bh.c - cachepc-linux - Fork of AMDESE/linux with modifications for CachePC side-channel attack

	cachepc-linux Fork of AMDESE/linux with modifications for CachePC side-channel attack
	git clone https://git.sinitax.com/sinitax/cachepc-linux
	Log \| Files \| Refs \| README \| LICENSE \| sfeed.txt
bh.c (8840B)
      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * Interrupt bottom half (BH).
      4 *
      5 * Copyright (c) 2017-2020, Silicon Laboratories, Inc.
      6 * Copyright (c) 2010, ST-Ericsson
      7 */
      8#include <linux/gpio/consumer.h>
      9#include <net/mac80211.h>
     10
     11#include "bh.h"
     12#include "wfx.h"
     13#include "hwio.h"
     14#include "traces.h"
     15#include "hif_rx.h"
     16#include "hif_api_cmd.h"
     17
     18static void device_wakeup(struct wfx_dev *wdev)
     19{
     20	int max_retry = 3;
     21
     22	if (!wdev->pdata.gpio_wakeup)
     23		return;
     24	if (gpiod_get_value_cansleep(wdev->pdata.gpio_wakeup) > 0)
     25		return;
     26
     27	if (wfx_api_older_than(wdev, 1, 4)) {
     28		gpiod_set_value_cansleep(wdev->pdata.gpio_wakeup, 1);
     29		if (!completion_done(&wdev->hif.ctrl_ready))
     30			usleep_range(2000, 2500);
     31		return;
     32	}
     33	for (;;) {
     34		gpiod_set_value_cansleep(wdev->pdata.gpio_wakeup, 1);
     35		/* completion.h does not provide any function to wait completion without consume it
     36		 * (a kind of wait_for_completion_done_timeout()). So we have to emulate it.
     37		 */
     38		if (wait_for_completion_timeout(&wdev->hif.ctrl_ready, msecs_to_jiffies(2))) {
     39			complete(&wdev->hif.ctrl_ready);
     40			return;
     41		} else if (max_retry-- > 0) {
     42			/* Older firmwares have a race in sleep/wake-up process.  Redo the process
     43			 * is sufficient to unfreeze the chip.
     44			 */
     45			dev_err(wdev->dev, "timeout while wake up chip\n");
     46			gpiod_set_value_cansleep(wdev->pdata.gpio_wakeup, 0);
     47			usleep_range(2000, 2500);
     48		} else {
     49			dev_err(wdev->dev, "max wake-up retries reached\n");
     50			return;
     51		}
     52	}
     53}
     54
     55static void device_release(struct wfx_dev *wdev)
     56{
     57	if (!wdev->pdata.gpio_wakeup)
     58		return;
     59
     60	gpiod_set_value_cansleep(wdev->pdata.gpio_wakeup, 0);
     61}
     62
     63static int rx_helper(struct wfx_dev *wdev, size_t read_len, int *is_cnf)
     64{
     65	struct sk_buff *skb;
     66	struct wfx_hif_msg *hif;
     67	size_t alloc_len;
     68	size_t computed_len;
     69	int release_count;
     70	int piggyback = 0;
     71
     72	WARN(read_len > round_down(0xFFF, 2) * sizeof(u16), "request exceed the chip capability");
     73
     74	/* Add 2 to take into account piggyback size */
     75	alloc_len = wdev->hwbus_ops->align_size(wdev->hwbus_priv, read_len + 2);
     76	skb = dev_alloc_skb(alloc_len);
     77	if (!skb)
     78		return -ENOMEM;
     79
     80	if (wfx_data_read(wdev, skb->data, alloc_len))
     81		goto err;
     82
     83	piggyback = le16_to_cpup((__le16 *)(skb->data + alloc_len - 2));
     84	_trace_piggyback(piggyback, false);
     85
     86	hif = (struct wfx_hif_msg *)skb->data;
     87	WARN(hif->encrypted & 0x3, "encryption is unsupported");
     88	if (WARN(read_len < sizeof(struct wfx_hif_msg), "corrupted read"))
     89		goto err;
     90	computed_len = le16_to_cpu(hif->len);
     91	computed_len = round_up(computed_len, 2);
     92	if (computed_len != read_len) {
     93		dev_err(wdev->dev, "inconsistent message length: %zu != %zu\n",
     94			computed_len, read_len);
     95		print_hex_dump(KERN_INFO, "hif: ", DUMP_PREFIX_OFFSET, 16, 1,
     96			       hif, read_len, true);
     97		goto err;
     98	}
     99
    100	if (!(hif->id & HIF_ID_IS_INDICATION)) {
    101		(*is_cnf)++;
    102		if (hif->id == HIF_CNF_ID_MULTI_TRANSMIT)
    103			release_count =
    104				((struct wfx_hif_cnf_multi_transmit *)hif->body)->num_tx_confs;
    105		else
    106			release_count = 1;
    107		WARN(wdev->hif.tx_buffers_used < release_count, "corrupted buffer counter");
    108		wdev->hif.tx_buffers_used -= release_count;
    109	}
    110	_trace_hif_recv(hif, wdev->hif.tx_buffers_used);
    111
    112	if (hif->id != HIF_IND_ID_EXCEPTION && hif->id != HIF_IND_ID_ERROR) {
    113		if (hif->seqnum != wdev->hif.rx_seqnum)
    114			dev_warn(wdev->dev, "wrong message sequence: %d != %d\n",
    115				 hif->seqnum, wdev->hif.rx_seqnum);
    116		wdev->hif.rx_seqnum = (hif->seqnum + 1) % (HIF_COUNTER_MAX + 1);
    117	}
    118
    119	skb_put(skb, le16_to_cpu(hif->len));
    120	/* wfx_handle_rx takes care on SKB livetime */
    121	wfx_handle_rx(wdev, skb);
    122	if (!wdev->hif.tx_buffers_used)
    123		wake_up(&wdev->hif.tx_buffers_empty);
    124
    125	return piggyback;
    126
    127err:
    128	if (skb)
    129		dev_kfree_skb(skb);
    130	return -EIO;
    131}
    132
    133static int bh_work_rx(struct wfx_dev *wdev, int max_msg, int *num_cnf)
    134{
    135	size_t len;
    136	int i;
    137	int ctrl_reg, piggyback;
    138
    139	piggyback = 0;
    140	for (i = 0; i < max_msg; i++) {
    141		if (piggyback & CTRL_NEXT_LEN_MASK)
    142			ctrl_reg = piggyback;
    143		else if (try_wait_for_completion(&wdev->hif.ctrl_ready))
    144			ctrl_reg = atomic_xchg(&wdev->hif.ctrl_reg, 0);
    145		else
    146			ctrl_reg = 0;
    147		if (!(ctrl_reg & CTRL_NEXT_LEN_MASK))
    148			return i;
    149		/* ctrl_reg units are 16bits words */
    150		len = (ctrl_reg & CTRL_NEXT_LEN_MASK) * 2;
    151		piggyback = rx_helper(wdev, len, num_cnf);
    152		if (piggyback < 0)
    153			return i;
    154		if (!(piggyback & CTRL_WLAN_READY))
    155			dev_err(wdev->dev, "unexpected piggyback value: ready bit not set: %04x\n",
    156				piggyback);
    157	}
    158	if (piggyback & CTRL_NEXT_LEN_MASK) {
    159		ctrl_reg = atomic_xchg(&wdev->hif.ctrl_reg, piggyback);
    160		complete(&wdev->hif.ctrl_ready);
    161		if (ctrl_reg)
    162			dev_err(wdev->dev, "unexpected IRQ happened: %04x/%04x\n",
    163				ctrl_reg, piggyback);
    164	}
    165	return i;
    166}
    167
    168static void tx_helper(struct wfx_dev *wdev, struct wfx_hif_msg *hif)
    169{
    170	int ret;
    171	void *data;
    172	bool is_encrypted = false;
    173	size_t len = le16_to_cpu(hif->len);
    174
    175	WARN(len < sizeof(*hif), "try to send corrupted data");
    176
    177	hif->seqnum = wdev->hif.tx_seqnum;
    178	wdev->hif.tx_seqnum = (wdev->hif.tx_seqnum + 1) % (HIF_COUNTER_MAX + 1);
    179
    180	data = hif;
    181	WARN(len > le16_to_cpu(wdev->hw_caps.size_inp_ch_buf),
    182	     "request exceed the chip capability: %zu > %d\n",
    183	     len, le16_to_cpu(wdev->hw_caps.size_inp_ch_buf));
    184	len = wdev->hwbus_ops->align_size(wdev->hwbus_priv, len);
    185	ret = wfx_data_write(wdev, data, len);
    186	if (ret)
    187		goto end;
    188
    189	wdev->hif.tx_buffers_used++;
    190	_trace_hif_send(hif, wdev->hif.tx_buffers_used);
    191end:
    192	if (is_encrypted)
    193		kfree(data);
    194}
    195
    196static int bh_work_tx(struct wfx_dev *wdev, int max_msg)
    197{
    198	struct wfx_hif_msg *hif;
    199	int i;
    200
    201	for (i = 0; i < max_msg; i++) {
    202		hif = NULL;
    203		if (wdev->hif.tx_buffers_used < le16_to_cpu(wdev->hw_caps.num_inp_ch_bufs)) {
    204			if (try_wait_for_completion(&wdev->hif_cmd.ready)) {
    205				WARN(!mutex_is_locked(&wdev->hif_cmd.lock), "data locking error");
    206				hif = wdev->hif_cmd.buf_send;
    207			} else {
    208				hif = wfx_tx_queues_get(wdev);
    209			}
    210		}
    211		if (!hif)
    212			return i;
    213		tx_helper(wdev, hif);
    214	}
    215	return i;
    216}
    217
    218/* In SDIO mode, it is necessary to make an access to a register to acknowledge last received
    219 * message. It could be possible to restrict this acknowledge to SDIO mode and only if last
    220 * operation was rx.
    221 */
    222static void ack_sdio_data(struct wfx_dev *wdev)
    223{
    224	u32 cfg_reg;
    225
    226	wfx_config_reg_read(wdev, &cfg_reg);
    227	if (cfg_reg & 0xFF) {
    228		dev_warn(wdev->dev, "chip reports errors: %02x\n", cfg_reg & 0xFF);
    229		wfx_config_reg_write_bits(wdev, 0xFF, 0x00);
    230	}
    231}
    232
    233static void bh_work(struct work_struct *work)
    234{
    235	struct wfx_dev *wdev = container_of(work, struct wfx_dev, hif.bh);
    236	int stats_req = 0, stats_cnf = 0, stats_ind = 0;
    237	bool release_chip = false, last_op_is_rx = false;
    238	int num_tx, num_rx;
    239
    240	device_wakeup(wdev);
    241	do {
    242		num_tx = bh_work_tx(wdev, 32);
    243		stats_req += num_tx;
    244		if (num_tx)
    245			last_op_is_rx = false;
    246		num_rx = bh_work_rx(wdev, 32, &stats_cnf);
    247		stats_ind += num_rx;
    248		if (num_rx)
    249			last_op_is_rx = true;
    250	} while (num_rx || num_tx);
    251	stats_ind -= stats_cnf;
    252
    253	if (last_op_is_rx)
    254		ack_sdio_data(wdev);
    255	if (!wdev->hif.tx_buffers_used && !work_pending(work)) {
    256		device_release(wdev);
    257		release_chip = true;
    258	}
    259	_trace_bh_stats(stats_ind, stats_req, stats_cnf, wdev->hif.tx_buffers_used, release_chip);
    260}
    261
    262/* An IRQ from chip did occur */
    263void wfx_bh_request_rx(struct wfx_dev *wdev)
    264{
    265	u32 cur, prev;
    266
    267	wfx_control_reg_read(wdev, &cur);
    268	prev = atomic_xchg(&wdev->hif.ctrl_reg, cur);
    269	complete(&wdev->hif.ctrl_ready);
    270	queue_work(wdev->bh_wq, &wdev->hif.bh);
    271
    272	if (!(cur & CTRL_NEXT_LEN_MASK))
    273		dev_err(wdev->dev, "unexpected control register value: length field is 0: %04x\n",
    274			cur);
    275	if (prev != 0)
    276		dev_err(wdev->dev, "received IRQ but previous data was not (yet) read: %04x/%04x\n",
    277			prev, cur);
    278}
    279
    280/* Driver want to send data */
    281void wfx_bh_request_tx(struct wfx_dev *wdev)
    282{
    283	queue_work(wdev->bh_wq, &wdev->hif.bh);
    284}
    285
    286/* If IRQ is not available, this function allow to manually poll the control register and simulate
    287 * an IRQ ahen an event happened.
    288 *
    289 * Note that the device has a bug: If an IRQ raise while host read control register, the IRQ is
    290 * lost. So, use this function carefully (only duing device initialisation).
    291 */
    292void wfx_bh_poll_irq(struct wfx_dev *wdev)
    293{
    294	ktime_t now, start;
    295	u32 reg;
    296
    297	WARN(!wdev->poll_irq, "unexpected IRQ polling can mask IRQ");
    298	flush_workqueue(wdev->bh_wq);
    299	start = ktime_get();
    300	for (;;) {
    301		wfx_control_reg_read(wdev, &reg);
    302		now = ktime_get();
    303		if (reg & 0xFFF)
    304			break;
    305		if (ktime_after(now, ktime_add_ms(start, 1000))) {
    306			dev_err(wdev->dev, "time out while polling control register\n");
    307			return;
    308		}
    309		udelay(200);
    310	}
    311	wfx_bh_request_rx(wdev);
    312}
    313
    314void wfx_bh_register(struct wfx_dev *wdev)
    315{
    316	INIT_WORK(&wdev->hif.bh, bh_work);
    317	init_completion(&wdev->hif.ctrl_ready);
    318	init_waitqueue_head(&wdev->hif.tx_buffers_empty);
    319}
    320
    321void wfx_bh_unregister(struct wfx_dev *wdev)
    322{
    323	flush_work(&wdev->hif.bh);
    324}