ext4: fix possible use-after-free in ext4_remove_li_request()
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / drivers / acpi / acpi_ipmi.c
blobf40acef80269fa9e6a38435b1c328a7c80552b34
1 /*
2 * acpi_ipmi.c - ACPI IPMI opregion
4 * Copyright (C) 2010 Intel Corporation
5 * Copyright (C) 2010 Zhao Yakui <yakui.zhao@intel.com>
7 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or (at
12 * your option) any later version.
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
23 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
26 #include <linux/kernel.h>
27 #include <linux/module.h>
28 #include <linux/init.h>
29 #include <linux/types.h>
30 #include <linux/delay.h>
31 #include <linux/proc_fs.h>
32 #include <linux/seq_file.h>
33 #include <linux/interrupt.h>
34 #include <linux/list.h>
35 #include <linux/spinlock.h>
36 #include <linux/io.h>
37 #include <acpi/acpi_bus.h>
38 #include <acpi/acpi_drivers.h>
39 #include <linux/ipmi.h>
40 #include <linux/device.h>
41 #include <linux/pnp.h>
43 MODULE_AUTHOR("Zhao Yakui");
44 MODULE_DESCRIPTION("ACPI IPMI Opregion driver");
45 MODULE_LICENSE("GPL");
47 #define IPMI_FLAGS_HANDLER_INSTALL 0
49 #define ACPI_IPMI_OK 0
50 #define ACPI_IPMI_TIMEOUT 0x10
51 #define ACPI_IPMI_UNKNOWN 0x07
52 /* the IPMI timeout is 5s */
53 #define IPMI_TIMEOUT (5 * HZ)
55 struct acpi_ipmi_device {
56 /* the device list attached to driver_data.ipmi_devices */
57 struct list_head head;
58 /* the IPMI request message list */
59 struct list_head tx_msg_list;
60 struct mutex tx_msg_lock;
61 acpi_handle handle;
62 struct pnp_dev *pnp_dev;
63 ipmi_user_t user_interface;
64 int ipmi_ifnum; /* IPMI interface number */
65 long curr_msgid;
66 unsigned long flags;
67 struct ipmi_smi_info smi_data;
70 struct ipmi_driver_data {
71 struct list_head ipmi_devices;
72 struct ipmi_smi_watcher bmc_events;
73 struct ipmi_user_hndl ipmi_hndlrs;
74 struct mutex ipmi_lock;
77 struct acpi_ipmi_msg {
78 struct list_head head;
80 * General speaking the addr type should be SI_ADDR_TYPE. And
81 * the addr channel should be BMC.
82 * In fact it can also be IPMB type. But we will have to
83 * parse it from the Netfn command buffer. It is so complex
84 * that it is skipped.
86 struct ipmi_addr addr;
87 long tx_msgid;
88 /* it is used to track whether the IPMI message is finished */
89 struct completion tx_complete;
90 struct kernel_ipmi_msg tx_message;
91 int msg_done;
92 /* tx data . And copy it from ACPI object buffer */
93 u8 tx_data[64];
94 int tx_len;
95 u8 rx_data[64];
96 int rx_len;
97 struct acpi_ipmi_device *device;
100 /* IPMI request/response buffer per ACPI 4.0, sec 5.5.2.4.3.2 */
101 struct acpi_ipmi_buffer {
102 u8 status;
103 u8 length;
104 u8 data[64];
107 static void ipmi_register_bmc(int iface, struct device *dev);
108 static void ipmi_bmc_gone(int iface);
109 static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data);
110 static void acpi_add_ipmi_device(struct acpi_ipmi_device *ipmi_device);
111 static void acpi_remove_ipmi_device(struct acpi_ipmi_device *ipmi_device);
113 static struct ipmi_driver_data driver_data = {
114 .ipmi_devices = LIST_HEAD_INIT(driver_data.ipmi_devices),
115 .bmc_events = {
116 .owner = THIS_MODULE,
117 .new_smi = ipmi_register_bmc,
118 .smi_gone = ipmi_bmc_gone,
120 .ipmi_hndlrs = {
121 .ipmi_recv_hndl = ipmi_msg_handler,
125 static struct acpi_ipmi_msg *acpi_alloc_ipmi_msg(struct acpi_ipmi_device *ipmi)
127 struct acpi_ipmi_msg *ipmi_msg;
128 struct pnp_dev *pnp_dev = ipmi->pnp_dev;
130 ipmi_msg = kzalloc(sizeof(struct acpi_ipmi_msg), GFP_KERNEL);
131 if (!ipmi_msg) {
132 dev_warn(&pnp_dev->dev, "Can't allocate memory for ipmi_msg\n");
133 return NULL;
135 init_completion(&ipmi_msg->tx_complete);
136 INIT_LIST_HEAD(&ipmi_msg->head);
137 ipmi_msg->device = ipmi;
138 return ipmi_msg;
141 #define IPMI_OP_RGN_NETFN(offset) ((offset >> 8) & 0xff)
142 #define IPMI_OP_RGN_CMD(offset) (offset & 0xff)
143 static void acpi_format_ipmi_msg(struct acpi_ipmi_msg *tx_msg,
144 acpi_physical_address address,
145 acpi_integer *value)
147 struct kernel_ipmi_msg *msg;
148 struct acpi_ipmi_buffer *buffer;
149 struct acpi_ipmi_device *device;
151 msg = &tx_msg->tx_message;
153 * IPMI network function and command are encoded in the address
154 * within the IPMI OpRegion; see ACPI 4.0, sec 5.5.2.4.3.
156 msg->netfn = IPMI_OP_RGN_NETFN(address);
157 msg->cmd = IPMI_OP_RGN_CMD(address);
158 msg->data = tx_msg->tx_data;
160 * value is the parameter passed by the IPMI opregion space handler.
161 * It points to the IPMI request message buffer
163 buffer = (struct acpi_ipmi_buffer *)value;
164 /* copy the tx message data */
165 msg->data_len = buffer->length;
166 memcpy(tx_msg->tx_data, buffer->data, msg->data_len);
168 * now the default type is SYSTEM_INTERFACE and channel type is BMC.
169 * If the netfn is APP_REQUEST and the cmd is SEND_MESSAGE,
170 * the addr type should be changed to IPMB. Then we will have to parse
171 * the IPMI request message buffer to get the IPMB address.
172 * If so, please fix me.
174 tx_msg->addr.addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
175 tx_msg->addr.channel = IPMI_BMC_CHANNEL;
176 tx_msg->addr.data[0] = 0;
178 /* Get the msgid */
179 device = tx_msg->device;
180 mutex_lock(&device->tx_msg_lock);
181 device->curr_msgid++;
182 tx_msg->tx_msgid = device->curr_msgid;
183 mutex_unlock(&device->tx_msg_lock);
186 static void acpi_format_ipmi_response(struct acpi_ipmi_msg *msg,
187 acpi_integer *value, int rem_time)
189 struct acpi_ipmi_buffer *buffer;
192 * value is also used as output parameter. It represents the response
193 * IPMI message returned by IPMI command.
195 buffer = (struct acpi_ipmi_buffer *)value;
196 if (!rem_time && !msg->msg_done) {
197 buffer->status = ACPI_IPMI_TIMEOUT;
198 return;
201 * If the flag of msg_done is not set or the recv length is zero, it
202 * means that the IPMI command is not executed correctly.
203 * The status code will be ACPI_IPMI_UNKNOWN.
205 if (!msg->msg_done || !msg->rx_len) {
206 buffer->status = ACPI_IPMI_UNKNOWN;
207 return;
210 * If the IPMI response message is obtained correctly, the status code
211 * will be ACPI_IPMI_OK
213 buffer->status = ACPI_IPMI_OK;
214 buffer->length = msg->rx_len;
215 memcpy(buffer->data, msg->rx_data, msg->rx_len);
218 static void ipmi_flush_tx_msg(struct acpi_ipmi_device *ipmi)
220 struct acpi_ipmi_msg *tx_msg, *temp;
221 int count = HZ / 10;
222 struct pnp_dev *pnp_dev = ipmi->pnp_dev;
224 list_for_each_entry_safe(tx_msg, temp, &ipmi->tx_msg_list, head) {
225 /* wake up the sleep thread on the Tx msg */
226 complete(&tx_msg->tx_complete);
229 /* wait for about 100ms to flush the tx message list */
230 while (count--) {
231 if (list_empty(&ipmi->tx_msg_list))
232 break;
233 schedule_timeout(1);
235 if (!list_empty(&ipmi->tx_msg_list))
236 dev_warn(&pnp_dev->dev, "tx msg list is not NULL\n");
239 static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
241 struct acpi_ipmi_device *ipmi_device = user_msg_data;
242 int msg_found = 0;
243 struct acpi_ipmi_msg *tx_msg;
244 struct pnp_dev *pnp_dev = ipmi_device->pnp_dev;
246 if (msg->user != ipmi_device->user_interface) {
247 dev_warn(&pnp_dev->dev, "Unexpected response is returned. "
248 "returned user %p, expected user %p\n",
249 msg->user, ipmi_device->user_interface);
250 ipmi_free_recv_msg(msg);
251 return;
253 mutex_lock(&ipmi_device->tx_msg_lock);
254 list_for_each_entry(tx_msg, &ipmi_device->tx_msg_list, head) {
255 if (msg->msgid == tx_msg->tx_msgid) {
256 msg_found = 1;
257 break;
261 mutex_unlock(&ipmi_device->tx_msg_lock);
262 if (!msg_found) {
263 dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is "
264 "returned.\n", msg->msgid);
265 ipmi_free_recv_msg(msg);
266 return;
269 if (msg->msg.data_len) {
270 /* copy the response data to Rx_data buffer */
271 memcpy(tx_msg->rx_data, msg->msg_data, msg->msg.data_len);
272 tx_msg->rx_len = msg->msg.data_len;
273 tx_msg->msg_done = 1;
275 complete(&tx_msg->tx_complete);
276 ipmi_free_recv_msg(msg);
279 static void ipmi_register_bmc(int iface, struct device *dev)
281 struct acpi_ipmi_device *ipmi_device, *temp;
282 struct pnp_dev *pnp_dev;
283 ipmi_user_t user;
284 int err;
285 struct ipmi_smi_info smi_data;
286 acpi_handle handle;
288 err = ipmi_get_smi_info(iface, &smi_data);
290 if (err)
291 return;
293 if (smi_data.addr_src != SI_ACPI) {
294 put_device(smi_data.dev);
295 return;
298 handle = smi_data.addr_info.acpi_info.acpi_handle;
300 mutex_lock(&driver_data.ipmi_lock);
301 list_for_each_entry(temp, &driver_data.ipmi_devices, head) {
303 * if the corresponding ACPI handle is already added
304 * to the device list, don't add it again.
306 if (temp->handle == handle)
307 goto out;
310 ipmi_device = kzalloc(sizeof(*ipmi_device), GFP_KERNEL);
312 if (!ipmi_device)
313 goto out;
315 pnp_dev = to_pnp_dev(smi_data.dev);
316 ipmi_device->handle = handle;
317 ipmi_device->pnp_dev = pnp_dev;
319 err = ipmi_create_user(iface, &driver_data.ipmi_hndlrs,
320 ipmi_device, &user);
321 if (err) {
322 dev_warn(&pnp_dev->dev, "Can't create IPMI user interface\n");
323 kfree(ipmi_device);
324 goto out;
326 acpi_add_ipmi_device(ipmi_device);
327 ipmi_device->user_interface = user;
328 ipmi_device->ipmi_ifnum = iface;
329 mutex_unlock(&driver_data.ipmi_lock);
330 memcpy(&ipmi_device->smi_data, &smi_data, sizeof(struct ipmi_smi_info));
331 return;
333 out:
334 mutex_unlock(&driver_data.ipmi_lock);
335 put_device(smi_data.dev);
336 return;
339 static void ipmi_bmc_gone(int iface)
341 struct acpi_ipmi_device *ipmi_device, *temp;
343 mutex_lock(&driver_data.ipmi_lock);
344 list_for_each_entry_safe(ipmi_device, temp,
345 &driver_data.ipmi_devices, head) {
346 if (ipmi_device->ipmi_ifnum != iface)
347 continue;
349 acpi_remove_ipmi_device(ipmi_device);
350 put_device(ipmi_device->smi_data.dev);
351 kfree(ipmi_device);
352 break;
354 mutex_unlock(&driver_data.ipmi_lock);
356 /* --------------------------------------------------------------------------
357 * Address Space Management
358 * -------------------------------------------------------------------------- */
360 * This is the IPMI opregion space handler.
361 * @function: indicates the read/write. In fact as the IPMI message is driven
362 * by command, only write is meaningful.
363 * @address: This contains the netfn/command of IPMI request message.
364 * @bits : not used.
365 * @value : it is an in/out parameter. It points to the IPMI message buffer.
366 * Before the IPMI message is sent, it represents the actual request
367 * IPMI message. After the IPMI message is finished, it represents
368 * the response IPMI message returned by IPMI command.
369 * @handler_context: IPMI device context.
372 static acpi_status
373 acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
374 u32 bits, acpi_integer *value,
375 void *handler_context, void *region_context)
377 struct acpi_ipmi_msg *tx_msg;
378 struct acpi_ipmi_device *ipmi_device = handler_context;
379 int err, rem_time;
380 acpi_status status;
382 * IPMI opregion message.
383 * IPMI message is firstly written to the BMC and system software
384 * can get the respsonse. So it is unmeaningful for the read access
385 * of IPMI opregion.
387 if ((function & ACPI_IO_MASK) == ACPI_READ)
388 return AE_TYPE;
390 if (!ipmi_device->user_interface)
391 return AE_NOT_EXIST;
393 tx_msg = acpi_alloc_ipmi_msg(ipmi_device);
394 if (!tx_msg)
395 return AE_NO_MEMORY;
397 acpi_format_ipmi_msg(tx_msg, address, value);
398 mutex_lock(&ipmi_device->tx_msg_lock);
399 list_add_tail(&tx_msg->head, &ipmi_device->tx_msg_list);
400 mutex_unlock(&ipmi_device->tx_msg_lock);
401 err = ipmi_request_settime(ipmi_device->user_interface,
402 &tx_msg->addr,
403 tx_msg->tx_msgid,
404 &tx_msg->tx_message,
405 NULL, 0, 0, 0);
406 if (err) {
407 status = AE_ERROR;
408 goto end_label;
410 rem_time = wait_for_completion_timeout(&tx_msg->tx_complete,
411 IPMI_TIMEOUT);
412 acpi_format_ipmi_response(tx_msg, value, rem_time);
413 status = AE_OK;
415 end_label:
416 mutex_lock(&ipmi_device->tx_msg_lock);
417 list_del(&tx_msg->head);
418 mutex_unlock(&ipmi_device->tx_msg_lock);
419 kfree(tx_msg);
420 return status;
423 static void ipmi_remove_space_handler(struct acpi_ipmi_device *ipmi)
425 if (!test_bit(IPMI_FLAGS_HANDLER_INSTALL, &ipmi->flags))
426 return;
428 acpi_remove_address_space_handler(ipmi->handle,
429 ACPI_ADR_SPACE_IPMI, &acpi_ipmi_space_handler);
431 clear_bit(IPMI_FLAGS_HANDLER_INSTALL, &ipmi->flags);
434 static int ipmi_install_space_handler(struct acpi_ipmi_device *ipmi)
436 acpi_status status;
438 if (test_bit(IPMI_FLAGS_HANDLER_INSTALL, &ipmi->flags))
439 return 0;
441 status = acpi_install_address_space_handler(ipmi->handle,
442 ACPI_ADR_SPACE_IPMI,
443 &acpi_ipmi_space_handler,
444 NULL, ipmi);
445 if (ACPI_FAILURE(status)) {
446 struct pnp_dev *pnp_dev = ipmi->pnp_dev;
447 dev_warn(&pnp_dev->dev, "Can't register IPMI opregion space "
448 "handle\n");
449 return -EINVAL;
451 set_bit(IPMI_FLAGS_HANDLER_INSTALL, &ipmi->flags);
452 return 0;
455 static void acpi_add_ipmi_device(struct acpi_ipmi_device *ipmi_device)
458 INIT_LIST_HEAD(&ipmi_device->head);
460 mutex_init(&ipmi_device->tx_msg_lock);
461 INIT_LIST_HEAD(&ipmi_device->tx_msg_list);
462 ipmi_install_space_handler(ipmi_device);
464 list_add_tail(&ipmi_device->head, &driver_data.ipmi_devices);
467 static void acpi_remove_ipmi_device(struct acpi_ipmi_device *ipmi_device)
470 * If the IPMI user interface is created, it should be
471 * destroyed.
473 if (ipmi_device->user_interface) {
474 ipmi_destroy_user(ipmi_device->user_interface);
475 ipmi_device->user_interface = NULL;
477 /* flush the Tx_msg list */
478 if (!list_empty(&ipmi_device->tx_msg_list))
479 ipmi_flush_tx_msg(ipmi_device);
481 list_del(&ipmi_device->head);
482 ipmi_remove_space_handler(ipmi_device);
485 static int __init acpi_ipmi_init(void)
487 int result = 0;
489 if (acpi_disabled)
490 return result;
492 mutex_init(&driver_data.ipmi_lock);
494 result = ipmi_smi_watcher_register(&driver_data.bmc_events);
496 return result;
499 static void __exit acpi_ipmi_exit(void)
501 struct acpi_ipmi_device *ipmi_device, *temp;
503 if (acpi_disabled)
504 return;
506 ipmi_smi_watcher_unregister(&driver_data.bmc_events);
509 * When one smi_watcher is unregistered, it is only deleted
510 * from the smi_watcher list. But the smi_gone callback function
511 * is not called. So explicitly uninstall the ACPI IPMI oregion
512 * handler and free it.
514 mutex_lock(&driver_data.ipmi_lock);
515 list_for_each_entry_safe(ipmi_device, temp,
516 &driver_data.ipmi_devices, head) {
517 acpi_remove_ipmi_device(ipmi_device);
518 put_device(ipmi_device->smi_data.dev);
519 kfree(ipmi_device);
521 mutex_unlock(&driver_data.ipmi_lock);
524 module_init(acpi_ipmi_init);
525 module_exit(acpi_ipmi_exit);