1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (c) 2003-2018, Intel Corporation. All rights reserved. 4 * Intel Management Engine Interface (Intel MEI) Linux driver 5 */ 6 7 #include <linux/export.h> 8 #include <linux/kthread.h> 9 #include <linux/interrupt.h> 10 #include <linux/fs.h> 11 #include <linux/jiffies.h> 12 #include <linux/slab.h> 13 #include <linux/pm_runtime.h> 14 15 #include <linux/mei.h> 16 17 #include "mei_dev.h" 18 #include "hbm.h" 19 #include "client.h" 20 21 22 /** 23 * mei_irq_compl_handler - dispatch complete handlers 24 * for the completed callbacks 25 * 26 * @dev: mei device 27 * @cmpl_list: list of completed cbs 28 */ 29 void mei_irq_compl_handler(struct mei_device *dev, struct list_head *cmpl_list) 30 { 31 struct mei_cl_cb *cb, *next; 32 struct mei_cl *cl; 33 34 list_for_each_entry_safe(cb, next, cmpl_list, list) { 35 cl = cb->cl; 36 list_del_init(&cb->list); 37 38 dev_dbg(dev->dev, "completing call back.\n"); 39 mei_cl_complete(cl, cb); 40 } 41 } 42 EXPORT_SYMBOL_GPL(mei_irq_compl_handler); 43 44 /** 45 * mei_cl_hbm_equal - check if hbm is addressed to the client 46 * 47 * @cl: host client 48 * @mei_hdr: header of mei client message 49 * 50 * Return: true if matches, false otherwise 51 */ 52 static inline int mei_cl_hbm_equal(struct mei_cl *cl, 53 struct mei_msg_hdr *mei_hdr) 54 { 55 return mei_cl_host_addr(cl) == mei_hdr->host_addr && 56 mei_cl_me_id(cl) == mei_hdr->me_addr; 57 } 58 59 /** 60 * mei_irq_discard_msg - discard received message 61 * 62 * @dev: mei device 63 * @hdr: message header 64 * @discard_len: the length of the message to discard (excluding header) 65 */ 66 static void mei_irq_discard_msg(struct mei_device *dev, struct mei_msg_hdr *hdr, 67 size_t discard_len) 68 { 69 if (hdr->dma_ring) { 70 mei_dma_ring_read(dev, NULL, 71 hdr->extension[dev->rd_msg_hdr_count - 2]); 72 discard_len = 0; 73 } 74 /* 75 * no need to check for size as it is guarantied 76 * that length fits into rd_msg_buf 77 */ 78 mei_read_slots(dev, dev->rd_msg_buf, discard_len); 79 dev_dbg(dev->dev, "discarding message " MEI_HDR_FMT "\n", 80 MEI_HDR_PRM(hdr)); 81 } 82 83 /** 84 * mei_cl_irq_read_msg - process client message 85 * 86 * @cl: reading client 87 * @mei_hdr: header of mei client message 88 * @meta: extend meta header 89 * @cmpl_list: completion list 90 * 91 * Return: always 0 92 */ 93 static int mei_cl_irq_read_msg(struct mei_cl *cl, 94 struct mei_msg_hdr *mei_hdr, 95 struct mei_ext_meta_hdr *meta, 96 struct list_head *cmpl_list) 97 { 98 struct mei_device *dev = cl->dev; 99 struct mei_cl_cb *cb; 100 101 size_t buf_sz; 102 u32 length; 103 int ext_len; 104 105 length = mei_hdr->length; 106 ext_len = 0; 107 if (mei_hdr->extended) { 108 ext_len = sizeof(*meta) + mei_slots2data(meta->size); 109 length -= ext_len; 110 } 111 112 cb = list_first_entry_or_null(&cl->rd_pending, struct mei_cl_cb, list); 113 if (!cb) { 114 if (!mei_cl_is_fixed_address(cl)) { 115 cl_err(dev, cl, "pending read cb not found\n"); 116 goto discard; 117 } 118 cb = mei_cl_alloc_cb(cl, mei_cl_mtu(cl), MEI_FOP_READ, cl->fp); 119 if (!cb) 120 goto discard; 121 list_add_tail(&cb->list, &cl->rd_pending); 122 } 123 124 if (mei_hdr->extended) { 125 struct mei_ext_hdr *ext; 126 struct mei_ext_hdr *vtag = NULL; 127 128 ext = mei_ext_begin(meta); 129 do { 130 switch (ext->type) { 131 case MEI_EXT_HDR_VTAG: 132 vtag = ext; 133 break; 134 case MEI_EXT_HDR_NONE: 135 fallthrough; 136 default: 137 cb->status = -EPROTO; 138 break; 139 } 140 141 ext = mei_ext_next(ext); 142 } while (!mei_ext_last(meta, ext)); 143 144 if (!vtag) { 145 cl_dbg(dev, cl, "vtag not found in extended header.\n"); 146 cb->status = -EPROTO; 147 goto discard; 148 } 149 150 cl_dbg(dev, cl, "vtag: %d\n", vtag->ext_payload[0]); 151 if (cb->vtag && cb->vtag != vtag->ext_payload[0]) { 152 cl_err(dev, cl, "mismatched tag: %d != %d\n", 153 cb->vtag, vtag->ext_payload[0]); 154 cb->status = -EPROTO; 155 goto discard; 156 } 157 cb->vtag = vtag->ext_payload[0]; 158 } 159 160 if (!mei_cl_is_connected(cl)) { 161 cl_dbg(dev, cl, "not connected\n"); 162 cb->status = -ENODEV; 163 goto discard; 164 } 165 166 if (mei_hdr->dma_ring) 167 length = mei_hdr->extension[mei_data2slots(ext_len)]; 168 169 buf_sz = length + cb->buf_idx; 170 /* catch for integer overflow */ 171 if (buf_sz < cb->buf_idx) { 172 cl_err(dev, cl, "message is too big len %d idx %zu\n", 173 length, cb->buf_idx); 174 cb->status = -EMSGSIZE; 175 goto discard; 176 } 177 178 if (cb->buf.size < buf_sz) { 179 cl_dbg(dev, cl, "message overflow. size %zu len %d idx %zu\n", 180 cb->buf.size, length, cb->buf_idx); 181 cb->status = -EMSGSIZE; 182 goto discard; 183 } 184 185 if (mei_hdr->dma_ring) { 186 mei_dma_ring_read(dev, cb->buf.data + cb->buf_idx, length); 187 /* for DMA read 0 length to generate interrupt to the device */ 188 mei_read_slots(dev, cb->buf.data + cb->buf_idx, 0); 189 } else { 190 mei_read_slots(dev, cb->buf.data + cb->buf_idx, length); 191 } 192 193 cb->buf_idx += length; 194 195 if (mei_hdr->msg_complete) { 196 cl_dbg(dev, cl, "completed read length = %zu\n", cb->buf_idx); 197 list_move_tail(&cb->list, cmpl_list); 198 } else { 199 pm_runtime_mark_last_busy(dev->dev); 200 pm_request_autosuspend(dev->dev); 201 } 202 203 return 0; 204 205 discard: 206 if (cb) 207 list_move_tail(&cb->list, cmpl_list); 208 mei_irq_discard_msg(dev, mei_hdr, length); 209 return 0; 210 } 211 212 /** 213 * mei_cl_irq_disconnect_rsp - send disconnection response message 214 * 215 * @cl: client 216 * @cb: callback block. 217 * @cmpl_list: complete list. 218 * 219 * Return: 0, OK; otherwise, error. 220 */ 221 static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb, 222 struct list_head *cmpl_list) 223 { 224 struct mei_device *dev = cl->dev; 225 u32 msg_slots; 226 int slots; 227 int ret; 228 229 msg_slots = mei_hbm2slots(sizeof(struct hbm_client_connect_response)); 230 slots = mei_hbuf_empty_slots(dev); 231 if (slots < 0) 232 return -EOVERFLOW; 233 234 if ((u32)slots < msg_slots) 235 return -EMSGSIZE; 236 237 ret = mei_hbm_cl_disconnect_rsp(dev, cl); 238 list_move_tail(&cb->list, cmpl_list); 239 240 return ret; 241 } 242 243 /** 244 * mei_cl_irq_read - processes client read related operation from the 245 * interrupt thread context - request for flow control credits 246 * 247 * @cl: client 248 * @cb: callback block. 249 * @cmpl_list: complete list. 250 * 251 * Return: 0, OK; otherwise, error. 252 */ 253 static int mei_cl_irq_read(struct mei_cl *cl, struct mei_cl_cb *cb, 254 struct list_head *cmpl_list) 255 { 256 struct mei_device *dev = cl->dev; 257 u32 msg_slots; 258 int slots; 259 int ret; 260 261 if (!list_empty(&cl->rd_pending)) 262 return 0; 263 264 msg_slots = mei_hbm2slots(sizeof(struct hbm_flow_control)); 265 slots = mei_hbuf_empty_slots(dev); 266 if (slots < 0) 267 return -EOVERFLOW; 268 269 if ((u32)slots < msg_slots) 270 return -EMSGSIZE; 271 272 ret = mei_hbm_cl_flow_control_req(dev, cl); 273 if (ret) { 274 cl->status = ret; 275 cb->buf_idx = 0; 276 list_move_tail(&cb->list, cmpl_list); 277 return ret; 278 } 279 280 pm_runtime_mark_last_busy(dev->dev); 281 pm_request_autosuspend(dev->dev); 282 283 list_move_tail(&cb->list, &cl->rd_pending); 284 285 return 0; 286 } 287 288 static inline bool hdr_is_hbm(struct mei_msg_hdr *mei_hdr) 289 { 290 return mei_hdr->host_addr == 0 && mei_hdr->me_addr == 0; 291 } 292 293 static inline bool hdr_is_fixed(struct mei_msg_hdr *mei_hdr) 294 { 295 return mei_hdr->host_addr == 0 && mei_hdr->me_addr != 0; 296 } 297 298 static inline int hdr_is_valid(u32 msg_hdr) 299 { 300 struct mei_msg_hdr *mei_hdr; 301 u32 expected_len = 0; 302 303 mei_hdr = (struct mei_msg_hdr *)&msg_hdr; 304 if (!msg_hdr || mei_hdr->reserved) 305 return -EBADMSG; 306 307 if (mei_hdr->dma_ring) 308 expected_len += MEI_SLOT_SIZE; 309 if (mei_hdr->extended) 310 expected_len += MEI_SLOT_SIZE; 311 if (mei_hdr->length < expected_len) 312 return -EBADMSG; 313 314 return 0; 315 } 316 317 /** 318 * mei_irq_read_handler - bottom half read routine after ISR to 319 * handle the read processing. 320 * 321 * @dev: the device structure 322 * @cmpl_list: An instance of our list structure 323 * @slots: slots to read. 324 * 325 * Return: 0 on success, <0 on failure. 326 */ 327 int mei_irq_read_handler(struct mei_device *dev, 328 struct list_head *cmpl_list, s32 *slots) 329 { 330 struct mei_msg_hdr *mei_hdr; 331 struct mei_ext_meta_hdr *meta_hdr = NULL; 332 struct mei_cl *cl; 333 int ret; 334 u32 ext_meta_hdr_u32; 335 u32 hdr_size_left; 336 u32 hdr_size_ext; 337 int i; 338 int ext_hdr_end; 339 340 if (!dev->rd_msg_hdr[0]) { 341 dev->rd_msg_hdr[0] = mei_read_hdr(dev); 342 dev->rd_msg_hdr_count = 1; 343 (*slots)--; 344 dev_dbg(dev->dev, "slots =%08x.\n", *slots); 345 346 ret = hdr_is_valid(dev->rd_msg_hdr[0]); 347 if (ret) { 348 dev_err(dev->dev, "corrupted message header 0x%08X\n", 349 dev->rd_msg_hdr[0]); 350 goto end; 351 } 352 } 353 354 mei_hdr = (struct mei_msg_hdr *)dev->rd_msg_hdr; 355 dev_dbg(dev->dev, MEI_HDR_FMT, MEI_HDR_PRM(mei_hdr)); 356 357 if (mei_slots2data(*slots) < mei_hdr->length) { 358 dev_err(dev->dev, "less data available than length=%08x.\n", 359 *slots); 360 /* we can't read the message */ 361 ret = -ENODATA; 362 goto end; 363 } 364 365 ext_hdr_end = 1; 366 hdr_size_left = mei_hdr->length; 367 368 if (mei_hdr->extended) { 369 if (!dev->rd_msg_hdr[1]) { 370 ext_meta_hdr_u32 = mei_read_hdr(dev); 371 dev->rd_msg_hdr[1] = ext_meta_hdr_u32; 372 dev->rd_msg_hdr_count++; 373 (*slots)--; 374 dev_dbg(dev->dev, "extended header is %08x\n", 375 ext_meta_hdr_u32); 376 } 377 meta_hdr = ((struct mei_ext_meta_hdr *)dev->rd_msg_hdr + 1); 378 if (check_add_overflow((u32)sizeof(*meta_hdr), 379 mei_slots2data(meta_hdr->size), 380 &hdr_size_ext)) { 381 dev_err(dev->dev, "extended message size too big %d\n", 382 meta_hdr->size); 383 return -EBADMSG; 384 } 385 if (hdr_size_left < hdr_size_ext) { 386 dev_err(dev->dev, "corrupted message header len %d\n", 387 mei_hdr->length); 388 return -EBADMSG; 389 } 390 hdr_size_left -= hdr_size_ext; 391 392 ext_hdr_end = meta_hdr->size + 2; 393 for (i = dev->rd_msg_hdr_count; i < ext_hdr_end; i++) { 394 dev->rd_msg_hdr[i] = mei_read_hdr(dev); 395 dev_dbg(dev->dev, "extended header %d is %08x\n", i, 396 dev->rd_msg_hdr[i]); 397 dev->rd_msg_hdr_count++; 398 (*slots)--; 399 } 400 } 401 402 if (mei_hdr->dma_ring) { 403 if (hdr_size_left != sizeof(dev->rd_msg_hdr[ext_hdr_end])) { 404 dev_err(dev->dev, "corrupted message header len %d\n", 405 mei_hdr->length); 406 return -EBADMSG; 407 } 408 409 dev->rd_msg_hdr[ext_hdr_end] = mei_read_hdr(dev); 410 dev->rd_msg_hdr_count++; 411 (*slots)--; 412 mei_hdr->length -= sizeof(dev->rd_msg_hdr[ext_hdr_end]); 413 } 414 415 /* HBM message */ 416 if (hdr_is_hbm(mei_hdr)) { 417 ret = mei_hbm_dispatch(dev, mei_hdr); 418 if (ret) { 419 dev_dbg(dev->dev, "mei_hbm_dispatch failed ret = %d\n", 420 ret); 421 goto end; 422 } 423 goto reset_slots; 424 } 425 426 /* find recipient cl */ 427 list_for_each_entry(cl, &dev->file_list, link) { 428 if (mei_cl_hbm_equal(cl, mei_hdr)) { 429 cl_dbg(dev, cl, "got a message\n"); 430 break; 431 } 432 } 433 434 /* if no recipient cl was found we assume corrupted header */ 435 if (&cl->link == &dev->file_list) { 436 /* A message for not connected fixed address clients 437 * should be silently discarded 438 * On power down client may be force cleaned, 439 * silently discard such messages 440 */ 441 if (hdr_is_fixed(mei_hdr) || 442 dev->dev_state == MEI_DEV_POWER_DOWN) { 443 mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length); 444 ret = 0; 445 goto reset_slots; 446 } 447 dev_err(dev->dev, "no destination client found 0x%08X\n", 448 dev->rd_msg_hdr[0]); 449 ret = -EBADMSG; 450 goto end; 451 } 452 453 ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list); 454 455 456 reset_slots: 457 /* reset the number of slots and header */ 458 memset(dev->rd_msg_hdr, 0, sizeof(dev->rd_msg_hdr)); 459 dev->rd_msg_hdr_count = 0; 460 *slots = mei_count_full_read_slots(dev); 461 if (*slots == -EOVERFLOW) { 462 /* overflow - reset */ 463 dev_err(dev->dev, "resetting due to slots overflow.\n"); 464 /* set the event since message has been read */ 465 ret = -ERANGE; 466 goto end; 467 } 468 end: 469 return ret; 470 } 471 EXPORT_SYMBOL_GPL(mei_irq_read_handler); 472 473 474 /** 475 * mei_irq_write_handler - dispatch write requests 476 * after irq received 477 * 478 * @dev: the device structure 479 * @cmpl_list: An instance of our list structure 480 * 481 * Return: 0 on success, <0 on failure. 482 */ 483 int mei_irq_write_handler(struct mei_device *dev, struct list_head *cmpl_list) 484 { 485 486 struct mei_cl *cl; 487 struct mei_cl_cb *cb, *next; 488 s32 slots; 489 int ret; 490 491 492 if (!mei_hbuf_acquire(dev)) 493 return 0; 494 495 slots = mei_hbuf_empty_slots(dev); 496 if (slots < 0) 497 return -EOVERFLOW; 498 499 if (slots == 0) 500 return -EMSGSIZE; 501 502 /* complete all waiting for write CB */ 503 dev_dbg(dev->dev, "complete all waiting for write cb.\n"); 504 505 list_for_each_entry_safe(cb, next, &dev->write_waiting_list, list) { 506 cl = cb->cl; 507 508 cl->status = 0; 509 cl_dbg(dev, cl, "MEI WRITE COMPLETE\n"); 510 cl->writing_state = MEI_WRITE_COMPLETE; 511 list_move_tail(&cb->list, cmpl_list); 512 } 513 514 /* complete control write list CB */ 515 dev_dbg(dev->dev, "complete control write list cb.\n"); 516 list_for_each_entry_safe(cb, next, &dev->ctrl_wr_list, list) { 517 cl = cb->cl; 518 switch (cb->fop_type) { 519 case MEI_FOP_DISCONNECT: 520 /* send disconnect message */ 521 ret = mei_cl_irq_disconnect(cl, cb, cmpl_list); 522 if (ret) 523 return ret; 524 525 break; 526 case MEI_FOP_READ: 527 /* send flow control message */ 528 ret = mei_cl_irq_read(cl, cb, cmpl_list); 529 if (ret) 530 return ret; 531 532 break; 533 case MEI_FOP_CONNECT: 534 /* connect message */ 535 ret = mei_cl_irq_connect(cl, cb, cmpl_list); 536 if (ret) 537 return ret; 538 539 break; 540 case MEI_FOP_DISCONNECT_RSP: 541 /* send disconnect resp */ 542 ret = mei_cl_irq_disconnect_rsp(cl, cb, cmpl_list); 543 if (ret) 544 return ret; 545 break; 546 547 case MEI_FOP_NOTIFY_START: 548 case MEI_FOP_NOTIFY_STOP: 549 ret = mei_cl_irq_notify(cl, cb, cmpl_list); 550 if (ret) 551 return ret; 552 break; 553 case MEI_FOP_DMA_MAP: 554 ret = mei_cl_irq_dma_map(cl, cb, cmpl_list); 555 if (ret) 556 return ret; 557 break; 558 case MEI_FOP_DMA_UNMAP: 559 ret = mei_cl_irq_dma_unmap(cl, cb, cmpl_list); 560 if (ret) 561 return ret; 562 break; 563 default: 564 BUG(); 565 } 566 567 } 568 /* complete write list CB */ 569 dev_dbg(dev->dev, "complete write list cb.\n"); 570 list_for_each_entry_safe(cb, next, &dev->write_list, list) { 571 cl = cb->cl; 572 ret = mei_cl_irq_write(cl, cb, cmpl_list); 573 if (ret) 574 return ret; 575 } 576 return 0; 577 } 578 EXPORT_SYMBOL_GPL(mei_irq_write_handler); 579 580 581 /** 582 * mei_connect_timeout - connect/disconnect timeouts 583 * 584 * @cl: host client 585 */ 586 static void mei_connect_timeout(struct mei_cl *cl) 587 { 588 struct mei_device *dev = cl->dev; 589 590 if (cl->state == MEI_FILE_CONNECTING) { 591 if (dev->hbm_f_dot_supported) { 592 cl->state = MEI_FILE_DISCONNECT_REQUIRED; 593 wake_up(&cl->wait); 594 return; 595 } 596 } 597 mei_reset(dev); 598 } 599 600 #define MEI_STALL_TIMER_FREQ (2 * HZ) 601 /** 602 * mei_schedule_stall_timer - re-arm stall_timer work 603 * 604 * Schedule stall timer 605 * 606 * @dev: the device structure 607 */ 608 void mei_schedule_stall_timer(struct mei_device *dev) 609 { 610 schedule_delayed_work(&dev->timer_work, MEI_STALL_TIMER_FREQ); 611 } 612 613 /** 614 * mei_timer - timer function. 615 * 616 * @work: pointer to the work_struct structure 617 * 618 */ 619 void mei_timer(struct work_struct *work) 620 { 621 struct mei_cl *cl; 622 struct mei_device *dev = container_of(work, 623 struct mei_device, timer_work.work); 624 bool reschedule_timer = false; 625 626 mutex_lock(&dev->device_lock); 627 628 /* Catch interrupt stalls during HBM init handshake */ 629 if (dev->dev_state == MEI_DEV_INIT_CLIENTS && 630 dev->hbm_state != MEI_HBM_IDLE) { 631 632 if (dev->init_clients_timer) { 633 if (--dev->init_clients_timer == 0) { 634 dev_err(dev->dev, "timer: init clients timeout hbm_state = %d.\n", 635 dev->hbm_state); 636 mei_reset(dev); 637 goto out; 638 } 639 reschedule_timer = true; 640 } 641 } 642 643 if (dev->dev_state != MEI_DEV_ENABLED) 644 goto out; 645 646 /*** connect/disconnect timeouts ***/ 647 list_for_each_entry(cl, &dev->file_list, link) { 648 if (cl->timer_count) { 649 if (--cl->timer_count == 0) { 650 dev_err(dev->dev, "timer: connect/disconnect timeout.\n"); 651 mei_connect_timeout(cl); 652 goto out; 653 } 654 reschedule_timer = true; 655 } 656 } 657 658 out: 659 if (dev->dev_state != MEI_DEV_DISABLED && reschedule_timer) 660 mei_schedule_stall_timer(dev); 661 662 mutex_unlock(&dev->device_lock); 663 } 664