
442 			me_cl->props.protocol_version);
443 	dev_dbg(dev->dev, "FW Client - Max Msg Len = %d\n",
444 			me_cl->props.max_msg_length);
445 
446 	/* prepare the output buffer */
447 	client->max_msg_length = me_cl->props.max_msg_length;
448 	client->protocol_version = me_cl->props.protocol_version;
449 	dev_dbg(dev->dev, "Can connect?\n");
450 
451 	rets = mei_cl_connect(cl, me_cl, file);
452 
453 end:
454 	mei_me_cl_put(me_cl);
455 	return rets;
456 }
457 
458 /**
459  * mei_vt_support_check - check if client support vtags
460  *
461  * Locking: called under "dev->device_lock" lock
462  *
463  * @dev: mei_device
464  * @uuid: client UUID
465  *
466  * Return:
467  *	0 - supported
468  *	-ENOTTY - no such client
469  *	-EOPNOTSUPP - vtags are not supported by client
470  */
mei_vt_support_check(struct mei_device * dev,const uuid_le * uuid)471 static int mei_vt_support_check(struct mei_device *dev, const uuid_le *uuid)
472 {
473 	struct mei_me_client *me_cl;
474 	int ret;
475 
476 	if (!dev->hbm_f_vt_supported)
477 		return -EOPNOTSUPP;
478 
479 	me_cl = mei_me_cl_by_uuid(dev, uuid);
480 	if (!me_cl) {
481 		dev_dbg(dev->dev, "Cannot connect to FW Client UUID = %pUl\n",
482 			uuid);
483 		return -ENOTTY;
484 	}
485 	ret = me_cl->props.vt_supported ? 0 : -EOPNOTSUPP;
486 	mei_me_cl_put(me_cl);
487 
488 	return ret;
489 }
490 
491 /**
492  * mei_ioctl_connect_vtag - connect to fw client with vtag IOCTL function
493  *
494  * @file: private data of the file object
495  * @in_client_uuid: requested UUID for connection
496  * @client: IOCTL connect data, output parameters
497  * @vtag: vm tag
498  *
499  * Locking: called under "dev->device_lock" lock
500  *
501  * Return: 0 on success, <0 on failure.
502  */
mei_ioctl_connect_vtag(struct file * file,const uuid_le * in_client_uuid,struct mei_client * client,u8 vtag)503 static int mei_ioctl_connect_vtag(struct file *file,
504 				  const uuid_le *in_client_uuid,
505 				  struct mei_client *client,
506 				  u8 vtag)
507 {
508 	struct mei_device *dev;
509 	struct mei_cl *cl;
510 	struct mei_cl *pos;
511 	struct mei_cl_vtag *cl_vtag;
512 
513 	cl = file->private_data;
514 	dev = cl->dev;
515 
516 	dev_dbg(dev->dev, "FW Client %pUl vtag %d\n", in_client_uuid, vtag);
517 
518 	switch (cl->state) {
519 	case MEI_FILE_DISCONNECTED:
520 		if (mei_cl_vtag_by_fp(cl, file) != vtag) {
521 			dev_err(dev->dev, "reconnect with different vtag\n");
522 			return -EINVAL;
523 		}
524 		break;
525 	case MEI_FILE_INITIALIZING:
526 		/* malicious connect from another thread may push vtag */
527 		if (!IS_ERR(mei_cl_fp_by_vtag(cl, vtag))) {
528 			dev_err(dev->dev, "vtag already filled\n");
529 			return -EINVAL;
530 		}
531 
532 		list_for_each_entry(pos, &dev->file_list, link) {
533 			if (pos == cl)
534 				continue;
535 			if (!pos->me_cl)
536 				continue;
537 
538 			/* only search for same UUID */
539 			if (uuid_le_cmp(*mei_cl_uuid(pos), *in_client_uuid))
540 				continue;
541 
542 			/* if tag already exist try another fp */
543 			if (!IS_ERR(mei_cl_fp_by_vtag(pos, vtag)))
544 				continue;
545 
546 			/* replace cl with acquired one */
547 			dev_dbg(dev->dev, "replacing with existing cl\n");
548 			mei_cl_unlink(cl);
549 			kfree(cl);
550 			file->private_data = pos;
551 			cl = pos;
552 			break;
553 		}
554 
555 		cl_vtag = mei_cl_vtag_alloc(file, vtag);
556 		if (IS_ERR(cl_vtag))
557 			return -ENOMEM;
558 
559 		list_add_tail(&cl_vtag->list, &cl->vtag_map);
560 		break;
561 	default:
562 		return -EBUSY;
563 	}
564 
565 	while (cl->state != MEI_FILE_INITIALIZING &&
566 	       cl->state != MEI_FILE_DISCONNECTED &&
567 	       cl->state != MEI_FILE_CONNECTED) {
568 		mutex_unlock(&dev->device_lock);
569 		wait_event_timeout(cl->wait,
570 				   (cl->state == MEI_FILE_CONNECTED ||
571 				    cl->state == MEI_FILE_DISCONNECTED ||
572 				    cl->state == MEI_FILE_DISCONNECT_REQUIRED ||
573 				    cl->state == MEI_FILE_DISCONNECT_REPLY),
574 				   mei_secs_to_jiffies(MEI_CL_CONNECT_TIMEOUT));
575 		mutex_lock(&dev->device_lock);
576 	}
577 
578 	if (!mei_cl_is_connected(cl))
579 		return mei_ioctl_connect_client(file, in_client_uuid, client);
580 
581 	client->max_msg_length = cl->me_cl->props.max_msg_length;
582 	client->protocol_version = cl->me_cl->props.protocol_version;
583 
584 	return 0;
585 }
586 
587 /**
588  * mei_ioctl_client_notify_request -
589  *     propagate event notification request to client
590  *
591  * @file: pointer to file structure
592  * @request: 0 - disable, 1 - enable
593  *
594  * Return: 0 on success , <0 on error
595  */
mei_ioctl_client_notify_request(const struct file * file,u32 request)596 static int mei_ioctl_client_notify_request(const struct file *file, u32 request)
597 {
598 	struct mei_cl *cl = file->private_data;
599 
600 	if (request != MEI_HBM_NOTIFICATION_START &&
601 	    request != MEI_HBM_NOTIFICATION_STOP)
602 		return -EINVAL;
603 
604 	return mei_cl_notify_request(cl, file, (u8)request);
605 }
606 
607 /**
608  * mei_ioctl_client_notify_get -  wait for notification request
609  *
610  * @file: pointer to file structure
611  * @notify_get: 0 - disable, 1 - enable
612  *
613  * Return: 0 on success , <0 on error
614  */
mei_ioctl_client_notify_get(const struct file * file,u32 * notify_get)615 static int mei_ioctl_client_notify_get(const struct file *file, u32 *notify_get)
616 {
617 	struct mei_cl *cl = file->private_data;
618 	bool notify_ev;
619 	bool block = (file->f_flags & O_NONBLOCK) == 0;
620 	int rets;
621 
622 	rets = mei_cl_notify_get(cl, block, &notify_ev);
623 	if (rets)
624 		return rets;
625 
626 	*notify_get = notify_ev ? 1 : 0;
627 	return 0;
628 }
629 
630 /**
631  * mei_ioctl - the IOCTL function
632  *
633  * @file: pointer to file structure
634  * @cmd: ioctl command
635  * @data: pointer to mei message structure
636  *
637  * Return: 0 on success , <0 on error
638  */
mei_ioctl(struct file * file,unsigned int cmd,unsigned long data)639 static long mei_ioctl(struct file *file, unsigned int cmd, unsigned long data)
640 {
641 	struct mei_device *dev;
642 	struct mei_cl *cl = file->private_data;
643 	struct mei_connect_client_data conn;
644 	struct mei_connect_client_data_vtag conn_vtag;
645 	const uuid_le *cl_uuid;
646 	struct mei_client *props;
647 	u8 vtag;
648 	u32 notify_get, notify_req;
649 	int rets;
650 
651 
652 	if (WARN_ON(!cl || !cl->dev))
653 		return -ENODEV;
654 
655 	dev = cl->dev;
656 
657 	dev_dbg(dev->dev, "IOCTL cmd = 0x%x", cmd);
658 
659 	mutex_lock(&dev->device_lock);
660 	if (dev->dev_state != MEI_DEV_ENABLED) {
661 		rets = -ENODEV;
662 		goto out;
663 	}
664 
665 	switch (cmd) {
666 	case IOCTL_MEI_CONNECT_CLIENT:
667 		dev_dbg(dev->dev, ": IOCTL_MEI_CONNECT_CLIENT.\n");
668 		if (copy_from_user(&conn, (char __user *)data, sizeof(conn))) {
669 			dev_dbg(dev->dev, "failed to copy data from userland\n");
670 			rets = -EFAULT;
671 			goto out;
672 		}
673 		cl_uuid = &conn.in_client_uuid;
674 		props = &conn.out_client_properties;
675 		vtag = 0;
676 
677 		rets = mei_vt_support_check(dev, cl_uuid);
678 		if (rets == -ENOTTY)
679 			goto out;
680 		if (!rets)
681 			rets = mei_ioctl_connect_vtag(file, cl_uuid, props,
682 						      vtag);
683 		else
684 			rets = mei_ioctl_connect_client(file, cl_uuid, props);
685 		if (rets)
686 			goto out;
687 
688 		/* if all is ok, copying the data back to user. */
689 		if (copy_to_user((char __user *)data, &conn, sizeof(conn))) {
690 			dev_dbg(dev->dev, "failed to copy data to userland\n");
691 			rets = -EFAULT;
692 			goto out;
693 		}
694 
695 		break;
696 
697 	case IOCTL_MEI_CONNECT_CLIENT_VTAG:
698 		dev_dbg(dev->dev, "IOCTL_MEI_CONNECT_CLIENT_VTAG\n");
699 		if (copy_from_user(&conn_vtag, (char __user *)data,
700 				   sizeof(conn_vtag))) {
701 			dev_dbg(dev->dev, "failed to copy data from userland\n");
702 			rets = -EFAULT;
703 			goto out;
704 		}
705 
706 		cl_uuid = &conn_vtag.connect.in_client_uuid;
707 		props = &conn_vtag.out_client_properties;
708 		vtag = conn_vtag.connect.vtag;
709 
710 		rets = mei_vt_support_check(dev, cl_uuid);
711 		if (rets == -EOPNOTSUPP)
712 			dev_dbg(dev->dev, "FW Client %pUl does not support vtags\n",
713 				cl_uuid);
714 		if (rets)
715 			goto out;
716 
717 		if (!vtag) {
718 			dev_dbg(dev->dev, "vtag can't be zero\n");
719 			rets = -EINVAL;
720 			goto out;
721 		}
722 
723 		rets = mei_ioctl_connect_vtag(file, cl_uuid, props, vtag);
724 		if (rets)
725 			goto out;
726 
727 		/* if all is ok, copying the data back to user. */
728 		if (copy_to_user((char __user *)data, &conn_vtag,
729 				 sizeof(conn_vtag))) {
730 			dev_dbg(dev->dev, "failed to copy data to userland\n");
731 			rets = -EFAULT;
732 			goto out;
733 		}
734 
735 		break;
736 
737 	case IOCTL_MEI_NOTIFY_SET:
738 		dev_dbg(dev->dev, ": IOCTL_MEI_NOTIFY_SET.\n");
739 		if (copy_from_user(&notify_req,
740 				   (char __user *)data, sizeof(notify_req))) {
741 			dev_dbg(dev->dev, "failed to copy data from userland\n");
742 			rets = -EFAULT;
743 			goto out;
744 		}
745 		rets = mei_ioctl_client_notify_request(file, notify_req);
746 		break;
747 
748 	case IOCTL_MEI_NOTIFY_GET:
749 		dev_dbg(dev->dev, ": IOCTL_MEI_NOTIFY_GET.\n");
750 		rets = mei_ioctl_client_notify_get(file, &notify_get);
751 		if (rets)
752 			goto out;
753 
754 		dev_dbg(dev->dev, "copy connect data to user\n");
755 		if (copy_to_user((char __user *)data,
756 				&notify_get, sizeof(notify_get))) {
757 			dev_dbg(dev->dev, "failed to copy data to userland\n");
758 			rets = -EFAULT;
759 			goto out;
760 
761 		}
762 		break;
763 
764 	default:
765 		rets = -ENOIOCTLCMD;
766 	}
767 
768 out:
769 	mutex_unlock(&dev->device_lock);
770 	return rets;
771 }
772 
773 /**
774  * mei_poll - the poll function
775  *
776  * @file: pointer to file structure
777  * @wait: pointer to poll_table structure
778  *
779  * Return: poll mask
780  */
mei_poll(struct file * file,poll_table * wait)781 static __poll_t mei_poll(struct file *file, poll_table *wait)
782 {
783 	__poll_t req_events = poll_requested_events(wait);
784 	struct mei_cl *cl = file->private_data;
785 	struct mei_device *dev;
786 	__poll_t mask = 0;
787 	bool notify_en;
788 
789 	if (WARN_ON(!cl || !cl->dev))
790 		return EPOLLERR;
791 
792 	dev = cl->dev;
793 
794 	mutex_lock(&dev->device_lock);
795 
796 	notify_en = cl->notify_en && (req_events & EPOLLPRI);
797 
798 	if (dev->dev_state != MEI_DEV_ENABLED ||
799 	    !mei_cl_is_connected(cl)) {
800 		mask = EPOLLERR;
801 		goto out;
802 	}
803 
804 	if (notify_en) {
805 		poll_wait(file, &cl->ev_wait, wait);
806 		if (cl->notify_ev)
807 			mask |= EPOLLPRI;
808 	}
809 
810 	if (req_events & (EPOLLIN | EPOLLRDNORM)) {
811 		poll_wait(file, &cl->rx_wait, wait);
812 
813 		if (mei_cl_read_cb(cl, file))
814 			mask |= EPOLLIN | EPOLLRDNORM;
815 		else
816 			mei_cl_read_start(cl, mei_cl_mtu(cl), file);
817 	}
818 
819 	if (req_events & (EPOLLOUT | EPOLLWRNORM)) {
820 		poll_wait(file, &cl->tx_wait, wait);
821 		if (cl->tx_cb_queued < dev->tx_queue_limit)
822 			mask |= EPOLLOUT | EPOLLWRNORM;
823 	}
824 
825 out:
826 	mutex_unlock(&dev->device_lock);
827 	return mask;
828 }
829 
830 /**
831  * mei_cl_is_write_queued - check if the client has pending writes.
832  *
833  * @cl: writing host client
834  *
835  * Return: true if client is writing, false otherwise.
836  */
mei_cl_is_write_queued(struct mei_cl * cl)837 static bool mei_cl_is_write_queued(struct mei_cl *cl)
838 {
839 	struct mei_device *dev = cl->dev;
840 	struct mei_cl_cb *cb;
841 
842 	list_for_each_entry(cb, &dev->write_list, list)
843 		if (cb->cl == cl)
844 			return true;
845 	list_for_each_entry(cb, &dev->write_waiting_list, list)
846 		if (cb->cl == cl)
847 			return true;
848 	return false;
849 }
850 
851 /**
852  * mei_fsync - the fsync handler
853  *
854  * @fp:       pointer to file structure
855  * @start:    unused
856  * @end:      unused
857  * @datasync: unused
858  *
859  * Return: 0 on success, -ENODEV if client is not connected
860  */
mei_fsync(struct file * fp,loff_t start,loff_t end,int datasync)861 static int mei_fsync(struct file *fp, loff_t start, loff_t end, int datasync)
862 {
863 	struct mei_cl *cl = fp->private_data;
864 	struct mei_device *dev;
865 	int rets;
866 
867 	if (WARN_ON(!cl || !cl->dev))
868 		return -ENODEV;
869 
870 	dev = cl->dev;
871 
872 	mutex_lock(&dev->device_lock);
873 
874 	if (dev->dev_state != MEI_DEV_ENABLED || !mei_cl_is_connected(cl)) {
875 		rets = -ENODEV;
876 		goto out;
877 	}
878 
879 	while (mei_cl_is_write_queued(cl)) {
880 		mutex_unlock(&dev->device_lock);
881 		rets = wait_event_interruptible(cl->tx_wait,
882 				cl->writing_state == MEI_WRITE_COMPLETE ||
883 				!mei_cl_is_connected(cl));
884 		mutex_lock(&dev->device_lock);
885 		if (rets) {
886 			if (signal_pending(current))
887 				rets = -EINTR;
888 			goto out;
889 		}
890 		if (!mei_cl_is_connected(cl)) {
891 			rets = -ENODEV;
892 			goto out;
893 		}
894 	}
895 	rets = 0;
896 out:
897 	mutex_unlock(&dev->device_lock);
898 	return rets;
899 }
900 
901 /**
902  * mei_fasync - asynchronous io support
903  *
904  * @fd: file descriptor
905  * @file: pointer to file structure
906  * @band: band bitmap
907  *
908  * Return: negative on error,
909  *         0 if it did no changes,
910  *         and positive a process was added or deleted
911  */
mei_fasync(int fd,struct file * file,int band)912 static int mei_fasync(int fd, struct file *file, int band)
913 {
914 
915 	struct mei_cl *cl = file->private_data;
916 
917 	if (!mei_cl_is_connected(cl))
918 		return -ENODEV;
919 
920 	return fasync_helper(fd, file, band, &cl->ev_async);
921 }
922 
923 /**
924  * trc_show - mei device trc attribute show method
925  *
926  * @device: device pointer
927  * @attr: attribute pointer
928  * @buf:  char out buffer
929  *
930  * Return: number of the bytes printed into buf or error
931  */
trc_show(struct device * device,struct device_attribute * attr,char * buf)932 static ssize_t trc_show(struct device *device,
933 			struct device_attribute *attr, char *buf)
934 {
935 	struct mei_device *dev = dev_get_drvdata(device);
936 	u32 trc;
937 	int ret;
938 
939 	ret = mei_trc_status(dev, &trc);
940 	if (ret)
941 		return ret;
942 	return sprintf(buf, "%08X\n", trc);
943 }
944 static DEVICE_ATTR_RO(trc);
945 
946 /**
947  * fw_status_show - mei device fw_status attribute show method
948  *
949  * @device: device pointer
950  * @attr: attribute pointer
951  * @buf:  char out buffer
952  *
953  * Return: number of the bytes printed into buf or error
954  */
fw_status_show(struct device * device,struct device_attribute * attr,char * buf)955 static ssize_t fw_status_show(struct device *device,
956 		struct device_attribute *attr, char *buf)
957 {
958 	struct mei_device *dev = dev_get_drvdata(device);
959 	struct mei_fw_status fw_status;
960 	int err, i;
961 	ssize_t cnt = 0;
962 
963 	mutex_lock(&dev->device_lock);
964 	err = mei_fw_status(dev, &fw_status);
965 	mutex_unlock(&dev->device_lock);
966 	if (err) {
967 		dev_err(device, "read fw_status error = %d\n", err);
968 		return err;
969 	}
970 
971 	for (i = 0; i < fw_status.count; i++)
972 		cnt += scnprintf(buf + cnt, PAGE_SIZE - cnt, "%08X\n",
973 				fw_status.status[i]);
974 	return cnt;
975 }
976 static DEVICE_ATTR_RO(fw_status);
977 
978 /**
979  * hbm_ver_show - display HBM protocol version negotiated with FW
980  *
981  * @device: device pointer
982  * @attr: attribute pointer
983  * @buf:  char out buffer
984  *
985  * Return: number of the bytes printed into buf or error
986  */
hbm_ver_show(struct device * device,struct device_attribute * attr,char * buf)987 static ssize_t hbm_ver_show(struct device *device,
988 			    struct device_attribute *attr, char *buf)
989 {
990 	struct mei_device *dev = dev_get_drvdata(device);
991 	struct hbm_version ver;
992 
993 	mutex_lock(&dev->device_lock);
994 	ver = dev->version;
995 	mutex_unlock(&dev->device_lock);
996 
997 	return sprintf(buf, "%u.%u\n", ver.major_version, ver.minor_version);
998 }
999 static DEVICE_ATTR_RO(hbm_ver);
1000 
1001 /**
1002  * hbm_ver_drv_show - display HBM protocol version advertised by driver
1003  *
1004  * @device: device pointer
1005  * @attr: attribute pointer
1006  * @buf:  char out buffer
1007  *
1008  * Return: number of the bytes printed into buf or error
1009  */
hbm_ver_drv_show(struct device * device,struct device_attribute * attr,char * buf)1010 static ssize_t hbm_ver_drv_show(struct device *device,
1011 				struct device_attribute *attr, char *buf)
1012 {
1013 	return sprintf(buf, "%u.%u\n", HBM_MAJOR_VERSION, HBM_MINOR_VERSION);
1014 }
1015 static DEVICE_ATTR_RO(hbm_ver_drv);
1016 
tx_queue_limit_show(struct device * device,struct device_attribute * attr,char * buf)1017 static ssize_t tx_queue_limit_show(struct device *device,
1018 				   struct device_attribute *attr, char *buf)
1019 {
1020 	struct mei_device *dev = dev_get_drvdata(device);
1021 	u8 size = 0;
1022 
1023 	mutex_lock(&dev->device_lock);
1024 	size = dev->tx_queue_limit;
1025 	mutex_unlock(&dev->device_lock);
1026 
1027 	return sysfs_emit(buf, "%u\n", size);
1028 }
1029 
tx_queue_limit_store(struct device * device,struct device_attribute * attr,const char * buf,size_t count)1030 static ssize_t tx_queue_limit_store(struct device *device,
1031 				    struct device_attribute *attr,
1032 				    const char *buf, size_t count)
1033 {
1034 	struct mei_device *dev = dev_get_drvdata(device);
1035 	u8 limit;
1036 	unsigned int inp;
1037 	int err;
1038 
1039 	err = kstrtouint(buf, 10, &inp);
1040 	if (err)
1041 		return err;
1042 	if (inp > MEI_TX_QUEUE_LIMIT_MAX || inp < MEI_TX_QUEUE_LIMIT_MIN)
1043 		return -EINVAL;
1044 	limit = inp;
1045 
1046 	mutex_lock(&dev->device_lock);
1047 	dev->tx_queue_limit = limit;
1048 	mutex_unlock(&dev->device_lock);
1049 
1050 	return count;
1051 }
1052 static DEVICE_ATTR_RW(tx_queue_limit);
1053 
1054 /**
1055  * fw_ver_show - display ME FW version
1056  *
1057  * @device: device pointer
1058  * @attr: attribute pointer
1059  * @buf:  char out buffer
1060  *
1061  * Return: number of the bytes printed into buf or error
1062  */
fw_ver_show(struct device * device,struct device_attribute * attr,char * buf)1063 static ssize_t fw_ver_show(struct device *device,
1064 			   struct device_attribute *attr, char *buf)
1065 {
1066 	struct mei_device *dev = dev_get_drvdata(device);
1067 	struct mei_fw_version *ver;
1068 	ssize_t cnt = 0;
1069 	int i;
1070 
1071 	ver = dev->fw_ver;
1072 
1073 	for (i = 0; i < MEI_MAX_FW_VER_BLOCKS; i++)
1074 		cnt += scnprintf(buf + cnt, PAGE_SIZE - cnt, "%u:%u.%u.%u.%u\n",
1075 				 ver[i].platform, ver[i].major, ver[i].minor,
1076 				 ver[i].hotfix, ver[i].buildno);
1077 	return cnt;
1078 }
1079 static DEVICE_ATTR_RO(fw_ver);
1080 
1081 /**
1082  * dev_state_show - display device state
1083  *
1084  * @device: device pointer
1085  * @attr: attribute pointer
1086  * @buf:  char out buffer
1087  *
1088  * Return: number of the bytes printed into buf or error
1089  */
dev_state_show(struct device * device,struct device_attribute * attr,char * buf)1090 static ssize_t dev_state_show(struct device *device,
1091 			      struct device_attribute *attr, char *buf)
1092 {
1093 	struct mei_device *dev = dev_get_drvdata(device);
1094 	enum mei_dev_state dev_state;
1095 
1096 	mutex_lock(&dev->device_lock);
1097 	dev_state = dev->dev_state;
1098 	mutex_unlock(&dev->device_lock);
1099 
1100 	return sprintf(buf, "%s", mei_dev_state_str(dev_state));
1101 }
1102 static DEVICE_ATTR_RO(dev_state);
1103 
1104 /**
1105  * mei_set_devstate: set to new device state and notify sysfs file.
1106  *
1107  * @dev: mei_device
1108  * @state: new device state
1109  */
mei_set_devstate(struct mei_device * dev,enum mei_dev_state state)1110 void mei_set_devstate(struct mei_device *dev, enum mei_dev_state state)
1111 {
1112 	struct device *clsdev;
1113 
1114 	if (dev->dev_state == state)
1115 		return;
1116 
1117 	dev->dev_state = state;
1118 
1119 	clsdev = class_find_device_by_devt(mei_class, dev->cdev.dev);
1120 	if (clsdev) {
1121 		sysfs_notify(&clsdev->kobj, NULL, "dev_state");
1122 		put_device(clsdev);
1123 	}
1124 }
1125 
1126 /**
1127  * kind_show - display device kind
1128  *
1129  * @device: device pointer
1130  * @attr: attribute pointer
1131  * @buf: char out buffer
1132  *
1133  * Return: number of the bytes printed into buf or error
1134  */
kind_show(struct device * device,struct device_attribute * attr,char * buf)1135 static ssize_t kind_show(struct device *device,
1136 			 struct device_attribute *attr, char *buf)
1137 {
1138 	struct mei_device *dev = dev_get_drvdata(device);
1139 	ssize_t ret;
1140 
1141 	if (dev->kind)
1142 		ret = sprintf(buf, "%s\n", dev->kind);
1143 	else
1144 		ret = sprintf(buf, "%s\n", "mei");
1145 
1146 	return ret;
1147 }
1148 static DEVICE_ATTR_RO(kind);
1149 
1150 static struct attribute *mei_attrs[] = {
1151 	&dev_attr_fw_status.attr,
1152 	&dev_attr_hbm_ver.attr,
1153 	&dev_attr_hbm_ver_drv.attr,
1154 	&dev_attr_tx_queue_limit.attr,
1155 	&dev_attr_fw_ver.attr,
1156 	&dev_attr_dev_state.attr,
1157 	&dev_attr_trc.attr,
1158 	&dev_attr_kind.attr,
1159 	NULL
1160 };
1161 ATTRIBUTE_GROUPS(mei);
1162 
1163 /*
1164  * file operations structure will be used for mei char device.
1165  */
1166 static const struct file_operations mei_fops = {
1167 	.owner = THIS_MODULE,
1168 	.read = mei_read,
1169 	.unlocked_ioctl = mei_ioctl,
1170 	.compat_ioctl = compat_ptr_ioctl,
1171 	.open = mei_open,
1172 	.release = mei_release,
1173 	.write = mei_write,
1174 	.poll = mei_poll,
1175 	.fsync = mei_fsync,
1176 	.fasync = mei_fasync,
1177 	.llseek = no_llseek
1178 };
1179 
1180 /**
1181  * mei_minor_get - obtain next free device minor number
1182  *
1183  * @dev:  device pointer
1184  *
1185  * Return: allocated minor, or -ENOSPC if no free minor left
1186  */
mei_minor_get(struct mei_device * dev)1187 static int mei_minor_get(struct mei_device *dev)
1188 {
1189 	int ret;
1190 
1191 	mutex_lock(&mei_minor_lock);
1192 	ret = idr_alloc(&mei_idr, dev, 0, MEI_MAX_DEVS, GFP_KERNEL);
1193 	if (ret >= 0)
1194 		dev->minor = ret;
1195 	else if (ret == -ENOSPC)
1196 		dev_err(dev->dev, "too many mei devices\n");
1197 
1198 	mutex_unlock(&mei_minor_lock);
1199 	return ret;
1200 }
1201 
1202 /**
1203  * mei_minor_free - mark device minor number as free
1204  *
1205  * @dev:  device pointer
1206  */
mei_minor_free(struct mei_device * dev)1207 static void mei_minor_free(struct mei_device *dev)
1208 {
1209 	mutex_lock(&mei_minor_lock);
1210 	idr_remove(&mei_idr, dev->minor);
1211 	mutex_unlock(&mei_minor_lock);
1212 }
1213 
mei_register(struct mei_device * dev,struct device * parent)1214 int mei_register(struct mei_device *dev, struct device *parent)
1215 {
1216 	struct device *clsdev; /* class device */
1217 	int ret, devno;
1218 
1219 	ret = mei_minor_get(dev);
1220 	if (ret < 0)
1221 		return ret;
1222 
1223 	/* Fill in the data structures */
1224 	devno = MKDEV(MAJOR(mei_devt), dev->minor);
1225 	cdev_init(&dev->cdev, &mei_fops);
1226 	dev->cdev.owner = parent->driver->owner;
1227 
1228 	/* Add the device */
1229 	ret = cdev_add(&dev->cdev, devno, 1);
1230 	if (ret) {
1231 		dev_err(parent, "unable to add device %d:%d\n",
1232 			MAJOR(mei_devt), dev->minor);
1233 		goto err_dev_add;
1234 	}
1235 
1236 	clsdev = device_create_with_groups(mei_class, parent, devno,
1237 					   dev, mei_groups,
1238 					   "mei%d", dev->minor);
1239 
1240 	if (IS_ERR(clsdev)) {
1241 		dev_err(parent, "unable to create device %d:%d\n",
1242 			MAJOR(mei_devt), dev->minor);
1243 		ret = PTR_ERR(clsdev);
1244 		goto err_dev_create;
1245 	}
1246 
1247 	mei_dbgfs_register(dev, dev_name(clsdev));
1248 
1249 	return 0;
1250 
1251 err_dev_create:
1252 	cdev_del(&dev->cdev);
1253 err_dev_add:
1254 	mei_minor_free(dev);
1255 	return ret;
1256 }
1257 EXPORT_SYMBOL_GPL(mei_register);
1258 
mei_deregister(struct mei_device * dev)1259 void mei_deregister(struct mei_device *dev)
1260 {
1261 	int devno;
1262 
1263 	devno = dev->cdev.dev;
1264 	cdev_del(&dev->cdev);
1265 
1266 	mei_dbgfs_deregister(dev);
1267 
1268 	device_destroy(mei_class, devno);
1269 
1270 	mei_minor_free(dev);
1271 }
1272 EXPORT_SYMBOL_GPL(mei_deregister);
1273 
mei_init(void)1274 static int __init mei_init(void)
1275 {
1276 	int ret;
1277 
1278 	mei_class = class_create(THIS_MODULE, "mei");
1279 	if (IS_ERR(mei_class)) {
1280 		pr_err("couldn't create class\n");
1281 		ret = PTR_ERR(mei_class);
1282 		goto err;
1283 	}
1284 
1285 	ret = alloc_chrdev_region(&mei_devt, 0, MEI_MAX_DEVS, "mei");
1286 	if (ret < 0) {
1287 		pr_err("unable to allocate char dev region\n");
1288 		goto err_class;
1289 	}
1290 
1291 	ret = mei_cl_bus_init();
1292 	if (ret < 0) {
1293 		pr_err("unable to initialize bus\n");
1294 		goto err_chrdev;
1295 	}
1296 
1297 	return 0;
1298 
1299 err_chrdev:
1300 	unregister_chrdev_region(mei_devt, MEI_MAX_DEVS);
1301 err_class:
1302 	class_destroy(mei_class);
1303 err:
1304 	return ret;
1305 }
1306 
mei_exit(void)1307 static void __exit mei_exit(void)
1308 {
1309 	unregister_chrdev_region(mei_devt, MEI_MAX_DEVS);
1310 	class_destroy(mei_class);
1311 	mei_cl_bus_exit();
1312 }
1313 
1314 module_init(mei_init);
1315 module_exit(mei_exit);
1316 
1317 MODULE_AUTHOR("Intel Corporation");
1318 MODULE_DESCRIPTION("Intel(R) Management Engine Interface");
1319 MODULE_LICENSE("GPL v2");
1320 
1321