1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (c) 2003-2018, Intel Corporation. All rights reserved. 4 * Intel Management Engine Interface (Intel MEI) Linux driver 5 */ 6 7 #include <linux/export.h> 8 #include <linux/kthread.h> 9 #include <linux/interrupt.h> 10 #include <linux/fs.h> 11 #include <linux/jiffies.h> 12 #include <linux/slab.h> 13 #include <linux/pm_runtime.h> 14 15 #include <linux/mei.h> 16 17 #include "mei_dev.h" 18 #include "hbm.h" 19 #include "client.h" 20 21 22 /** 23 * mei_irq_compl_handler - dispatch complete handlers 24 * for the completed callbacks 25 * 26 * @dev: mei device 27 * @cmpl_list: list of completed cbs 28 */ 29 void mei_irq_compl_handler(struct mei_device *dev, struct list_head *cmpl_list) 30 { 31 struct mei_cl_cb *cb, *next; 32 struct mei_cl *cl; 33 34 list_for_each_entry_safe(cb, next, cmpl_list, list) { 35 cl = cb->cl; 36 list_del_init(&cb->list); 37 38 cl_dbg(dev, cl, "completing call back.\n"); 39 mei_cl_complete(cl, cb); 40 } 41 } 42 EXPORT_SYMBOL_GPL(mei_irq_compl_handler); 43 44 /** 45 * mei_cl_hbm_equal - check if hbm is addressed to the client 46 * 47 * @cl: host client 48 * @mei_hdr: header of mei client message 49 * 50 * Return: true if matches, false otherwise 51 */ 52 static inline int mei_cl_hbm_equal(struct mei_cl *cl, 53 struct mei_msg_hdr *mei_hdr) 54 { 55 return mei_cl_host_addr(cl) == mei_hdr->host_addr && 56 mei_cl_me_id(cl) == mei_hdr->me_addr; 57 } 58 59 /** 60 * mei_irq_discard_msg - discard received message 61 * 62 * @dev: mei device 63 * @hdr: message header 64 * @discard_len: the length of the message to discard (excluding header) 65 */ 66 static void mei_irq_discard_msg(struct mei_device *dev, struct mei_msg_hdr *hdr, 67 size_t discard_len) 68 { 69 if (hdr->dma_ring) { 70 mei_dma_ring_read(dev, NULL, 71 hdr->extension[dev->rd_msg_hdr_count - 2]); 72 discard_len = 0; 73 } 74 /* 75 * no need to check for size as it is guaranteed 76 * that length fits into rd_msg_buf 77 */ 78 mei_read_slots(dev, dev->rd_msg_buf, discard_len); 79 dev_dbg(&dev->dev, "discarding message " MEI_HDR_FMT "\n", 80 MEI_HDR_PRM(hdr)); 81 } 82 83 /** 84 * mei_cl_irq_read_msg - process client message 85 * 86 * @cl: reading client 87 * @mei_hdr: header of mei client message 88 * @meta: extend meta header 89 * @cmpl_list: completion list 90 * 91 * Return: always 0 92 */ 93 static int mei_cl_irq_read_msg(struct mei_cl *cl, 94 struct mei_msg_hdr *mei_hdr, 95 struct mei_ext_meta_hdr *meta, 96 struct list_head *cmpl_list) 97 { 98 struct mei_device *dev = cl->dev; 99 struct mei_cl_cb *cb; 100 101 struct mei_ext_hdr_vtag *vtag_hdr = NULL; 102 struct mei_ext_hdr_gsc_f2h *gsc_f2h = NULL; 103 104 size_t buf_sz; 105 u32 length; 106 u32 ext_len; 107 108 length = mei_hdr->length; 109 ext_len = 0; 110 if (mei_hdr->extended) { 111 ext_len = sizeof(*meta) + mei_slots2data(meta->size); 112 length -= ext_len; 113 } 114 115 cb = list_first_entry_or_null(&cl->rd_pending, struct mei_cl_cb, list); 116 if (!cb) { 117 if (!mei_cl_is_fixed_address(cl)) { 118 cl_err(dev, cl, "pending read cb not found\n"); 119 goto discard; 120 } 121 cb = mei_cl_alloc_cb(cl, mei_cl_mtu(cl), MEI_FOP_READ, cl->fp); 122 if (!cb) 123 goto discard; 124 list_add_tail(&cb->list, &cl->rd_pending); 125 } 126 127 if (mei_hdr->extended) { 128 struct mei_ext_hdr *ext = mei_ext_begin(meta); 129 do { 130 switch (ext->type) { 131 case MEI_EXT_HDR_VTAG: 132 vtag_hdr = (struct mei_ext_hdr_vtag *)ext; 133 break; 134 case MEI_EXT_HDR_GSC: 135 gsc_f2h = (struct mei_ext_hdr_gsc_f2h *)ext; 136 cb->ext_hdr = (struct mei_ext_hdr *)kzalloc(sizeof(*gsc_f2h), GFP_KERNEL); 137 if (!cb->ext_hdr) { 138 cb->status = -ENOMEM; 139 goto discard; 140 } 141 break; 142 case MEI_EXT_HDR_NONE: 143 fallthrough; 144 default: 145 cl_err(dev, cl, "unknown extended header\n"); 146 cb->status = -EPROTO; 147 break; 148 } 149 150 ext = mei_ext_next(ext); 151 } while (!mei_ext_last(meta, ext)); 152 153 if (!vtag_hdr && !gsc_f2h) { 154 cl_dbg(dev, cl, "no vtag or gsc found in extended header.\n"); 155 cb->status = -EPROTO; 156 goto discard; 157 } 158 } 159 160 if (vtag_hdr) { 161 cl_dbg(dev, cl, "vtag: %d\n", vtag_hdr->vtag); 162 if (cb->vtag && cb->vtag != vtag_hdr->vtag) { 163 cl_err(dev, cl, "mismatched tag: %d != %d\n", 164 cb->vtag, vtag_hdr->vtag); 165 cb->status = -EPROTO; 166 goto discard; 167 } 168 cb->vtag = vtag_hdr->vtag; 169 } 170 171 if (gsc_f2h) { 172 u32 ext_hdr_len = mei_ext_hdr_len(&gsc_f2h->hdr); 173 174 if (!dev->hbm_f_gsc_supported) { 175 cl_err(dev, cl, "gsc extended header is not supported\n"); 176 cb->status = -EPROTO; 177 goto discard; 178 } 179 180 if (length) { 181 cl_err(dev, cl, "no data allowed in cb with gsc\n"); 182 cb->status = -EPROTO; 183 goto discard; 184 } 185 if (ext_hdr_len > sizeof(*gsc_f2h)) { 186 cl_err(dev, cl, "gsc extended header is too big %u\n", ext_hdr_len); 187 cb->status = -EPROTO; 188 goto discard; 189 } 190 memcpy(cb->ext_hdr, gsc_f2h, ext_hdr_len); 191 } 192 193 if (!mei_cl_is_connected(cl)) { 194 cl_dbg(dev, cl, "not connected\n"); 195 cb->status = -ENODEV; 196 goto discard; 197 } 198 199 if (mei_hdr->dma_ring) 200 length = mei_hdr->extension[mei_data2slots(ext_len)]; 201 202 buf_sz = length + cb->buf_idx; 203 /* catch for integer overflow */ 204 if (buf_sz < cb->buf_idx) { 205 cl_err(dev, cl, "message is too big len %d idx %zu\n", 206 length, cb->buf_idx); 207 cb->status = -EMSGSIZE; 208 goto discard; 209 } 210 211 if (cb->buf.size < buf_sz) { 212 cl_dbg(dev, cl, "message overflow. size %zu len %d idx %zu\n", 213 cb->buf.size, length, cb->buf_idx); 214 cb->status = -EMSGSIZE; 215 goto discard; 216 } 217 218 if (mei_hdr->dma_ring) { 219 mei_dma_ring_read(dev, cb->buf.data + cb->buf_idx, length); 220 /* for DMA read 0 length to generate interrupt to the device */ 221 mei_read_slots(dev, cb->buf.data + cb->buf_idx, 0); 222 } else { 223 mei_read_slots(dev, cb->buf.data + cb->buf_idx, length); 224 } 225 226 cb->buf_idx += length; 227 228 if (mei_hdr->msg_complete) { 229 cl_dbg(dev, cl, "completed read length = %zu\n", cb->buf_idx); 230 list_move_tail(&cb->list, cmpl_list); 231 } else { 232 pm_request_autosuspend(dev->parent); 233 } 234 235 return 0; 236 237 discard: 238 if (cb) 239 list_move_tail(&cb->list, cmpl_list); 240 mei_irq_discard_msg(dev, mei_hdr, length); 241 return 0; 242 } 243 244 /** 245 * mei_cl_irq_disconnect_rsp - send disconnection response message 246 * 247 * @cl: client 248 * @cb: callback block. 249 * @cmpl_list: complete list. 250 * 251 * Return: 0, OK; otherwise, error. 252 */ 253 static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb, 254 struct list_head *cmpl_list) 255 { 256 struct mei_device *dev = cl->dev; 257 u32 msg_slots; 258 int slots; 259 int ret; 260 261 msg_slots = mei_hbm2slots(sizeof(struct hbm_client_connect_response)); 262 slots = mei_hbuf_empty_slots(dev); 263 if (slots < 0) 264 return -EOVERFLOW; 265 266 if ((u32)slots < msg_slots) 267 return -EMSGSIZE; 268 269 ret = mei_hbm_cl_disconnect_rsp(dev, cl); 270 list_move_tail(&cb->list, cmpl_list); 271 272 return ret; 273 } 274 275 /** 276 * mei_cl_irq_read - processes client read related operation from the 277 * interrupt thread context - request for flow control credits 278 * 279 * @cl: client 280 * @cb: callback block. 281 * @cmpl_list: complete list. 282 * 283 * Return: 0, OK; otherwise, error. 284 */ 285 static int mei_cl_irq_read(struct mei_cl *cl, struct mei_cl_cb *cb, 286 struct list_head *cmpl_list) 287 { 288 struct mei_device *dev = cl->dev; 289 u32 msg_slots; 290 int slots; 291 int ret; 292 293 if (!list_empty(&cl->rd_pending)) 294 return 0; 295 296 msg_slots = mei_hbm2slots(sizeof(struct hbm_flow_control)); 297 slots = mei_hbuf_empty_slots(dev); 298 if (slots < 0) 299 return -EOVERFLOW; 300 301 if ((u32)slots < msg_slots) 302 return -EMSGSIZE; 303 304 ret = mei_hbm_cl_flow_control_req(dev, cl); 305 if (ret) { 306 cl->status = ret; 307 cb->buf_idx = 0; 308 list_move_tail(&cb->list, cmpl_list); 309 return ret; 310 } 311 312 pm_request_autosuspend(dev->parent); 313 314 list_move_tail(&cb->list, &cl->rd_pending); 315 316 return 0; 317 } 318 319 static inline bool hdr_is_hbm(struct mei_msg_hdr *mei_hdr) 320 { 321 return mei_hdr->host_addr == 0 && mei_hdr->me_addr == 0; 322 } 323 324 static inline bool hdr_is_fixed(struct mei_msg_hdr *mei_hdr) 325 { 326 return mei_hdr->host_addr == 0 && mei_hdr->me_addr != 0; 327 } 328 329 static inline int hdr_is_valid(u32 msg_hdr) 330 { 331 struct mei_msg_hdr *mei_hdr; 332 u32 expected_len = 0; 333 334 mei_hdr = (struct mei_msg_hdr *)&msg_hdr; 335 if (!msg_hdr || mei_hdr->reserved) 336 return -EBADMSG; 337 338 if (mei_hdr->dma_ring) 339 expected_len += MEI_SLOT_SIZE; 340 if (mei_hdr->extended) 341 expected_len += MEI_SLOT_SIZE; 342 if (mei_hdr->length < expected_len) 343 return -EBADMSG; 344 345 return 0; 346 } 347 348 /** 349 * mei_irq_read_handler - bottom half read routine after ISR to 350 * handle the read processing. 351 * 352 * @dev: the device structure 353 * @cmpl_list: An instance of our list structure 354 * @slots: slots to read. 355 * 356 * Return: 0 on success, <0 on failure. 357 */ 358 int mei_irq_read_handler(struct mei_device *dev, 359 struct list_head *cmpl_list, s32 *slots) 360 { 361 struct mei_msg_hdr *mei_hdr; 362 struct mei_ext_meta_hdr *meta_hdr = NULL; 363 struct mei_cl *cl; 364 int ret; 365 u32 hdr_size_left; 366 u32 hdr_size_ext; 367 int i; 368 int ext_hdr_end; 369 370 if (!dev->rd_msg_hdr[0]) { 371 dev->rd_msg_hdr[0] = mei_read_hdr(dev); 372 dev->rd_msg_hdr_count = 1; 373 (*slots)--; 374 dev_dbg(&dev->dev, "slots =%08x.\n", *slots); 375 376 ret = hdr_is_valid(dev->rd_msg_hdr[0]); 377 if (ret) { 378 dev_err(&dev->dev, "corrupted message header 0x%08X\n", 379 dev->rd_msg_hdr[0]); 380 goto end; 381 } 382 } 383 384 mei_hdr = (struct mei_msg_hdr *)dev->rd_msg_hdr; 385 dev_dbg(&dev->dev, MEI_HDR_FMT, MEI_HDR_PRM(mei_hdr)); 386 387 if (mei_slots2data(*slots) < mei_hdr->length) { 388 dev_err(&dev->dev, "less data available than length=%08x.\n", 389 *slots); 390 /* we can't read the message */ 391 ret = -ENODATA; 392 goto end; 393 } 394 395 ext_hdr_end = 1; 396 hdr_size_left = mei_hdr->length; 397 398 if (mei_hdr->extended) { 399 if (!dev->rd_msg_hdr[1]) { 400 dev->rd_msg_hdr[1] = mei_read_hdr(dev); 401 dev->rd_msg_hdr_count++; 402 (*slots)--; 403 dev_dbg(&dev->dev, "extended header is %08x\n", dev->rd_msg_hdr[1]); 404 } 405 meta_hdr = ((struct mei_ext_meta_hdr *)&dev->rd_msg_hdr[1]); 406 if (check_add_overflow((u32)sizeof(*meta_hdr), 407 mei_slots2data(meta_hdr->size), 408 &hdr_size_ext)) { 409 dev_err(&dev->dev, "extended message size too big %d\n", 410 meta_hdr->size); 411 return -EBADMSG; 412 } 413 if (hdr_size_left < hdr_size_ext) { 414 dev_err(&dev->dev, "corrupted message header len %d\n", 415 mei_hdr->length); 416 return -EBADMSG; 417 } 418 hdr_size_left -= hdr_size_ext; 419 420 ext_hdr_end = meta_hdr->size + 2; 421 for (i = dev->rd_msg_hdr_count; i < ext_hdr_end; i++) { 422 dev->rd_msg_hdr[i] = mei_read_hdr(dev); 423 dev_dbg(&dev->dev, "extended header %d is %08x\n", i, 424 dev->rd_msg_hdr[i]); 425 dev->rd_msg_hdr_count++; 426 (*slots)--; 427 } 428 } 429 430 if (mei_hdr->dma_ring) { 431 if (hdr_size_left != sizeof(dev->rd_msg_hdr[ext_hdr_end])) { 432 dev_err(&dev->dev, "corrupted message header len %d\n", 433 mei_hdr->length); 434 return -EBADMSG; 435 } 436 437 dev->rd_msg_hdr[ext_hdr_end] = mei_read_hdr(dev); 438 dev->rd_msg_hdr_count++; 439 (*slots)--; 440 mei_hdr->length -= sizeof(dev->rd_msg_hdr[ext_hdr_end]); 441 } 442 443 /* HBM message */ 444 if (hdr_is_hbm(mei_hdr)) { 445 ret = mei_hbm_dispatch(dev, mei_hdr); 446 if (ret) { 447 dev_dbg(&dev->dev, "mei_hbm_dispatch failed ret = %d\n", ret); 448 goto end; 449 } 450 goto reset_slots; 451 } 452 453 /* find recipient cl */ 454 list_for_each_entry(cl, &dev->file_list, link) { 455 if (mei_cl_hbm_equal(cl, mei_hdr)) { 456 cl_dbg(dev, cl, "got a message\n"); 457 ret = mei_cl_irq_read_msg(cl, mei_hdr, meta_hdr, cmpl_list); 458 goto reset_slots; 459 } 460 } 461 462 /* if no recipient cl was found we assume corrupted header */ 463 /* A message for not connected fixed address clients 464 * should be silently discarded 465 * On power down client may be force cleaned, 466 * silently discard such messages 467 */ 468 if (hdr_is_fixed(mei_hdr) || 469 dev->dev_state == MEI_DEV_POWER_DOWN) { 470 mei_irq_discard_msg(dev, mei_hdr, mei_hdr->length); 471 ret = 0; 472 goto reset_slots; 473 } 474 dev_err(&dev->dev, "no destination client found 0x%08X\n", dev->rd_msg_hdr[0]); 475 ret = -EBADMSG; 476 goto end; 477 478 reset_slots: 479 /* reset the number of slots and header */ 480 memset(dev->rd_msg_hdr, 0, sizeof(dev->rd_msg_hdr)); 481 dev->rd_msg_hdr_count = 0; 482 *slots = mei_count_full_read_slots(dev); 483 if (*slots == -EOVERFLOW) { 484 /* overflow - reset */ 485 dev_err(&dev->dev, "resetting due to slots overflow.\n"); 486 /* set the event since message has been read */ 487 ret = -ERANGE; 488 goto end; 489 } 490 end: 491 return ret; 492 } 493 EXPORT_SYMBOL_GPL(mei_irq_read_handler); 494 495 496 /** 497 * mei_irq_write_handler - dispatch write requests 498 * after irq received 499 * 500 * @dev: the device structure 501 * @cmpl_list: An instance of our list structure 502 * 503 * Return: 0 on success, <0 on failure. 504 */ 505 int mei_irq_write_handler(struct mei_device *dev, struct list_head *cmpl_list) 506 { 507 508 struct mei_cl *cl; 509 struct mei_cl_cb *cb, *next; 510 s32 slots; 511 int ret; 512 513 514 if (!mei_hbuf_acquire(dev)) 515 return 0; 516 517 slots = mei_hbuf_empty_slots(dev); 518 if (slots < 0) 519 return -EOVERFLOW; 520 521 if (slots == 0) 522 return -EMSGSIZE; 523 524 /* complete all waiting for write CB */ 525 dev_dbg(&dev->dev, "complete all waiting for write cb.\n"); 526 527 list_for_each_entry_safe(cb, next, &dev->write_waiting_list, list) { 528 cl = cb->cl; 529 530 cl->status = 0; 531 cl_dbg(dev, cl, "MEI WRITE COMPLETE\n"); 532 cl->writing_state = MEI_WRITE_COMPLETE; 533 list_move_tail(&cb->list, cmpl_list); 534 } 535 536 /* complete control write list CB */ 537 dev_dbg(&dev->dev, "complete control write list cb.\n"); 538 list_for_each_entry_safe(cb, next, &dev->ctrl_wr_list, list) { 539 cl = cb->cl; 540 switch (cb->fop_type) { 541 case MEI_FOP_DISCONNECT: 542 /* send disconnect message */ 543 ret = mei_cl_irq_disconnect(cl, cb, cmpl_list); 544 if (ret) 545 return ret; 546 547 break; 548 case MEI_FOP_READ: 549 /* send flow control message */ 550 ret = mei_cl_irq_read(cl, cb, cmpl_list); 551 if (ret) 552 return ret; 553 554 break; 555 case MEI_FOP_CONNECT: 556 /* connect message */ 557 ret = mei_cl_irq_connect(cl, cb, cmpl_list); 558 if (ret) 559 return ret; 560 561 break; 562 case MEI_FOP_DISCONNECT_RSP: 563 /* send disconnect resp */ 564 ret = mei_cl_irq_disconnect_rsp(cl, cb, cmpl_list); 565 if (ret) 566 return ret; 567 break; 568 569 case MEI_FOP_NOTIFY_START: 570 case MEI_FOP_NOTIFY_STOP: 571 ret = mei_cl_irq_notify(cl, cb, cmpl_list); 572 if (ret) 573 return ret; 574 break; 575 case MEI_FOP_DMA_MAP: 576 ret = mei_cl_irq_dma_map(cl, cb, cmpl_list); 577 if (ret) 578 return ret; 579 break; 580 case MEI_FOP_DMA_UNMAP: 581 ret = mei_cl_irq_dma_unmap(cl, cb, cmpl_list); 582 if (ret) 583 return ret; 584 break; 585 default: 586 BUG(); 587 } 588 589 } 590 /* complete write list CB */ 591 dev_dbg(&dev->dev, "complete write list cb.\n"); 592 list_for_each_entry_safe(cb, next, &dev->write_list, list) { 593 cl = cb->cl; 594 ret = mei_cl_irq_write(cl, cb, cmpl_list); 595 if (ret) 596 return ret; 597 } 598 return 0; 599 } 600 EXPORT_SYMBOL_GPL(mei_irq_write_handler); 601 602 603 /** 604 * mei_connect_timeout - connect/disconnect timeouts 605 * 606 * @cl: host client 607 */ 608 static void mei_connect_timeout(struct mei_cl *cl) 609 { 610 struct mei_device *dev = cl->dev; 611 612 if (cl->state == MEI_FILE_CONNECTING) { 613 if (dev->hbm_f_dot_supported) { 614 cl->state = MEI_FILE_DISCONNECT_REQUIRED; 615 wake_up(&cl->wait); 616 return; 617 } 618 } 619 mei_reset(dev); 620 } 621 622 #define MEI_STALL_TIMER_FREQ (2 * HZ) 623 /** 624 * mei_schedule_stall_timer - re-arm stall_timer work 625 * 626 * @dev: the device structure 627 * 628 * Schedule stall timer 629 */ 630 void mei_schedule_stall_timer(struct mei_device *dev) 631 { 632 schedule_delayed_work(&dev->timer_work, MEI_STALL_TIMER_FREQ); 633 } 634 635 /** 636 * mei_timer - timer function. 637 * 638 * @work: pointer to the work_struct structure 639 * 640 */ 641 void mei_timer(struct work_struct *work) 642 { 643 struct mei_cl *cl; 644 struct mei_device *dev = container_of(work, 645 struct mei_device, timer_work.work); 646 bool reschedule_timer = false; 647 648 mutex_lock(&dev->device_lock); 649 650 /* Catch interrupt stalls during HBM init handshake */ 651 if (dev->dev_state == MEI_DEV_INIT_CLIENTS && 652 dev->hbm_state != MEI_HBM_IDLE) { 653 654 if (dev->init_clients_timer) { 655 if (--dev->init_clients_timer == 0) { 656 dev_err(&dev->dev, "timer: init clients timeout hbm_state = %d.\n", 657 dev->hbm_state); 658 mei_reset(dev); 659 goto out; 660 } 661 reschedule_timer = true; 662 } 663 } 664 665 if (dev->dev_state != MEI_DEV_ENABLED) 666 goto out; 667 668 /*** connect/disconnect timeouts ***/ 669 list_for_each_entry(cl, &dev->file_list, link) { 670 if (cl->timer_count) { 671 if (--cl->timer_count == 0) { 672 dev_err(&dev->dev, "timer: connect/disconnect timeout.\n"); 673 mei_connect_timeout(cl); 674 goto out; 675 } 676 reschedule_timer = true; 677 } 678 } 679 680 out: 681 if (dev->dev_state != MEI_DEV_DISABLED && reschedule_timer) 682 mei_schedule_stall_timer(dev); 683 684 mutex_unlock(&dev->device_lock); 685 } 686