From dd2bc5cc9e25554546f16661f8de1dcb8033dde0 Mon Sep 17 00:00:00 2001 From: Quan Nguyen Date: Tue, 4 Oct 2022 16:31:04 +0700 Subject: ipmi: ssif_bmc: Add SSIF BMC driver The SMBus system interface (SSIF) IPMI BMC driver can be used to perform in-band IPMI communication with their host in management (BMC) side. Thanks Dan for the copy_from_user() fix in the link below. Link: https://lore.kernel.org/linux-arm-kernel/20220310114119.13736-4-quan@os.amperecomputing.com/ Signed-off-by: Quan Nguyen Message-Id: <20221004093106.1653317-2-quan@os.amperecomputing.com> Signed-off-by: Corey Minyard --- drivers/char/ipmi/Kconfig | 10 + drivers/char/ipmi/Makefile | 1 + drivers/char/ipmi/ssif_bmc.c | 873 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 884 insertions(+) create mode 100644 drivers/char/ipmi/ssif_bmc.c (limited to 'drivers/char') diff --git a/drivers/char/ipmi/Kconfig b/drivers/char/ipmi/Kconfig index 39565cf74b2c..b6c0d35fc1a5 100644 --- a/drivers/char/ipmi/Kconfig +++ b/drivers/char/ipmi/Kconfig @@ -169,6 +169,16 @@ config ASPEED_BT_IPMI_BMC found on Aspeed SOCs (AST2400 and AST2500). The driver implements the BMC side of the BT interface. +config SSIF_IPMI_BMC + tristate "SSIF IPMI BMC driver" + depends on I2C && I2C_SLAVE + help + This enables the IPMI SMBus system interface (SSIF) at the + management (BMC) side. + + The driver implements the BMC side of the SMBus system + interface (SSIF). + config IPMB_DEVICE_INTERFACE tristate 'IPMB Interface handler' depends on I2C diff --git a/drivers/char/ipmi/Makefile b/drivers/char/ipmi/Makefile index 7ce790efad92..cb6138b8ded9 100644 --- a/drivers/char/ipmi/Makefile +++ b/drivers/char/ipmi/Makefile @@ -30,3 +30,4 @@ obj-$(CONFIG_ASPEED_BT_IPMI_BMC) += bt-bmc.o obj-$(CONFIG_ASPEED_KCS_IPMI_BMC) += kcs_bmc_aspeed.o obj-$(CONFIG_NPCM7XX_KCS_IPMI_BMC) += kcs_bmc_npcm7xx.o obj-$(CONFIG_IPMB_DEVICE_INTERFACE) += ipmb_dev_int.o +obj-$(CONFIG_SSIF_IPMI_BMC) += ssif_bmc.o diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c new file mode 100644 index 000000000000..a7bb4b99000e --- /dev/null +++ b/drivers/char/ipmi/ssif_bmc.c @@ -0,0 +1,873 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * The driver for BMC side of SSIF interface + * + * Copyright (c) 2022, Ampere Computing LLC + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEVICE_NAME "ipmi-ssif-host" + +#define GET_8BIT_ADDR(addr_7bit) (((addr_7bit) << 1) & 0xff) + +/* A standard SMBus Transaction is limited to 32 data bytes */ +#define MAX_PAYLOAD_PER_TRANSACTION 32 +/* Transaction includes the address, the command, the length and the PEC byte */ +#define MAX_TRANSACTION (MAX_PAYLOAD_PER_TRANSACTION + 4) + +#define MAX_IPMI_DATA_PER_START_TRANSACTION 30 +#define MAX_IPMI_DATA_PER_MIDDLE_TRANSACTION 31 + +#define SSIF_IPMI_SINGLEPART_WRITE 0x2 +#define SSIF_IPMI_SINGLEPART_READ 0x3 +#define SSIF_IPMI_MULTIPART_WRITE_START 0x6 +#define SSIF_IPMI_MULTIPART_WRITE_MIDDLE 0x7 +#define SSIF_IPMI_MULTIPART_WRITE_END 0x8 +#define SSIF_IPMI_MULTIPART_READ_START 0x3 +#define SSIF_IPMI_MULTIPART_READ_MIDDLE 0x9 + +/* + * IPMI 2.0 Spec, section 12.7 SSIF Timing, + * Request-to-Response Time is T6max(250ms) - T1max(20ms) - 3ms = 227ms + * Recover ssif_bmc from busy state if it takes up to 500ms + */ +#define RESPONSE_TIMEOUT 500 /* ms */ + +struct ssif_part_buffer { + u8 address; + u8 smbus_cmd; + u8 length; + u8 payload[MAX_PAYLOAD_PER_TRANSACTION]; + u8 pec; + u8 index; +}; + +/* + * SSIF internal states: + * SSIF_READY 0x00 : Ready state + * SSIF_START 0x01 : Start smbus transaction + * SSIF_SMBUS_CMD 0x02 : Received SMBus command + * SSIF_REQ_RECVING 0x03 : Receiving request + * SSIF_RES_SENDING 0x04 : Sending response + * SSIF_ABORTING 0x05 : Aborting state + */ +enum ssif_state { + SSIF_READY, + SSIF_START, + SSIF_SMBUS_CMD, + SSIF_REQ_RECVING, + SSIF_RES_SENDING, + SSIF_ABORTING, + SSIF_STATE_MAX +}; + +struct ssif_bmc_ctx { + struct i2c_client *client; + struct miscdevice miscdev; + int msg_idx; + bool pec_support; + /* ssif bmc spinlock */ + spinlock_t lock; + wait_queue_head_t wait_queue; + u8 running; + enum ssif_state state; + /* Timeout waiting for response */ + struct timer_list response_timer; + bool response_timer_inited; + /* Flag to identify a Multi-part Read Transaction */ + bool is_singlepart_read; + u8 nbytes_processed; + u8 remain_len; + u8 recv_len; + /* Block Number of a Multi-part Read Transaction */ + u8 block_num; + bool request_available; + bool response_in_progress; + bool busy; + bool aborting; + /* Buffer for SSIF Transaction part*/ + struct ssif_part_buffer part_buf; + struct ipmi_ssif_msg response; + struct ipmi_ssif_msg request; +}; + +static inline struct ssif_bmc_ctx *to_ssif_bmc(struct file *file) +{ + return container_of(file->private_data, struct ssif_bmc_ctx, miscdev); +} + +static const char *state_to_string(enum ssif_state state) +{ + switch (state) { + case SSIF_READY: + return "SSIF_READY"; + case SSIF_START: + return "SSIF_START"; + case SSIF_SMBUS_CMD: + return "SSIF_SMBUS_CMD"; + case SSIF_REQ_RECVING: + return "SSIF_REQ_RECVING"; + case SSIF_RES_SENDING: + return "SSIF_RES_SENDING"; + case SSIF_ABORTING: + return "SSIF_ABORTING"; + default: + return "SSIF_STATE_UNKNOWN"; + } +} + +/* Handle SSIF message that will be sent to user */ +static ssize_t ssif_bmc_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) +{ + struct ssif_bmc_ctx *ssif_bmc = to_ssif_bmc(file); + struct ipmi_ssif_msg msg; + unsigned long flags; + ssize_t ret; + + spin_lock_irqsave(&ssif_bmc->lock, flags); + while (!ssif_bmc->request_available) { + spin_unlock_irqrestore(&ssif_bmc->lock, flags); + if (file->f_flags & O_NONBLOCK) + return -EAGAIN; + ret = wait_event_interruptible(ssif_bmc->wait_queue, + ssif_bmc->request_available); + if (ret) + return ret; + spin_lock_irqsave(&ssif_bmc->lock, flags); + } + + if (count < min_t(ssize_t, + sizeof_field(struct ipmi_ssif_msg, len) + ssif_bmc->request.len, + sizeof(struct ipmi_ssif_msg))) { + spin_unlock_irqrestore(&ssif_bmc->lock, flags); + ret = -EINVAL; + } else { + count = min_t(ssize_t, + sizeof_field(struct ipmi_ssif_msg, len) + ssif_bmc->request.len, + sizeof(struct ipmi_ssif_msg)); + memcpy(&msg, &ssif_bmc->request, count); + ssif_bmc->request_available = false; + spin_unlock_irqrestore(&ssif_bmc->lock, flags); + + ret = copy_to_user(buf, &msg, count); + } + + return (ret < 0) ? ret : count; +} + +/* Handle SSIF message that is written by user */ +static ssize_t ssif_bmc_write(struct file *file, const char __user *buf, size_t count, + loff_t *ppos) +{ + struct ssif_bmc_ctx *ssif_bmc = to_ssif_bmc(file); + struct ipmi_ssif_msg msg; + unsigned long flags; + ssize_t ret; + + if (count > sizeof(struct ipmi_ssif_msg)) + return -EINVAL; + + if (copy_from_user(&msg, buf, count)) + return -EFAULT; + + if (!msg.len || count < sizeof_field(struct ipmi_ssif_msg, len) + msg.len) + return -EINVAL; + + spin_lock_irqsave(&ssif_bmc->lock, flags); + while (ssif_bmc->response_in_progress) { + spin_unlock_irqrestore(&ssif_bmc->lock, flags); + if (file->f_flags & O_NONBLOCK) + return -EAGAIN; + ret = wait_event_interruptible(ssif_bmc->wait_queue, + !ssif_bmc->response_in_progress); + if (ret) + return ret; + spin_lock_irqsave(&ssif_bmc->lock, flags); + } + + /* + * The write must complete before the response timeout fired, otherwise + * the response is aborted and wait for next request + * Return -EINVAL if the response is aborted + */ + ret = (ssif_bmc->response_timer_inited) ? 0 : -EINVAL; + if (ret) + goto exit; + + del_timer(&ssif_bmc->response_timer); + ssif_bmc->response_timer_inited = false; + + memcpy(&ssif_bmc->response, &msg, count); + ssif_bmc->is_singlepart_read = (msg.len <= MAX_PAYLOAD_PER_TRANSACTION); + + ssif_bmc->response_in_progress = true; + + /* ssif_bmc not busy */ + ssif_bmc->busy = false; + + /* Clean old request buffer */ + memset(&ssif_bmc->request, 0, sizeof(struct ipmi_ssif_msg)); +exit: + spin_unlock_irqrestore(&ssif_bmc->lock, flags); + + return (ret < 0) ? ret : count; +} + +static int ssif_bmc_open(struct inode *inode, struct file *file) +{ + struct ssif_bmc_ctx *ssif_bmc = to_ssif_bmc(file); + int ret = 0; + + spin_lock_irq(&ssif_bmc->lock); + if (!ssif_bmc->running) + ssif_bmc->running = 1; + else + ret = -EBUSY; + spin_unlock_irq(&ssif_bmc->lock); + + return ret; +} + +static __poll_t ssif_bmc_poll(struct file *file, poll_table *wait) +{ + struct ssif_bmc_ctx *ssif_bmc = to_ssif_bmc(file); + __poll_t mask = 0; + + poll_wait(file, &ssif_bmc->wait_queue, wait); + + spin_lock_irq(&ssif_bmc->lock); + /* The request is available, userspace application can get the request */ + if (ssif_bmc->request_available) + mask |= POLLIN; + + spin_unlock_irq(&ssif_bmc->lock); + + return mask; +} + +static int ssif_bmc_release(struct inode *inode, struct file *file) +{ + struct ssif_bmc_ctx *ssif_bmc = to_ssif_bmc(file); + + spin_lock_irq(&ssif_bmc->lock); + ssif_bmc->running = 0; + spin_unlock_irq(&ssif_bmc->lock); + + return 0; +} + +/* + * System calls to device interface for user apps + */ +static const struct file_operations ssif_bmc_fops = { + .owner = THIS_MODULE, + .open = ssif_bmc_open, + .read = ssif_bmc_read, + .write = ssif_bmc_write, + .release = ssif_bmc_release, + .poll = ssif_bmc_poll, +}; + +/* Called with ssif_bmc->lock held. */ +static void complete_response(struct ssif_bmc_ctx *ssif_bmc) +{ + /* Invalidate response in buffer to denote it having been sent. */ + ssif_bmc->response.len = 0; + ssif_bmc->response_in_progress = false; + ssif_bmc->nbytes_processed = 0; + ssif_bmc->remain_len = 0; + ssif_bmc->busy = false; + memset(&ssif_bmc->part_buf, 0, sizeof(struct ssif_part_buffer)); + wake_up_all(&ssif_bmc->wait_queue); +} + +static void response_timeout(struct timer_list *t) +{ + struct ssif_bmc_ctx *ssif_bmc = from_timer(ssif_bmc, t, response_timer); + unsigned long flags; + + spin_lock_irqsave(&ssif_bmc->lock, flags); + + /* Do nothing if the response is in progress */ + if (!ssif_bmc->response_in_progress) { + /* Recover ssif_bmc from busy */ + ssif_bmc->busy = false; + ssif_bmc->response_timer_inited = false; + /* Set aborting flag */ + ssif_bmc->aborting = true; + } + + spin_unlock_irqrestore(&ssif_bmc->lock, flags); +} + +/* Called with ssif_bmc->lock held. */ +static void handle_request(struct ssif_bmc_ctx *ssif_bmc) +{ + /* set ssif_bmc to busy waiting for response */ + ssif_bmc->busy = true; + /* Request message is available to process */ + ssif_bmc->request_available = true; + /* Clean old response buffer */ + memset(&ssif_bmc->response, 0, sizeof(struct ipmi_ssif_msg)); + /* This is the new READ request.*/ + wake_up_all(&ssif_bmc->wait_queue); + + /* Armed timer to recover slave from busy state in case of no response */ + if (!ssif_bmc->response_timer_inited) { + timer_setup(&ssif_bmc->response_timer, response_timeout, 0); + ssif_bmc->response_timer_inited = true; + } + mod_timer(&ssif_bmc->response_timer, jiffies + msecs_to_jiffies(RESPONSE_TIMEOUT)); +} + +static void calculate_response_part_pec(struct ssif_part_buffer *part) +{ + u8 addr = part->address; + + /* PEC - Start Read Address */ + part->pec = i2c_smbus_pec(0, &addr, 1); + /* PEC - SSIF Command */ + part->pec = i2c_smbus_pec(part->pec, &part->smbus_cmd, 1); + /* PEC - Restart Write Address */ + addr = addr | 0x01; + part->pec = i2c_smbus_pec(part->pec, &addr, 1); + part->pec = i2c_smbus_pec(part->pec, &part->length, 1); + if (part->length) + part->pec = i2c_smbus_pec(part->pec, part->payload, part->length); +} + +static void set_singlepart_response_buffer(struct ssif_bmc_ctx *ssif_bmc) +{ + struct ssif_part_buffer *part = &ssif_bmc->part_buf; + + part->address = GET_8BIT_ADDR(ssif_bmc->client->addr); + part->length = (u8)ssif_bmc->response.len; + + /* Clear the rest to 0 */ + memset(part->payload + part->length, 0, MAX_PAYLOAD_PER_TRANSACTION - part->length); + memcpy(&part->payload[0], &ssif_bmc->response.payload[0], part->length); +} + +static void set_multipart_response_buffer(struct ssif_bmc_ctx *ssif_bmc) +{ + struct ssif_part_buffer *part = &ssif_bmc->part_buf; + u8 part_len = 0; + + part->address = GET_8BIT_ADDR(ssif_bmc->client->addr); + switch (part->smbus_cmd) { + case SSIF_IPMI_MULTIPART_READ_START: + /* + * Read Start length is 32 bytes. + * Read Start transfer first 30 bytes of IPMI response + * and 2 special code 0x00, 0x01. + */ + ssif_bmc->nbytes_processed = 0; + ssif_bmc->block_num = 0; + part->length = MAX_PAYLOAD_PER_TRANSACTION; + part_len = MAX_IPMI_DATA_PER_START_TRANSACTION; + ssif_bmc->remain_len = ssif_bmc->response.len - part_len; + + part->payload[0] = 0x00; /* Start Flag */ + part->payload[1] = 0x01; /* Start Flag */ + + memcpy(&part->payload[2], &ssif_bmc->response.payload[0], part_len); + break; + + case SSIF_IPMI_MULTIPART_READ_MIDDLE: + /* + * IPMI READ Middle or READ End messages can carry up to 31 bytes + * IPMI data plus block number byte. + */ + if (ssif_bmc->remain_len <= MAX_IPMI_DATA_PER_MIDDLE_TRANSACTION) { + /* + * This is READ End message + * Return length is the remaining response data length + * plus block number + * Block number 0xFF is to indicate this is last message + * + */ + /* Clean the buffer */ + memset(&part->payload[0], 0, MAX_PAYLOAD_PER_TRANSACTION); + part->length = ssif_bmc->remain_len + 1; + part_len = ssif_bmc->remain_len; + ssif_bmc->block_num = 0xFF; + part->payload[0] = ssif_bmc->block_num; + } else { + /* + * This is READ Middle message + * Response length is the maximum SMBUS transfer length + * Block number byte is incremented + * Return length is maximum SMBUS transfer length + */ + part->length = MAX_PAYLOAD_PER_TRANSACTION; + part_len = MAX_IPMI_DATA_PER_MIDDLE_TRANSACTION; + part->payload[0] = ssif_bmc->block_num; + ssif_bmc->block_num++; + } + + ssif_bmc->remain_len -= part_len; + memcpy(&part->payload[1], ssif_bmc->response.payload + ssif_bmc->nbytes_processed, + part_len); + break; + + default: + /* Do not expect to go to this case */ + dev_err(&ssif_bmc->client->dev, "%s: Unexpected SMBus command 0x%x\n", + __func__, part->smbus_cmd); + break; + } + + ssif_bmc->nbytes_processed += part_len; +} + +static bool supported_read_cmd(u8 cmd) +{ + if (cmd == SSIF_IPMI_SINGLEPART_READ || + cmd == SSIF_IPMI_MULTIPART_READ_START || + cmd == SSIF_IPMI_MULTIPART_READ_MIDDLE) + return true; + + return false; +} + +static bool supported_write_cmd(u8 cmd) +{ + if (cmd == SSIF_IPMI_SINGLEPART_WRITE || + cmd == SSIF_IPMI_MULTIPART_WRITE_START || + cmd == SSIF_IPMI_MULTIPART_WRITE_MIDDLE || + cmd == SSIF_IPMI_MULTIPART_WRITE_END) + return true; + + return false; +} + +/* Process the IPMI response that will be read by master */ +static void handle_read_processed(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + struct ssif_part_buffer *part = &ssif_bmc->part_buf; + + /* msg_idx start from 0 */ + if (part->index < part->length) + *val = part->payload[part->index]; + else if (part->index == part->length && ssif_bmc->pec_support) + *val = part->pec; + else + *val = 0; + + part->index++; +} + +static void handle_write_received(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + /* + * The msg_idx must be 1 when first enter SSIF_REQ_RECVING state + * And it would never exceeded 36 bytes included the 32 bytes max payload + + * the address + the command + the len and the PEC. + */ + if (ssif_bmc->msg_idx < 1 || ssif_bmc->msg_idx > MAX_TRANSACTION) + return; + + if (ssif_bmc->msg_idx == 1) { + ssif_bmc->part_buf.length = *val; + ssif_bmc->part_buf.index = 0; + } else { + ssif_bmc->part_buf.payload[ssif_bmc->part_buf.index++] = *val; + } + + ssif_bmc->msg_idx++; +} + +static bool validate_request_part(struct ssif_bmc_ctx *ssif_bmc) +{ + struct ssif_part_buffer *part = &ssif_bmc->part_buf; + bool ret = true; + u8 cpec; + u8 addr; + + if (part->index == part->length) { + /* PEC is not included */ + ssif_bmc->pec_support = false; + ret = true; + goto exit; + } + + if (part->index != part->length + 1) { + ret = false; + goto exit; + } + + /* PEC is included */ + ssif_bmc->pec_support = true; + part->pec = part->payload[part->length]; + addr = GET_8BIT_ADDR(ssif_bmc->client->addr); + cpec = i2c_smbus_pec(0, &addr, 1); + cpec = i2c_smbus_pec(cpec, &part->smbus_cmd, 1); + cpec = i2c_smbus_pec(cpec, &part->length, 1); + /* + * As SMBus specification does not allow the length + * (byte count) in the Write-Block protocol to be zero. + * Therefore, it is illegal to have the last Middle + * transaction in the sequence carry 32-byte and have + * a length of ‘0’ in the End transaction. + * But some users may try to use this way and we should + * prevent ssif_bmc driver broken in this case. + */ + if (part->length) + cpec = i2c_smbus_pec(cpec, part->payload, part->length); + + if (cpec != part->pec) + ret = false; + +exit: + return ret; +} + +static void process_request_part(struct ssif_bmc_ctx *ssif_bmc) +{ + struct ssif_part_buffer *part = &ssif_bmc->part_buf; + unsigned int len; + + switch (part->smbus_cmd) { + case SSIF_IPMI_SINGLEPART_WRITE: + /* save the whole part to request*/ + ssif_bmc->request.len = part->length; + memcpy(ssif_bmc->request.payload, part->payload, part->length); + + break; + case SSIF_IPMI_MULTIPART_WRITE_START: + ssif_bmc->request.len = 0; + + fallthrough; + case SSIF_IPMI_MULTIPART_WRITE_MIDDLE: + case SSIF_IPMI_MULTIPART_WRITE_END: + len = ssif_bmc->request.len + part->length; + /* Do the bound check here, not allow the request len exceed 254 bytes */ + if (len > IPMI_SSIF_PAYLOAD_MAX) { + dev_warn(&ssif_bmc->client->dev, + "Warn: Request exceeded 254 bytes, aborting"); + /* Request too long, aborting */ + ssif_bmc->aborting = true; + } else { + memcpy(ssif_bmc->request.payload + ssif_bmc->request.len, + part->payload, part->length); + ssif_bmc->request.len += part->length; + } + break; + default: + /* Do not expect to go to this case */ + dev_err(&ssif_bmc->client->dev, "%s: Unexpected SMBus command 0x%x\n", + __func__, part->smbus_cmd); + break; + } +} + +static void process_smbus_cmd(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + /* SMBUS command can vary (single or multi-part) */ + ssif_bmc->part_buf.smbus_cmd = *val; + ssif_bmc->msg_idx = 1; + memset(&ssif_bmc->part_buf.payload[0], 0, MAX_PAYLOAD_PER_TRANSACTION); + + if (*val == SSIF_IPMI_SINGLEPART_WRITE || *val == SSIF_IPMI_MULTIPART_WRITE_START) { + /* + * The response maybe not come in-time, causing host SSIF driver + * to timeout and resend a new request. In such case check for + * pending response and clear it + */ + if (ssif_bmc->response_in_progress) + complete_response(ssif_bmc); + + /* This is new request, flip aborting flag if set */ + if (ssif_bmc->aborting) + ssif_bmc->aborting = false; + } +} + +static void on_read_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + if (ssif_bmc->state == SSIF_READY || + ssif_bmc->state == SSIF_START || + ssif_bmc->state == SSIF_REQ_RECVING || + ssif_bmc->state == SSIF_RES_SENDING) { + dev_warn(&ssif_bmc->client->dev, + "Warn: %s unexpected READ REQUESTED in state=%s\n", + __func__, state_to_string(ssif_bmc->state)); + ssif_bmc->state = SSIF_ABORTING; + *val = 0; + return; + + } else if (ssif_bmc->state == SSIF_SMBUS_CMD) { + if (!supported_read_cmd(ssif_bmc->part_buf.smbus_cmd)) { + dev_warn(&ssif_bmc->client->dev, "Warn: Unknown SMBus read command=0x%x", + ssif_bmc->part_buf.smbus_cmd); + ssif_bmc->aborting = true; + } + + if (ssif_bmc->aborting) + ssif_bmc->state = SSIF_ABORTING; + else + ssif_bmc->state = SSIF_RES_SENDING; + } + + ssif_bmc->msg_idx = 0; + + /* Send 0 if there is nothing to send */ + if (!ssif_bmc->response_in_progress || ssif_bmc->state == SSIF_ABORTING) { + *val = 0; + return; + } + + if (ssif_bmc->is_singlepart_read) + set_singlepart_response_buffer(ssif_bmc); + else + set_multipart_response_buffer(ssif_bmc); + + calculate_response_part_pec(&ssif_bmc->part_buf); + ssif_bmc->part_buf.index = 0; + *val = ssif_bmc->part_buf.length; +} + +static void on_read_processed_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + if (ssif_bmc->state == SSIF_READY || + ssif_bmc->state == SSIF_START || + ssif_bmc->state == SSIF_REQ_RECVING || + ssif_bmc->state == SSIF_SMBUS_CMD) { + dev_warn(&ssif_bmc->client->dev, + "Warn: %s unexpected READ PROCESSED in state=%s\n", + __func__, state_to_string(ssif_bmc->state)); + ssif_bmc->state = SSIF_ABORTING; + *val = 0; + return; + } + + /* Send 0 if there is nothing to send */ + if (!ssif_bmc->response_in_progress || ssif_bmc->state == SSIF_ABORTING) { + *val = 0; + return; + } + + handle_read_processed(ssif_bmc, val); +} + +static void on_write_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + if (ssif_bmc->state == SSIF_READY || ssif_bmc->state == SSIF_SMBUS_CMD) { + ssif_bmc->state = SSIF_START; + + } else if (ssif_bmc->state == SSIF_START || + ssif_bmc->state == SSIF_REQ_RECVING || + ssif_bmc->state == SSIF_RES_SENDING) { + dev_warn(&ssif_bmc->client->dev, + "Warn: %s unexpected WRITE REQUEST in state=%s\n", + __func__, state_to_string(ssif_bmc->state)); + ssif_bmc->state = SSIF_ABORTING; + return; + } + + ssif_bmc->msg_idx = 0; + ssif_bmc->part_buf.address = *val; +} + +static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + if (ssif_bmc->state == SSIF_READY || + ssif_bmc->state == SSIF_RES_SENDING) { + dev_warn(&ssif_bmc->client->dev, + "Warn: %s unexpected WRITE RECEIVED in state=%s\n", + __func__, state_to_string(ssif_bmc->state)); + ssif_bmc->state = SSIF_ABORTING; + + } else if (ssif_bmc->state == SSIF_START) { + ssif_bmc->state = SSIF_SMBUS_CMD; + + } else if (ssif_bmc->state == SSIF_SMBUS_CMD) { + if (!supported_write_cmd(ssif_bmc->part_buf.smbus_cmd)) { + dev_warn(&ssif_bmc->client->dev, "Warn: Unknown SMBus write command=0x%x", + ssif_bmc->part_buf.smbus_cmd); + ssif_bmc->aborting = true; + } + + if (ssif_bmc->aborting) + ssif_bmc->state = SSIF_ABORTING; + else + ssif_bmc->state = SSIF_REQ_RECVING; + } + + /* This is response sending state */ + if (ssif_bmc->state == SSIF_REQ_RECVING) + handle_write_received(ssif_bmc, val); + else if (ssif_bmc->state == SSIF_SMBUS_CMD) + process_smbus_cmd(ssif_bmc, val); +} + +static void on_stop_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val) +{ + if (ssif_bmc->state == SSIF_READY || + ssif_bmc->state == SSIF_START || + ssif_bmc->state == SSIF_SMBUS_CMD || + ssif_bmc->state == SSIF_ABORTING) { + dev_warn(&ssif_bmc->client->dev, + "Warn: %s unexpected SLAVE STOP in state=%s\n", + __func__, state_to_string(ssif_bmc->state)); + ssif_bmc->state = SSIF_READY; + + } else if (ssif_bmc->state == SSIF_REQ_RECVING) { + if (validate_request_part(ssif_bmc)) { + process_request_part(ssif_bmc); + if (ssif_bmc->part_buf.smbus_cmd == SSIF_IPMI_SINGLEPART_WRITE || + ssif_bmc->part_buf.smbus_cmd == SSIF_IPMI_MULTIPART_WRITE_END) + handle_request(ssif_bmc); + ssif_bmc->state = SSIF_READY; + } else { + /* + * A BMC that receives an invalid request drop the data for the write + * transaction and any further transactions (read or write) until + * the next valid read or write Start transaction is received + */ + dev_err(&ssif_bmc->client->dev, "Error: invalid pec\n"); + ssif_bmc->aborting = true; + } + } else if (ssif_bmc->state == SSIF_RES_SENDING) { + if (ssif_bmc->is_singlepart_read || ssif_bmc->block_num == 0xFF) + /* Invalidate response buffer to denote it is sent */ + complete_response(ssif_bmc); + ssif_bmc->state = SSIF_READY; + } + + /* Reset message index */ + ssif_bmc->msg_idx = 0; +} + +/* + * Callback function to handle I2C slave events + */ +static int ssif_bmc_cb(struct i2c_client *client, enum i2c_slave_event event, u8 *val) +{ + unsigned long flags; + struct ssif_bmc_ctx *ssif_bmc = i2c_get_clientdata(client); + int ret = 0; + + spin_lock_irqsave(&ssif_bmc->lock, flags); + + switch (event) { + case I2C_SLAVE_READ_REQUESTED: + on_read_requested_event(ssif_bmc, val); + break; + + case I2C_SLAVE_WRITE_REQUESTED: + on_write_requested_event(ssif_bmc, val); + break; + + case I2C_SLAVE_READ_PROCESSED: + on_read_processed_event(ssif_bmc, val); + break; + + case I2C_SLAVE_WRITE_RECEIVED: + on_write_received_event(ssif_bmc, val); + break; + + case I2C_SLAVE_STOP: + on_stop_event(ssif_bmc, val); + break; + + default: + dev_warn(&ssif_bmc->client->dev, "Warn: Unknown i2c slave event\n"); + break; + } + + if (!ssif_bmc->aborting && ssif_bmc->busy) + ret = -EBUSY; + + spin_unlock_irqrestore(&ssif_bmc->lock, flags); + + return ret; +} + +static int ssif_bmc_probe(struct i2c_client *client, const struct i2c_device_id *id) +{ + struct ssif_bmc_ctx *ssif_bmc; + int ret; + + ssif_bmc = devm_kzalloc(&client->dev, sizeof(*ssif_bmc), GFP_KERNEL); + if (!ssif_bmc) + return -ENOMEM; + + spin_lock_init(&ssif_bmc->lock); + + init_waitqueue_head(&ssif_bmc->wait_queue); + ssif_bmc->request_available = false; + ssif_bmc->response_in_progress = false; + ssif_bmc->busy = false; + ssif_bmc->response_timer_inited = false; + + /* Register misc device interface */ + ssif_bmc->miscdev.minor = MISC_DYNAMIC_MINOR; + ssif_bmc->miscdev.name = DEVICE_NAME; + ssif_bmc->miscdev.fops = &ssif_bmc_fops; + ssif_bmc->miscdev.parent = &client->dev; + ret = misc_register(&ssif_bmc->miscdev); + if (ret) + return ret; + + ssif_bmc->client = client; + ssif_bmc->client->flags |= I2C_CLIENT_SLAVE; + + /* Register I2C slave */ + i2c_set_clientdata(client, ssif_bmc); + ret = i2c_slave_register(client, ssif_bmc_cb); + if (ret) + misc_deregister(&ssif_bmc->miscdev); + + return ret; +} + +static void ssif_bmc_remove(struct i2c_client *client) +{ + struct ssif_bmc_ctx *ssif_bmc = i2c_get_clientdata(client); + + i2c_slave_unregister(client); + misc_deregister(&ssif_bmc->miscdev); +} + +static const struct of_device_id ssif_bmc_match[] = { + { .compatible = "ssif-bmc" }, + { }, +}; +MODULE_DEVICE_TABLE(of, ssif_bmc_match); + +static const struct i2c_device_id ssif_bmc_id[] = { + { DEVICE_NAME, 0 }, + { }, +}; +MODULE_DEVICE_TABLE(i2c, ssif_bmc_id); + +static struct i2c_driver ssif_bmc_driver = { + .driver = { + .name = DEVICE_NAME, + .of_match_table = ssif_bmc_match, + }, + .probe = ssif_bmc_probe, + .remove = ssif_bmc_remove, + .id_table = ssif_bmc_id, +}; + +module_i2c_driver(ssif_bmc_driver); + +MODULE_AUTHOR("Quan Nguyen "); +MODULE_AUTHOR("Chuong Tran "); +MODULE_DESCRIPTION("Linux device driver of the BMC IPMI SSIF interface."); +MODULE_LICENSE("GPL"); -- cgit v1.2.3 From f90bc0f97f2b65af233a37b2e32fc81871a1e3cf Mon Sep 17 00:00:00 2001 From: Andrew Jeffery Date: Sat, 13 Aug 2022 00:17:41 +0930 Subject: ipmi: kcs: Poll OBF briefly to reduce OBE latency The ASPEED KCS devices don't provide a BMC-side interrupt for the host reading the output data register (ODR). The act of the host reading ODR clears the output buffer full (OBF) flag in the status register (STR), informing the BMC it can transmit a subsequent byte. On the BMC side the KCS client must enable the OBE event *and* perform a subsequent read of STR anyway to avoid races - the polling provides a window for the host to read ODR if data was freshly written while minimising BMC-side latency. Fixes: 28651e6c4237 ("ipmi: kcs_bmc: Allow clients to control KCS IRQ state") Signed-off-by: Andrew Jeffery Reviewed-by: Joel Stanley Message-Id: <20220812144741.240315-1-andrew@aj.id.au> Signed-off-by: Corey Minyard --- drivers/char/ipmi/kcs_bmc_aspeed.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/kcs_bmc_aspeed.c b/drivers/char/ipmi/kcs_bmc_aspeed.c index 19c32bf50e0e..2dea8cd5a09a 100644 --- a/drivers/char/ipmi/kcs_bmc_aspeed.c +++ b/drivers/char/ipmi/kcs_bmc_aspeed.c @@ -406,13 +406,31 @@ static void aspeed_kcs_check_obe(struct timer_list *timer) static void aspeed_kcs_irq_mask_update(struct kcs_bmc_device *kcs_bmc, u8 mask, u8 state) { struct aspeed_kcs_bmc *priv = to_aspeed_kcs_bmc(kcs_bmc); + int rc; + u8 str; /* We don't have an OBE IRQ, emulate it */ if (mask & KCS_BMC_EVENT_TYPE_OBE) { - if (KCS_BMC_EVENT_TYPE_OBE & state) - mod_timer(&priv->obe.timer, jiffies + OBE_POLL_PERIOD); - else + if (KCS_BMC_EVENT_TYPE_OBE & state) { + /* + * Given we don't have an OBE IRQ, delay by polling briefly to see if we can + * observe such an event before returning to the caller. This is not + * incorrect because OBF may have already become clear before enabling the + * IRQ if we had one, under which circumstance no event will be propagated + * anyway. + * + * The onus is on the client to perform a race-free check that it hasn't + * missed the event. + */ + rc = read_poll_timeout_atomic(aspeed_kcs_inb, str, + !(str & KCS_BMC_STR_OBF), 1, 100, false, + &priv->kcs_bmc, priv->kcs_bmc.ioreg.str); + /* Time for the slow path? */ + if (rc == -ETIMEDOUT) + mod_timer(&priv->obe.timer, jiffies + OBE_POLL_PERIOD); + } else { del_timer(&priv->obe.timer); + } } if (mask & KCS_BMC_EVENT_TYPE_IBF) { -- cgit v1.2.3 From f6f1234d98cce69578bfac79df147a1f6660596c Mon Sep 17 00:00:00 2001 From: Zhang Yuchen Date: Fri, 7 Oct 2022 17:26:16 +0800 Subject: ipmi: fix long wait in unload when IPMI disconnect When fixing the problem mentioned in PATCH1, we also found the following problem: If the IPMI is disconnected and in the sending process, the uninstallation driver will be stuck for a long time. The main problem is that uninstalling the driver waits for curr_msg to be sent or HOSED. After stopping tasklet, the only place to trigger the timeout mechanism is the circular poll in shutdown_smi. The poll function delays 10us and calls smi_event_handler(smi_info,10). Smi_event_handler deducts 10us from kcs->ibf_timeout. But the poll func is followed by schedule_timeout_uninterruptible(1). The time consumed here is not counted in kcs->ibf_timeout. So when 10us is deducted from kcs->ibf_timeout, at least 1 jiffies has actually passed. The waiting time has increased by more than a hundredfold. Now instead of calling poll(). call smi_event_handler() directly and calculate the elapsed time. For verification, you can directly use ebpf to check the kcs-> ibf_timeout for each call to kcs_event() when IPMI is disconnected. Decrement at normal rate before unloading. The decrement rate becomes very slow after unloading. $ bpftrace -e 'kprobe:kcs_event {printf("kcs->ibftimeout : %d\n", *(arg0+584));}' Signed-off-by: Zhang Yuchen Message-Id: <20221007092617.87597-3-zhangyuchen.lcr@bytedance.com> Signed-off-by: Corey Minyard Cc: stable@vger.kernel.org --- drivers/char/ipmi/ipmi_si_intf.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 6e357ad76f2e..abddd7e43a9a 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -2153,6 +2153,20 @@ skip_fallback_noirq: } module_init(init_ipmi_si); +static void wait_msg_processed(struct smi_info *smi_info) +{ + unsigned long jiffies_now; + long time_diff; + + while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { + jiffies_now = jiffies; + time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies) + * SI_USEC_PER_JIFFY); + smi_event_handler(smi_info, time_diff); + schedule_timeout_uninterruptible(1); + } +} + static void shutdown_smi(void *send_info) { struct smi_info *smi_info = send_info; @@ -2187,16 +2201,13 @@ static void shutdown_smi(void *send_info) * in the BMC. Note that timers and CPU interrupts are off, * so no need for locks. */ - while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { - poll(smi_info); - schedule_timeout_uninterruptible(1); - } + wait_msg_processed(smi_info); + if (smi_info->handlers) disable_si_irq(smi_info); - while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { - poll(smi_info); - schedule_timeout_uninterruptible(1); - } + + wait_msg_processed(smi_info); + if (smi_info->handlers) smi_info->handlers->cleanup(smi_info->si_sm); -- cgit v1.2.3 From 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 Mon Sep 17 00:00:00 2001 From: Zhang Yuchen Date: Fri, 7 Oct 2022 17:26:17 +0800 Subject: ipmi: fix memleak when unload ipmi driver After the IPMI disconnect problem, the memory kept rising and we tried to unload the driver to free the memory. However, only part of the free memory is recovered after the driver is uninstalled. Using ebpf to hook free functions, we find that neither ipmi_user nor ipmi_smi_msg is free, only ipmi_recv_msg is free. We find that the deliver_smi_err_response call in clean_smi_msgs does the destroy processing on each message from the xmit_msg queue without checking the return value and free ipmi_smi_msg. deliver_smi_err_response is called only at this location. Adding the free handling has no effect. To verify, try using ebpf to trace the free function. $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n", arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n", retval);} kprobe:free_smi_msg {printf("free smi %p\n",arg0)}' Signed-off-by: Zhang Yuchen Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com> [Fixed the comment above handle_one_recv_msg().] Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 49a1707693c9..d5ee52be176d 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -3704,12 +3704,16 @@ static void deliver_smi_err_response(struct ipmi_smi *intf, struct ipmi_smi_msg *msg, unsigned char err) { + int rv; msg->rsp[0] = msg->data[0] | 4; msg->rsp[1] = msg->data[1]; msg->rsp[2] = err; msg->rsp_size = 3; - /* It's an error, so it will never requeue, no need to check return. */ - handle_one_recv_msg(intf, msg); + + /* This will never requeue, but it may ask us to free the message. */ + rv = handle_one_recv_msg(intf, msg); + if (rv == 0) + ipmi_free_smi_msg(msg); } static void cleanup_smi_msgs(struct ipmi_smi *intf) -- cgit v1.2.3 From c608966f3f9c2dca596967501d00753282b395fc Mon Sep 17 00:00:00 2001 From: Zhang Yuchen Date: Sun, 9 Oct 2022 17:18:09 +0800 Subject: ipmi: fix msg stack when IPMI is disconnected If you continue to access and send messages at a high frequency (once every 55s) when the IPMI is disconnected, messages will accumulate in intf->[hp_]xmit_msg. If it lasts long enough, it takes up a lot of memory. The reason is that if IPMI is disconnected, each message will be set to IDLE after it returns to HOSED through IDLE->ERROR0->HOSED. The next message goes through the same process when it comes in. This process needs to wait for IBF_TIMEOUT * (MAX_ERROR_RETRIES + 1) = 55s. Each message takes 55S to destroy. This results in a continuous increase in memory. I find that if I wait 5 seconds after the first message fails, the status changes to ERROR0 in smi_timeout(). The next message will return the error code IPMI_NOT_IN_MY_STATE_ERR directly without wait. This is more in line with our needs. So instead of setting each message state to IDLE after it reaches the state HOSED, set state to ERROR0. After testing, the problem has been solved, no matter how many consecutive sends, will not cause continuous memory growth. It also returns to normal immediately after the IPMI is restored. In addition, the HOSED state should also count as invalid. So the HOSED is removed from the invalid judgment in start_kcs_transaction(). The verification operations are as follows: 1. Use BPF to record the ipmi_alloc/free_smi_msg(). $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc %p\n",retval);} kprobe:free_recv_msg {printf("free %p\n",arg0)}' 2. Exec `date; time for x in $(seq 1 2); do ipmitool mc info; done`. 3. Record the output of `time` and when free all msgs. Before: `time` takes 120s, This is because `ipmitool mc info` send 4 msgs and waits only 15 seconds for each message. Last msg is free after 440s. $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc %p\n",retval);} kprobe:free_recv_msg {printf("free %p\n",arg0)}' Oct 05 11:40:55 Attaching 2 probes... Oct 05 11:41:12 alloc 0xffff9558a05f0c00 Oct 05 11:41:27 alloc 0xffff9558a05f1a00 Oct 05 11:41:42 alloc 0xffff9558a05f0000 Oct 05 11:41:57 alloc 0xffff9558a05f1400 Oct 05 11:42:07 free 0xffff9558a05f0c00 Oct 05 11:42:07 alloc 0xffff9558a05f7000 Oct 05 11:42:22 alloc 0xffff9558a05f2a00 Oct 05 11:42:37 alloc 0xffff9558a05f5a00 Oct 05 11:42:52 alloc 0xffff9558a05f3a00 Oct 05 11:43:02 free 0xffff9558a05f1a00 Oct 05 11:43:57 free 0xffff9558a05f0000 Oct 05 11:44:52 free 0xffff9558a05f1400 Oct 05 11:45:47 free 0xffff9558a05f7000 Oct 05 11:46:42 free 0xffff9558a05f2a00 Oct 05 11:47:37 free 0xffff9558a05f5a00 Oct 05 11:48:32 free 0xffff9558a05f3a00 $ root@dc00-pb003-t106-n078:~# date;time for x in $(seq 1 2); do ipmitool mc info; done Wed Oct 5 11:41:12 CST 2022 No data available Get Device ID command failed No data available No data available No valid response received Get Device ID command failed: Unspecified error No data available Get Device ID command failed No data available No data available No valid response received No data available Get Device ID command failed real 1m55.052s user 0m0.001s sys 0m0.001s After: `time` takes 55s, all msgs is returned and free after 55s. $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc %p\n",retval);} kprobe:free_recv_msg {printf("free %p\n",arg0)}' Oct 07 16:30:35 Attaching 2 probes... Oct 07 16:30:45 alloc 0xffff955943aa9800 Oct 07 16:31:00 alloc 0xffff955943aacc00 Oct 07 16:31:15 alloc 0xffff955943aa8c00 Oct 07 16:31:30 alloc 0xffff955943aaf600 Oct 07 16:31:40 free 0xffff955943aa9800 Oct 07 16:31:40 free 0xffff955943aacc00 Oct 07 16:31:40 free 0xffff955943aa8c00 Oct 07 16:31:40 free 0xffff955943aaf600 Oct 07 16:31:40 alloc 0xffff9558ec8f7e00 Oct 07 16:31:40 free 0xffff9558ec8f7e00 Oct 07 16:31:40 alloc 0xffff9558ec8f7800 Oct 07 16:31:40 free 0xffff9558ec8f7800 Oct 07 16:31:40 alloc 0xffff9558ec8f7e00 Oct 07 16:31:40 free 0xffff9558ec8f7e00 Oct 07 16:31:40 alloc 0xffff9558ec8f7800 Oct 07 16:31:40 free 0xffff9558ec8f7800 root@dc00-pb003-t106-n078:~# date;time for x in $(seq 1 2); do ipmitool mc info; done Fri Oct 7 16:30:45 CST 2022 No data available Get Device ID command failed No data available No data available No valid response received Get Device ID command failed: Unspecified error Get Device ID command failed: 0xd5 Command not supported in present state Get Device ID command failed: Command not supported in present state real 0m55.038s user 0m0.001s sys 0m0.001s Signed-off-by: Zhang Yuchen Message-Id: <20221009091811.40240-2-zhangyuchen.lcr@bytedance.com> Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_kcs_sm.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_kcs_sm.c b/drivers/char/ipmi/ipmi_kcs_sm.c index efda90dcf5b3..ecfcb50302f6 100644 --- a/drivers/char/ipmi/ipmi_kcs_sm.c +++ b/drivers/char/ipmi/ipmi_kcs_sm.c @@ -122,10 +122,10 @@ struct si_sm_data { unsigned long error0_timeout; }; -static unsigned int init_kcs_data(struct si_sm_data *kcs, - struct si_sm_io *io) +static unsigned int init_kcs_data_with_state(struct si_sm_data *kcs, + struct si_sm_io *io, enum kcs_states state) { - kcs->state = KCS_IDLE; + kcs->state = state; kcs->io = io; kcs->write_pos = 0; kcs->write_count = 0; @@ -140,6 +140,12 @@ static unsigned int init_kcs_data(struct si_sm_data *kcs, return 2; } +static unsigned int init_kcs_data(struct si_sm_data *kcs, + struct si_sm_io *io) +{ + return init_kcs_data_with_state(kcs, io, KCS_IDLE); +} + static inline unsigned char read_status(struct si_sm_data *kcs) { return kcs->io->inputb(kcs->io, 1); @@ -270,7 +276,7 @@ static int start_kcs_transaction(struct si_sm_data *kcs, unsigned char *data, if (size > MAX_KCS_WRITE_SIZE) return IPMI_REQ_LEN_EXCEEDED_ERR; - if ((kcs->state != KCS_IDLE) && (kcs->state != KCS_HOSED)) { + if (kcs->state != KCS_IDLE) { dev_warn(kcs->io->dev, "KCS in invalid state %d\n", kcs->state); return IPMI_NOT_IN_MY_STATE_ERR; } @@ -495,7 +501,7 @@ static enum si_sm_result kcs_event(struct si_sm_data *kcs, long time) } if (kcs->state == KCS_HOSED) { - init_kcs_data(kcs, kcs->io); + init_kcs_data_with_state(kcs, kcs->io, KCS_ERROR0); return SI_SM_HOSED; } -- cgit v1.2.3 From 6dbd4341b9da2063d86cdf4ed8d051e2617506b0 Mon Sep 17 00:00:00 2001 From: Quan Nguyen Date: Mon, 24 Oct 2022 14:59:56 +0700 Subject: ipmi: ssif_bmc: Use EPOLLIN instead of POLLIN This fixes the following sparse warning: sparse warnings: (new ones prefixed by >>) >> drivers/char/ipmi/ssif_bmc.c:254:22: sparse: sparse: invalid assignment: |= >> drivers/char/ipmi/ssif_bmc.c:254:22: sparse: left side has type restricted __poll_t >> drivers/char/ipmi/ssif_bmc.c:254:22: sparse: right side has type int Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver") Reported-by: kernel test robot Link: https://lore.kernel.org/all/202210181103.ontD9tRT-lkp@intel.com/ Signed-off-by: Quan Nguyen Message-Id: <20221024075956.3312552-1-quan@os.amperecomputing.com> Signed-off-by: Corey Minyard --- drivers/char/ipmi/ssif_bmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c index a7bb4b99000e..2d8069386398 100644 --- a/drivers/char/ipmi/ssif_bmc.c +++ b/drivers/char/ipmi/ssif_bmc.c @@ -251,7 +251,7 @@ static __poll_t ssif_bmc_poll(struct file *file, poll_table *wait) spin_lock_irq(&ssif_bmc->lock); /* The request is available, userspace application can get the request */ if (ssif_bmc->request_available) - mask |= POLLIN; + mask |= EPOLLIN; spin_unlock_irq(&ssif_bmc->lock); -- cgit v1.2.3 From cad3fe56d03e25d9d929b85aa05f208766f4c80d Mon Sep 17 00:00:00 2001 From: Bo Liu Date: Tue, 25 Oct 2022 02:04:36 -0400 Subject: ipmi: Fix some kernel-doc warnings The current code provokes some kernel-doc warnings: drivers/char/ipmi/ipmi_msghandler.c:618: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst Signed-off-by: Bo Liu Message-Id: <20221025060436.4372-1-liubo03@inspur.com> Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_msghandler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index d5ee52be176d..f6b8ca6df9b5 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -614,7 +614,7 @@ static int __ipmi_bmc_register(struct ipmi_smi *intf, static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id); -/** +/* * The driver model view of the IPMI messaging driver. */ static struct platform_driver ipmidriver = { -- cgit v1.2.3 From 39721d62bbc16ebc9bb2bdc2c163658f33da3b0b Mon Sep 17 00:00:00 2001 From: Corey Minyard Date: Thu, 3 Nov 2022 15:03:11 -0500 Subject: ipmi:ssif: Increase the message retry time The spec states that the minimum message retry time is 60ms, but it was set to 20ms. Correct it. Reported by: Tony Camuso Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_ssif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index e1072809fe31..4bfd1e306616 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -74,7 +74,7 @@ /* * Timer values */ -#define SSIF_MSG_USEC 20000 /* 20ms between message tries. */ +#define SSIF_MSG_USEC 60000 /* 60ms between message tries. */ #define SSIF_MSG_PART_USEC 5000 /* 5ms for a message part */ /* How many times to we retry sending/receiving the message. */ -- cgit v1.2.3 From 0eb1762f3c77a20f4a93f29239f0cb0a52d41dd6 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sat, 5 Nov 2022 12:16:54 +0100 Subject: ipmi/watchdog: Include when appropriate The kstrto() functions have been moved from kernel.h to kstrtox.h. So, in order to eventually remove from , include the latter directly in the appropriate files. Signed-off-by: Christophe JAILLET Message-Id: <37daa028845d90ee77f1e547121a051a983fec2e.1667647002.git.christophe.jaillet@wanadoo.fr> Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_watchdog.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c index 5b4e677929ca..47365150e431 100644 --- a/drivers/char/ipmi/ipmi_watchdog.c +++ b/drivers/char/ipmi/ipmi_watchdog.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include -- cgit v1.2.3 From a92ce570c81dc0feaeb12a429b4bc65686d17967 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 15 Nov 2022 16:17:43 +0300 Subject: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the "intf" pointer so we cannot dereference it again on the next line. Fixes: cbb79863fc31 ("ipmi: Don't allow device module unload when in use") Signed-off-by: Dan Carpenter Message-Id: Cc: # 5.5+ Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_msghandler.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index f6b8ca6df9b5..186f1fee7534 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -1330,6 +1330,7 @@ static void _ipmi_destroy_user(struct ipmi_user *user) unsigned long flags; struct cmd_rcvr *rcvr; struct cmd_rcvr *rcvrs = NULL; + struct module *owner; if (!acquire_ipmi_user(user, &i)) { /* @@ -1392,8 +1393,9 @@ static void _ipmi_destroy_user(struct ipmi_user *user) kfree(rcvr); } + owner = intf->owner; kref_put(&intf->refcount, intf_free); - module_put(intf->owner); + module_put(owner); } int ipmi_destroy_user(struct ipmi_user *user) -- cgit v1.2.3 From b8fadb396414972c7e526f3f94c0b4d114d2b2a1 Mon Sep 17 00:00:00 2001 From: Uwe Kleine-König Date: Fri, 18 Nov 2022 23:45:39 +0100 Subject: ipmi: ssif_bmc: Convert to i2c's .probe_new() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The probe function doesn't make use of the i2c_device_id * parameter so it can be trivially converted. Signed-off-by: Uwe Kleine-König Message-Id: <20221118224540.619276-606-uwe@kleine-koenig.org> Signed-off-by: Corey Minyard --- drivers/char/ipmi/ssif_bmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c index 2d8069386398..caee848261e9 100644 --- a/drivers/char/ipmi/ssif_bmc.c +++ b/drivers/char/ipmi/ssif_bmc.c @@ -797,7 +797,7 @@ static int ssif_bmc_cb(struct i2c_client *client, enum i2c_slave_event event, u8 return ret; } -static int ssif_bmc_probe(struct i2c_client *client, const struct i2c_device_id *id) +static int ssif_bmc_probe(struct i2c_client *client) { struct ssif_bmc_ctx *ssif_bmc; int ret; @@ -860,7 +860,7 @@ static struct i2c_driver ssif_bmc_driver = { .name = DEVICE_NAME, .of_match_table = ssif_bmc_match, }, - .probe = ssif_bmc_probe, + .probe_new = ssif_bmc_probe, .remove = ssif_bmc_remove, .id_table = ssif_bmc_id, }; -- cgit v1.2.3 From c6f613e5f35b0e2154d5ca12f0e8e0be0c19be9a Mon Sep 17 00:00:00 2001 From: "yang.yang29@zte.com.cn" Date: Mon, 5 Dec 2022 19:36:40 +0800 Subject: ipmi/watchdog: use strscpy() to instead of strncpy() Xu Panda The implementation of strscpy() is more robust and safer. That's now the recommended way to copy NUL terminated strings. Signed-off-by: Xu Panda Signed-off-by: Yang Yang Message-Id: <202212051936400309332@zte.com.cn> Signed-off-by: Corey Minyard --- drivers/char/ipmi/ipmi_watchdog.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c index 47365150e431..0d4a8dcacfd4 100644 --- a/drivers/char/ipmi/ipmi_watchdog.c +++ b/drivers/char/ipmi/ipmi_watchdog.c @@ -213,8 +213,7 @@ static int set_param_str(const char *val, const struct kernel_param *kp) char valcp[16]; char *s; - strncpy(valcp, val, 15); - valcp[15] = '\0'; + strscpy(valcp, val, 16); s = strstrip(valcp); -- cgit v1.2.3