mei: fix NULL dereferencing during FW initiated disconnection
[muen/linux.git] / drivers / misc / mei / interrupt.c
1 /*
2  *
3  * Intel Management Engine Interface (Intel MEI) Linux driver
4  * Copyright (c) 2003-2012, Intel Corporation.
5  *
6  * This program is free software; you can redistribute it and/or modify it
7  * under the terms and conditions of the GNU General Public License,
8  * version 2, as published by the Free Software Foundation.
9  *
10  * This program is distributed in the hope it will be useful, but WITHOUT
11  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
13  * more details.
14  *
15  */
16
17
18 #include <linux/export.h>
19 #include <linux/kthread.h>
20 #include <linux/interrupt.h>
21 #include <linux/fs.h>
22 #include <linux/jiffies.h>
23 #include <linux/slab.h>
24 #include <linux/pm_runtime.h>
25
26 #include <linux/mei.h>
27
28 #include "mei_dev.h"
29 #include "hbm.h"
30 #include "client.h"
31
32
33 /**
34  * mei_irq_compl_handler - dispatch complete handlers
35  *      for the completed callbacks
36  *
37  * @dev: mei device
38  * @compl_list: list of completed cbs
39  */
40 void mei_irq_compl_handler(struct mei_device *dev, struct mei_cl_cb *compl_list)
41 {
42         struct mei_cl_cb *cb, *next;
43         struct mei_cl *cl;
44
45         list_for_each_entry_safe(cb, next, &compl_list->list, list) {
46                 cl = cb->cl;
47                 list_del_init(&cb->list);
48
49                 dev_dbg(dev->dev, "completing call back.\n");
50                 if (cl == &dev->iamthif_cl)
51                         mei_amthif_complete(cl, cb);
52                 else
53                         mei_cl_complete(cl, cb);
54         }
55 }
56 EXPORT_SYMBOL_GPL(mei_irq_compl_handler);
57
58 /**
59  * mei_cl_hbm_equal - check if hbm is addressed to the client
60  *
61  * @cl: host client
62  * @mei_hdr: header of mei client message
63  *
64  * Return: true if matches, false otherwise
65  */
66 static inline int mei_cl_hbm_equal(struct mei_cl *cl,
67                         struct mei_msg_hdr *mei_hdr)
68 {
69         return  mei_cl_host_addr(cl) == mei_hdr->host_addr &&
70                 mei_cl_me_id(cl) == mei_hdr->me_addr;
71 }
72
73 /**
74  * mei_irq_discard_msg  - discard received message
75  *
76  * @dev: mei device
77  * @hdr: message header
78  */
79 static inline
80 void mei_irq_discard_msg(struct mei_device *dev, struct mei_msg_hdr *hdr)
81 {
82         /*
83          * no need to check for size as it is guarantied
84          * that length fits into rd_msg_buf
85          */
86         mei_read_slots(dev, dev->rd_msg_buf, hdr->length);
87         dev_dbg(dev->dev, "discarding message " MEI_HDR_FMT "\n",
88                 MEI_HDR_PRM(hdr));
89 }
90
91 /**
92  * mei_cl_irq_read_msg - process client message
93  *
94  * @cl: reading client
95  * @mei_hdr: header of mei client message
96  * @complete_list: completion list
97  *
98  * Return: always 0
99  */
100 int mei_cl_irq_read_msg(struct mei_cl *cl,
101                        struct mei_msg_hdr *mei_hdr,
102                        struct mei_cl_cb *complete_list)
103 {
104         struct mei_device *dev = cl->dev;
105         struct mei_cl_cb *cb;
106         unsigned char *buffer = NULL;
107         size_t buf_sz;
108
109         cb = list_first_entry_or_null(&cl->rd_pending, struct mei_cl_cb, list);
110         if (!cb) {
111                 cl_err(dev, cl, "pending read cb not found\n");
112                 goto out;
113         }
114
115         if (!mei_cl_is_connected(cl)) {
116                 cl_dbg(dev, cl, "not connected\n");
117                 cb->status = -ENODEV;
118                 goto out;
119         }
120
121         if (cb->buf.size == 0 || cb->buf.data == NULL) {
122                 cl_err(dev, cl, "response buffer is not allocated.\n");
123                 list_move_tail(&cb->list, &complete_list->list);
124                 cb->status = -ENOMEM;
125                 goto out;
126         }
127
128         buf_sz = mei_hdr->length + cb->buf_idx;
129         /* catch for integer overflow */
130         if (buf_sz < cb->buf_idx) {
131                 cl_err(dev, cl, "message is too big len %d idx %zu\n",
132                        mei_hdr->length, cb->buf_idx);
133
134                 list_move_tail(&cb->list, &complete_list->list);
135                 cb->status = -EMSGSIZE;
136                 goto out;
137         }
138
139         if (cb->buf.size < buf_sz) {
140                 cl_dbg(dev, cl, "message overflow. size %zu len %d idx %zu\n",
141                         cb->buf.size, mei_hdr->length, cb->buf_idx);
142                 buffer = krealloc(cb->buf.data, buf_sz, GFP_KERNEL);
143
144                 if (!buffer) {
145                         cb->status = -ENOMEM;
146                         list_move_tail(&cb->list, &complete_list->list);
147                         goto out;
148                 }
149                 cb->buf.data = buffer;
150                 cb->buf.size = buf_sz;
151         }
152
153         buffer = cb->buf.data + cb->buf_idx;
154         mei_read_slots(dev, buffer, mei_hdr->length);
155
156         cb->buf_idx += mei_hdr->length;
157
158         if (mei_hdr->msg_complete) {
159                 cl_dbg(dev, cl, "completed read length = %zu\n", cb->buf_idx);
160                 list_move_tail(&cb->list, &complete_list->list);
161         } else {
162                 pm_runtime_mark_last_busy(dev->dev);
163                 pm_request_autosuspend(dev->dev);
164         }
165
166 out:
167         if (!buffer)
168                 mei_irq_discard_msg(dev, mei_hdr);
169
170         return 0;
171 }
172
173 /**
174  * mei_cl_irq_disconnect_rsp - send disconnection response message
175  *
176  * @cl: client
177  * @cb: callback block.
178  * @cmpl_list: complete list.
179  *
180  * Return: 0, OK; otherwise, error.
181  */
182 static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb,
183                                      struct mei_cl_cb *cmpl_list)
184 {
185         struct mei_device *dev = cl->dev;
186         u32 msg_slots;
187         int slots;
188         int ret;
189
190         slots = mei_hbuf_empty_slots(dev);
191         msg_slots = mei_data2slots(sizeof(struct hbm_client_connect_response));
192
193         if (slots < msg_slots)
194                 return -EMSGSIZE;
195
196         ret = mei_hbm_cl_disconnect_rsp(dev, cl);
197         list_move_tail(&cb->list, &cmpl_list->list);
198
199         return ret;
200 }
201
202 /**
203  * mei_cl_irq_read - processes client read related operation from the
204  *      interrupt thread context - request for flow control credits
205  *
206  * @cl: client
207  * @cb: callback block.
208  * @cmpl_list: complete list.
209  *
210  * Return: 0, OK; otherwise, error.
211  */
212 static int mei_cl_irq_read(struct mei_cl *cl, struct mei_cl_cb *cb,
213                            struct mei_cl_cb *cmpl_list)
214 {
215         struct mei_device *dev = cl->dev;
216         u32 msg_slots;
217         int slots;
218         int ret;
219
220         msg_slots = mei_data2slots(sizeof(struct hbm_flow_control));
221         slots = mei_hbuf_empty_slots(dev);
222
223         if (slots < msg_slots)
224                 return -EMSGSIZE;
225
226         ret = mei_hbm_cl_flow_control_req(dev, cl);
227         if (ret) {
228                 cl->status = ret;
229                 cb->buf_idx = 0;
230                 list_move_tail(&cb->list, &cmpl_list->list);
231                 return ret;
232         }
233
234         list_move_tail(&cb->list, &cl->rd_pending);
235
236         return 0;
237 }
238
239 static inline bool hdr_is_hbm(struct mei_msg_hdr *mei_hdr)
240 {
241         return mei_hdr->host_addr == 0 && mei_hdr->me_addr == 0;
242 }
243
244 static inline bool hdr_is_fixed(struct mei_msg_hdr *mei_hdr)
245 {
246         return mei_hdr->host_addr == 0 && mei_hdr->me_addr != 0;
247 }
248
249 /**
250  * mei_irq_read_handler - bottom half read routine after ISR to
251  * handle the read processing.
252  *
253  * @dev: the device structure
254  * @cmpl_list: An instance of our list structure
255  * @slots: slots to read.
256  *
257  * Return: 0 on success, <0 on failure.
258  */
259 int mei_irq_read_handler(struct mei_device *dev,
260                 struct mei_cl_cb *cmpl_list, s32 *slots)
261 {
262         struct mei_msg_hdr *mei_hdr;
263         struct mei_cl *cl;
264         int ret;
265
266         if (!dev->rd_msg_hdr) {
267                 dev->rd_msg_hdr = mei_read_hdr(dev);
268                 (*slots)--;
269                 dev_dbg(dev->dev, "slots =%08x.\n", *slots);
270         }
271         mei_hdr = (struct mei_msg_hdr *) &dev->rd_msg_hdr;
272         dev_dbg(dev->dev, MEI_HDR_FMT, MEI_HDR_PRM(mei_hdr));
273
274         if (mei_hdr->reserved || !dev->rd_msg_hdr) {
275                 dev_err(dev->dev, "corrupted message header 0x%08X\n",
276                                 dev->rd_msg_hdr);
277                 ret = -EBADMSG;
278                 goto end;
279         }
280
281         if (mei_slots2data(*slots) < mei_hdr->length) {
282                 dev_err(dev->dev, "less data available than length=%08x.\n",
283                                 *slots);
284                 /* we can't read the message */
285                 ret = -ENODATA;
286                 goto end;
287         }
288
289         /*  HBM message */
290         if (hdr_is_hbm(mei_hdr)) {
291                 ret = mei_hbm_dispatch(dev, mei_hdr);
292                 if (ret) {
293                         dev_dbg(dev->dev, "mei_hbm_dispatch failed ret = %d\n",
294                                         ret);
295                         goto end;
296                 }
297                 goto reset_slots;
298         }
299
300         /* find recipient cl */
301         list_for_each_entry(cl, &dev->file_list, link) {
302                 if (mei_cl_hbm_equal(cl, mei_hdr)) {
303                         cl_dbg(dev, cl, "got a message\n");
304                         break;
305                 }
306         }
307
308         /* if no recipient cl was found we assume corrupted header */
309         if (&cl->link == &dev->file_list) {
310                 /* A message for not connected fixed address clients
311                  * should be silently discarded
312                  */
313                 if (hdr_is_fixed(mei_hdr)) {
314                         mei_irq_discard_msg(dev, mei_hdr);
315                         ret = 0;
316                         goto reset_slots;
317                 }
318                 dev_err(dev->dev, "no destination client found 0x%08X\n",
319                                 dev->rd_msg_hdr);
320                 ret = -EBADMSG;
321                 goto end;
322         }
323
324         if (cl == &dev->iamthif_cl) {
325                 ret = mei_amthif_irq_read_msg(cl, mei_hdr, cmpl_list);
326         } else {
327                 ret = mei_cl_irq_read_msg(cl, mei_hdr, cmpl_list);
328         }
329
330
331 reset_slots:
332         /* reset the number of slots and header */
333         *slots = mei_count_full_read_slots(dev);
334         dev->rd_msg_hdr = 0;
335
336         if (*slots == -EOVERFLOW) {
337                 /* overflow - reset */
338                 dev_err(dev->dev, "resetting due to slots overflow.\n");
339                 /* set the event since message has been read */
340                 ret = -ERANGE;
341                 goto end;
342         }
343 end:
344         return ret;
345 }
346 EXPORT_SYMBOL_GPL(mei_irq_read_handler);
347
348
349 /**
350  * mei_irq_write_handler -  dispatch write requests
351  *  after irq received
352  *
353  * @dev: the device structure
354  * @cmpl_list: An instance of our list structure
355  *
356  * Return: 0 on success, <0 on failure.
357  */
358 int mei_irq_write_handler(struct mei_device *dev, struct mei_cl_cb *cmpl_list)
359 {
360
361         struct mei_cl *cl;
362         struct mei_cl_cb *cb, *next;
363         struct mei_cl_cb *list;
364         s32 slots;
365         int ret;
366
367
368         if (!mei_hbuf_acquire(dev))
369                 return 0;
370
371         slots = mei_hbuf_empty_slots(dev);
372         if (slots <= 0)
373                 return -EMSGSIZE;
374
375         /* complete all waiting for write CB */
376         dev_dbg(dev->dev, "complete all waiting for write cb.\n");
377
378         list = &dev->write_waiting_list;
379         list_for_each_entry_safe(cb, next, &list->list, list) {
380                 cl = cb->cl;
381
382                 cl->status = 0;
383                 cl_dbg(dev, cl, "MEI WRITE COMPLETE\n");
384                 cl->writing_state = MEI_WRITE_COMPLETE;
385                 list_move_tail(&cb->list, &cmpl_list->list);
386         }
387
388         /* complete control write list CB */
389         dev_dbg(dev->dev, "complete control write list cb.\n");
390         list_for_each_entry_safe(cb, next, &dev->ctrl_wr_list.list, list) {
391                 cl = cb->cl;
392                 switch (cb->fop_type) {
393                 case MEI_FOP_DISCONNECT:
394                         /* send disconnect message */
395                         ret = mei_cl_irq_disconnect(cl, cb, cmpl_list);
396                         if (ret)
397                                 return ret;
398
399                         break;
400                 case MEI_FOP_READ:
401                         /* send flow control message */
402                         ret = mei_cl_irq_read(cl, cb, cmpl_list);
403                         if (ret)
404                                 return ret;
405
406                         break;
407                 case MEI_FOP_CONNECT:
408                         /* connect message */
409                         ret = mei_cl_irq_connect(cl, cb, cmpl_list);
410                         if (ret)
411                                 return ret;
412
413                         break;
414                 case MEI_FOP_DISCONNECT_RSP:
415                         /* send disconnect resp */
416                         ret = mei_cl_irq_disconnect_rsp(cl, cb, cmpl_list);
417                         if (ret)
418                                 return ret;
419                         break;
420
421                 case MEI_FOP_NOTIFY_START:
422                 case MEI_FOP_NOTIFY_STOP:
423                         ret = mei_cl_irq_notify(cl, cb, cmpl_list);
424                         if (ret)
425                                 return ret;
426                         break;
427                 default:
428                         BUG();
429                 }
430
431         }
432         /* complete  write list CB */
433         dev_dbg(dev->dev, "complete write list cb.\n");
434         list_for_each_entry_safe(cb, next, &dev->write_list.list, list) {
435                 cl = cb->cl;
436                 if (cl == &dev->iamthif_cl)
437                         ret = mei_amthif_irq_write(cl, cb, cmpl_list);
438                 else
439                         ret = mei_cl_irq_write(cl, cb, cmpl_list);
440                 if (ret)
441                         return ret;
442         }
443         return 0;
444 }
445 EXPORT_SYMBOL_GPL(mei_irq_write_handler);
446
447
448 /**
449  * mei_connect_timeout  - connect/disconnect timeouts
450  *
451  * @cl: host client
452  */
453 static void mei_connect_timeout(struct mei_cl *cl)
454 {
455         struct mei_device *dev = cl->dev;
456
457         if (cl->state == MEI_FILE_CONNECTING) {
458                 if (dev->hbm_f_dot_supported) {
459                         cl->state = MEI_FILE_DISCONNECT_REQUIRED;
460                         wake_up(&cl->wait);
461                         return;
462                 }
463         }
464         mei_reset(dev);
465 }
466
467 /**
468  * mei_timer - timer function.
469  *
470  * @work: pointer to the work_struct structure
471  *
472  */
473 void mei_timer(struct work_struct *work)
474 {
475         struct mei_cl *cl;
476
477         struct mei_device *dev = container_of(work,
478                                         struct mei_device, timer_work.work);
479
480
481         mutex_lock(&dev->device_lock);
482
483         /* Catch interrupt stalls during HBM init handshake */
484         if (dev->dev_state == MEI_DEV_INIT_CLIENTS &&
485             dev->hbm_state != MEI_HBM_IDLE) {
486
487                 if (dev->init_clients_timer) {
488                         if (--dev->init_clients_timer == 0) {
489                                 dev_err(dev->dev, "timer: init clients timeout hbm_state = %d.\n",
490                                         dev->hbm_state);
491                                 mei_reset(dev);
492                                 goto out;
493                         }
494                 }
495         }
496
497         if (dev->dev_state != MEI_DEV_ENABLED)
498                 goto out;
499
500         /*** connect/disconnect timeouts ***/
501         list_for_each_entry(cl, &dev->file_list, link) {
502                 if (cl->timer_count) {
503                         if (--cl->timer_count == 0) {
504                                 dev_err(dev->dev, "timer: connect/disconnect timeout.\n");
505                                 mei_connect_timeout(cl);
506                                 goto out;
507                         }
508                 }
509         }
510
511         if (!mei_cl_is_connected(&dev->iamthif_cl))
512                 goto out;
513
514         if (dev->iamthif_stall_timer) {
515                 if (--dev->iamthif_stall_timer == 0) {
516                         dev_err(dev->dev, "timer: amthif  hanged.\n");
517                         mei_reset(dev);
518                         dev->iamthif_canceled = false;
519                         dev->iamthif_state = MEI_IAMTHIF_IDLE;
520
521                         mei_io_cb_free(dev->iamthif_current_cb);
522                         dev->iamthif_current_cb = NULL;
523
524                         dev->iamthif_fp = NULL;
525                         mei_amthif_run_next_cmd(dev);
526                 }
527         }
528
529 out:
530         if (dev->dev_state != MEI_DEV_DISABLED)
531                 schedule_delayed_work(&dev->timer_work, 2 * HZ);
532         mutex_unlock(&dev->device_lock);
533 }