1	// SPDX-License-Identifier: GPL-2.0+
2	/*
3	* ipmi_msghandler.c
4	*
5	* Incoming and outgoing message routing for an IPMI interface.
6	*
7	* Author: MontaVista Software, Inc.
8	* Corey Minyard <minyard@mvista.com>
9	* source@mvista.com
10	*
11	* Copyright 2002 MontaVista Software Inc.
12	*/
13
14	#define pr_fmt(fmt) "IPMI message handler: " fmt
15	#define dev_fmt(fmt) pr_fmt(fmt)
16
17	#include <linux/module.h>
18	#include <linux/errno.h>
19	#include <linux/panic_notifier.h>
20	#include <linux/poll.h>
21	#include <linux/sched.h>
22	#include <linux/seq_file.h>
23	#include <linux/spinlock.h>
24	#include <linux/mutex.h>
25	#include <linux/slab.h>
26	#include <linux/ipmi.h>
27	#include <linux/ipmi_smi.h>
28	#include <linux/notifier.h>
29	#include <linux/init.h>
30	#include <linux/proc_fs.h>
31	#include <linux/rcupdate.h>
32	#include <linux/interrupt.h>
33	#include <linux/moduleparam.h>
34	#include <linux/workqueue.h>
35	#include <linux/uuid.h>
36	#include <linux/nospec.h>
37	#include <linux/vmalloc.h>
38	#include <linux/delay.h>
39
40	#define IPMI_DRIVER_VERSION "39.2"
41
42	static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void);
43	static int ipmi_init_msghandler(void);
44	static void smi_recv_tasklet(struct tasklet_struct *t);
45	static void handle_new_recv_msgs(struct ipmi_smi *intf);
46	static void need_waiter(struct ipmi_smi *intf);
47	static int handle_one_recv_msg(struct ipmi_smi *intf,
48	struct ipmi_smi_msg *msg);
49
50	static bool initialized;
51	static bool drvregistered;
52
53	/* Numbers in this enumerator should be mapped to ipmi_panic_event_str */
54	enum ipmi_panic_event_op {
55	IPMI_SEND_PANIC_EVENT_NONE,
56	IPMI_SEND_PANIC_EVENT,
57	IPMI_SEND_PANIC_EVENT_STRING,
58	IPMI_SEND_PANIC_EVENT_MAX
59	};
60
61	/* Indices in this array should be mapped to enum ipmi_panic_event_op */
62	static const char *const ipmi_panic_event_str[] = { "none", "event", "string", NULL };
63
64	#ifdef CONFIG_IPMI_PANIC_STRING
65	#define IPMI_PANIC_DEFAULT IPMI_SEND_PANIC_EVENT_STRING
66	#elif defined(CONFIG_IPMI_PANIC_EVENT)
67	#define IPMI_PANIC_DEFAULT IPMI_SEND_PANIC_EVENT
68	#else
69	#define IPMI_PANIC_DEFAULT IPMI_SEND_PANIC_EVENT_NONE
70	#endif
71
72	static enum ipmi_panic_event_op ipmi_send_panic_event = IPMI_PANIC_DEFAULT;
73
74	static int panic_op_write_handler(const char *val,
75	const struct kernel_param *kp)
76	{
77	char valcp[16];
78	int e;
79
80	strscpy(valcp, val, sizeof(valcp));
81	e = match_string(array: ipmi_panic_event_str, n: -1, string: strstrip(str: valcp));
82	if (e < 0)
83	return e;
84
85	ipmi_send_panic_event = e;
86	return 0;
87	}
88
89	static int panic_op_read_handler(char *buffer, const struct kernel_param *kp)
90	{
91	const char *event_str;
92
93	if (ipmi_send_panic_event >= IPMI_SEND_PANIC_EVENT_MAX)
94	event_str = "???";
95	else
96	event_str = ipmi_panic_event_str[ipmi_send_panic_event];
97
98	return sprintf(buf: buffer, fmt: "%s\n", event_str);
99	}
100
101	static const struct kernel_param_ops panic_op_ops = {
102	.set = panic_op_write_handler,
103	.get = panic_op_read_handler
104	};
105	module_param_cb(panic_op, &panic_op_ops, NULL, 0600);
106	MODULE_PARM_DESC(panic_op, "Sets if the IPMI driver will attempt to store panic information in the event log in the event of a panic. Set to 'none' for no, 'event' for a single event, or 'string' for a generic event and the panic string in IPMI OEM events.");
107
108
109	#define MAX_EVENTS_IN_QUEUE 25
110
111	/* Remain in auto-maintenance mode for this amount of time (in ms). */
112	static unsigned long maintenance_mode_timeout_ms = 30000;
113	module_param(maintenance_mode_timeout_ms, ulong, 0644);
114	MODULE_PARM_DESC(maintenance_mode_timeout_ms,
115	"The time (milliseconds) after the last maintenance message that the connection stays in maintenance mode.");
116
117	/*
118	* Don't let a message sit in a queue forever, always time it with at lest
119	* the max message timer. This is in milliseconds.
120	*/
121	#define MAX_MSG_TIMEOUT 60000
122
123	/*
124	* Timeout times below are in milliseconds, and are done off a 1
125	* second timer. So setting the value to 1000 would mean anything
126	* between 0 and 1000ms. So really the only reasonable minimum
127	* setting it 2000ms, which is between 1 and 2 seconds.
128	*/
129
130	/* The default timeout for message retries. */
131	static unsigned long default_retry_ms = 2000;
132	module_param(default_retry_ms, ulong, 0644);
133	MODULE_PARM_DESC(default_retry_ms,
134	"The time (milliseconds) between retry sends");
135
136	/* The default timeout for maintenance mode message retries. */
137	static unsigned long default_maintenance_retry_ms = 3000;
138	module_param(default_maintenance_retry_ms, ulong, 0644);
139	MODULE_PARM_DESC(default_maintenance_retry_ms,
140	"The time (milliseconds) between retry sends in maintenance mode");
141
142	/* The default maximum number of retries */
143	static unsigned int default_max_retries = 4;
144	module_param(default_max_retries, uint, 0644);
145	MODULE_PARM_DESC(default_max_retries,
146	"The time (milliseconds) between retry sends in maintenance mode");
147
148	/* The default maximum number of users that may register. */
149	static unsigned int max_users = 30;
150	module_param(max_users, uint, 0644);
151	MODULE_PARM_DESC(max_users,
152	"The most users that may use the IPMI stack at one time.");
153
154	/* The default maximum number of message a user may have outstanding. */
155	static unsigned int max_msgs_per_user = 100;
156	module_param(max_msgs_per_user, uint, 0644);
157	MODULE_PARM_DESC(max_msgs_per_user,
158	"The most message a user may have outstanding.");
159
160	/* Call every ~1000 ms. */
161	#define IPMI_TIMEOUT_TIME 1000
162
163	/* How many jiffies does it take to get to the timeout time. */
164	#define IPMI_TIMEOUT_JIFFIES ((IPMI_TIMEOUT_TIME * HZ) / 1000)
165
166	/*
167	* Request events from the queue every second (this is the number of
168	* IPMI_TIMEOUT_TIMES between event requests). Hopefully, in the
169	* future, IPMI will add a way to know immediately if an event is in
170	* the queue and this silliness can go away.
171	*/
172	#define IPMI_REQUEST_EV_TIME (1000 / (IPMI_TIMEOUT_TIME))
173
174	/* How long should we cache dynamic device IDs? */
175	#define IPMI_DYN_DEV_ID_EXPIRY (10 * HZ)
176
177	/*
178	* The main "user" data structure.
179	*/
180	struct ipmi_user {
181	struct list_head link;
182
183	/*
184	* Set to NULL when the user is destroyed, a pointer to myself
185	* so srcu_dereference can be used on it.
186	*/
187	struct ipmi_user *self;
188	struct srcu_struct release_barrier;
189
190	struct kref refcount;
191
192	/* The upper layer that handles receive messages. */
193	const struct ipmi_user_hndl *handler;
194	void *handler_data;
195
196	/* The interface this user is bound to. */
197	struct ipmi_smi *intf;
198
199	/* Does this interface receive IPMI events? */
200	bool gets_events;
201
202	atomic_t nr_msgs;
203
204	/* Free must run in process context for RCU cleanup. */
205	struct work_struct remove_work;
206	};
207
208	static struct workqueue_struct *remove_work_wq;
209
210	static struct ipmi_user *acquire_ipmi_user(struct ipmi_user *user, int *index)
211	__acquires(user->release_barrier)
212	{
213	struct ipmi_user *ruser;
214
215	*index = srcu_read_lock(ssp: &user->release_barrier);
216	ruser = srcu_dereference(user->self, &user->release_barrier);
217	if (!ruser)
218	srcu_read_unlock(ssp: &user->release_barrier, idx: *index);
219	return ruser;
220	}
221
222	static void release_ipmi_user(struct ipmi_user *user, int index)
223	{
224	srcu_read_unlock(ssp: &user->release_barrier, idx: index);
225	}
226
227	struct cmd_rcvr {
228	struct list_head link;
229
230	struct ipmi_user *user;
231	unsigned char netfn;
232	unsigned char cmd;
233	unsigned int chans;
234
235	/*
236	* This is used to form a linked lised during mass deletion.
237	* Since this is in an RCU list, we cannot use the link above
238	* or change any data until the RCU period completes. So we
239	* use this next variable during mass deletion so we can have
240	* a list and don't have to wait and restart the search on
241	* every individual deletion of a command.
242	*/
243	struct cmd_rcvr *next;
244	};
245
246	struct seq_table {
247	unsigned int inuse : 1;
248	unsigned int broadcast : 1;
249
250	unsigned long timeout;
251	unsigned long orig_timeout;
252	unsigned int retries_left;
253
254	/*
255	* To verify on an incoming send message response that this is
256	* the message that the response is for, we keep a sequence id
257	* and increment it every time we send a message.
258	*/
259	long seqid;
260
261	/*
262	* This is held so we can properly respond to the message on a
263	* timeout, and it is used to hold the temporary data for
264	* retransmission, too.
265	*/
266	struct ipmi_recv_msg *recv_msg;
267	};
268
269	/*
270	* Store the information in a msgid (long) to allow us to find a
271	* sequence table entry from the msgid.
272	*/
273	#define STORE_SEQ_IN_MSGID(seq, seqid) \
274	((((seq) & 0x3f) << 26) | ((seqid) & 0x3ffffff))
275
276	#define GET_SEQ_FROM_MSGID(msgid, seq, seqid) \
277	do { \
278	seq = (((msgid) >> 26) & 0x3f); \
279	seqid = ((msgid) & 0x3ffffff); \
280	} while (0)
281
282	#define NEXT_SEQID(seqid) (((seqid) + 1) & 0x3ffffff)
283
284	#define IPMI_MAX_CHANNELS 16
285	struct ipmi_channel {
286	unsigned char medium;
287	unsigned char protocol;
288	};
289
290	struct ipmi_channel_set {
291	struct ipmi_channel c[IPMI_MAX_CHANNELS];
292	};
293
294	struct ipmi_my_addrinfo {
295	/*
296	* My slave address. This is initialized to IPMI_BMC_SLAVE_ADDR,
297	* but may be changed by the user.
298	*/
299	unsigned char address;
300
301	/*
302	* My LUN. This should generally stay the SMS LUN, but just in
303	* case...
304	*/
305	unsigned char lun;
306	};
307
308	/*
309	* Note that the product id, manufacturer id, guid, and device id are
310	* immutable in this structure, so dyn_mutex is not required for
311	* accessing those. If those change on a BMC, a new BMC is allocated.
312	*/
313	struct bmc_device {
314	struct platform_device pdev;
315	struct list_head intfs; /* Interfaces on this BMC. */
316	struct ipmi_device_id id;
317	struct ipmi_device_id fetch_id;
318	int dyn_id_set;
319	unsigned long dyn_id_expiry;
320	struct mutex dyn_mutex; /* Protects id, intfs, & dyn* */
321	guid_t guid;
322	guid_t fetch_guid;
323	int dyn_guid_set;
324	struct kref usecount;
325	struct work_struct remove_work;
326	unsigned char cc; /* completion code */
327	};
328	#define to_bmc_device(x) container_of((x), struct bmc_device, pdev.dev)
329
330	static int bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
331	struct ipmi_device_id *id,
332	bool *guid_set, guid_t *guid);
333
334	/*
335	* Various statistics for IPMI, these index stats[] in the ipmi_smi
336	* structure.
337	*/
338	enum ipmi_stat_indexes {
339	/* Commands we got from the user that were invalid. */
340	IPMI_STAT_sent_invalid_commands = 0,
341
342	/* Commands we sent to the MC. */
343	IPMI_STAT_sent_local_commands,
344
345	/* Responses from the MC that were delivered to a user. */
346	IPMI_STAT_handled_local_responses,
347
348	/* Responses from the MC that were not delivered to a user. */
349	IPMI_STAT_unhandled_local_responses,
350
351	/* Commands we sent out to the IPMB bus. */
352	IPMI_STAT_sent_ipmb_commands,
353
354	/* Commands sent on the IPMB that had errors on the SEND CMD */
355	IPMI_STAT_sent_ipmb_command_errs,
356
357	/* Each retransmit increments this count. */
358	IPMI_STAT_retransmitted_ipmb_commands,
359
360	/*
361	* When a message times out (runs out of retransmits) this is
362	* incremented.
363	*/
364	IPMI_STAT_timed_out_ipmb_commands,
365
366	/*
367	* This is like above, but for broadcasts. Broadcasts are
368	* *not* included in the above count (they are expected to
369	* time out).
370	*/
371	IPMI_STAT_timed_out_ipmb_broadcasts,
372
373	/* Responses I have sent to the IPMB bus. */
374	IPMI_STAT_sent_ipmb_responses,
375
376	/* The response was delivered to the user. */
377	IPMI_STAT_handled_ipmb_responses,
378
379	/* The response had invalid data in it. */
380	IPMI_STAT_invalid_ipmb_responses,
381
382	/* The response didn't have anyone waiting for it. */
383	IPMI_STAT_unhandled_ipmb_responses,
384
385	/* Commands we sent out to the IPMB bus. */
386	IPMI_STAT_sent_lan_commands,
387
388	/* Commands sent on the IPMB that had errors on the SEND CMD */
389	IPMI_STAT_sent_lan_command_errs,
390
391	/* Each retransmit increments this count. */
392	IPMI_STAT_retransmitted_lan_commands,
393
394	/*
395	* When a message times out (runs out of retransmits) this is
396	* incremented.
397	*/
398	IPMI_STAT_timed_out_lan_commands,
399
400	/* Responses I have sent to the IPMB bus. */
401	IPMI_STAT_sent_lan_responses,
402
403	/* The response was delivered to the user. */
404	IPMI_STAT_handled_lan_responses,
405
406	/* The response had invalid data in it. */
407	IPMI_STAT_invalid_lan_responses,
408
409	/* The response didn't have anyone waiting for it. */
410	IPMI_STAT_unhandled_lan_responses,
411
412	/* The command was delivered to the user. */
413	IPMI_STAT_handled_commands,
414
415	/* The command had invalid data in it. */
416	IPMI_STAT_invalid_commands,
417
418	/* The command didn't have anyone waiting for it. */
419	IPMI_STAT_unhandled_commands,
420
421	/* Invalid data in an event. */
422	IPMI_STAT_invalid_events,
423
424	/* Events that were received with the proper format. */
425	IPMI_STAT_events,
426
427	/* Retransmissions on IPMB that failed. */
428	IPMI_STAT_dropped_rexmit_ipmb_commands,
429
430	/* Retransmissions on LAN that failed. */
431	IPMI_STAT_dropped_rexmit_lan_commands,
432
433	/* This *must* remain last, add new values above this. */
434	IPMI_NUM_STATS
435	};
436
437
438	#define IPMI_IPMB_NUM_SEQ 64
439	struct ipmi_smi {
440	struct module *owner;
441
442	/* What interface number are we? */
443	int intf_num;
444
445	struct kref refcount;
446
447	/* Set when the interface is being unregistered. */
448	bool in_shutdown;
449
450	/* Used for a list of interfaces. */
451	struct list_head link;
452
453	/*
454	* The list of upper layers that are using me. seq_lock write
455	* protects this. Read protection is with srcu.
456	*/
457	struct list_head users;
458	struct srcu_struct users_srcu;
459	atomic_t nr_users;
460	struct device_attribute nr_users_devattr;
461	struct device_attribute nr_msgs_devattr;
462
463
464	/* Used for wake ups at startup. */
465	wait_queue_head_t waitq;
466
467	/*
468	* Prevents the interface from being unregistered when the
469	* interface is used by being looked up through the BMC
470	* structure.
471	*/
472	struct mutex bmc_reg_mutex;
473
474	struct bmc_device tmp_bmc;
475	struct bmc_device *bmc;
476	bool bmc_registered;
477	struct list_head bmc_link;
478	char *my_dev_name;
479	bool in_bmc_register; /* Handle recursive situations. Yuck. */
480	struct work_struct bmc_reg_work;
481
482	const struct ipmi_smi_handlers *handlers;
483	void *send_info;
484
485	/* Driver-model device for the system interface. */
486	struct device *si_dev;
487
488	/*
489	* A table of sequence numbers for this interface. We use the
490	* sequence numbers for IPMB messages that go out of the
491	* interface to match them up with their responses. A routine
492	* is called periodically to time the items in this list.
493	*/
494	spinlock_t seq_lock;
495	struct seq_table seq_table[IPMI_IPMB_NUM_SEQ];
496	int curr_seq;
497
498	/*
499	* Messages queued for delivery. If delivery fails (out of memory
500	* for instance), They will stay in here to be processed later in a
501	* periodic timer interrupt. The tasklet is for handling received
502	* messages directly from the handler.
503	*/
504	spinlock_t waiting_rcv_msgs_lock;
505	struct list_head waiting_rcv_msgs;
506	atomic_t watchdog_pretimeouts_to_deliver;
507	struct tasklet_struct recv_tasklet;
508
509	spinlock_t xmit_msgs_lock;
510	struct list_head xmit_msgs;
511	struct ipmi_smi_msg *curr_msg;
512	struct list_head hp_xmit_msgs;
513
514	/*
515	* The list of command receivers that are registered for commands
516	* on this interface.
517	*/
518	struct mutex cmd_rcvrs_mutex;
519	struct list_head cmd_rcvrs;
520
521	/*
522	* Events that were queues because no one was there to receive
523	* them.
524	*/
525	spinlock_t events_lock; /* For dealing with event stuff. */
526	struct list_head waiting_events;
527	unsigned int waiting_events_count; /* How many events in queue? */
528	char delivering_events;
529	char event_msg_printed;
530
531	/* How many users are waiting for events? */
532	atomic_t event_waiters;
533	unsigned int ticks_to_req_ev;
534
535	spinlock_t watch_lock; /* For dealing with watch stuff below. */
536
537	/* How many users are waiting for commands? */
538	unsigned int command_waiters;
539
540	/* How many users are waiting for watchdogs? */
541	unsigned int watchdog_waiters;
542
543	/* How many users are waiting for message responses? */
544	unsigned int response_waiters;
545
546	/*
547	* Tells what the lower layer has last been asked to watch for,
548	* messages and/or watchdogs. Protected by watch_lock.
549	*/
550	unsigned int last_watch_mask;
551
552	/*
553	* The event receiver for my BMC, only really used at panic
554	* shutdown as a place to store this.
555	*/
556	unsigned char event_receiver;
557	unsigned char event_receiver_lun;
558	unsigned char local_sel_device;
559	unsigned char local_event_generator;
560
561	/* For handling of maintenance mode. */
562	int maintenance_mode;
563	bool maintenance_mode_enable;
564	int auto_maintenance_timeout;
565	spinlock_t maintenance_mode_lock; /* Used in a timer... */
566
567	/*
568	* If we are doing maintenance on something on IPMB, extend
569	* the timeout time to avoid timeouts writing firmware and
570	* such.
571	*/
572	int ipmb_maintenance_mode_timeout;
573
574	/*
575	* A cheap hack, if this is non-null and a message to an
576	* interface comes in with a NULL user, call this routine with
577	* it. Note that the message will still be freed by the
578	* caller. This only works on the system interface.
579	*
580	* Protected by bmc_reg_mutex.
581	*/
582	void (*null_user_handler)(struct ipmi_smi *intf,
583	struct ipmi_recv_msg *msg);
584
585	/*
586	* When we are scanning the channels for an SMI, this will
587	* tell which channel we are scanning.
588	*/
589	int curr_channel;
590
591	/* Channel information */
592	struct ipmi_channel_set *channel_list;
593	unsigned int curr_working_cset; /* First index into the following. */
594	struct ipmi_channel_set wchannels[2];
595	struct ipmi_my_addrinfo addrinfo[IPMI_MAX_CHANNELS];
596	bool channels_ready;
597
598	atomic_t stats[IPMI_NUM_STATS];
599
600	/*
601	* run_to_completion duplicate of smb_info, smi_info
602	* and ipmi_serial_info structures. Used to decrease numbers of
603	* parameters passed by "low" level IPMI code.
604	*/
605	int run_to_completion;
606	};
607	#define to_si_intf_from_dev(device) container_of(device, struct ipmi_smi, dev)
608
609	static void __get_guid(struct ipmi_smi *intf);
610	static void __ipmi_bmc_unregister(struct ipmi_smi *intf);
611	static int __ipmi_bmc_register(struct ipmi_smi *intf,
612	struct ipmi_device_id *id,
613	bool guid_set, guid_t *guid, int intf_num);
614	static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id);
615
616
617	/*
618	* The driver model view of the IPMI messaging driver.
619	*/
620	static struct platform_driver ipmidriver = {
621	.driver = {
622	.name = "ipmi",
623	.bus = &platform_bus_type
624	}
625	};
626	/*
627	* This mutex keeps us from adding the same BMC twice.
628	*/
629	static DEFINE_MUTEX(ipmidriver_mutex);
630
631	static LIST_HEAD(ipmi_interfaces);
632	static DEFINE_MUTEX(ipmi_interfaces_mutex);
633	#define ipmi_interfaces_mutex_held() \
634	lockdep_is_held(&ipmi_interfaces_mutex)
635	static struct srcu_struct ipmi_interfaces_srcu;
636
637	/*
638	* List of watchers that want to know when smi's are added and deleted.
639	*/
640	static LIST_HEAD(smi_watchers);
641	static DEFINE_MUTEX(smi_watchers_mutex);
642
643	#define ipmi_inc_stat(intf, stat) \
644	atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
645	#define ipmi_get_stat(intf, stat) \
646	((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
647
648	static const char * const addr_src_to_str[] = {
649	"invalid", "hotmod", "hardcoded", "SPMI", "ACPI", "SMBIOS", "PCI",
650	"device-tree", "platform"
651	};
652
653	const char *ipmi_addr_src_to_str(enum ipmi_addr_src src)
654	{
655	if (src >= SI_LAST)
656	src = 0; /* Invalid */
657	return addr_src_to_str[src];
658	}
659	EXPORT_SYMBOL(ipmi_addr_src_to_str);
660
661	static int is_lan_addr(struct ipmi_addr *addr)
662	{
663	return addr->addr_type == IPMI_LAN_ADDR_TYPE;
664	}
665
666	static int is_ipmb_addr(struct ipmi_addr *addr)
667	{
668	return addr->addr_type == IPMI_IPMB_ADDR_TYPE;
669	}
670
671	static int is_ipmb_bcast_addr(struct ipmi_addr *addr)
672	{
673	return addr->addr_type == IPMI_IPMB_BROADCAST_ADDR_TYPE;
674	}
675
676	static int is_ipmb_direct_addr(struct ipmi_addr *addr)
677	{
678	return addr->addr_type == IPMI_IPMB_DIRECT_ADDR_TYPE;
679	}
680
681	static void free_recv_msg_list(struct list_head *q)
682	{
683	struct ipmi_recv_msg *msg, *msg2;
684
685	list_for_each_entry_safe(msg, msg2, q, link) {
686	list_del(entry: &msg->link);
687	ipmi_free_recv_msg(msg);
688	}
689	}
690
691	static void free_smi_msg_list(struct list_head *q)
692	{
693	struct ipmi_smi_msg *msg, *msg2;
694
695	list_for_each_entry_safe(msg, msg2, q, link) {
696	list_del(entry: &msg->link);
697	ipmi_free_smi_msg(msg);
698	}
699	}
700
701	static void clean_up_interface_data(struct ipmi_smi *intf)
702	{
703	int i;
704	struct cmd_rcvr *rcvr, *rcvr2;
705	struct list_head list;
706
707	tasklet_kill(t: &intf->recv_tasklet);
708
709	free_smi_msg_list(q: &intf->waiting_rcv_msgs);
710	free_recv_msg_list(q: &intf->waiting_events);
711
712	/*
713	* Wholesale remove all the entries from the list in the
714	* interface and wait for RCU to know that none are in use.
715	*/
716	mutex_lock(&intf->cmd_rcvrs_mutex);
717	INIT_LIST_HEAD(list: &list);
718	list_splice_init_rcu(list: &intf->cmd_rcvrs, head: &list, sync: synchronize_rcu);
719	mutex_unlock(lock: &intf->cmd_rcvrs_mutex);
720
721	list_for_each_entry_safe(rcvr, rcvr2, &list, link)
722	kfree(objp: rcvr);
723
724	for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) {
725	if ((intf->seq_table[i].inuse)
726	&& (intf->seq_table[i].recv_msg))
727	ipmi_free_recv_msg(msg: intf->seq_table[i].recv_msg);
728	}
729	}
730
731	static void intf_free(struct kref *ref)
732	{
733	struct ipmi_smi *intf = container_of(ref, struct ipmi_smi, refcount);
734
735	clean_up_interface_data(intf);
736	kfree(objp: intf);
737	}
738
739	int ipmi_smi_watcher_register(struct ipmi_smi_watcher *watcher)
740	{
741	struct ipmi_smi *intf;
742	int index, rv;
743
744	/*
745	* Make sure the driver is actually initialized, this handles
746	* problems with initialization order.
747	*/
748	rv = ipmi_init_msghandler();
749	if (rv)
750	return rv;
751
752	mutex_lock(&smi_watchers_mutex);
753
754	list_add(new: &watcher->link, head: &smi_watchers);
755
756	index = srcu_read_lock(ssp: &ipmi_interfaces_srcu);
757	list_for_each_entry_rcu(intf, &ipmi_interfaces, link,
758	lockdep_is_held(&smi_watchers_mutex)) {
759	int intf_num = READ_ONCE(intf->intf_num);
760
761	if (intf_num == -1)
762	continue;
763	watcher->new_smi(intf_num, intf->si_dev);
764	}
765	srcu_read_unlock(ssp: &ipmi_interfaces_srcu, idx: index);
766
767	mutex_unlock(lock: &smi_watchers_mutex);
768
769	return 0;
770	}
771	EXPORT_SYMBOL(ipmi_smi_watcher_register);
772
773	int ipmi_smi_watcher_unregister(struct ipmi_smi_watcher *watcher)
774	{
775	mutex_lock(&smi_watchers_mutex);
776	list_del(entry: &watcher->link);
777	mutex_unlock(lock: &smi_watchers_mutex);
778	return 0;
779	}
780	EXPORT_SYMBOL(ipmi_smi_watcher_unregister);
781
782	/*
783	* Must be called with smi_watchers_mutex held.
784	*/
785	static void
786	call_smi_watchers(int i, struct device *dev)
787	{
788	struct ipmi_smi_watcher *w;
789
790	mutex_lock(&smi_watchers_mutex);
791	list_for_each_entry(w, &smi_watchers, link) {
792	if (try_module_get(module: w->owner)) {
793	w->new_smi(i, dev);
794	module_put(module: w->owner);
795	}
796	}
797	mutex_unlock(lock: &smi_watchers_mutex);
798	}
799
800	static int
801	ipmi_addr_equal(struct ipmi_addr *addr1, struct ipmi_addr *addr2)
802	{
803	if (addr1->addr_type != addr2->addr_type)
804	return 0;
805
806	if (addr1->channel != addr2->channel)
807	return 0;
808
809	if (addr1->addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE) {
810	struct ipmi_system_interface_addr *smi_addr1
811	= (struct ipmi_system_interface_addr *) addr1;
812	struct ipmi_system_interface_addr *smi_addr2
813	= (struct ipmi_system_interface_addr *) addr2;
814	return (smi_addr1->lun == smi_addr2->lun);
815	}
816
817	if (is_ipmb_addr(addr: addr1) || is_ipmb_bcast_addr(addr: addr1)) {
818	struct ipmi_ipmb_addr *ipmb_addr1
819	= (struct ipmi_ipmb_addr *) addr1;
820	struct ipmi_ipmb_addr *ipmb_addr2
821	= (struct ipmi_ipmb_addr *) addr2;
822
823	return ((ipmb_addr1->slave_addr == ipmb_addr2->slave_addr)
824	&& (ipmb_addr1->lun == ipmb_addr2->lun));
825	}
826
827	if (is_ipmb_direct_addr(addr: addr1)) {
828	struct ipmi_ipmb_direct_addr *daddr1
829	= (struct ipmi_ipmb_direct_addr *) addr1;
830	struct ipmi_ipmb_direct_addr *daddr2
831	= (struct ipmi_ipmb_direct_addr *) addr2;
832
833	return daddr1->slave_addr == daddr2->slave_addr &&
834	daddr1->rq_lun == daddr2->rq_lun &&
835	daddr1->rs_lun == daddr2->rs_lun;
836	}
837
838	if (is_lan_addr(addr: addr1)) {
839	struct ipmi_lan_addr *lan_addr1
840	= (struct ipmi_lan_addr *) addr1;
841	struct ipmi_lan_addr *lan_addr2
842	= (struct ipmi_lan_addr *) addr2;
843
844	return ((lan_addr1->remote_SWID == lan_addr2->remote_SWID)
845	&& (lan_addr1->local_SWID == lan_addr2->local_SWID)
846	&& (lan_addr1->session_handle
847	== lan_addr2->session_handle)
848	&& (lan_addr1->lun == lan_addr2->lun));
849	}
850
851	return 1;
852	}
853
854	int ipmi_validate_addr(struct ipmi_addr *addr, int len)
855	{
856	if (len < sizeof(struct ipmi_system_interface_addr))
857	return -EINVAL;
858
859	if (addr->addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE) {
860	if (addr->channel != IPMI_BMC_CHANNEL)
861	return -EINVAL;
862	return 0;
863	}
864
865	if ((addr->channel == IPMI_BMC_CHANNEL)
866	|| (addr->channel >= IPMI_MAX_CHANNELS)
867	|| (addr->channel < 0))
868	return -EINVAL;
869
870	if (is_ipmb_addr(addr) || is_ipmb_bcast_addr(addr)) {
871	if (len < sizeof(struct ipmi_ipmb_addr))
872	return -EINVAL;
873	return 0;
874	}
875
876	if (is_ipmb_direct_addr(addr)) {
877	struct ipmi_ipmb_direct_addr *daddr = (void *) addr;
878
879	if (addr->channel != 0)
880	return -EINVAL;
881	if (len < sizeof(struct ipmi_ipmb_direct_addr))
882	return -EINVAL;
883
884	if (daddr->slave_addr & 0x01)
885	return -EINVAL;
886	if (daddr->rq_lun >= 4)
887	return -EINVAL;
888	if (daddr->rs_lun >= 4)
889	return -EINVAL;
890	return 0;
891	}
892
893	if (is_lan_addr(addr)) {
894	if (len < sizeof(struct ipmi_lan_addr))
895	return -EINVAL;
896	return 0;
897	}
898
899	return -EINVAL;
900	}
901	EXPORT_SYMBOL(ipmi_validate_addr);
902
903	unsigned int ipmi_addr_length(int addr_type)
904	{
905	if (addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE)
906	return sizeof(struct ipmi_system_interface_addr);
907
908	if ((addr_type == IPMI_IPMB_ADDR_TYPE)
909	|| (addr_type == IPMI_IPMB_BROADCAST_ADDR_TYPE))
910	return sizeof(struct ipmi_ipmb_addr);
911
912	if (addr_type == IPMI_IPMB_DIRECT_ADDR_TYPE)
913	return sizeof(struct ipmi_ipmb_direct_addr);
914
915	if (addr_type == IPMI_LAN_ADDR_TYPE)
916	return sizeof(struct ipmi_lan_addr);
917
918	return 0;
919	}
920	EXPORT_SYMBOL(ipmi_addr_length);
921
922	static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
923	{
924	int rv = 0;
925
926	if (!msg->user) {
927	/* Special handling for NULL users. */
928	if (intf->null_user_handler) {
929	intf->null_user_handler(intf, msg);
930	} else {
931	/* No handler, so give up. */
932	rv = -EINVAL;
933	}
934	ipmi_free_recv_msg(msg);
935	} else if (oops_in_progress) {
936	/*
937	* If we are running in the panic context, calling the
938	* receive handler doesn't much meaning and has a deadlock
939	* risk. At this moment, simply skip it in that case.
940	*/
941	ipmi_free_recv_msg(msg);
942	atomic_dec(v: &msg->user->nr_msgs);
943	} else {
944	int index;
945	struct ipmi_user *user = acquire_ipmi_user(user: msg->user, index: &index);
946
947	if (user) {
948	atomic_dec(v: &user->nr_msgs);
949	user->handler->ipmi_recv_hndl(msg, user->handler_data);
950	release_ipmi_user(user, index);
951	} else {
952	/* User went away, give up. */
953	ipmi_free_recv_msg(msg);
954	rv = -EINVAL;
955	}
956	}
957
958	return rv;
959	}
960
961	static void deliver_local_response(struct ipmi_smi *intf,
962	struct ipmi_recv_msg *msg)
963	{
964	if (deliver_response(intf, msg))
965	ipmi_inc_stat(intf, unhandled_local_responses);
966	else
967	ipmi_inc_stat(intf, handled_local_responses);
968	}
969
970	static void deliver_err_response(struct ipmi_smi *intf,
971	struct ipmi_recv_msg *msg, int err)
972	{
973	msg->recv_type = IPMI_RESPONSE_RECV_TYPE;
974	msg->msg_data[0] = err;
975	msg->msg.netfn |= 1; /* Convert to a response. */
976	msg->msg.data_len = 1;
977	msg->msg.data = msg->msg_data;
978	deliver_local_response(intf, msg);
979	}
980
981	static void smi_add_watch(struct ipmi_smi *intf, unsigned int flags)
982	{
983	unsigned long iflags;
984
985	if (!intf->handlers->set_need_watch)
986	return;
987
988	spin_lock_irqsave(&intf->watch_lock, iflags);
989	if (flags & IPMI_WATCH_MASK_CHECK_MESSAGES)
990	intf->response_waiters++;
991
992	if (flags & IPMI_WATCH_MASK_CHECK_WATCHDOG)
993	intf->watchdog_waiters++;
994
995	if (flags & IPMI_WATCH_MASK_CHECK_COMMANDS)
996	intf->command_waiters++;
997
998	if ((intf->last_watch_mask & flags) != flags) {
999	intf->last_watch_mask |= flags;
1000	intf->handlers->set_need_watch(intf->send_info,
1001	intf->last_watch_mask);
1002	}
1003	spin_unlock_irqrestore(lock: &intf->watch_lock, flags: iflags);
1004	}
1005
1006	static void smi_remove_watch(struct ipmi_smi *intf, unsigned int flags)
1007	{
1008	unsigned long iflags;
1009
1010	if (!intf->handlers->set_need_watch)
1011	return;
1012
1013	spin_lock_irqsave(&intf->watch_lock, iflags);
1014	if (flags & IPMI_WATCH_MASK_CHECK_MESSAGES)
1015	intf->response_waiters--;
1016
1017	if (flags & IPMI_WATCH_MASK_CHECK_WATCHDOG)
1018	intf->watchdog_waiters--;
1019
1020	if (flags & IPMI_WATCH_MASK_CHECK_COMMANDS)
1021	intf->command_waiters--;
1022
1023	flags = 0;
1024	if (intf->response_waiters)
1025	flags |= IPMI_WATCH_MASK_CHECK_MESSAGES;
1026	if (intf->watchdog_waiters)
1027	flags |= IPMI_WATCH_MASK_CHECK_WATCHDOG;
1028	if (intf->command_waiters)
1029	flags |= IPMI_WATCH_MASK_CHECK_COMMANDS;
1030
1031	if (intf->last_watch_mask != flags) {
1032	intf->last_watch_mask = flags;
1033	intf->handlers->set_need_watch(intf->send_info,
1034	intf->last_watch_mask);
1035	}
1036	spin_unlock_irqrestore(lock: &intf->watch_lock, flags: iflags);
1037	}
1038
1039	/*
1040	* Find the next sequence number not being used and add the given
1041	* message with the given timeout to the sequence table. This must be
1042	* called with the interface's seq_lock held.
1043	*/
1044	static int intf_next_seq(struct ipmi_smi *intf,
1045	struct ipmi_recv_msg *recv_msg,
1046	unsigned long timeout,
1047	int retries,
1048	int broadcast,
1049	unsigned char *seq,
1050	long *seqid)
1051	{
1052	int rv = 0;
1053	unsigned int i;
1054
1055	if (timeout == 0)
1056	timeout = default_retry_ms;
1057	if (retries < 0)
1058	retries = default_max_retries;
1059
1060	for (i = intf->curr_seq; (i+1)%IPMI_IPMB_NUM_SEQ != intf->curr_seq;
1061	i = (i+1)%IPMI_IPMB_NUM_SEQ) {
1062	if (!intf->seq_table[i].inuse)
1063	break;
1064	}
1065
1066	if (!intf->seq_table[i].inuse) {
1067	intf->seq_table[i].recv_msg = recv_msg;
1068
1069	/*
1070	* Start with the maximum timeout, when the send response
1071	* comes in we will start the real timer.
1072	*/
1073	intf->seq_table[i].timeout = MAX_MSG_TIMEOUT;
1074	intf->seq_table[i].orig_timeout = timeout;
1075	intf->seq_table[i].retries_left = retries;
1076	intf->seq_table[i].broadcast = broadcast;
1077	intf->seq_table[i].inuse = 1;
1078	intf->seq_table[i].seqid = NEXT_SEQID(intf->seq_table[i].seqid);
1079	*seq = i;
1080	*seqid = intf->seq_table[i].seqid;
1081	intf->curr_seq = (i+1)%IPMI_IPMB_NUM_SEQ;
1082	smi_add_watch(intf, IPMI_WATCH_MASK_CHECK_MESSAGES);
1083	need_waiter(intf);
1084	} else {
1085	rv = -EAGAIN;
1086	}
1087
1088	return rv;
1089	}
1090
1091	/*
1092	* Return the receive message for the given sequence number and
1093	* release the sequence number so it can be reused. Some other data
1094	* is passed in to be sure the message matches up correctly (to help
1095	* guard against message coming in after their timeout and the
1096	* sequence number being reused).
1097	*/
1098	static int intf_find_seq(struct ipmi_smi *intf,
1099	unsigned char seq,
1100	short channel,
1101	unsigned char cmd,
1102	unsigned char netfn,
1103	struct ipmi_addr *addr,
1104	struct ipmi_recv_msg **recv_msg)
1105	{
1106	int rv = -ENODEV;
1107	unsigned long flags;
1108
1109	if (seq >= IPMI_IPMB_NUM_SEQ)
1110	return -EINVAL;
1111
1112	spin_lock_irqsave(&intf->seq_lock, flags);
1113	if (intf->seq_table[seq].inuse) {
1114	struct ipmi_recv_msg *msg = intf->seq_table[seq].recv_msg;
1115
1116	if ((msg->addr.channel == channel) && (msg->msg.cmd == cmd)
1117	&& (msg->msg.netfn == netfn)
1118	&& (ipmi_addr_equal(addr1: addr, addr2: &msg->addr))) {
1119	*recv_msg = msg;
1120	intf->seq_table[seq].inuse = 0;
1121	smi_remove_watch(intf, IPMI_WATCH_MASK_CHECK_MESSAGES);
1122	rv = 0;
1123	}
1124	}
1125	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
1126
1127	return rv;
1128	}
1129
1130
1131	/* Start the timer for a specific sequence table entry. */
1132	static int intf_start_seq_timer(struct ipmi_smi *intf,
1133	long msgid)
1134	{
1135	int rv = -ENODEV;
1136	unsigned long flags;
1137	unsigned char seq;
1138	unsigned long seqid;
1139
1140
1141	GET_SEQ_FROM_MSGID(msgid, seq, seqid);
1142
1143	spin_lock_irqsave(&intf->seq_lock, flags);
1144	/*
1145	* We do this verification because the user can be deleted
1146	* while a message is outstanding.
1147	*/
1148	if ((intf->seq_table[seq].inuse)
1149	&& (intf->seq_table[seq].seqid == seqid)) {
1150	struct seq_table *ent = &intf->seq_table[seq];
1151	ent->timeout = ent->orig_timeout;
1152	rv = 0;
1153	}
1154	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
1155
1156	return rv;
1157	}
1158
1159	/* Got an error for the send message for a specific sequence number. */
1160	static int intf_err_seq(struct ipmi_smi *intf,
1161	long msgid,
1162	unsigned int err)
1163	{
1164	int rv = -ENODEV;
1165	unsigned long flags;
1166	unsigned char seq;
1167	unsigned long seqid;
1168	struct ipmi_recv_msg *msg = NULL;
1169
1170
1171	GET_SEQ_FROM_MSGID(msgid, seq, seqid);
1172
1173	spin_lock_irqsave(&intf->seq_lock, flags);
1174	/*
1175	* We do this verification because the user can be deleted
1176	* while a message is outstanding.
1177	*/
1178	if ((intf->seq_table[seq].inuse)
1179	&& (intf->seq_table[seq].seqid == seqid)) {
1180	struct seq_table *ent = &intf->seq_table[seq];
1181
1182	ent->inuse = 0;
1183	smi_remove_watch(intf, IPMI_WATCH_MASK_CHECK_MESSAGES);
1184	msg = ent->recv_msg;
1185	rv = 0;
1186	}
1187	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
1188
1189	if (msg)
1190	deliver_err_response(intf, msg, err);
1191
1192	return rv;
1193	}
1194
1195	static void free_user_work(struct work_struct *work)
1196	{
1197	struct ipmi_user *user = container_of(work, struct ipmi_user,
1198	remove_work);
1199
1200	cleanup_srcu_struct(ssp: &user->release_barrier);
1201	vfree(addr: user);
1202	}
1203
1204	int ipmi_create_user(unsigned int if_num,
1205	const struct ipmi_user_hndl *handler,
1206	void *handler_data,
1207	struct ipmi_user **user)
1208	{
1209	unsigned long flags;
1210	struct ipmi_user *new_user;
1211	int rv, index;
1212	struct ipmi_smi *intf;
1213
1214	/*
1215	* There is no module usecount here, because it's not
1216	* required. Since this can only be used by and called from
1217	* other modules, they will implicitly use this module, and
1218	* thus this can't be removed unless the other modules are
1219	* removed.
1220	*/
1221
1222	if (handler == NULL)
1223	return -EINVAL;
1224
1225	/*
1226	* Make sure the driver is actually initialized, this handles
1227	* problems with initialization order.
1228	*/
1229	rv = ipmi_init_msghandler();
1230	if (rv)
1231	return rv;
1232
1233	new_user = vzalloc(size: sizeof(*new_user));
1234	if (!new_user)
1235	return -ENOMEM;
1236
1237	index = srcu_read_lock(ssp: &ipmi_interfaces_srcu);
1238	list_for_each_entry_rcu(intf, &ipmi_interfaces, link) {
1239	if (intf->intf_num == if_num)
1240	goto found;
1241	}
1242	/* Not found, return an error */
1243	rv = -EINVAL;
1244	goto out_kfree;
1245
1246	found:
1247	if (atomic_add_return(i: 1, v: &intf->nr_users) > max_users) {
1248	rv = -EBUSY;
1249	goto out_kfree;
1250	}
1251
1252	INIT_WORK(&new_user->remove_work, free_user_work);
1253
1254	rv = init_srcu_struct(&new_user->release_barrier);
1255	if (rv)
1256	goto out_kfree;
1257
1258	if (!try_module_get(module: intf->owner)) {
1259	rv = -ENODEV;
1260	goto out_kfree;
1261	}
1262
1263	/* Note that each existing user holds a refcount to the interface. */
1264	kref_get(kref: &intf->refcount);
1265
1266	atomic_set(v: &new_user->nr_msgs, i: 0);
1267	kref_init(kref: &new_user->refcount);
1268	new_user->handler = handler;
1269	new_user->handler_data = handler_data;
1270	new_user->intf = intf;
1271	new_user->gets_events = false;
1272
1273	rcu_assign_pointer(new_user->self, new_user);
1274	spin_lock_irqsave(&intf->seq_lock, flags);
1275	list_add_rcu(new: &new_user->link, head: &intf->users);
1276	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
1277	if (handler->ipmi_watchdog_pretimeout)
1278	/* User wants pretimeouts, so make sure to watch for them. */
1279	smi_add_watch(intf, IPMI_WATCH_MASK_CHECK_WATCHDOG);
1280	srcu_read_unlock(ssp: &ipmi_interfaces_srcu, idx: index);
1281	*user = new_user;
1282	return 0;
1283
1284	out_kfree:
1285	atomic_dec(v: &intf->nr_users);
1286	srcu_read_unlock(ssp: &ipmi_interfaces_srcu, idx: index);
1287	vfree(addr: new_user);
1288	return rv;
1289	}
1290	EXPORT_SYMBOL(ipmi_create_user);
1291
1292	int ipmi_get_smi_info(int if_num, struct ipmi_smi_info *data)
1293	{
1294	int rv, index;
1295	struct ipmi_smi *intf;
1296
1297	index = srcu_read_lock(ssp: &ipmi_interfaces_srcu);
1298	list_for_each_entry_rcu(intf, &ipmi_interfaces, link) {
1299	if (intf->intf_num == if_num)
1300	goto found;
1301	}
1302	srcu_read_unlock(ssp: &ipmi_interfaces_srcu, idx: index);
1303
1304	/* Not found, return an error */
1305	return -EINVAL;
1306
1307	found:
1308	if (!intf->handlers->get_smi_info)
1309	rv = -ENOTTY;
1310	else
1311	rv = intf->handlers->get_smi_info(intf->send_info, data);
1312	srcu_read_unlock(ssp: &ipmi_interfaces_srcu, idx: index);
1313
1314	return rv;
1315	}
1316	EXPORT_SYMBOL(ipmi_get_smi_info);
1317
1318	static void free_user(struct kref *ref)
1319	{
1320	struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount);
1321
1322	/* SRCU cleanup must happen in task context. */
1323	queue_work(wq: remove_work_wq, work: &user->remove_work);
1324	}
1325
1326	static void _ipmi_destroy_user(struct ipmi_user *user)
1327	{
1328	struct ipmi_smi *intf = user->intf;
1329	int i;
1330	unsigned long flags;
1331	struct cmd_rcvr *rcvr;
1332	struct cmd_rcvr *rcvrs = NULL;
1333	struct module *owner;
1334
1335	if (!acquire_ipmi_user(user, index: &i)) {
1336	/*
1337	* The user has already been cleaned up, just make sure
1338	* nothing is using it and return.
1339	*/
1340	synchronize_srcu(ssp: &user->release_barrier);
1341	return;
1342	}
1343
1344	rcu_assign_pointer(user->self, NULL);
1345	release_ipmi_user(user, index: i);
1346
1347	synchronize_srcu(ssp: &user->release_barrier);
1348
1349	if (user->handler->shutdown)
1350	user->handler->shutdown(user->handler_data);
1351
1352	if (user->handler->ipmi_watchdog_pretimeout)
1353	smi_remove_watch(intf, IPMI_WATCH_MASK_CHECK_WATCHDOG);
1354
1355	if (user->gets_events)
1356	atomic_dec(v: &intf->event_waiters);
1357
1358	/* Remove the user from the interface's sequence table. */
1359	spin_lock_irqsave(&intf->seq_lock, flags);
1360	list_del_rcu(entry: &user->link);
1361	atomic_dec(v: &intf->nr_users);
1362
1363	for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) {
1364	if (intf->seq_table[i].inuse
1365	&& (intf->seq_table[i].recv_msg->user == user)) {
1366	intf->seq_table[i].inuse = 0;
1367	smi_remove_watch(intf, IPMI_WATCH_MASK_CHECK_MESSAGES);
1368	ipmi_free_recv_msg(msg: intf->seq_table[i].recv_msg);
1369	}
1370	}
1371	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
1372
1373	/*
1374	* Remove the user from the command receiver's table. First
1375	* we build a list of everything (not using the standard link,
1376	* since other things may be using it till we do
1377	* synchronize_srcu()) then free everything in that list.
1378	*/
1379	mutex_lock(&intf->cmd_rcvrs_mutex);
1380	list_for_each_entry_rcu(rcvr, &intf->cmd_rcvrs, link,
1381	lockdep_is_held(&intf->cmd_rcvrs_mutex)) {
1382	if (rcvr->user == user) {
1383	list_del_rcu(entry: &rcvr->link);
1384	rcvr->next = rcvrs;
1385	rcvrs = rcvr;
1386	}
1387	}
1388	mutex_unlock(lock: &intf->cmd_rcvrs_mutex);
1389	synchronize_rcu();
1390	while (rcvrs) {
1391	rcvr = rcvrs;
1392	rcvrs = rcvr->next;
1393	kfree(objp: rcvr);
1394	}
1395
1396	owner = intf->owner;
1397	kref_put(kref: &intf->refcount, release: intf_free);
1398	module_put(module: owner);
1399	}
1400
1401	int ipmi_destroy_user(struct ipmi_user *user)
1402	{
1403	_ipmi_destroy_user(user);
1404
1405	kref_put(kref: &user->refcount, release: free_user);
1406
1407	return 0;
1408	}
1409	EXPORT_SYMBOL(ipmi_destroy_user);
1410
1411	int ipmi_get_version(struct ipmi_user *user,
1412	unsigned char *major,
1413	unsigned char *minor)
1414	{
1415	struct ipmi_device_id id;
1416	int rv, index;
1417
1418	user = acquire_ipmi_user(user, index: &index);
1419	if (!user)
1420	return -ENODEV;
1421
1422	rv = bmc_get_device_id(intf: user->intf, NULL, id: &id, NULL, NULL);
1423	if (!rv) {
1424	*major = ipmi_version_major(&id);
1425	*minor = ipmi_version_minor(&id);
1426	}
1427	release_ipmi_user(user, index);
1428
1429	return rv;
1430	}
1431	EXPORT_SYMBOL(ipmi_get_version);
1432
1433	int ipmi_set_my_address(struct ipmi_user *user,
1434	unsigned int channel,
1435	unsigned char address)
1436	{
1437	int index, rv = 0;
1438
1439	user = acquire_ipmi_user(user, index: &index);
1440	if (!user)
1441	return -ENODEV;
1442
1443	if (channel >= IPMI_MAX_CHANNELS) {
1444	rv = -EINVAL;
1445	} else {
1446	channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
1447	user->intf->addrinfo[channel].address = address;
1448	}
1449	release_ipmi_user(user, index);
1450
1451	return rv;
1452	}
1453	EXPORT_SYMBOL(ipmi_set_my_address);
1454
1455	int ipmi_get_my_address(struct ipmi_user *user,
1456	unsigned int channel,
1457	unsigned char *address)
1458	{
1459	int index, rv = 0;
1460
1461	user = acquire_ipmi_user(user, index: &index);
1462	if (!user)
1463	return -ENODEV;
1464
1465	if (channel >= IPMI_MAX_CHANNELS) {
1466	rv = -EINVAL;
1467	} else {
1468	channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
1469	*address = user->intf->addrinfo[channel].address;
1470	}
1471	release_ipmi_user(user, index);
1472
1473	return rv;
1474	}
1475	EXPORT_SYMBOL(ipmi_get_my_address);
1476
1477	int ipmi_set_my_LUN(struct ipmi_user *user,
1478	unsigned int channel,
1479	unsigned char LUN)
1480	{
1481	int index, rv = 0;
1482
1483	user = acquire_ipmi_user(user, index: &index);
1484	if (!user)
1485	return -ENODEV;
1486
1487	if (channel >= IPMI_MAX_CHANNELS) {
1488	rv = -EINVAL;
1489	} else {
1490	channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
1491	user->intf->addrinfo[channel].lun = LUN & 0x3;
1492	}
1493	release_ipmi_user(user, index);
1494
1495	return rv;
1496	}
1497	EXPORT_SYMBOL(ipmi_set_my_LUN);
1498
1499	int ipmi_get_my_LUN(struct ipmi_user *user,
1500	unsigned int channel,
1501	unsigned char *address)
1502	{
1503	int index, rv = 0;
1504
1505	user = acquire_ipmi_user(user, index: &index);
1506	if (!user)
1507	return -ENODEV;
1508
1509	if (channel >= IPMI_MAX_CHANNELS) {
1510	rv = -EINVAL;
1511	} else {
1512	channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
1513	*address = user->intf->addrinfo[channel].lun;
1514	}
1515	release_ipmi_user(user, index);
1516
1517	return rv;
1518	}
1519	EXPORT_SYMBOL(ipmi_get_my_LUN);
1520
1521	int ipmi_get_maintenance_mode(struct ipmi_user *user)
1522	{
1523	int mode, index;
1524	unsigned long flags;
1525
1526	user = acquire_ipmi_user(user, index: &index);
1527	if (!user)
1528	return -ENODEV;
1529
1530	spin_lock_irqsave(&user->intf->maintenance_mode_lock, flags);
1531	mode = user->intf->maintenance_mode;
1532	spin_unlock_irqrestore(lock: &user->intf->maintenance_mode_lock, flags);
1533	release_ipmi_user(user, index);
1534
1535	return mode;
1536	}
1537	EXPORT_SYMBOL(ipmi_get_maintenance_mode);
1538
1539	static void maintenance_mode_update(struct ipmi_smi *intf)
1540	{
1541	if (intf->handlers->set_maintenance_mode)
1542	intf->handlers->set_maintenance_mode(
1543	intf->send_info, intf->maintenance_mode_enable);
1544	}
1545
1546	int ipmi_set_maintenance_mode(struct ipmi_user *user, int mode)
1547	{
1548	int rv = 0, index;
1549	unsigned long flags;
1550	struct ipmi_smi *intf = user->intf;
1551
1552	user = acquire_ipmi_user(user, index: &index);
1553	if (!user)
1554	return -ENODEV;
1555
1556	spin_lock_irqsave(&intf->maintenance_mode_lock, flags);
1557	if (intf->maintenance_mode != mode) {
1558	switch (mode) {
1559	case IPMI_MAINTENANCE_MODE_AUTO:
1560	intf->maintenance_mode_enable
1561	= (intf->auto_maintenance_timeout > 0);
1562	break;
1563
1564	case IPMI_MAINTENANCE_MODE_OFF:
1565	intf->maintenance_mode_enable = false;
1566	break;
1567
1568	case IPMI_MAINTENANCE_MODE_ON:
1569	intf->maintenance_mode_enable = true;
1570	break;
1571
1572	default:
1573	rv = -EINVAL;
1574	goto out_unlock;
1575	}
1576	intf->maintenance_mode = mode;
1577
1578	maintenance_mode_update(intf);
1579	}
1580	out_unlock:
1581	spin_unlock_irqrestore(lock: &intf->maintenance_mode_lock, flags);
1582	release_ipmi_user(user, index);
1583
1584	return rv;
1585	}
1586	EXPORT_SYMBOL(ipmi_set_maintenance_mode);
1587
1588	int ipmi_set_gets_events(struct ipmi_user *user, bool val)
1589	{
1590	unsigned long flags;
1591	struct ipmi_smi *intf = user->intf;
1592	struct ipmi_recv_msg *msg, *msg2;
1593	struct list_head msgs;
1594	int index;
1595
1596	user = acquire_ipmi_user(user, index: &index);
1597	if (!user)
1598	return -ENODEV;
1599
1600	INIT_LIST_HEAD(list: &msgs);
1601
1602	spin_lock_irqsave(&intf->events_lock, flags);
1603	if (user->gets_events == val)
1604	goto out;
1605
1606	user->gets_events = val;
1607
1608	if (val) {
1609	if (atomic_inc_return(v: &intf->event_waiters) == 1)
1610	need_waiter(intf);
1611	} else {
1612	atomic_dec(v: &intf->event_waiters);
1613	}
1614
1615	if (intf->delivering_events)
1616	/*
1617	* Another thread is delivering events for this, so
1618	* let it handle any new events.
1619	*/
1620	goto out;
1621
1622	/* Deliver any queued events. */
1623	while (user->gets_events && !list_empty(head: &intf->waiting_events)) {
1624	list_for_each_entry_safe(msg, msg2, &intf->waiting_events, link)
1625	list_move_tail(list: &msg->link, head: &msgs);
1626	intf->waiting_events_count = 0;
1627	if (intf->event_msg_printed) {
1628	dev_warn(intf->si_dev, "Event queue no longer full\n");
1629	intf->event_msg_printed = 0;
1630	}
1631
1632	intf->delivering_events = 1;
1633	spin_unlock_irqrestore(lock: &intf->events_lock, flags);
1634
1635	list_for_each_entry_safe(msg, msg2, &msgs, link) {
1636	msg->user = user;
1637	kref_get(kref: &user->refcount);
1638	deliver_local_response(intf, msg);
1639	}
1640
1641	spin_lock_irqsave(&intf->events_lock, flags);
1642	intf->delivering_events = 0;
1643	}
1644
1645	out:
1646	spin_unlock_irqrestore(lock: &intf->events_lock, flags);
1647	release_ipmi_user(user, index);
1648
1649	return 0;
1650	}
1651	EXPORT_SYMBOL(ipmi_set_gets_events);
1652
1653	static struct cmd_rcvr *find_cmd_rcvr(struct ipmi_smi *intf,
1654	unsigned char netfn,
1655	unsigned char cmd,
1656	unsigned char chan)
1657	{
1658	struct cmd_rcvr *rcvr;
1659
1660	list_for_each_entry_rcu(rcvr, &intf->cmd_rcvrs, link,
1661	lockdep_is_held(&intf->cmd_rcvrs_mutex)) {
1662	if ((rcvr->netfn == netfn) && (rcvr->cmd == cmd)
1663	&& (rcvr->chans & (1 << chan)))
1664	return rcvr;
1665	}
1666	return NULL;
1667	}
1668
1669	static int is_cmd_rcvr_exclusive(struct ipmi_smi *intf,
1670	unsigned char netfn,
1671	unsigned char cmd,
1672	unsigned int chans)
1673	{
1674	struct cmd_rcvr *rcvr;
1675
1676	list_for_each_entry_rcu(rcvr, &intf->cmd_rcvrs, link,
1677	lockdep_is_held(&intf->cmd_rcvrs_mutex)) {
1678	if ((rcvr->netfn == netfn) && (rcvr->cmd == cmd)
1679	&& (rcvr->chans & chans))
1680	return 0;
1681	}
1682	return 1;
1683	}
1684
1685	int ipmi_register_for_cmd(struct ipmi_user *user,
1686	unsigned char netfn,
1687	unsigned char cmd,
1688	unsigned int chans)
1689	{
1690	struct ipmi_smi *intf = user->intf;
1691	struct cmd_rcvr *rcvr;
1692	int rv = 0, index;
1693
1694	user = acquire_ipmi_user(user, index: &index);
1695	if (!user)
1696	return -ENODEV;
1697
1698	rcvr = kmalloc(size: sizeof(*rcvr), GFP_KERNEL);
1699	if (!rcvr) {
1700	rv = -ENOMEM;
1701	goto out_release;
1702	}
1703	rcvr->cmd = cmd;
1704	rcvr->netfn = netfn;
1705	rcvr->chans = chans;
1706	rcvr->user = user;
1707
1708	mutex_lock(&intf->cmd_rcvrs_mutex);
1709	/* Make sure the command/netfn is not already registered. */
1710	if (!is_cmd_rcvr_exclusive(intf, netfn, cmd, chans)) {
1711	rv = -EBUSY;
1712	goto out_unlock;
1713	}
1714
1715	smi_add_watch(intf, IPMI_WATCH_MASK_CHECK_COMMANDS);
1716
1717	list_add_rcu(new: &rcvr->link, head: &intf->cmd_rcvrs);
1718
1719	out_unlock:
1720	mutex_unlock(lock: &intf->cmd_rcvrs_mutex);
1721	if (rv)
1722	kfree(objp: rcvr);
1723	out_release:
1724	release_ipmi_user(user, index);
1725
1726	return rv;
1727	}
1728	EXPORT_SYMBOL(ipmi_register_for_cmd);
1729
1730	int ipmi_unregister_for_cmd(struct ipmi_user *user,
1731	unsigned char netfn,
1732	unsigned char cmd,
1733	unsigned int chans)
1734	{
1735	struct ipmi_smi *intf = user->intf;
1736	struct cmd_rcvr *rcvr;
1737	struct cmd_rcvr *rcvrs = NULL;
1738	int i, rv = -ENOENT, index;
1739
1740	user = acquire_ipmi_user(user, index: &index);
1741	if (!user)
1742	return -ENODEV;
1743
1744	mutex_lock(&intf->cmd_rcvrs_mutex);
1745	for (i = 0; i < IPMI_NUM_CHANNELS; i++) {
1746	if (((1 << i) & chans) == 0)
1747	continue;
1748	rcvr = find_cmd_rcvr(intf, netfn, cmd, chan: i);
1749	if (rcvr == NULL)
1750	continue;
1751	if (rcvr->user == user) {
1752	rv = 0;
1753	rcvr->chans &= ~chans;
1754	if (rcvr->chans == 0) {
1755	list_del_rcu(entry: &rcvr->link);
1756	rcvr->next = rcvrs;
1757	rcvrs = rcvr;
1758	}
1759	}
1760	}
1761	mutex_unlock(lock: &intf->cmd_rcvrs_mutex);
1762	synchronize_rcu();
1763	release_ipmi_user(user, index);
1764	while (rcvrs) {
1765	smi_remove_watch(intf, IPMI_WATCH_MASK_CHECK_COMMANDS);
1766	rcvr = rcvrs;
1767	rcvrs = rcvr->next;
1768	kfree(objp: rcvr);
1769	}
1770
1771	return rv;
1772	}
1773	EXPORT_SYMBOL(ipmi_unregister_for_cmd);
1774
1775	unsigned char
1776	ipmb_checksum(unsigned char *data, int size)
1777	{
1778	unsigned char csum = 0;
1779
1780	for (; size > 0; size--, data++)
1781	csum += *data;
1782
1783	return -csum;
1784	}
1785	EXPORT_SYMBOL(ipmb_checksum);
1786
1787	static inline void format_ipmb_msg(struct ipmi_smi_msg *smi_msg,
1788	struct kernel_ipmi_msg *msg,
1789	struct ipmi_ipmb_addr *ipmb_addr,
1790	long msgid,
1791	unsigned char ipmb_seq,
1792	int broadcast,
1793	unsigned char source_address,
1794	unsigned char source_lun)
1795	{
1796	int i = broadcast;
1797
1798	/* Format the IPMB header data. */
1799	smi_msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
1800	smi_msg->data[1] = IPMI_SEND_MSG_CMD;
1801	smi_msg->data[2] = ipmb_addr->channel;
1802	if (broadcast)
1803	smi_msg->data[3] = 0;
1804	smi_msg->data[i+3] = ipmb_addr->slave_addr;
1805	smi_msg->data[i+4] = (msg->netfn << 2) | (ipmb_addr->lun & 0x3);
1806	smi_msg->data[i+5] = ipmb_checksum(&smi_msg->data[i + 3], 2);
1807	smi_msg->data[i+6] = source_address;
1808	smi_msg->data[i+7] = (ipmb_seq << 2) | source_lun;
1809	smi_msg->data[i+8] = msg->cmd;
1810
1811	/* Now tack on the data to the message. */
1812	if (msg->data_len > 0)
1813	memcpy(&smi_msg->data[i + 9], msg->data, msg->data_len);
1814	smi_msg->data_size = msg->data_len + 9;
1815
1816	/* Now calculate the checksum and tack it on. */
1817	smi_msg->data[i+smi_msg->data_size]
1818	= ipmb_checksum(&smi_msg->data[i + 6], smi_msg->data_size - 6);
1819
1820	/*
1821	* Add on the checksum size and the offset from the
1822	* broadcast.
1823	*/
1824	smi_msg->data_size += 1 + i;
1825
1826	smi_msg->msgid = msgid;
1827	}
1828
1829	static inline void format_lan_msg(struct ipmi_smi_msg *smi_msg,
1830	struct kernel_ipmi_msg *msg,
1831	struct ipmi_lan_addr *lan_addr,
1832	long msgid,
1833	unsigned char ipmb_seq,
1834	unsigned char source_lun)
1835	{
1836	/* Format the IPMB header data. */
1837	smi_msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
1838	smi_msg->data[1] = IPMI_SEND_MSG_CMD;
1839	smi_msg->data[2] = lan_addr->channel;
1840	smi_msg->data[3] = lan_addr->session_handle;
1841	smi_msg->data[4] = lan_addr->remote_SWID;
1842	smi_msg->data[5] = (msg->netfn << 2) | (lan_addr->lun & 0x3);
1843	smi_msg->data[6] = ipmb_checksum(&smi_msg->data[4], 2);
1844	smi_msg->data[7] = lan_addr->local_SWID;
1845	smi_msg->data[8] = (ipmb_seq << 2) | source_lun;
1846	smi_msg->data[9] = msg->cmd;
1847
1848	/* Now tack on the data to the message. */
1849	if (msg->data_len > 0)
1850	memcpy(&smi_msg->data[10], msg->data, msg->data_len);
1851	smi_msg->data_size = msg->data_len + 10;
1852
1853	/* Now calculate the checksum and tack it on. */
1854	smi_msg->data[smi_msg->data_size]
1855	= ipmb_checksum(&smi_msg->data[7], smi_msg->data_size - 7);
1856
1857	/*
1858	* Add on the checksum size and the offset from the
1859	* broadcast.
1860	*/
1861	smi_msg->data_size += 1;
1862
1863	smi_msg->msgid = msgid;
1864	}
1865
1866	static struct ipmi_smi_msg *smi_add_send_msg(struct ipmi_smi *intf,
1867	struct ipmi_smi_msg *smi_msg,
1868	int priority)
1869	{
1870	if (intf->curr_msg) {
1871	if (priority > 0)
1872	list_add_tail(new: &smi_msg->link, head: &intf->hp_xmit_msgs);
1873	else
1874	list_add_tail(new: &smi_msg->link, head: &intf->xmit_msgs);
1875	smi_msg = NULL;
1876	} else {
1877	intf->curr_msg = smi_msg;
1878	}
1879
1880	return smi_msg;
1881	}
1882
1883	static void smi_send(struct ipmi_smi *intf,
1884	const struct ipmi_smi_handlers *handlers,
1885	struct ipmi_smi_msg *smi_msg, int priority)
1886	{
1887	int run_to_completion = intf->run_to_completion;
1888	unsigned long flags = 0;
1889
1890	if (!run_to_completion)
1891	spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
1892	smi_msg = smi_add_send_msg(intf, smi_msg, priority);
1893
1894	if (!run_to_completion)
1895	spin_unlock_irqrestore(lock: &intf->xmit_msgs_lock, flags);
1896
1897	if (smi_msg)
1898	handlers->sender(intf->send_info, smi_msg);
1899	}
1900
1901	static bool is_maintenance_mode_cmd(struct kernel_ipmi_msg *msg)
1902	{
1903	return (((msg->netfn == IPMI_NETFN_APP_REQUEST)
1904	&& ((msg->cmd == IPMI_COLD_RESET_CMD)
1905	|| (msg->cmd == IPMI_WARM_RESET_CMD)))
1906	|| (msg->netfn == IPMI_NETFN_FIRMWARE_REQUEST));
1907	}
1908
1909	static int i_ipmi_req_sysintf(struct ipmi_smi *intf,
1910	struct ipmi_addr *addr,
1911	long msgid,
1912	struct kernel_ipmi_msg *msg,
1913	struct ipmi_smi_msg *smi_msg,
1914	struct ipmi_recv_msg *recv_msg,
1915	int retries,
1916	unsigned int retry_time_ms)
1917	{
1918	struct ipmi_system_interface_addr *smi_addr;
1919
1920	if (msg->netfn & 1)
1921	/* Responses are not allowed to the SMI. */
1922	return -EINVAL;
1923
1924	smi_addr = (struct ipmi_system_interface_addr *) addr;
1925	if (smi_addr->lun > 3) {
1926	ipmi_inc_stat(intf, sent_invalid_commands);
1927	return -EINVAL;
1928	}
1929
1930	memcpy(&recv_msg->addr, smi_addr, sizeof(*smi_addr));
1931
1932	if ((msg->netfn == IPMI_NETFN_APP_REQUEST)
1933	&& ((msg->cmd == IPMI_SEND_MSG_CMD)
1934	|| (msg->cmd == IPMI_GET_MSG_CMD)
1935	|| (msg->cmd == IPMI_READ_EVENT_MSG_BUFFER_CMD))) {
1936	/*
1937	* We don't let the user do these, since we manage
1938	* the sequence numbers.
1939	*/
1940	ipmi_inc_stat(intf, sent_invalid_commands);
1941	return -EINVAL;
1942	}
1943
1944	if (is_maintenance_mode_cmd(msg)) {
1945	unsigned long flags;
1946
1947	spin_lock_irqsave(&intf->maintenance_mode_lock, flags);
1948	intf->auto_maintenance_timeout
1949	= maintenance_mode_timeout_ms;
1950	if (!intf->maintenance_mode
1951	&& !intf->maintenance_mode_enable) {
1952	intf->maintenance_mode_enable = true;
1953	maintenance_mode_update(intf);
1954	}
1955	spin_unlock_irqrestore(lock: &intf->maintenance_mode_lock,
1956	flags);
1957	}
1958
1959	if (msg->data_len + 2 > IPMI_MAX_MSG_LENGTH) {
1960	ipmi_inc_stat(intf, sent_invalid_commands);
1961	return -EMSGSIZE;
1962	}
1963
1964	smi_msg->data[0] = (msg->netfn << 2) | (smi_addr->lun & 0x3);
1965	smi_msg->data[1] = msg->cmd;
1966	smi_msg->msgid = msgid;
1967	smi_msg->user_data = recv_msg;
1968	if (msg->data_len > 0)
1969	memcpy(&smi_msg->data[2], msg->data, msg->data_len);
1970	smi_msg->data_size = msg->data_len + 2;
1971	ipmi_inc_stat(intf, sent_local_commands);
1972
1973	return 0;
1974	}
1975
1976	static int i_ipmi_req_ipmb(struct ipmi_smi *intf,
1977	struct ipmi_addr *addr,
1978	long msgid,
1979	struct kernel_ipmi_msg *msg,
1980	struct ipmi_smi_msg *smi_msg,
1981	struct ipmi_recv_msg *recv_msg,
1982	unsigned char source_address,
1983	unsigned char source_lun,
1984	int retries,
1985	unsigned int retry_time_ms)
1986	{
1987	struct ipmi_ipmb_addr *ipmb_addr;
1988	unsigned char ipmb_seq;
1989	long seqid;
1990	int broadcast = 0;
1991	struct ipmi_channel *chans;
1992	int rv = 0;
1993
1994	if (addr->channel >= IPMI_MAX_CHANNELS) {
1995	ipmi_inc_stat(intf, sent_invalid_commands);
1996	return -EINVAL;
1997	}
1998
1999	chans = READ_ONCE(intf->channel_list)->c;
2000
2001	if (chans[addr->channel].medium != IPMI_CHANNEL_MEDIUM_IPMB) {
2002	ipmi_inc_stat(intf, sent_invalid_commands);
2003	return -EINVAL;
2004	}
2005
2006	if (addr->addr_type == IPMI_IPMB_BROADCAST_ADDR_TYPE) {
2007	/*
2008	* Broadcasts add a zero at the beginning of the
2009	* message, but otherwise is the same as an IPMB
2010	* address.
2011	*/
2012	addr->addr_type = IPMI_IPMB_ADDR_TYPE;
2013	broadcast = 1;
2014	retries = 0; /* Don't retry broadcasts. */
2015	}
2016
2017	/*
2018	* 9 for the header and 1 for the checksum, plus
2019	* possibly one for the broadcast.
2020	*/
2021	if ((msg->data_len + 10 + broadcast) > IPMI_MAX_MSG_LENGTH) {
2022	ipmi_inc_stat(intf, sent_invalid_commands);
2023	return -EMSGSIZE;
2024	}
2025
2026	ipmb_addr = (struct ipmi_ipmb_addr *) addr;
2027	if (ipmb_addr->lun > 3) {
2028	ipmi_inc_stat(intf, sent_invalid_commands);
2029	return -EINVAL;
2030	}
2031
2032	memcpy(&recv_msg->addr, ipmb_addr, sizeof(*ipmb_addr));
2033
2034	if (recv_msg->msg.netfn & 0x1) {
2035	/*
2036	* It's a response, so use the user's sequence
2037	* from msgid.
2038	*/
2039	ipmi_inc_stat(intf, sent_ipmb_responses);
2040	format_ipmb_msg(smi_msg, msg, ipmb_addr, msgid,
2041	ipmb_seq: msgid, broadcast,
2042	source_address, source_lun);
2043
2044	/*
2045	* Save the receive message so we can use it
2046	* to deliver the response.
2047	*/
2048	smi_msg->user_data = recv_msg;
2049	} else {
2050	/* It's a command, so get a sequence for it. */
2051	unsigned long flags;
2052
2053	spin_lock_irqsave(&intf->seq_lock, flags);
2054
2055	if (is_maintenance_mode_cmd(msg))
2056	intf->ipmb_maintenance_mode_timeout =
2057	maintenance_mode_timeout_ms;
2058
2059	if (intf->ipmb_maintenance_mode_timeout && retry_time_ms == 0)
2060	/* Different default in maintenance mode */
2061	retry_time_ms = default_maintenance_retry_ms;
2062
2063	/*
2064	* Create a sequence number with a 1 second
2065	* timeout and 4 retries.
2066	*/
2067	rv = intf_next_seq(intf,
2068	recv_msg,
2069	timeout: retry_time_ms,
2070	retries,
2071	broadcast,
2072	seq: &ipmb_seq,
2073	seqid: &seqid);
2074	if (rv)
2075	/*
2076	* We have used up all the sequence numbers,
2077	* probably, so abort.
2078	*/
2079	goto out_err;
2080
2081	ipmi_inc_stat(intf, sent_ipmb_commands);
2082
2083	/*
2084	* Store the sequence number in the message,
2085	* so that when the send message response
2086	* comes back we can start the timer.
2087	*/
2088	format_ipmb_msg(smi_msg, msg, ipmb_addr,
2089	STORE_SEQ_IN_MSGID(ipmb_seq, seqid),
2090	ipmb_seq, broadcast,
2091	source_address, source_lun);
2092
2093	/*
2094	* Copy the message into the recv message data, so we
2095	* can retransmit it later if necessary.
2096	*/
2097	memcpy(recv_msg->msg_data, smi_msg->data,
2098	smi_msg->data_size);
2099	recv_msg->msg.data = recv_msg->msg_data;
2100	recv_msg->msg.data_len = smi_msg->data_size;
2101
2102	/*
2103	* We don't unlock until here, because we need
2104	* to copy the completed message into the
2105	* recv_msg before we release the lock.
2106	* Otherwise, race conditions may bite us. I
2107	* know that's pretty paranoid, but I prefer
2108	* to be correct.
2109	*/
2110	out_err:
2111	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
2112	}
2113
2114	return rv;
2115	}
2116
2117	static int i_ipmi_req_ipmb_direct(struct ipmi_smi *intf,
2118	struct ipmi_addr *addr,
2119	long msgid,
2120	struct kernel_ipmi_msg *msg,
2121	struct ipmi_smi_msg *smi_msg,
2122	struct ipmi_recv_msg *recv_msg,
2123	unsigned char source_lun)
2124	{
2125	struct ipmi_ipmb_direct_addr *daddr;
2126	bool is_cmd = !(recv_msg->msg.netfn & 0x1);
2127
2128	if (!(intf->handlers->flags & IPMI_SMI_CAN_HANDLE_IPMB_DIRECT))
2129	return -EAFNOSUPPORT;
2130
2131	/* Responses must have a completion code. */
2132	if (!is_cmd && msg->data_len < 1) {
2133	ipmi_inc_stat(intf, sent_invalid_commands);
2134	return -EINVAL;
2135	}
2136
2137	if ((msg->data_len + 4) > IPMI_MAX_MSG_LENGTH) {
2138	ipmi_inc_stat(intf, sent_invalid_commands);
2139	return -EMSGSIZE;
2140	}
2141
2142	daddr = (struct ipmi_ipmb_direct_addr *) addr;
2143	if (daddr->rq_lun > 3 || daddr->rs_lun > 3) {
2144	ipmi_inc_stat(intf, sent_invalid_commands);
2145	return -EINVAL;
2146	}
2147
2148	smi_msg->type = IPMI_SMI_MSG_TYPE_IPMB_DIRECT;
2149	smi_msg->msgid = msgid;
2150
2151	if (is_cmd) {
2152	smi_msg->data[0] = msg->netfn << 2 | daddr->rs_lun;
2153	smi_msg->data[2] = recv_msg->msgid << 2 | daddr->rq_lun;
2154	} else {
2155	smi_msg->data[0] = msg->netfn << 2 | daddr->rq_lun;
2156	smi_msg->data[2] = recv_msg->msgid << 2 | daddr->rs_lun;
2157	}
2158	smi_msg->data[1] = daddr->slave_addr;
2159	smi_msg->data[3] = msg->cmd;
2160
2161	memcpy(smi_msg->data + 4, msg->data, msg->data_len);
2162	smi_msg->data_size = msg->data_len + 4;
2163
2164	smi_msg->user_data = recv_msg;
2165
2166	return 0;
2167	}
2168
2169	static int i_ipmi_req_lan(struct ipmi_smi *intf,
2170	struct ipmi_addr *addr,
2171	long msgid,
2172	struct kernel_ipmi_msg *msg,
2173	struct ipmi_smi_msg *smi_msg,
2174	struct ipmi_recv_msg *recv_msg,
2175	unsigned char source_lun,
2176	int retries,
2177	unsigned int retry_time_ms)
2178	{
2179	struct ipmi_lan_addr *lan_addr;
2180	unsigned char ipmb_seq;
2181	long seqid;
2182	struct ipmi_channel *chans;
2183	int rv = 0;
2184
2185	if (addr->channel >= IPMI_MAX_CHANNELS) {
2186	ipmi_inc_stat(intf, sent_invalid_commands);
2187	return -EINVAL;
2188	}
2189
2190	chans = READ_ONCE(intf->channel_list)->c;
2191
2192	if ((chans[addr->channel].medium
2193	!= IPMI_CHANNEL_MEDIUM_8023LAN)
2194	&& (chans[addr->channel].medium
2195	!= IPMI_CHANNEL_MEDIUM_ASYNC)) {
2196	ipmi_inc_stat(intf, sent_invalid_commands);
2197	return -EINVAL;
2198	}
2199
2200	/* 11 for the header and 1 for the checksum. */
2201	if ((msg->data_len + 12) > IPMI_MAX_MSG_LENGTH) {
2202	ipmi_inc_stat(intf, sent_invalid_commands);
2203	return -EMSGSIZE;
2204	}
2205
2206	lan_addr = (struct ipmi_lan_addr *) addr;
2207	if (lan_addr->lun > 3) {
2208	ipmi_inc_stat(intf, sent_invalid_commands);
2209	return -EINVAL;
2210	}
2211
2212	memcpy(&recv_msg->addr, lan_addr, sizeof(*lan_addr));
2213
2214	if (recv_msg->msg.netfn & 0x1) {
2215	/*
2216	* It's a response, so use the user's sequence
2217	* from msgid.
2218	*/
2219	ipmi_inc_stat(intf, sent_lan_responses);
2220	format_lan_msg(smi_msg, msg, lan_addr, msgid,
2221	ipmb_seq: msgid, source_lun);
2222
2223	/*
2224	* Save the receive message so we can use it
2225	* to deliver the response.
2226	*/
2227	smi_msg->user_data = recv_msg;
2228	} else {
2229	/* It's a command, so get a sequence for it. */
2230	unsigned long flags;
2231
2232	spin_lock_irqsave(&intf->seq_lock, flags);
2233
2234	/*
2235	* Create a sequence number with a 1 second
2236	* timeout and 4 retries.
2237	*/
2238	rv = intf_next_seq(intf,
2239	recv_msg,
2240	timeout: retry_time_ms,
2241	retries,
2242	broadcast: 0,
2243	seq: &ipmb_seq,
2244	seqid: &seqid);
2245	if (rv)
2246	/*
2247	* We have used up all the sequence numbers,
2248	* probably, so abort.
2249	*/
2250	goto out_err;
2251
2252	ipmi_inc_stat(intf, sent_lan_commands);
2253
2254	/*
2255	* Store the sequence number in the message,
2256	* so that when the send message response
2257	* comes back we can start the timer.
2258	*/
2259	format_lan_msg(smi_msg, msg, lan_addr,
2260	STORE_SEQ_IN_MSGID(ipmb_seq, seqid),
2261	ipmb_seq, source_lun);
2262
2263	/*
2264	* Copy the message into the recv message data, so we
2265	* can retransmit it later if necessary.
2266	*/
2267	memcpy(recv_msg->msg_data, smi_msg->data,
2268	smi_msg->data_size);
2269	recv_msg->msg.data = recv_msg->msg_data;
2270	recv_msg->msg.data_len = smi_msg->data_size;
2271
2272	/*
2273	* We don't unlock until here, because we need
2274	* to copy the completed message into the
2275	* recv_msg before we release the lock.
2276	* Otherwise, race conditions may bite us. I
2277	* know that's pretty paranoid, but I prefer
2278	* to be correct.
2279	*/
2280	out_err:
2281	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
2282	}
2283
2284	return rv;
2285	}
2286
2287	/*
2288	* Separate from ipmi_request so that the user does not have to be
2289	* supplied in certain circumstances (mainly at panic time). If
2290	* messages are supplied, they will be freed, even if an error
2291	* occurs.
2292	*/
2293	static int i_ipmi_request(struct ipmi_user *user,
2294	struct ipmi_smi *intf,
2295	struct ipmi_addr *addr,
2296	long msgid,
2297	struct kernel_ipmi_msg *msg,
2298	void *user_msg_data,
2299	void *supplied_smi,
2300	struct ipmi_recv_msg *supplied_recv,
2301	int priority,
2302	unsigned char source_address,
2303	unsigned char source_lun,
2304	int retries,
2305	unsigned int retry_time_ms)
2306	{
2307	struct ipmi_smi_msg *smi_msg;
2308	struct ipmi_recv_msg *recv_msg;
2309	int rv = 0;
2310
2311	if (user) {
2312	if (atomic_add_return(i: 1, v: &user->nr_msgs) > max_msgs_per_user) {
2313	/* Decrement will happen at the end of the routine. */
2314	rv = -EBUSY;
2315	goto out;
2316	}
2317	}
2318
2319	if (supplied_recv)
2320	recv_msg = supplied_recv;
2321	else {
2322	recv_msg = ipmi_alloc_recv_msg();
2323	if (recv_msg == NULL) {
2324	rv = -ENOMEM;
2325	goto out;
2326	}
2327	}
2328	recv_msg->user_msg_data = user_msg_data;
2329
2330	if (supplied_smi)
2331	smi_msg = supplied_smi;
2332	else {
2333	smi_msg = ipmi_alloc_smi_msg();
2334	if (smi_msg == NULL) {
2335	if (!supplied_recv)
2336	ipmi_free_recv_msg(msg: recv_msg);
2337	rv = -ENOMEM;
2338	goto out;
2339	}
2340	}
2341
2342	rcu_read_lock();
2343	if (intf->in_shutdown) {
2344	rv = -ENODEV;
2345	goto out_err;
2346	}
2347
2348	recv_msg->user = user;
2349	if (user)
2350	/* The put happens when the message is freed. */
2351	kref_get(kref: &user->refcount);
2352	recv_msg->msgid = msgid;
2353	/*
2354	* Store the message to send in the receive message so timeout
2355	* responses can get the proper response data.
2356	*/
2357	recv_msg->msg = *msg;
2358
2359	if (addr->addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE) {
2360	rv = i_ipmi_req_sysintf(intf, addr, msgid, msg, smi_msg,
2361	recv_msg, retries, retry_time_ms);
2362	} else if (is_ipmb_addr(addr) || is_ipmb_bcast_addr(addr)) {
2363	rv = i_ipmi_req_ipmb(intf, addr, msgid, msg, smi_msg, recv_msg,
2364	source_address, source_lun,
2365	retries, retry_time_ms);
2366	} else if (is_ipmb_direct_addr(addr)) {
2367	rv = i_ipmi_req_ipmb_direct(intf, addr, msgid, msg, smi_msg,
2368	recv_msg, source_lun);
2369	} else if (is_lan_addr(addr)) {
2370	rv = i_ipmi_req_lan(intf, addr, msgid, msg, smi_msg, recv_msg,
2371	source_lun, retries, retry_time_ms);
2372	} else {
2373	/* Unknown address type. */
2374	ipmi_inc_stat(intf, sent_invalid_commands);
2375	rv = -EINVAL;
2376	}
2377
2378	if (rv) {
2379	out_err:
2380	ipmi_free_smi_msg(msg: smi_msg);
2381	ipmi_free_recv_msg(msg: recv_msg);
2382	} else {
2383	dev_dbg(intf->si_dev, "Send: %*ph\n",
2384	smi_msg->data_size, smi_msg->data);
2385
2386	smi_send(intf, handlers: intf->handlers, smi_msg, priority);
2387	}
2388	rcu_read_unlock();
2389
2390	out:
2391	if (rv && user)
2392	atomic_dec(v: &user->nr_msgs);
2393	return rv;
2394	}
2395
2396	static int check_addr(struct ipmi_smi *intf,
2397	struct ipmi_addr *addr,
2398	unsigned char *saddr,
2399	unsigned char *lun)
2400	{
2401	if (addr->channel >= IPMI_MAX_CHANNELS)
2402	return -EINVAL;
2403	addr->channel = array_index_nospec(addr->channel, IPMI_MAX_CHANNELS);
2404	*lun = intf->addrinfo[addr->channel].lun;
2405	*saddr = intf->addrinfo[addr->channel].address;
2406	return 0;
2407	}
2408
2409	int ipmi_request_settime(struct ipmi_user *user,
2410	struct ipmi_addr *addr,
2411	long msgid,
2412	struct kernel_ipmi_msg *msg,
2413	void *user_msg_data,
2414	int priority,
2415	int retries,
2416	unsigned int retry_time_ms)
2417	{
2418	unsigned char saddr = 0, lun = 0;
2419	int rv, index;
2420
2421	if (!user)
2422	return -EINVAL;
2423
2424	user = acquire_ipmi_user(user, index: &index);
2425	if (!user)
2426	return -ENODEV;
2427
2428	rv = check_addr(intf: user->intf, addr, saddr: &saddr, lun: &lun);
2429	if (!rv)
2430	rv = i_ipmi_request(user,
2431	intf: user->intf,
2432	addr,
2433	msgid,
2434	msg,
2435	user_msg_data,
2436	NULL, NULL,
2437	priority,
2438	source_address: saddr,
2439	source_lun: lun,
2440	retries,
2441	retry_time_ms);
2442
2443	release_ipmi_user(user, index);
2444	return rv;
2445	}
2446	EXPORT_SYMBOL(ipmi_request_settime);
2447
2448	int ipmi_request_supply_msgs(struct ipmi_user *user,
2449	struct ipmi_addr *addr,
2450	long msgid,
2451	struct kernel_ipmi_msg *msg,
2452	void *user_msg_data,
2453	void *supplied_smi,
2454	struct ipmi_recv_msg *supplied_recv,
2455	int priority)
2456	{
2457	unsigned char saddr = 0, lun = 0;
2458	int rv, index;
2459
2460	if (!user)
2461	return -EINVAL;
2462
2463	user = acquire_ipmi_user(user, index: &index);
2464	if (!user)
2465	return -ENODEV;
2466
2467	rv = check_addr(intf: user->intf, addr, saddr: &saddr, lun: &lun);
2468	if (!rv)
2469	rv = i_ipmi_request(user,
2470	intf: user->intf,
2471	addr,
2472	msgid,
2473	msg,
2474	user_msg_data,
2475	supplied_smi,
2476	supplied_recv,
2477	priority,
2478	source_address: saddr,
2479	source_lun: lun,
2480	retries: -1, retry_time_ms: 0);
2481
2482	release_ipmi_user(user, index);
2483	return rv;
2484	}
2485	EXPORT_SYMBOL(ipmi_request_supply_msgs);
2486
2487	static void bmc_device_id_handler(struct ipmi_smi *intf,
2488	struct ipmi_recv_msg *msg)
2489	{
2490	int rv;
2491
2492	if ((msg->addr.addr_type != IPMI_SYSTEM_INTERFACE_ADDR_TYPE)
2493	|| (msg->msg.netfn != IPMI_NETFN_APP_RESPONSE)
2494	|| (msg->msg.cmd != IPMI_GET_DEVICE_ID_CMD)) {
2495	dev_warn(intf->si_dev,
2496	"invalid device_id msg: addr_type=%d netfn=%x cmd=%x\n",
2497	msg->addr.addr_type, msg->msg.netfn, msg->msg.cmd);
2498	return;
2499	}
2500
2501	if (msg->msg.data[0]) {
2502	dev_warn(intf->si_dev, "device id fetch failed: 0x%2.2x\n",
2503	msg->msg.data[0]);
2504	intf->bmc->dyn_id_set = 0;
2505	goto out;
2506	}
2507
2508	rv = ipmi_demangle_device_id(netfn: msg->msg.netfn, cmd: msg->msg.cmd,
2509	data: msg->msg.data, data_len: msg->msg.data_len, id: &intf->bmc->fetch_id);
2510	if (rv) {
2511	dev_warn(intf->si_dev, "device id demangle failed: %d\n", rv);
2512	/* record completion code when error */
2513	intf->bmc->cc = msg->msg.data[0];
2514	intf->bmc->dyn_id_set = 0;
2515	} else {
2516	/*
2517	* Make sure the id data is available before setting
2518	* dyn_id_set.
2519	*/
2520	smp_wmb();
2521	intf->bmc->dyn_id_set = 1;
2522	}
2523	out:
2524	wake_up(&intf->waitq);
2525	}
2526
2527	static int
2528	send_get_device_id_cmd(struct ipmi_smi *intf)
2529	{
2530	struct ipmi_system_interface_addr si;
2531	struct kernel_ipmi_msg msg;
2532
2533	si.addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
2534	si.channel = IPMI_BMC_CHANNEL;
2535	si.lun = 0;
2536
2537	msg.netfn = IPMI_NETFN_APP_REQUEST;
2538	msg.cmd = IPMI_GET_DEVICE_ID_CMD;
2539	msg.data = NULL;
2540	msg.data_len = 0;
2541
2542	return i_ipmi_request(NULL,
2543	intf,
2544	addr: (struct ipmi_addr *) &si,
2545	msgid: 0,
2546	msg: &msg,
2547	user_msg_data: intf,
2548	NULL,
2549	NULL,
2550	priority: 0,
2551	source_address: intf->addrinfo[0].address,
2552	source_lun: intf->addrinfo[0].lun,
2553	retries: -1, retry_time_ms: 0);
2554	}
2555
2556	static int __get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc)
2557	{
2558	int rv;
2559	unsigned int retry_count = 0;
2560
2561	intf->null_user_handler = bmc_device_id_handler;
2562
2563	retry:
2564	bmc->cc = 0;
2565	bmc->dyn_id_set = 2;
2566
2567	rv = send_get_device_id_cmd(intf);
2568	if (rv)
2569	goto out_reset_handler;
2570
2571	wait_event(intf->waitq, bmc->dyn_id_set != 2);
2572
2573	if (!bmc->dyn_id_set) {
2574	if (bmc->cc != IPMI_CC_NO_ERROR &&
2575	++retry_count <= GET_DEVICE_ID_MAX_RETRY) {
2576	msleep(msecs: 500);
2577	dev_warn(intf->si_dev,
2578	"BMC returned 0x%2.2x, retry get bmc device id\n",
2579	bmc->cc);
2580	goto retry;
2581	}
2582
2583	rv = -EIO; /* Something went wrong in the fetch. */
2584	}
2585
2586	/* dyn_id_set makes the id data available. */
2587	smp_rmb();
2588
2589	out_reset_handler:
2590	intf->null_user_handler = NULL;
2591
2592	return rv;
2593	}
2594
2595	/*
2596	* Fetch the device id for the bmc/interface. You must pass in either
2597	* bmc or intf, this code will get the other one. If the data has
2598	* been recently fetched, this will just use the cached data. Otherwise
2599	* it will run a new fetch.
2600	*
2601	* Except for the first time this is called (in ipmi_add_smi()),
2602	* this will always return good data;
2603	*/
2604	static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
2605	struct ipmi_device_id *id,
2606	bool *guid_set, guid_t *guid, int intf_num)
2607	{
2608	int rv = 0;
2609	int prev_dyn_id_set, prev_guid_set;
2610	bool intf_set = intf != NULL;
2611
2612	if (!intf) {
2613	mutex_lock(&bmc->dyn_mutex);
2614	retry_bmc_lock:
2615	if (list_empty(head: &bmc->intfs)) {
2616	mutex_unlock(lock: &bmc->dyn_mutex);
2617	return -ENOENT;
2618	}
2619	intf = list_first_entry(&bmc->intfs, struct ipmi_smi,
2620	bmc_link);
2621	kref_get(kref: &intf->refcount);
2622	mutex_unlock(lock: &bmc->dyn_mutex);
2623	mutex_lock(&intf->bmc_reg_mutex);
2624	mutex_lock(&bmc->dyn_mutex);
2625	if (intf != list_first_entry(&bmc->intfs, struct ipmi_smi,
2626	bmc_link)) {
2627	mutex_unlock(lock: &intf->bmc_reg_mutex);
2628	kref_put(kref: &intf->refcount, release: intf_free);
2629	goto retry_bmc_lock;
2630	}
2631	} else {
2632	mutex_lock(&intf->bmc_reg_mutex);
2633	bmc = intf->bmc;
2634	mutex_lock(&bmc->dyn_mutex);
2635	kref_get(kref: &intf->refcount);
2636	}
2637
2638	/* If we have a valid and current ID, just return that. */
2639	if (intf->in_bmc_register ||
2640	(bmc->dyn_id_set && time_is_after_jiffies(bmc->dyn_id_expiry)))
2641	goto out_noprocessing;
2642
2643	prev_guid_set = bmc->dyn_guid_set;
2644	__get_guid(intf);
2645
2646	prev_dyn_id_set = bmc->dyn_id_set;
2647	rv = __get_device_id(intf, bmc);
2648	if (rv)
2649	goto out;
2650
2651	/*
2652	* The guid, device id, manufacturer id, and product id should
2653	* not change on a BMC. If it does we have to do some dancing.
2654	*/
2655	if (!intf->bmc_registered
2656	|| (!prev_guid_set && bmc->dyn_guid_set)
2657	|| (!prev_dyn_id_set && bmc->dyn_id_set)
2658	|| (prev_guid_set && bmc->dyn_guid_set
2659	&& !guid_equal(u1: &bmc->guid, u2: &bmc->fetch_guid))
2660	|| bmc->id.device_id != bmc->fetch_id.device_id
2661	|| bmc->id.manufacturer_id != bmc->fetch_id.manufacturer_id
2662	|| bmc->id.product_id != bmc->fetch_id.product_id) {
2663	struct ipmi_device_id id = bmc->fetch_id;
2664	int guid_set = bmc->dyn_guid_set;
2665	guid_t guid;
2666
2667	guid = bmc->fetch_guid;
2668	mutex_unlock(lock: &bmc->dyn_mutex);
2669
2670	__ipmi_bmc_unregister(intf);
2671	/* Fill in the temporary BMC for good measure. */
2672	intf->bmc->id = id;
2673	intf->bmc->dyn_guid_set = guid_set;
2674	intf->bmc->guid = guid;
2675	if (__ipmi_bmc_register(intf, id: &id, guid_set, guid: &guid, intf_num))
2676	need_waiter(intf); /* Retry later on an error. */
2677	else
2678	__scan_channels(intf, id: &id);
2679
2680
2681	if (!intf_set) {
2682	/*
2683	* We weren't given the interface on the
2684	* command line, so restart the operation on
2685	* the next interface for the BMC.
2686	*/
2687	mutex_unlock(lock: &intf->bmc_reg_mutex);
2688	mutex_lock(&bmc->dyn_mutex);
2689	goto retry_bmc_lock;
2690	}
2691
2692	/* We have a new BMC, set it up. */
2693	bmc = intf->bmc;
2694	mutex_lock(&bmc->dyn_mutex);
2695	goto out_noprocessing;
2696	} else if (memcmp(p: &bmc->fetch_id, q: &bmc->id, size: sizeof(bmc->id)))
2697	/* Version info changes, scan the channels again. */
2698	__scan_channels(intf, id: &bmc->fetch_id);
2699
2700	bmc->dyn_id_expiry = jiffies + IPMI_DYN_DEV_ID_EXPIRY;
2701
2702	out:
2703	if (rv && prev_dyn_id_set) {
2704	rv = 0; /* Ignore failures if we have previous data. */
2705	bmc->dyn_id_set = prev_dyn_id_set;
2706	}
2707	if (!rv) {
2708	bmc->id = bmc->fetch_id;
2709	if (bmc->dyn_guid_set)
2710	bmc->guid = bmc->fetch_guid;
2711	else if (prev_guid_set)
2712	/*
2713	* The guid used to be valid and it failed to fetch,
2714	* just use the cached value.
2715	*/
2716	bmc->dyn_guid_set = prev_guid_set;
2717	}
2718	out_noprocessing:
2719	if (!rv) {
2720	if (id)
2721	*id = bmc->id;
2722
2723	if (guid_set)
2724	*guid_set = bmc->dyn_guid_set;
2725
2726	if (guid && bmc->dyn_guid_set)
2727	*guid = bmc->guid;
2728	}
2729
2730	mutex_unlock(lock: &bmc->dyn_mutex);
2731	mutex_unlock(lock: &intf->bmc_reg_mutex);
2732
2733	kref_put(kref: &intf->refcount, release: intf_free);
2734	return rv;
2735	}
2736
2737	static int bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
2738	struct ipmi_device_id *id,
2739	bool *guid_set, guid_t *guid)
2740	{
2741	return __bmc_get_device_id(intf, bmc, id, guid_set, guid, intf_num: -1);
2742	}
2743
2744	static ssize_t device_id_show(struct device *dev,
2745	struct device_attribute *attr,
2746	char *buf)
2747	{
2748	struct bmc_device *bmc = to_bmc_device(dev);
2749	struct ipmi_device_id id;
2750	int rv;
2751
2752	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2753	if (rv)
2754	return rv;
2755
2756	return sysfs_emit(buf, fmt: "%u\n", id.device_id);
2757	}
2758	static DEVICE_ATTR_RO(device_id);
2759
2760	static ssize_t provides_device_sdrs_show(struct device *dev,
2761	struct device_attribute *attr,
2762	char *buf)
2763	{
2764	struct bmc_device *bmc = to_bmc_device(dev);
2765	struct ipmi_device_id id;
2766	int rv;
2767
2768	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2769	if (rv)
2770	return rv;
2771
2772	return sysfs_emit(buf, fmt: "%u\n", (id.device_revision & 0x80) >> 7);
2773	}
2774	static DEVICE_ATTR_RO(provides_device_sdrs);
2775
2776	static ssize_t revision_show(struct device *dev, struct device_attribute *attr,
2777	char *buf)
2778	{
2779	struct bmc_device *bmc = to_bmc_device(dev);
2780	struct ipmi_device_id id;
2781	int rv;
2782
2783	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2784	if (rv)
2785	return rv;
2786
2787	return sysfs_emit(buf, fmt: "%u\n", id.device_revision & 0x0F);
2788	}
2789	static DEVICE_ATTR_RO(revision);
2790
2791	static ssize_t firmware_revision_show(struct device *dev,
2792	struct device_attribute *attr,
2793	char *buf)
2794	{
2795	struct bmc_device *bmc = to_bmc_device(dev);
2796	struct ipmi_device_id id;
2797	int rv;
2798
2799	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2800	if (rv)
2801	return rv;
2802
2803	return sysfs_emit(buf, fmt: "%u.%x\n", id.firmware_revision_1,
2804	id.firmware_revision_2);
2805	}
2806	static DEVICE_ATTR_RO(firmware_revision);
2807
2808	static ssize_t ipmi_version_show(struct device *dev,
2809	struct device_attribute *attr,
2810	char *buf)
2811	{
2812	struct bmc_device *bmc = to_bmc_device(dev);
2813	struct ipmi_device_id id;
2814	int rv;
2815
2816	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2817	if (rv)
2818	return rv;
2819
2820	return sysfs_emit(buf, fmt: "%u.%u\n",
2821	ipmi_version_major(&id),
2822	ipmi_version_minor(&id));
2823	}
2824	static DEVICE_ATTR_RO(ipmi_version);
2825
2826	static ssize_t add_dev_support_show(struct device *dev,
2827	struct device_attribute *attr,
2828	char *buf)
2829	{
2830	struct bmc_device *bmc = to_bmc_device(dev);
2831	struct ipmi_device_id id;
2832	int rv;
2833
2834	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2835	if (rv)
2836	return rv;
2837
2838	return sysfs_emit(buf, fmt: "0x%02x\n", id.additional_device_support);
2839	}
2840	static DEVICE_ATTR(additional_device_support, S_IRUGO, add_dev_support_show,
2841	NULL);
2842
2843	static ssize_t manufacturer_id_show(struct device *dev,
2844	struct device_attribute *attr,
2845	char *buf)
2846	{
2847	struct bmc_device *bmc = to_bmc_device(dev);
2848	struct ipmi_device_id id;
2849	int rv;
2850
2851	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2852	if (rv)
2853	return rv;
2854
2855	return sysfs_emit(buf, fmt: "0x%6.6x\n", id.manufacturer_id);
2856	}
2857	static DEVICE_ATTR_RO(manufacturer_id);
2858
2859	static ssize_t product_id_show(struct device *dev,
2860	struct device_attribute *attr,
2861	char *buf)
2862	{
2863	struct bmc_device *bmc = to_bmc_device(dev);
2864	struct ipmi_device_id id;
2865	int rv;
2866
2867	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2868	if (rv)
2869	return rv;
2870
2871	return sysfs_emit(buf, fmt: "0x%4.4x\n", id.product_id);
2872	}
2873	static DEVICE_ATTR_RO(product_id);
2874
2875	static ssize_t aux_firmware_rev_show(struct device *dev,
2876	struct device_attribute *attr,
2877	char *buf)
2878	{
2879	struct bmc_device *bmc = to_bmc_device(dev);
2880	struct ipmi_device_id id;
2881	int rv;
2882
2883	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2884	if (rv)
2885	return rv;
2886
2887	return sysfs_emit(buf, fmt: "0x%02x 0x%02x 0x%02x 0x%02x\n",
2888	id.aux_firmware_revision[3],
2889	id.aux_firmware_revision[2],
2890	id.aux_firmware_revision[1],
2891	id.aux_firmware_revision[0]);
2892	}
2893	static DEVICE_ATTR(aux_firmware_revision, S_IRUGO, aux_firmware_rev_show, NULL);
2894
2895	static ssize_t guid_show(struct device *dev, struct device_attribute *attr,
2896	char *buf)
2897	{
2898	struct bmc_device *bmc = to_bmc_device(dev);
2899	bool guid_set;
2900	guid_t guid;
2901	int rv;
2902
2903	rv = bmc_get_device_id(NULL, bmc, NULL, guid_set: &guid_set, guid: &guid);
2904	if (rv)
2905	return rv;
2906	if (!guid_set)
2907	return -ENOENT;
2908
2909	return sysfs_emit(buf, fmt: "%pUl\n", &guid);
2910	}
2911	static DEVICE_ATTR_RO(guid);
2912
2913	static struct attribute *bmc_dev_attrs[] = {
2914	&dev_attr_device_id.attr,
2915	&dev_attr_provides_device_sdrs.attr,
2916	&dev_attr_revision.attr,
2917	&dev_attr_firmware_revision.attr,
2918	&dev_attr_ipmi_version.attr,
2919	&dev_attr_additional_device_support.attr,
2920	&dev_attr_manufacturer_id.attr,
2921	&dev_attr_product_id.attr,
2922	&dev_attr_aux_firmware_revision.attr,
2923	&dev_attr_guid.attr,
2924	NULL
2925	};
2926
2927	static umode_t bmc_dev_attr_is_visible(struct kobject *kobj,
2928	struct attribute *attr, int idx)
2929	{
2930	struct device *dev = kobj_to_dev(kobj);
2931	struct bmc_device *bmc = to_bmc_device(dev);
2932	umode_t mode = attr->mode;
2933	int rv;
2934
2935	if (attr == &dev_attr_aux_firmware_revision.attr) {
2936	struct ipmi_device_id id;
2937
2938	rv = bmc_get_device_id(NULL, bmc, id: &id, NULL, NULL);
2939	return (!rv && id.aux_firmware_revision_set) ? mode : 0;
2940	}
2941	if (attr == &dev_attr_guid.attr) {
2942	bool guid_set;
2943
2944	rv = bmc_get_device_id(NULL, bmc, NULL, guid_set: &guid_set, NULL);
2945	return (!rv && guid_set) ? mode : 0;
2946	}
2947	return mode;
2948	}
2949
2950	static const struct attribute_group bmc_dev_attr_group = {
2951	.attrs = bmc_dev_attrs,
2952	.is_visible = bmc_dev_attr_is_visible,
2953	};
2954
2955	static const struct attribute_group *bmc_dev_attr_groups[] = {
2956	&bmc_dev_attr_group,
2957	NULL
2958	};
2959
2960	static const struct device_type bmc_device_type = {
2961	.groups = bmc_dev_attr_groups,
2962	};
2963
2964	static int __find_bmc_guid(struct device *dev, const void *data)
2965	{
2966	const guid_t *guid = data;
2967	struct bmc_device *bmc;
2968	int rv;
2969
2970	if (dev->type != &bmc_device_type)
2971	return 0;
2972
2973	bmc = to_bmc_device(dev);
2974	rv = bmc->dyn_guid_set && guid_equal(u1: &bmc->guid, u2: guid);
2975	if (rv)
2976	rv = kref_get_unless_zero(kref: &bmc->usecount);
2977	return rv;
2978	}
2979
2980	/*
2981	* Returns with the bmc's usecount incremented, if it is non-NULL.
2982	*/
2983	static struct bmc_device *ipmi_find_bmc_guid(struct device_driver *drv,
2984	guid_t *guid)
2985	{
2986	struct device *dev;
2987	struct bmc_device *bmc = NULL;
2988
2989	dev = driver_find_device(drv, NULL, data: guid, match: __find_bmc_guid);
2990	if (dev) {
2991	bmc = to_bmc_device(dev);
2992	put_device(dev);
2993	}
2994	return bmc;
2995	}
2996
2997	struct prod_dev_id {
2998	unsigned int product_id;
2999	unsigned char device_id;
3000	};
3001
3002	static int __find_bmc_prod_dev_id(struct device *dev, const void *data)
3003	{
3004	const struct prod_dev_id *cid = data;
3005	struct bmc_device *bmc;
3006	int rv;
3007
3008	if (dev->type != &bmc_device_type)
3009	return 0;
3010
3011	bmc = to_bmc_device(dev);
3012	rv = (bmc->id.product_id == cid->product_id
3013	&& bmc->id.device_id == cid->device_id);
3014	if (rv)
3015	rv = kref_get_unless_zero(kref: &bmc->usecount);
3016	return rv;
3017	}
3018
3019	/*
3020	* Returns with the bmc's usecount incremented, if it is non-NULL.
3021	*/
3022	static struct bmc_device *ipmi_find_bmc_prod_dev_id(
3023	struct device_driver *drv,
3024	unsigned int product_id, unsigned char device_id)
3025	{
3026	struct prod_dev_id id = {
3027	.product_id = product_id,
3028	.device_id = device_id,
3029	};
3030	struct device *dev;
3031	struct bmc_device *bmc = NULL;
3032
3033	dev = driver_find_device(drv, NULL, data: &id, match: __find_bmc_prod_dev_id);
3034	if (dev) {
3035	bmc = to_bmc_device(dev);
3036	put_device(dev);
3037	}
3038	return bmc;
3039	}
3040
3041	static DEFINE_IDA(ipmi_bmc_ida);
3042
3043	static void
3044	release_bmc_device(struct device *dev)
3045	{
3046	kfree(to_bmc_device(dev));
3047	}
3048
3049	static void cleanup_bmc_work(struct work_struct *work)
3050	{
3051	struct bmc_device *bmc = container_of(work, struct bmc_device,
3052	remove_work);
3053	int id = bmc->pdev.id; /* Unregister overwrites id */
3054
3055	platform_device_unregister(&bmc->pdev);
3056	ida_free(&ipmi_bmc_ida, id);
3057	}
3058
3059	static void
3060	cleanup_bmc_device(struct kref *ref)
3061	{
3062	struct bmc_device *bmc = container_of(ref, struct bmc_device, usecount);
3063
3064	/*
3065	* Remove the platform device in a work queue to avoid issues
3066	* with removing the device attributes while reading a device
3067	* attribute.
3068	*/
3069	queue_work(wq: remove_work_wq, work: &bmc->remove_work);
3070	}
3071
3072	/*
3073	* Must be called with intf->bmc_reg_mutex held.
3074	*/
3075	static void __ipmi_bmc_unregister(struct ipmi_smi *intf)
3076	{
3077	struct bmc_device *bmc = intf->bmc;
3078
3079	if (!intf->bmc_registered)
3080	return;
3081
3082	sysfs_remove_link(kobj: &intf->si_dev->kobj, name: "bmc");
3083	sysfs_remove_link(kobj: &bmc->pdev.dev.kobj, name: intf->my_dev_name);
3084	kfree(objp: intf->my_dev_name);
3085	intf->my_dev_name = NULL;
3086
3087	mutex_lock(&bmc->dyn_mutex);
3088	list_del(entry: &intf->bmc_link);
3089	mutex_unlock(lock: &bmc->dyn_mutex);
3090	intf->bmc = &intf->tmp_bmc;
3091	kref_put(kref: &bmc->usecount, release: cleanup_bmc_device);
3092	intf->bmc_registered = false;
3093	}
3094
3095	static void ipmi_bmc_unregister(struct ipmi_smi *intf)
3096	{
3097	mutex_lock(&intf->bmc_reg_mutex);
3098	__ipmi_bmc_unregister(intf);
3099	mutex_unlock(lock: &intf->bmc_reg_mutex);
3100	}
3101
3102	/*
3103	* Must be called with intf->bmc_reg_mutex held.
3104	*/
3105	static int __ipmi_bmc_register(struct ipmi_smi *intf,
3106	struct ipmi_device_id *id,
3107	bool guid_set, guid_t *guid, int intf_num)
3108	{
3109	int rv;
3110	struct bmc_device *bmc;
3111	struct bmc_device *old_bmc;
3112
3113	/*
3114	* platform_device_register() can cause bmc_reg_mutex to
3115	* be claimed because of the is_visible functions of
3116	* the attributes. Eliminate possible recursion and
3117	* release the lock.
3118	*/
3119	intf->in_bmc_register = true;
3120	mutex_unlock(lock: &intf->bmc_reg_mutex);
3121
3122	/*
3123	* Try to find if there is an bmc_device struct
3124	* representing the interfaced BMC already
3125	*/
3126	mutex_lock(&ipmidriver_mutex);
3127	if (guid_set)
3128	old_bmc = ipmi_find_bmc_guid(drv: &ipmidriver.driver, guid);
3129	else
3130	old_bmc = ipmi_find_bmc_prod_dev_id(drv: &ipmidriver.driver,
3131	product_id: id->product_id,
3132	device_id: id->device_id);
3133
3134	/*
3135	* If there is already an bmc_device, free the new one,
3136	* otherwise register the new BMC device
3137	*/
3138	if (old_bmc) {
3139	bmc = old_bmc;
3140	/*
3141	* Note: old_bmc already has usecount incremented by
3142	* the BMC find functions.
3143	*/
3144	intf->bmc = old_bmc;
3145	mutex_lock(&bmc->dyn_mutex);
3146	list_add_tail(new: &intf->bmc_link, head: &bmc->intfs);
3147	mutex_unlock(lock: &bmc->dyn_mutex);
3148
3149	dev_info(intf->si_dev,
3150	"interfacing existing BMC (man_id: 0x%6.6x, prod_id: 0x%4.4x, dev_id: 0x%2.2x)\n",
3151	bmc->id.manufacturer_id,
3152	bmc->id.product_id,
3153	bmc->id.device_id);
3154	} else {
3155	bmc = kzalloc(size: sizeof(*bmc), GFP_KERNEL);
3156	if (!bmc) {
3157	rv = -ENOMEM;
3158	goto out;
3159	}
3160	INIT_LIST_HEAD(list: &bmc->intfs);
3161	mutex_init(&bmc->dyn_mutex);
3162	INIT_WORK(&bmc->remove_work, cleanup_bmc_work);
3163
3164	bmc->id = *id;
3165	bmc->dyn_id_set = 1;
3166	bmc->dyn_guid_set = guid_set;
3167	bmc->guid = *guid;
3168	bmc->dyn_id_expiry = jiffies + IPMI_DYN_DEV_ID_EXPIRY;
3169
3170	bmc->pdev.name = "ipmi_bmc";
3171
3172	rv = ida_alloc(ida: &ipmi_bmc_ida, GFP_KERNEL);
3173	if (rv < 0) {
3174	kfree(objp: bmc);
3175	goto out;
3176	}
3177
3178	bmc->pdev.dev.driver = &ipmidriver.driver;
3179	bmc->pdev.id = rv;
3180	bmc->pdev.dev.release = release_bmc_device;
3181	bmc->pdev.dev.type = &bmc_device_type;
3182	kref_init(kref: &bmc->usecount);
3183
3184	intf->bmc = bmc;
3185	mutex_lock(&bmc->dyn_mutex);
3186	list_add_tail(new: &intf->bmc_link, head: &bmc->intfs);
3187	mutex_unlock(lock: &bmc->dyn_mutex);
3188
3189	rv = platform_device_register(&bmc->pdev);
3190	if (rv) {
3191	dev_err(intf->si_dev,
3192	"Unable to register bmc device: %d\n",
3193	rv);
3194	goto out_list_del;
3195	}
3196
3197	dev_info(intf->si_dev,
3198	"Found new BMC (man_id: 0x%6.6x, prod_id: 0x%4.4x, dev_id: 0x%2.2x)\n",
3199	bmc->id.manufacturer_id,
3200	bmc->id.product_id,
3201	bmc->id.device_id);
3202	}
3203
3204	/*
3205	* create symlink from system interface device to bmc device
3206	* and back.
3207	*/
3208	rv = sysfs_create_link(kobj: &intf->si_dev->kobj, target: &bmc->pdev.dev.kobj, name: "bmc");
3209	if (rv) {
3210	dev_err(intf->si_dev, "Unable to create bmc symlink: %d\n", rv);
3211	goto out_put_bmc;
3212	}
3213
3214	if (intf_num == -1)
3215	intf_num = intf->intf_num;
3216	intf->my_dev_name = kasprintf(GFP_KERNEL, fmt: "ipmi%d", intf_num);
3217	if (!intf->my_dev_name) {
3218	rv = -ENOMEM;
3219	dev_err(intf->si_dev, "Unable to allocate link from BMC: %d\n",
3220	rv);
3221	goto out_unlink1;
3222	}
3223
3224	rv = sysfs_create_link(kobj: &bmc->pdev.dev.kobj, target: &intf->si_dev->kobj,
3225	name: intf->my_dev_name);
3226	if (rv) {
3227	dev_err(intf->si_dev, "Unable to create symlink to bmc: %d\n",
3228	rv);
3229	goto out_free_my_dev_name;
3230	}
3231
3232	intf->bmc_registered = true;
3233
3234	out:
3235	mutex_unlock(lock: &ipmidriver_mutex);
3236	mutex_lock(&intf->bmc_reg_mutex);
3237	intf->in_bmc_register = false;
3238	return rv;
3239
3240
3241	out_free_my_dev_name:
3242	kfree(objp: intf->my_dev_name);
3243	intf->my_dev_name = NULL;
3244
3245	out_unlink1:
3246	sysfs_remove_link(kobj: &intf->si_dev->kobj, name: "bmc");
3247
3248	out_put_bmc:
3249	mutex_lock(&bmc->dyn_mutex);
3250	list_del(entry: &intf->bmc_link);
3251	mutex_unlock(lock: &bmc->dyn_mutex);
3252	intf->bmc = &intf->tmp_bmc;
3253	kref_put(kref: &bmc->usecount, release: cleanup_bmc_device);
3254	goto out;
3255
3256	out_list_del:
3257	mutex_lock(&bmc->dyn_mutex);
3258	list_del(entry: &intf->bmc_link);
3259	mutex_unlock(lock: &bmc->dyn_mutex);
3260	intf->bmc = &intf->tmp_bmc;
3261	put_device(dev: &bmc->pdev.dev);
3262	goto out;
3263	}
3264
3265	static int
3266	send_guid_cmd(struct ipmi_smi *intf, int chan)
3267	{
3268	struct kernel_ipmi_msg msg;
3269	struct ipmi_system_interface_addr si;
3270
3271	si.addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
3272	si.channel = IPMI_BMC_CHANNEL;
3273	si.lun = 0;
3274
3275	msg.netfn = IPMI_NETFN_APP_REQUEST;
3276	msg.cmd = IPMI_GET_DEVICE_GUID_CMD;
3277	msg.data = NULL;
3278	msg.data_len = 0;
3279	return i_ipmi_request(NULL,
3280	intf,
3281	addr: (struct ipmi_addr *) &si,
3282	msgid: 0,
3283	msg: &msg,
3284	user_msg_data: intf,
3285	NULL,
3286	NULL,
3287	priority: 0,
3288	source_address: intf->addrinfo[0].address,
3289	source_lun: intf->addrinfo[0].lun,
3290	retries: -1, retry_time_ms: 0);
3291	}
3292
3293	static void guid_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
3294	{
3295	struct bmc_device *bmc = intf->bmc;
3296
3297	if ((msg->addr.addr_type != IPMI_SYSTEM_INTERFACE_ADDR_TYPE)
3298	|| (msg->msg.netfn != IPMI_NETFN_APP_RESPONSE)
3299	|| (msg->msg.cmd != IPMI_GET_DEVICE_GUID_CMD))
3300	/* Not for me */
3301	return;
3302
3303	if (msg->msg.data[0] != 0) {
3304	/* Error from getting the GUID, the BMC doesn't have one. */
3305	bmc->dyn_guid_set = 0;
3306	goto out;
3307	}
3308
3309	if (msg->msg.data_len < UUID_SIZE + 1) {
3310	bmc->dyn_guid_set = 0;
3311	dev_warn(intf->si_dev,
3312	"The GUID response from the BMC was too short, it was %d but should have been %d. Assuming GUID is not available.\n",
3313	msg->msg.data_len, UUID_SIZE + 1);
3314	goto out;
3315	}
3316
3317	import_guid(dst: &bmc->fetch_guid, src: msg->msg.data + 1);
3318	/*
3319	* Make sure the guid data is available before setting
3320	* dyn_guid_set.
3321	*/
3322	smp_wmb();
3323	bmc->dyn_guid_set = 1;
3324	out:
3325	wake_up(&intf->waitq);
3326	}
3327
3328	static void __get_guid(struct ipmi_smi *intf)
3329	{
3330	int rv;
3331	struct bmc_device *bmc = intf->bmc;
3332
3333	bmc->dyn_guid_set = 2;
3334	intf->null_user_handler = guid_handler;
3335	rv = send_guid_cmd(intf, chan: 0);
3336	if (rv)
3337	/* Send failed, no GUID available. */
3338	bmc->dyn_guid_set = 0;
3339	else
3340	wait_event(intf->waitq, bmc->dyn_guid_set != 2);
3341
3342	/* dyn_guid_set makes the guid data available. */
3343	smp_rmb();
3344
3345	intf->null_user_handler = NULL;
3346	}
3347
3348	static int
3349	send_channel_info_cmd(struct ipmi_smi *intf, int chan)
3350	{
3351	struct kernel_ipmi_msg msg;
3352	unsigned char data[1];
3353	struct ipmi_system_interface_addr si;
3354
3355	si.addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
3356	si.channel = IPMI_BMC_CHANNEL;
3357	si.lun = 0;
3358
3359	msg.netfn = IPMI_NETFN_APP_REQUEST;
3360	msg.cmd = IPMI_GET_CHANNEL_INFO_CMD;
3361	msg.data = data;
3362	msg.data_len = 1;
3363	data[0] = chan;
3364	return i_ipmi_request(NULL,
3365	intf,
3366	addr: (struct ipmi_addr *) &si,
3367	msgid: 0,
3368	msg: &msg,
3369	user_msg_data: intf,
3370	NULL,
3371	NULL,
3372	priority: 0,
3373	source_address: intf->addrinfo[0].address,
3374	source_lun: intf->addrinfo[0].lun,
3375	retries: -1, retry_time_ms: 0);
3376	}
3377
3378	static void
3379	channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
3380	{
3381	int rv = 0;
3382	int ch;
3383	unsigned int set = intf->curr_working_cset;
3384	struct ipmi_channel *chans;
3385
3386	if ((msg->addr.addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE)
3387	&& (msg->msg.netfn == IPMI_NETFN_APP_RESPONSE)
3388	&& (msg->msg.cmd == IPMI_GET_CHANNEL_INFO_CMD)) {
3389	/* It's the one we want */
3390	if (msg->msg.data[0] != 0) {
3391	/* Got an error from the channel, just go on. */
3392	if (msg->msg.data[0] == IPMI_INVALID_COMMAND_ERR) {
3393	/*
3394	* If the MC does not support this
3395	* command, that is legal. We just
3396	* assume it has one IPMB at channel
3397	* zero.
3398	*/
3399	intf->wchannels[set].c[0].medium
3400	= IPMI_CHANNEL_MEDIUM_IPMB;
3401	intf->wchannels[set].c[0].protocol
3402	= IPMI_CHANNEL_PROTOCOL_IPMB;
3403
3404	intf->channel_list = intf->wchannels + set;
3405	intf->channels_ready = true;
3406	wake_up(&intf->waitq);
3407	goto out;
3408	}
3409	goto next_channel;
3410	}
3411	if (msg->msg.data_len < 4) {
3412	/* Message not big enough, just go on. */
3413	goto next_channel;
3414	}
3415	ch = intf->curr_channel;
3416	chans = intf->wchannels[set].c;
3417	chans[ch].medium = msg->msg.data[2] & 0x7f;
3418	chans[ch].protocol = msg->msg.data[3] & 0x1f;
3419
3420	next_channel:
3421	intf->curr_channel++;
3422	if (intf->curr_channel >= IPMI_MAX_CHANNELS) {
3423	intf->channel_list = intf->wchannels + set;
3424	intf->channels_ready = true;
3425	wake_up(&intf->waitq);
3426	} else {
3427	intf->channel_list = intf->wchannels + set;
3428	intf->channels_ready = true;
3429	rv = send_channel_info_cmd(intf, chan: intf->curr_channel);
3430	}
3431
3432	if (rv) {
3433	/* Got an error somehow, just give up. */
3434	dev_warn(intf->si_dev,
3435	"Error sending channel information for channel %d: %d\n",
3436	intf->curr_channel, rv);
3437
3438	intf->channel_list = intf->wchannels + set;
3439	intf->channels_ready = true;
3440	wake_up(&intf->waitq);
3441	}
3442	}
3443	out:
3444	return;
3445	}
3446
3447	/*
3448	* Must be holding intf->bmc_reg_mutex to call this.
3449	*/
3450	static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id)
3451	{
3452	int rv;
3453
3454	if (ipmi_version_major(id) > 1
3455	|| (ipmi_version_major(id) == 1
3456	&& ipmi_version_minor(id) >= 5)) {
3457	unsigned int set;
3458
3459	/*
3460	* Start scanning the channels to see what is
3461	* available.
3462	*/
3463	set = !intf->curr_working_cset;
3464	intf->curr_working_cset = set;
3465	memset(&intf->wchannels[set], 0,
3466	sizeof(struct ipmi_channel_set));
3467
3468	intf->null_user_handler = channel_handler;
3469	intf->curr_channel = 0;
3470	rv = send_channel_info_cmd(intf, chan: 0);
3471	if (rv) {
3472	dev_warn(intf->si_dev,
3473	"Error sending channel information for channel 0, %d\n",
3474	rv);
3475	intf->null_user_handler = NULL;
3476	return -EIO;
3477	}
3478
3479	/* Wait for the channel info to be read. */
3480	wait_event(intf->waitq, intf->channels_ready);
3481	intf->null_user_handler = NULL;
3482	} else {
3483	unsigned int set = intf->curr_working_cset;
3484
3485	/* Assume a single IPMB channel at zero. */
3486	intf->wchannels[set].c[0].medium = IPMI_CHANNEL_MEDIUM_IPMB;
3487	intf->wchannels[set].c[0].protocol = IPMI_CHANNEL_PROTOCOL_IPMB;
3488	intf->channel_list = intf->wchannels + set;
3489	intf->channels_ready = true;
3490	}
3491
3492	return 0;
3493	}
3494
3495	static void ipmi_poll(struct ipmi_smi *intf)
3496	{
3497	if (intf->handlers->poll)
3498	intf->handlers->poll(intf->send_info);
3499	/* In case something came in */
3500	handle_new_recv_msgs(intf);
3501	}
3502
3503	void ipmi_poll_interface(struct ipmi_user *user)
3504	{
3505	ipmi_poll(intf: user->intf);
3506	}
3507	EXPORT_SYMBOL(ipmi_poll_interface);
3508
3509	static ssize_t nr_users_show(struct device *dev,
3510	struct device_attribute *attr,
3511	char *buf)
3512	{
3513	struct ipmi_smi *intf = container_of(attr,
3514	struct ipmi_smi, nr_users_devattr);
3515
3516	return sysfs_emit(buf, fmt: "%d\n", atomic_read(v: &intf->nr_users));
3517	}
3518	static DEVICE_ATTR_RO(nr_users);
3519
3520	static ssize_t nr_msgs_show(struct device *dev,
3521	struct device_attribute *attr,
3522	char *buf)
3523	{
3524	struct ipmi_smi *intf = container_of(attr,
3525	struct ipmi_smi, nr_msgs_devattr);
3526	struct ipmi_user *user;
3527	int index;
3528	unsigned int count = 0;
3529
3530	index = srcu_read_lock(ssp: &intf->users_srcu);
3531	list_for_each_entry_rcu(user, &intf->users, link)
3532	count += atomic_read(v: &user->nr_msgs);
3533	srcu_read_unlock(ssp: &intf->users_srcu, idx: index);
3534
3535	return sysfs_emit(buf, fmt: "%u\n", count);
3536	}
3537	static DEVICE_ATTR_RO(nr_msgs);
3538
3539	static void redo_bmc_reg(struct work_struct *work)
3540	{
3541	struct ipmi_smi *intf = container_of(work, struct ipmi_smi,
3542	bmc_reg_work);
3543
3544	if (!intf->in_shutdown)
3545	bmc_get_device_id(intf, NULL, NULL, NULL, NULL);
3546
3547	kref_put(kref: &intf->refcount, release: intf_free);
3548	}
3549
3550	int ipmi_add_smi(struct module *owner,
3551	const struct ipmi_smi_handlers *handlers,
3552	void *send_info,
3553	struct device *si_dev,
3554	unsigned char slave_addr)
3555	{
3556	int i, j;
3557	int rv;
3558	struct ipmi_smi *intf, *tintf;
3559	struct list_head *link;
3560	struct ipmi_device_id id;
3561
3562	/*
3563	* Make sure the driver is actually initialized, this handles
3564	* problems with initialization order.
3565	*/
3566	rv = ipmi_init_msghandler();
3567	if (rv)
3568	return rv;
3569
3570	intf = kzalloc(size: sizeof(*intf), GFP_KERNEL);
3571	if (!intf)
3572	return -ENOMEM;
3573
3574	rv = init_srcu_struct(&intf->users_srcu);
3575	if (rv) {
3576	kfree(objp: intf);
3577	return rv;
3578	}
3579
3580	intf->owner = owner;
3581	intf->bmc = &intf->tmp_bmc;
3582	INIT_LIST_HEAD(list: &intf->bmc->intfs);
3583	mutex_init(&intf->bmc->dyn_mutex);
3584	INIT_LIST_HEAD(list: &intf->bmc_link);
3585	mutex_init(&intf->bmc_reg_mutex);
3586	intf->intf_num = -1; /* Mark it invalid for now. */
3587	kref_init(kref: &intf->refcount);
3588	INIT_WORK(&intf->bmc_reg_work, redo_bmc_reg);
3589	intf->si_dev = si_dev;
3590	for (j = 0; j < IPMI_MAX_CHANNELS; j++) {
3591	intf->addrinfo[j].address = IPMI_BMC_SLAVE_ADDR;
3592	intf->addrinfo[j].lun = 2;
3593	}
3594	if (slave_addr != 0)
3595	intf->addrinfo[0].address = slave_addr;
3596	INIT_LIST_HEAD(list: &intf->users);
3597	atomic_set(v: &intf->nr_users, i: 0);
3598	intf->handlers = handlers;
3599	intf->send_info = send_info;
3600	spin_lock_init(&intf->seq_lock);
3601	for (j = 0; j < IPMI_IPMB_NUM_SEQ; j++) {
3602	intf->seq_table[j].inuse = 0;
3603	intf->seq_table[j].seqid = 0;
3604	}
3605	intf->curr_seq = 0;
3606	spin_lock_init(&intf->waiting_rcv_msgs_lock);
3607	INIT_LIST_HEAD(list: &intf->waiting_rcv_msgs);
3608	tasklet_setup(t: &intf->recv_tasklet,
3609	callback: smi_recv_tasklet);
3610	atomic_set(v: &intf->watchdog_pretimeouts_to_deliver, i: 0);
3611	spin_lock_init(&intf->xmit_msgs_lock);
3612	INIT_LIST_HEAD(list: &intf->xmit_msgs);
3613	INIT_LIST_HEAD(list: &intf->hp_xmit_msgs);
3614	spin_lock_init(&intf->events_lock);
3615	spin_lock_init(&intf->watch_lock);
3616	atomic_set(v: &intf->event_waiters, i: 0);
3617	intf->ticks_to_req_ev = IPMI_REQUEST_EV_TIME;
3618	INIT_LIST_HEAD(list: &intf->waiting_events);
3619	intf->waiting_events_count = 0;
3620	mutex_init(&intf->cmd_rcvrs_mutex);
3621	spin_lock_init(&intf->maintenance_mode_lock);
3622	INIT_LIST_HEAD(list: &intf->cmd_rcvrs);
3623	init_waitqueue_head(&intf->waitq);
3624	for (i = 0; i < IPMI_NUM_STATS; i++)
3625	atomic_set(v: &intf->stats[i], i: 0);
3626
3627	mutex_lock(&ipmi_interfaces_mutex);
3628	/* Look for a hole in the numbers. */
3629	i = 0;
3630	link = &ipmi_interfaces;
3631	list_for_each_entry_rcu(tintf, &ipmi_interfaces, link,
3632	ipmi_interfaces_mutex_held()) {
3633	if (tintf->intf_num != i) {
3634	link = &tintf->link;
3635	break;
3636	}
3637	i++;
3638	}
3639	/* Add the new interface in numeric order. */
3640	if (i == 0)
3641	list_add_rcu(new: &intf->link, head: &ipmi_interfaces);
3642	else
3643	list_add_tail_rcu(new: &intf->link, head: link);
3644
3645	rv = handlers->start_processing(send_info, intf);
3646	if (rv)
3647	goto out_err;
3648
3649	rv = __bmc_get_device_id(intf, NULL, id: &id, NULL, NULL, intf_num: i);
3650	if (rv) {
3651	dev_err(si_dev, "Unable to get the device id: %d\n", rv);
3652	goto out_err_started;
3653	}
3654
3655	mutex_lock(&intf->bmc_reg_mutex);
3656	rv = __scan_channels(intf, id: &id);
3657	mutex_unlock(lock: &intf->bmc_reg_mutex);
3658	if (rv)
3659	goto out_err_bmc_reg;
3660
3661	intf->nr_users_devattr = dev_attr_nr_users;
3662	sysfs_attr_init(&intf->nr_users_devattr.attr);
3663	rv = device_create_file(device: intf->si_dev, entry: &intf->nr_users_devattr);
3664	if (rv)
3665	goto out_err_bmc_reg;
3666
3667	intf->nr_msgs_devattr = dev_attr_nr_msgs;
3668	sysfs_attr_init(&intf->nr_msgs_devattr.attr);
3669	rv = device_create_file(device: intf->si_dev, entry: &intf->nr_msgs_devattr);
3670	if (rv) {
3671	device_remove_file(dev: intf->si_dev, attr: &intf->nr_users_devattr);
3672	goto out_err_bmc_reg;
3673	}
3674
3675	/*
3676	* Keep memory order straight for RCU readers. Make
3677	* sure everything else is committed to memory before
3678	* setting intf_num to mark the interface valid.
3679	*/
3680	smp_wmb();
3681	intf->intf_num = i;
3682	mutex_unlock(lock: &ipmi_interfaces_mutex);
3683
3684	/* After this point the interface is legal to use. */
3685	call_smi_watchers(i, dev: intf->si_dev);
3686
3687	return 0;
3688
3689	out_err_bmc_reg:
3690	ipmi_bmc_unregister(intf);
3691	out_err_started:
3692	if (intf->handlers->shutdown)
3693	intf->handlers->shutdown(intf->send_info);
3694	out_err:
3695	list_del_rcu(entry: &intf->link);
3696	mutex_unlock(lock: &ipmi_interfaces_mutex);
3697	synchronize_srcu(ssp: &ipmi_interfaces_srcu);
3698	cleanup_srcu_struct(ssp: &intf->users_srcu);
3699	kref_put(kref: &intf->refcount, release: intf_free);
3700
3701	return rv;
3702	}
3703	EXPORT_SYMBOL(ipmi_add_smi);
3704
3705	static void deliver_smi_err_response(struct ipmi_smi *intf,
3706	struct ipmi_smi_msg *msg,
3707	unsigned char err)
3708	{
3709	int rv;
3710	msg->rsp[0] = msg->data[0] | 4;
3711	msg->rsp[1] = msg->data[1];
3712	msg->rsp[2] = err;
3713	msg->rsp_size = 3;
3714
3715	/* This will never requeue, but it may ask us to free the message. */
3716	rv = handle_one_recv_msg(intf, msg);
3717	if (rv == 0)
3718	ipmi_free_smi_msg(msg);
3719	}
3720
3721	static void cleanup_smi_msgs(struct ipmi_smi *intf)
3722	{
3723	int i;
3724	struct seq_table *ent;
3725	struct ipmi_smi_msg *msg;
3726	struct list_head *entry;
3727	struct list_head tmplist;
3728
3729	/* Clear out our transmit queues and hold the messages. */
3730	INIT_LIST_HEAD(list: &tmplist);
3731	list_splice_tail(list: &intf->hp_xmit_msgs, head: &tmplist);
3732	list_splice_tail(list: &intf->xmit_msgs, head: &tmplist);
3733
3734	/* Current message first, to preserve order */
3735	while (intf->curr_msg && !list_empty(head: &intf->waiting_rcv_msgs)) {
3736	/* Wait for the message to clear out. */
3737	schedule_timeout(timeout: 1);
3738	}
3739
3740	/* No need for locks, the interface is down. */
3741
3742	/*
3743	* Return errors for all pending messages in queue and in the
3744	* tables waiting for remote responses.
3745	*/
3746	while (!list_empty(head: &tmplist)) {
3747	entry = tmplist.next;
3748	list_del(entry);
3749	msg = list_entry(entry, struct ipmi_smi_msg, link);
3750	deliver_smi_err_response(intf, msg, IPMI_ERR_UNSPECIFIED);
3751	}
3752
3753	for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) {
3754	ent = &intf->seq_table[i];
3755	if (!ent->inuse)
3756	continue;
3757	deliver_err_response(intf, msg: ent->recv_msg, IPMI_ERR_UNSPECIFIED);
3758	}
3759	}
3760
3761	void ipmi_unregister_smi(struct ipmi_smi *intf)
3762	{
3763	struct ipmi_smi_watcher *w;
3764	int intf_num, index;
3765
3766	if (!intf)
3767	return;
3768	intf_num = intf->intf_num;
3769	mutex_lock(&ipmi_interfaces_mutex);
3770	intf->intf_num = -1;
3771	intf->in_shutdown = true;
3772	list_del_rcu(entry: &intf->link);
3773	mutex_unlock(lock: &ipmi_interfaces_mutex);
3774	synchronize_srcu(ssp: &ipmi_interfaces_srcu);
3775
3776	/* At this point no users can be added to the interface. */
3777
3778	device_remove_file(dev: intf->si_dev, attr: &intf->nr_msgs_devattr);
3779	device_remove_file(dev: intf->si_dev, attr: &intf->nr_users_devattr);
3780
3781	/*
3782	* Call all the watcher interfaces to tell them that
3783	* an interface is going away.
3784	*/
3785	mutex_lock(&smi_watchers_mutex);
3786	list_for_each_entry(w, &smi_watchers, link)
3787	w->smi_gone(intf_num);
3788	mutex_unlock(lock: &smi_watchers_mutex);
3789
3790	index = srcu_read_lock(ssp: &intf->users_srcu);
3791	while (!list_empty(head: &intf->users)) {
3792	struct ipmi_user *user =
3793	container_of(list_next_rcu(&intf->users),
3794	struct ipmi_user, link);
3795
3796	_ipmi_destroy_user(user);
3797	}
3798	srcu_read_unlock(ssp: &intf->users_srcu, idx: index);
3799
3800	if (intf->handlers->shutdown)
3801	intf->handlers->shutdown(intf->send_info);
3802
3803	cleanup_smi_msgs(intf);
3804
3805	ipmi_bmc_unregister(intf);
3806
3807	cleanup_srcu_struct(ssp: &intf->users_srcu);
3808	kref_put(kref: &intf->refcount, release: intf_free);
3809	}
3810	EXPORT_SYMBOL(ipmi_unregister_smi);
3811
3812	static int handle_ipmb_get_msg_rsp(struct ipmi_smi *intf,
3813	struct ipmi_smi_msg *msg)
3814	{
3815	struct ipmi_ipmb_addr ipmb_addr;
3816	struct ipmi_recv_msg *recv_msg;
3817
3818	/*
3819	* This is 11, not 10, because the response must contain a
3820	* completion code.
3821	*/
3822	if (msg->rsp_size < 11) {
3823	/* Message not big enough, just ignore it. */
3824	ipmi_inc_stat(intf, invalid_ipmb_responses);
3825	return 0;
3826	}
3827
3828	if (msg->rsp[2] != 0) {
3829	/* An error getting the response, just ignore it. */
3830	return 0;
3831	}
3832
3833	ipmb_addr.addr_type = IPMI_IPMB_ADDR_TYPE;
3834	ipmb_addr.slave_addr = msg->rsp[6];
3835	ipmb_addr.channel = msg->rsp[3] & 0x0f;
3836	ipmb_addr.lun = msg->rsp[7] & 3;
3837
3838	/*
3839	* It's a response from a remote entity. Look up the sequence
3840	* number and handle the response.
3841	*/
3842	if (intf_find_seq(intf,
3843	seq: msg->rsp[7] >> 2,
3844	channel: msg->rsp[3] & 0x0f,
3845	cmd: msg->rsp[8],
3846	netfn: (msg->rsp[4] >> 2) & (~1),
3847	addr: (struct ipmi_addr *) &ipmb_addr,
3848	recv_msg: &recv_msg)) {
3849	/*
3850	* We were unable to find the sequence number,
3851	* so just nuke the message.
3852	*/
3853	ipmi_inc_stat(intf, unhandled_ipmb_responses);
3854	return 0;
3855	}
3856
3857	memcpy(recv_msg->msg_data, &msg->rsp[9], msg->rsp_size - 9);
3858	/*
3859	* The other fields matched, so no need to set them, except
3860	* for netfn, which needs to be the response that was
3861	* returned, not the request value.
3862	*/
3863	recv_msg->msg.netfn = msg->rsp[4] >> 2;
3864	recv_msg->msg.data = recv_msg->msg_data;
3865	recv_msg->msg.data_len = msg->rsp_size - 10;
3866	recv_msg->recv_type = IPMI_RESPONSE_RECV_TYPE;
3867	if (deliver_response(intf, msg: recv_msg))
3868	ipmi_inc_stat(intf, unhandled_ipmb_responses);
3869	else
3870	ipmi_inc_stat(intf, handled_ipmb_responses);
3871
3872	return 0;
3873	}
3874
3875	static int handle_ipmb_get_msg_cmd(struct ipmi_smi *intf,
3876	struct ipmi_smi_msg *msg)
3877	{
3878	struct cmd_rcvr *rcvr;
3879	int rv = 0;
3880	unsigned char netfn;
3881	unsigned char cmd;
3882	unsigned char chan;
3883	struct ipmi_user *user = NULL;
3884	struct ipmi_ipmb_addr *ipmb_addr;
3885	struct ipmi_recv_msg *recv_msg;
3886
3887	if (msg->rsp_size < 10) {
3888	/* Message not big enough, just ignore it. */
3889	ipmi_inc_stat(intf, invalid_commands);
3890	return 0;
3891	}
3892
3893	if (msg->rsp[2] != 0) {
3894	/* An error getting the response, just ignore it. */
3895	return 0;
3896	}
3897
3898	netfn = msg->rsp[4] >> 2;
3899	cmd = msg->rsp[8];
3900	chan = msg->rsp[3] & 0xf;
3901
3902	rcu_read_lock();
3903	rcvr = find_cmd_rcvr(intf, netfn, cmd, chan);
3904	if (rcvr) {
3905	user = rcvr->user;
3906	kref_get(kref: &user->refcount);
3907	} else
3908	user = NULL;
3909	rcu_read_unlock();
3910
3911	if (user == NULL) {
3912	/* We didn't find a user, deliver an error response. */
3913	ipmi_inc_stat(intf, unhandled_commands);
3914
3915	msg->data[0] = (IPMI_NETFN_APP_REQUEST << 2);
3916	msg->data[1] = IPMI_SEND_MSG_CMD;
3917	msg->data[2] = msg->rsp[3];
3918	msg->data[3] = msg->rsp[6];
3919	msg->data[4] = ((netfn + 1) << 2) | (msg->rsp[7] & 0x3);
3920	msg->data[5] = ipmb_checksum(&msg->data[3], 2);
3921	msg->data[6] = intf->addrinfo[msg->rsp[3] & 0xf].address;
3922	/* rqseq/lun */
3923	msg->data[7] = (msg->rsp[7] & 0xfc) | (msg->rsp[4] & 0x3);
3924	msg->data[8] = msg->rsp[8]; /* cmd */
3925	msg->data[9] = IPMI_INVALID_CMD_COMPLETION_CODE;
3926	msg->data[10] = ipmb_checksum(&msg->data[6], 4);
3927	msg->data_size = 11;
3928
3929	dev_dbg(intf->si_dev, "Invalid command: %*ph\n",
3930	msg->data_size, msg->data);
3931
3932	rcu_read_lock();
3933	if (!intf->in_shutdown) {
3934	smi_send(intf, handlers: intf->handlers, smi_msg: msg, priority: 0);
3935	/*
3936	* We used the message, so return the value
3937	* that causes it to not be freed or
3938	* queued.
3939	*/
3940	rv = -1;
3941	}
3942	rcu_read_unlock();
3943	} else {
3944	recv_msg = ipmi_alloc_recv_msg();
3945	if (!recv_msg) {
3946	/*
3947	* We couldn't allocate memory for the
3948	* message, so requeue it for handling
3949	* later.
3950	*/
3951	rv = 1;
3952	kref_put(kref: &user->refcount, release: free_user);
3953	} else {
3954	/* Extract the source address from the data. */
3955	ipmb_addr = (struct ipmi_ipmb_addr *) &recv_msg->addr;
3956	ipmb_addr->addr_type = IPMI_IPMB_ADDR_TYPE;
3957	ipmb_addr->slave_addr = msg->rsp[6];
3958	ipmb_addr->lun = msg->rsp[7] & 3;
3959	ipmb_addr->channel = msg->rsp[3] & 0xf;
3960
3961	/*
3962	* Extract the rest of the message information
3963	* from the IPMB header.
3964	*/
3965	recv_msg->user = user;
3966	recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
3967	recv_msg->msgid = msg->rsp[7] >> 2;
3968	recv_msg->msg.netfn = msg->rsp[4] >> 2;
3969	recv_msg->msg.cmd = msg->rsp[8];
3970	recv_msg->msg.data = recv_msg->msg_data;
3971
3972	/*
3973	* We chop off 10, not 9 bytes because the checksum
3974	* at the end also needs to be removed.
3975	*/
3976	recv_msg->msg.data_len = msg->rsp_size - 10;
3977	memcpy(recv_msg->msg_data, &msg->rsp[9],
3978	msg->rsp_size - 10);
3979	if (deliver_response(intf, msg: recv_msg))
3980	ipmi_inc_stat(intf, unhandled_commands);
3981	else
3982	ipmi_inc_stat(intf, handled_commands);
3983	}
3984	}
3985
3986	return rv;
3987	}
3988
3989	static int handle_ipmb_direct_rcv_cmd(struct ipmi_smi *intf,
3990	struct ipmi_smi_msg *msg)
3991	{
3992	struct cmd_rcvr *rcvr;
3993	int rv = 0;
3994	struct ipmi_user *user = NULL;
3995	struct ipmi_ipmb_direct_addr *daddr;
3996	struct ipmi_recv_msg *recv_msg;
3997	unsigned char netfn = msg->rsp[0] >> 2;
3998	unsigned char cmd = msg->rsp[3];
3999
4000	rcu_read_lock();
4001	/* We always use channel 0 for direct messages. */
4002	rcvr = find_cmd_rcvr(intf, netfn, cmd, chan: 0);
4003	if (rcvr) {
4004	user = rcvr->user;
4005	kref_get(kref: &user->refcount);
4006	} else
4007	user = NULL;
4008	rcu_read_unlock();
4009
4010	if (user == NULL) {
4011	/* We didn't find a user, deliver an error response. */
4012	ipmi_inc_stat(intf, unhandled_commands);
4013
4014	msg->data[0] = (netfn + 1) << 2;
4015	msg->data[0] |= msg->rsp[2] & 0x3; /* rqLUN */
4016	msg->data[1] = msg->rsp[1]; /* Addr */
4017	msg->data[2] = msg->rsp[2] & ~0x3; /* rqSeq */
4018	msg->data[2] |= msg->rsp[0] & 0x3; /* rsLUN */
4019	msg->data[3] = cmd;
4020	msg->data[4] = IPMI_INVALID_CMD_COMPLETION_CODE;
4021	msg->data_size = 5;
4022
4023	rcu_read_lock();
4024	if (!intf->in_shutdown) {
4025	smi_send(intf, handlers: intf->handlers, smi_msg: msg, priority: 0);
4026	/*
4027	* We used the message, so return the value
4028	* that causes it to not be freed or
4029	* queued.
4030	*/
4031	rv = -1;
4032	}
4033	rcu_read_unlock();
4034	} else {
4035	recv_msg = ipmi_alloc_recv_msg();
4036	if (!recv_msg) {
4037	/*
4038	* We couldn't allocate memory for the
4039	* message, so requeue it for handling
4040	* later.
4041	*/
4042	rv = 1;
4043	kref_put(kref: &user->refcount, release: free_user);
4044	} else {
4045	/* Extract the source address from the data. */
4046	daddr = (struct ipmi_ipmb_direct_addr *)&recv_msg->addr;
4047	daddr->addr_type = IPMI_IPMB_DIRECT_ADDR_TYPE;
4048	daddr->channel = 0;
4049	daddr->slave_addr = msg->rsp[1];
4050	daddr->rs_lun = msg->rsp[0] & 3;
4051	daddr->rq_lun = msg->rsp[2] & 3;
4052
4053	/*
4054	* Extract the rest of the message information
4055	* from the IPMB header.
4056	*/
4057	recv_msg->user = user;
4058	recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
4059	recv_msg->msgid = (msg->rsp[2] >> 2);
4060	recv_msg->msg.netfn = msg->rsp[0] >> 2;
4061	recv_msg->msg.cmd = msg->rsp[3];
4062	recv_msg->msg.data = recv_msg->msg_data;
4063
4064	recv_msg->msg.data_len = msg->rsp_size - 4;
4065	memcpy(recv_msg->msg_data, msg->rsp + 4,
4066	msg->rsp_size - 4);
4067	if (deliver_response(intf, msg: recv_msg))
4068	ipmi_inc_stat(intf, unhandled_commands);
4069	else
4070	ipmi_inc_stat(intf, handled_commands);
4071	}
4072	}
4073
4074	return rv;
4075	}
4076
4077	static int handle_ipmb_direct_rcv_rsp(struct ipmi_smi *intf,
4078	struct ipmi_smi_msg *msg)
4079	{
4080	struct ipmi_recv_msg *recv_msg;
4081	struct ipmi_ipmb_direct_addr *daddr;
4082
4083	recv_msg = msg->user_data;
4084	if (recv_msg == NULL) {
4085	dev_warn(intf->si_dev,
4086	"IPMI direct message received with no owner. This could be because of a malformed message, or because of a hardware error. Contact your hardware vendor for assistance.\n");
4087	return 0;
4088	}
4089
4090	recv_msg->recv_type = IPMI_RESPONSE_RECV_TYPE;
4091	recv_msg->msgid = msg->msgid;
4092	daddr = (struct ipmi_ipmb_direct_addr *) &recv_msg->addr;
4093	daddr->addr_type = IPMI_IPMB_DIRECT_ADDR_TYPE;
4094	daddr->channel = 0;
4095	daddr->slave_addr = msg->rsp[1];
4096	daddr->rq_lun = msg->rsp[0] & 3;
4097	daddr->rs_lun = msg->rsp[2] & 3;
4098	recv_msg->msg.netfn = msg->rsp[0] >> 2;
4099	recv_msg->msg.cmd = msg->rsp[3];
4100	memcpy(recv_msg->msg_data, &msg->rsp[4], msg->rsp_size - 4);
4101	recv_msg->msg.data = recv_msg->msg_data;
4102	recv_msg->msg.data_len = msg->rsp_size - 4;
4103	deliver_local_response(intf, msg: recv_msg);
4104
4105	return 0;
4106	}
4107
4108	static int handle_lan_get_msg_rsp(struct ipmi_smi *intf,
4109	struct ipmi_smi_msg *msg)
4110	{
4111	struct ipmi_lan_addr lan_addr;
4112	struct ipmi_recv_msg *recv_msg;
4113
4114
4115	/*
4116	* This is 13, not 12, because the response must contain a
4117	* completion code.
4118	*/
4119	if (msg->rsp_size < 13) {
4120	/* Message not big enough, just ignore it. */
4121	ipmi_inc_stat(intf, invalid_lan_responses);
4122	return 0;
4123	}
4124
4125	if (msg->rsp[2] != 0) {
4126	/* An error getting the response, just ignore it. */
4127	return 0;
4128	}
4129
4130	lan_addr.addr_type = IPMI_LAN_ADDR_TYPE;
4131	lan_addr.session_handle = msg->rsp[4];
4132	lan_addr.remote_SWID = msg->rsp[8];
4133	lan_addr.local_SWID = msg->rsp[5];
4134	lan_addr.channel = msg->rsp[3] & 0x0f;
4135	lan_addr.privilege = msg->rsp[3] >> 4;
4136	lan_addr.lun = msg->rsp[9] & 3;
4137
4138	/*
4139	* It's a response from a remote entity. Look up the sequence
4140	* number and handle the response.
4141	*/
4142	if (intf_find_seq(intf,
4143	seq: msg->rsp[9] >> 2,
4144	channel: msg->rsp[3] & 0x0f,
4145	cmd: msg->rsp[10],
4146	netfn: (msg->rsp[6] >> 2) & (~1),
4147	addr: (struct ipmi_addr *) &lan_addr,
4148	recv_msg: &recv_msg)) {
4149	/*
4150	* We were unable to find the sequence number,
4151	* so just nuke the message.
4152	*/
4153	ipmi_inc_stat(intf, unhandled_lan_responses);
4154	return 0;
4155	}
4156
4157	memcpy(recv_msg->msg_data, &msg->rsp[11], msg->rsp_size - 11);
4158	/*
4159	* The other fields matched, so no need to set them, except
4160	* for netfn, which needs to be the response that was
4161	* returned, not the request value.
4162	*/
4163	recv_msg->msg.netfn = msg->rsp[6] >> 2;
4164	recv_msg->msg.data = recv_msg->msg_data;
4165	recv_msg->msg.data_len = msg->rsp_size - 12;
4166	recv_msg->recv_type = IPMI_RESPONSE_RECV_TYPE;
4167	if (deliver_response(intf, msg: recv_msg))
4168	ipmi_inc_stat(intf, unhandled_lan_responses);
4169	else
4170	ipmi_inc_stat(intf, handled_lan_responses);
4171
4172	return 0;
4173	}
4174
4175	static int handle_lan_get_msg_cmd(struct ipmi_smi *intf,
4176	struct ipmi_smi_msg *msg)
4177	{
4178	struct cmd_rcvr *rcvr;
4179	int rv = 0;
4180	unsigned char netfn;
4181	unsigned char cmd;
4182	unsigned char chan;
4183	struct ipmi_user *user = NULL;
4184	struct ipmi_lan_addr *lan_addr;
4185	struct ipmi_recv_msg *recv_msg;
4186
4187	if (msg->rsp_size < 12) {
4188	/* Message not big enough, just ignore it. */
4189	ipmi_inc_stat(intf, invalid_commands);
4190	return 0;
4191	}
4192
4193	if (msg->rsp[2] != 0) {
4194	/* An error getting the response, just ignore it. */
4195	return 0;
4196	}
4197
4198	netfn = msg->rsp[6] >> 2;
4199	cmd = msg->rsp[10];
4200	chan = msg->rsp[3] & 0xf;
4201
4202	rcu_read_lock();
4203	rcvr = find_cmd_rcvr(intf, netfn, cmd, chan);
4204	if (rcvr) {
4205	user = rcvr->user;
4206	kref_get(kref: &user->refcount);
4207	} else
4208	user = NULL;
4209	rcu_read_unlock();
4210
4211	if (user == NULL) {
4212	/* We didn't find a user, just give up. */
4213	ipmi_inc_stat(intf, unhandled_commands);
4214
4215	/*
4216	* Don't do anything with these messages, just allow
4217	* them to be freed.
4218	*/
4219	rv = 0;
4220	} else {
4221	recv_msg = ipmi_alloc_recv_msg();
4222	if (!recv_msg) {
4223	/*
4224	* We couldn't allocate memory for the
4225	* message, so requeue it for handling later.
4226	*/
4227	rv = 1;
4228	kref_put(kref: &user->refcount, release: free_user);
4229	} else {
4230	/* Extract the source address from the data. */
4231	lan_addr = (struct ipmi_lan_addr *) &recv_msg->addr;
4232	lan_addr->addr_type = IPMI_LAN_ADDR_TYPE;
4233	lan_addr->session_handle = msg->rsp[4];
4234	lan_addr->remote_SWID = msg->rsp[8];
4235	lan_addr->local_SWID = msg->rsp[5];
4236	lan_addr->lun = msg->rsp[9] & 3;
4237	lan_addr->channel = msg->rsp[3] & 0xf;
4238	lan_addr->privilege = msg->rsp[3] >> 4;
4239
4240	/*
4241	* Extract the rest of the message information
4242	* from the IPMB header.
4243	*/
4244	recv_msg->user = user;
4245	recv_msg->recv_type = IPMI_CMD_RECV_TYPE;
4246	recv_msg->msgid = msg->rsp[9] >> 2;
4247	recv_msg->msg.netfn = msg->rsp[6] >> 2;
4248	recv_msg->msg.cmd = msg->rsp[10];
4249	recv_msg->msg.data = recv_msg->msg_data;
4250
4251	/*
4252	* We chop off 12, not 11 bytes because the checksum
4253	* at the end also needs to be removed.
4254	*/
4255	recv_msg->msg.data_len = msg->rsp_size - 12;
4256	memcpy(recv_msg->msg_data, &msg->rsp[11],
4257	msg->rsp_size - 12);
4258	if (deliver_response(intf, msg: recv_msg))
4259	ipmi_inc_stat(intf, unhandled_commands);
4260	else
4261	ipmi_inc_stat(intf, handled_commands);
4262	}
4263	}
4264
4265	return rv;
4266	}
4267
4268	/*
4269	* This routine will handle "Get Message" command responses with
4270	* channels that use an OEM Medium. The message format belongs to
4271	* the OEM. See IPMI 2.0 specification, Chapter 6 and
4272	* Chapter 22, sections 22.6 and 22.24 for more details.
4273	*/
4274	static int handle_oem_get_msg_cmd(struct ipmi_smi *intf,
4275	struct ipmi_smi_msg *msg)
4276	{
4277	struct cmd_rcvr *rcvr;
4278	int rv = 0;
4279	unsigned char netfn;
4280	unsigned char cmd;
4281	unsigned char chan;
4282	struct ipmi_user *user = NULL;
4283	struct ipmi_system_interface_addr *smi_addr;
4284	struct ipmi_recv_msg *recv_msg;
4285
4286	/*
4287	* We expect the OEM SW to perform error checking
4288	* so we just do some basic sanity checks
4289	*/
4290	if (msg->rsp_size < 4) {
4291	/* Message not big enough, just ignore it. */
4292	ipmi_inc_stat(intf, invalid_commands);
4293	return 0;
4294	}
4295
4296	if (msg->rsp[2] != 0) {
4297	/* An error getting the response, just ignore it. */
4298	return 0;
4299	}
4300
4301	/*
4302	* This is an OEM Message so the OEM needs to know how
4303	* handle the message. We do no interpretation.
4304	*/
4305	netfn = msg->rsp[0] >> 2;
4306	cmd = msg->rsp[1];
4307	chan = msg->rsp[3] & 0xf;
4308
4309	rcu_read_lock();
4310	rcvr = find_cmd_rcvr(intf, netfn, cmd, chan);
4311	if (rcvr) {
4312	user = rcvr->user;
4313	kref_get(kref: &user->refcount);
4314	} else
4315	user = NULL;
4316	rcu_read_unlock();
4317
4318	if (user == NULL) {
4319	/* We didn't find a user, just give up. */
4320	ipmi_inc_stat(intf, unhandled_commands);
4321
4322	/*
4323	* Don't do anything with these messages, just allow
4324	* them to be freed.
4325	*/
4326
4327	rv = 0;
4328	} else {
4329	recv_msg = ipmi_alloc_recv_msg();
4330	if (!recv_msg) {
4331	/*
4332	* We couldn't allocate memory for the
4333	* message, so requeue it for handling
4334	* later.
4335	*/
4336	rv = 1;
4337	kref_put(kref: &user->refcount, release: free_user);
4338	} else {
4339	/*
4340	* OEM Messages are expected to be delivered via
4341	* the system interface to SMS software. We might
4342	* need to visit this again depending on OEM
4343	* requirements
4344	*/
4345	smi_addr = ((struct ipmi_system_interface_addr *)
4346	&recv_msg->addr);
4347	smi_addr->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
4348	smi_addr->channel = IPMI_BMC_CHANNEL;
4349	smi_addr->lun = msg->rsp[0] & 3;
4350
4351	recv_msg->user = user;
4352	recv_msg->user_msg_data = NULL;
4353	recv_msg->recv_type = IPMI_OEM_RECV_TYPE;
4354	recv_msg->msg.netfn = msg->rsp[0] >> 2;
4355	recv_msg->msg.cmd = msg->rsp[1];
4356	recv_msg->msg.data = recv_msg->msg_data;
4357
4358	/*
4359	* The message starts at byte 4 which follows the
4360	* Channel Byte in the "GET MESSAGE" command
4361	*/
4362	recv_msg->msg.data_len = msg->rsp_size - 4;
4363	memcpy(recv_msg->msg_data, &msg->rsp[4],
4364	msg->rsp_size - 4);
4365	if (deliver_response(intf, msg: recv_msg))
4366	ipmi_inc_stat(intf, unhandled_commands);
4367	else
4368	ipmi_inc_stat(intf, handled_commands);
4369	}
4370	}
4371
4372	return rv;
4373	}
4374
4375	static void copy_event_into_recv_msg(struct ipmi_recv_msg *recv_msg,
4376	struct ipmi_smi_msg *msg)
4377	{
4378	struct ipmi_system_interface_addr *smi_addr;
4379
4380	recv_msg->msgid = 0;
4381	smi_addr = (struct ipmi_system_interface_addr *) &recv_msg->addr;
4382	smi_addr->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
4383	smi_addr->channel = IPMI_BMC_CHANNEL;
4384	smi_addr->lun = msg->rsp[0] & 3;
4385	recv_msg->recv_type = IPMI_ASYNC_EVENT_RECV_TYPE;
4386	recv_msg->msg.netfn = msg->rsp[0] >> 2;
4387	recv_msg->msg.cmd = msg->rsp[1];
4388	memcpy(recv_msg->msg_data, &msg->rsp[3], msg->rsp_size - 3);
4389	recv_msg->msg.data = recv_msg->msg_data;
4390	recv_msg->msg.data_len = msg->rsp_size - 3;
4391	}
4392
4393	static int handle_read_event_rsp(struct ipmi_smi *intf,
4394	struct ipmi_smi_msg *msg)
4395	{
4396	struct ipmi_recv_msg *recv_msg, *recv_msg2;
4397	struct list_head msgs;
4398	struct ipmi_user *user;
4399	int rv = 0, deliver_count = 0, index;
4400	unsigned long flags;
4401
4402	if (msg->rsp_size < 19) {
4403	/* Message is too small to be an IPMB event. */
4404	ipmi_inc_stat(intf, invalid_events);
4405	return 0;
4406	}
4407
4408	if (msg->rsp[2] != 0) {
4409	/* An error getting the event, just ignore it. */
4410	return 0;
4411	}
4412
4413	INIT_LIST_HEAD(list: &msgs);
4414
4415	spin_lock_irqsave(&intf->events_lock, flags);
4416
4417	ipmi_inc_stat(intf, events);
4418
4419	/*
4420	* Allocate and fill in one message for every user that is
4421	* getting events.
4422	*/
4423	index = srcu_read_lock(ssp: &intf->users_srcu);
4424	list_for_each_entry_rcu(user, &intf->users, link) {
4425	if (!user->gets_events)
4426	continue;
4427
4428	recv_msg = ipmi_alloc_recv_msg();
4429	if (!recv_msg) {
4430	rcu_read_unlock();
4431	list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
4432	link) {
4433	list_del(entry: &recv_msg->link);
4434	ipmi_free_recv_msg(msg: recv_msg);
4435	}
4436	/*
4437	* We couldn't allocate memory for the
4438	* message, so requeue it for handling
4439	* later.
4440	*/
4441	rv = 1;
4442	goto out;
4443	}
4444
4445	deliver_count++;
4446
4447	copy_event_into_recv_msg(recv_msg, msg);
4448	recv_msg->user = user;
4449	kref_get(kref: &user->refcount);
4450	list_add_tail(new: &recv_msg->link, head: &msgs);
4451	}
4452	srcu_read_unlock(ssp: &intf->users_srcu, idx: index);
4453
4454	if (deliver_count) {
4455	/* Now deliver all the messages. */
4456	list_for_each_entry_safe(recv_msg, recv_msg2, &msgs, link) {
4457	list_del(entry: &recv_msg->link);
4458	deliver_local_response(intf, msg: recv_msg);
4459	}
4460	} else if (intf->waiting_events_count < MAX_EVENTS_IN_QUEUE) {
4461	/*
4462	* No one to receive the message, put it in queue if there's
4463	* not already too many things in the queue.
4464	*/
4465	recv_msg = ipmi_alloc_recv_msg();
4466	if (!recv_msg) {
4467	/*
4468	* We couldn't allocate memory for the
4469	* message, so requeue it for handling
4470	* later.
4471	*/
4472	rv = 1;
4473	goto out;
4474	}
4475
4476	copy_event_into_recv_msg(recv_msg, msg);
4477	list_add_tail(new: &recv_msg->link, head: &intf->waiting_events);
4478	intf->waiting_events_count++;
4479	} else if (!intf->event_msg_printed) {
4480	/*
4481	* There's too many things in the queue, discard this
4482	* message.
4483	*/
4484	dev_warn(intf->si_dev,
4485	"Event queue full, discarding incoming events\n");
4486	intf->event_msg_printed = 1;
4487	}
4488
4489	out:
4490	spin_unlock_irqrestore(lock: &intf->events_lock, flags);
4491
4492	return rv;
4493	}
4494
4495	static int handle_bmc_rsp(struct ipmi_smi *intf,
4496	struct ipmi_smi_msg *msg)
4497	{
4498	struct ipmi_recv_msg *recv_msg;
4499	struct ipmi_system_interface_addr *smi_addr;
4500
4501	recv_msg = msg->user_data;
4502	if (recv_msg == NULL) {
4503	dev_warn(intf->si_dev,
4504	"IPMI SMI message received with no owner. This could be because of a malformed message, or because of a hardware error. Contact your hardware vendor for assistance.\n");
4505	return 0;
4506	}
4507
4508	recv_msg->recv_type = IPMI_RESPONSE_RECV_TYPE;
4509	recv_msg->msgid = msg->msgid;
4510	smi_addr = ((struct ipmi_system_interface_addr *)
4511	&recv_msg->addr);
4512	smi_addr->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
4513	smi_addr->channel = IPMI_BMC_CHANNEL;
4514	smi_addr->lun = msg->rsp[0] & 3;
4515	recv_msg->msg.netfn = msg->rsp[0] >> 2;
4516	recv_msg->msg.cmd = msg->rsp[1];
4517	memcpy(recv_msg->msg_data, &msg->rsp[2], msg->rsp_size - 2);
4518	recv_msg->msg.data = recv_msg->msg_data;
4519	recv_msg->msg.data_len = msg->rsp_size - 2;
4520	deliver_local_response(intf, msg: recv_msg);
4521
4522	return 0;
4523	}
4524
4525	/*
4526	* Handle a received message. Return 1 if the message should be requeued,
4527	* 0 if the message should be freed, or -1 if the message should not
4528	* be freed or requeued.
4529	*/
4530	static int handle_one_recv_msg(struct ipmi_smi *intf,
4531	struct ipmi_smi_msg *msg)
4532	{
4533	int requeue = 0;
4534	int chan;
4535	unsigned char cc;
4536	bool is_cmd = !((msg->rsp[0] >> 2) & 1);
4537
4538	dev_dbg(intf->si_dev, "Recv: %*ph\n", msg->rsp_size, msg->rsp);
4539
4540	if (msg->rsp_size < 2) {
4541	/* Message is too small to be correct. */
4542	dev_warn(intf->si_dev,
4543	"BMC returned too small a message for netfn %x cmd %x, got %d bytes\n",
4544	(msg->data[0] >> 2) | 1, msg->data[1], msg->rsp_size);
4545
4546	return_unspecified:
4547	/* Generate an error response for the message. */
4548	msg->rsp[0] = msg->data[0] | (1 << 2);
4549	msg->rsp[1] = msg->data[1];
4550	msg->rsp[2] = IPMI_ERR_UNSPECIFIED;
4551	msg->rsp_size = 3;
4552	} else if (msg->type == IPMI_SMI_MSG_TYPE_IPMB_DIRECT) {
4553	/* commands must have at least 4 bytes, responses 5. */
4554	if (is_cmd && (msg->rsp_size < 4)) {
4555	ipmi_inc_stat(intf, invalid_commands);
4556	goto out;
4557	}
4558	if (!is_cmd && (msg->rsp_size < 5)) {
4559	ipmi_inc_stat(intf, invalid_ipmb_responses);
4560	/* Construct a valid error response. */
4561	msg->rsp[0] = msg->data[0] & 0xfc; /* NetFN */
4562	msg->rsp[0] |= (1 << 2); /* Make it a response */
4563	msg->rsp[0] |= msg->data[2] & 3; /* rqLUN */
4564	msg->rsp[1] = msg->data[1]; /* Addr */
4565	msg->rsp[2] = msg->data[2] & 0xfc; /* rqSeq */
4566	msg->rsp[2] |= msg->data[0] & 0x3; /* rsLUN */
4567	msg->rsp[3] = msg->data[3]; /* Cmd */
4568	msg->rsp[4] = IPMI_ERR_UNSPECIFIED;
4569	msg->rsp_size = 5;
4570	}
4571	} else if ((msg->data_size >= 2)
4572	&& (msg->data[0] == (IPMI_NETFN_APP_REQUEST << 2))
4573	&& (msg->data[1] == IPMI_SEND_MSG_CMD)
4574	&& (msg->user_data == NULL)) {
4575
4576	if (intf->in_shutdown)
4577	goto out;
4578
4579	/*
4580	* This is the local response to a command send, start
4581	* the timer for these. The user_data will not be
4582	* NULL if this is a response send, and we will let
4583	* response sends just go through.
4584	*/
4585
4586	/*
4587	* Check for errors, if we get certain errors (ones
4588	* that mean basically we can try again later), we
4589	* ignore them and start the timer. Otherwise we
4590	* report the error immediately.
4591	*/
4592	if ((msg->rsp_size >= 3) && (msg->rsp[2] != 0)
4593	&& (msg->rsp[2] != IPMI_NODE_BUSY_ERR)
4594	&& (msg->rsp[2] != IPMI_LOST_ARBITRATION_ERR)
4595	&& (msg->rsp[2] != IPMI_BUS_ERR)
4596	&& (msg->rsp[2] != IPMI_NAK_ON_WRITE_ERR)) {
4597	int ch = msg->rsp[3] & 0xf;
4598	struct ipmi_channel *chans;
4599
4600	/* Got an error sending the message, handle it. */
4601
4602	chans = READ_ONCE(intf->channel_list)->c;
4603	if ((chans[ch].medium == IPMI_CHANNEL_MEDIUM_8023LAN)
4604	|| (chans[ch].medium == IPMI_CHANNEL_MEDIUM_ASYNC))
4605	ipmi_inc_stat(intf, sent_lan_command_errs);
4606	else
4607	ipmi_inc_stat(intf, sent_ipmb_command_errs);
4608	intf_err_seq(intf, msgid: msg->msgid, err: msg->rsp[2]);
4609	} else
4610	/* The message was sent, start the timer. */
4611	intf_start_seq_timer(intf, msgid: msg->msgid);
4612	requeue = 0;
4613	goto out;
4614	} else if (((msg->rsp[0] >> 2) != ((msg->data[0] >> 2) | 1))
4615	|| (msg->rsp[1] != msg->data[1])) {
4616	/*
4617	* The NetFN and Command in the response is not even
4618	* marginally correct.
4619	*/
4620	dev_warn(intf->si_dev,
4621	"BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
4622	(msg->data[0] >> 2) | 1, msg->data[1],
4623	msg->rsp[0] >> 2, msg->rsp[1]);
4624
4625	goto return_unspecified;
4626	}
4627
4628	if (msg->type == IPMI_SMI_MSG_TYPE_IPMB_DIRECT) {
4629	if ((msg->data[0] >> 2) & 1) {
4630	/* It's a response to a sent response. */
4631	chan = 0;
4632	cc = msg->rsp[4];
4633	goto process_response_response;
4634	}
4635	if (is_cmd)
4636	requeue = handle_ipmb_direct_rcv_cmd(intf, msg);
4637	else
4638	requeue = handle_ipmb_direct_rcv_rsp(intf, msg);
4639	} else if ((msg->rsp[0] == ((IPMI_NETFN_APP_REQUEST|1) << 2))
4640	&& (msg->rsp[1] == IPMI_SEND_MSG_CMD)
4641	&& (msg->user_data != NULL)) {
4642	/*
4643	* It's a response to a response we sent. For this we
4644	* deliver a send message response to the user.
4645	*/
4646	struct ipmi_recv_msg *recv_msg;
4647
4648	chan = msg->data[2] & 0x0f;
4649	if (chan >= IPMI_MAX_CHANNELS)
4650	/* Invalid channel number */
4651	goto out;
4652	cc = msg->rsp[2];
4653
4654	process_response_response:
4655	recv_msg = msg->user_data;
4656
4657	requeue = 0;
4658	if (!recv_msg)
4659	goto out;
4660
4661	recv_msg->recv_type = IPMI_RESPONSE_RESPONSE_TYPE;
4662	recv_msg->msg.data = recv_msg->msg_data;
4663	recv_msg->msg_data[0] = cc;
4664	recv_msg->msg.data_len = 1;
4665	deliver_local_response(intf, msg: recv_msg);
4666	} else if ((msg->rsp[0] == ((IPMI_NETFN_APP_REQUEST|1) << 2))
4667	&& (msg->rsp[1] == IPMI_GET_MSG_CMD)) {
4668	struct ipmi_channel *chans;
4669
4670	/* It's from the receive queue. */
4671	chan = msg->rsp[3] & 0xf;
4672	if (chan >= IPMI_MAX_CHANNELS) {
4673	/* Invalid channel number */
4674	requeue = 0;
4675	goto out;
4676	}
4677
4678	/*
4679	* We need to make sure the channels have been initialized.
4680	* The channel_handler routine will set the "curr_channel"
4681	* equal to or greater than IPMI_MAX_CHANNELS when all the
4682	* channels for this interface have been initialized.
4683	*/
4684	if (!intf->channels_ready) {
4685	requeue = 0; /* Throw the message away */
4686	goto out;
4687	}
4688
4689	chans = READ_ONCE(intf->channel_list)->c;
4690
4691	switch (chans[chan].medium) {
4692	case IPMI_CHANNEL_MEDIUM_IPMB:
4693	if (msg->rsp[4] & 0x04) {
4694	/*
4695	* It's a response, so find the
4696	* requesting message and send it up.
4697	*/
4698	requeue = handle_ipmb_get_msg_rsp(intf, msg);
4699	} else {
4700	/*
4701	* It's a command to the SMS from some other
4702	* entity. Handle that.
4703	*/
4704	requeue = handle_ipmb_get_msg_cmd(intf, msg);
4705	}
4706	break;
4707
4708	case IPMI_CHANNEL_MEDIUM_8023LAN:
4709	case IPMI_CHANNEL_MEDIUM_ASYNC:
4710	if (msg->rsp[6] & 0x04) {
4711	/*
4712	* It's a response, so find the
4713	* requesting message and send it up.
4714	*/
4715	requeue = handle_lan_get_msg_rsp(intf, msg);
4716	} else {
4717	/*
4718	* It's a command to the SMS from some other
4719	* entity. Handle that.
4720	*/
4721	requeue = handle_lan_get_msg_cmd(intf, msg);
4722	}
4723	break;
4724
4725	default:
4726	/* Check for OEM Channels. Clients had better
4727	register for these commands. */
4728	if ((chans[chan].medium >= IPMI_CHANNEL_MEDIUM_OEM_MIN)
4729	&& (chans[chan].medium
4730	<= IPMI_CHANNEL_MEDIUM_OEM_MAX)) {
4731	requeue = handle_oem_get_msg_cmd(intf, msg);
4732	} else {
4733	/*
4734	* We don't handle the channel type, so just
4735	* free the message.
4736	*/
4737	requeue = 0;
4738	}
4739	}
4740
4741	} else if ((msg->rsp[0] == ((IPMI_NETFN_APP_REQUEST|1) << 2))
4742	&& (msg->rsp[1] == IPMI_READ_EVENT_MSG_BUFFER_CMD)) {
4743	/* It's an asynchronous event. */
4744	requeue = handle_read_event_rsp(intf, msg);
4745	} else {
4746	/* It's a response from the local BMC. */
4747	requeue = handle_bmc_rsp(intf, msg);
4748	}
4749
4750	out:
4751	return requeue;
4752	}
4753
4754	/*
4755	* If there are messages in the queue or pretimeouts, handle them.
4756	*/
4757	static void handle_new_recv_msgs(struct ipmi_smi *intf)
4758	{
4759	struct ipmi_smi_msg *smi_msg;
4760	unsigned long flags = 0;
4761	int rv;
4762	int run_to_completion = intf->run_to_completion;
4763
4764	/* See if any waiting messages need to be processed. */
4765	if (!run_to_completion)
4766	spin_lock_irqsave(&intf->waiting_rcv_msgs_lock, flags);
4767	while (!list_empty(head: &intf->waiting_rcv_msgs)) {
4768	smi_msg = list_entry(intf->waiting_rcv_msgs.next,
4769	struct ipmi_smi_msg, link);
4770	list_del(entry: &smi_msg->link);
4771	if (!run_to_completion)
4772	spin_unlock_irqrestore(lock: &intf->waiting_rcv_msgs_lock,
4773	flags);
4774	rv = handle_one_recv_msg(intf, msg: smi_msg);
4775	if (!run_to_completion)
4776	spin_lock_irqsave(&intf->waiting_rcv_msgs_lock, flags);
4777	if (rv > 0) {
4778	/*
4779	* To preserve message order, quit if we
4780	* can't handle a message. Add the message
4781	* back at the head, this is safe because this
4782	* tasklet is the only thing that pulls the
4783	* messages.
4784	*/
4785	list_add(new: &smi_msg->link, head: &intf->waiting_rcv_msgs);
4786	break;
4787	} else {
4788	if (rv == 0)
4789	/* Message handled */
4790	ipmi_free_smi_msg(msg: smi_msg);
4791	/* If rv < 0, fatal error, del but don't free. */
4792	}
4793	}
4794	if (!run_to_completion)
4795	spin_unlock_irqrestore(lock: &intf->waiting_rcv_msgs_lock, flags);
4796
4797	/*
4798	* If the pretimout count is non-zero, decrement one from it and
4799	* deliver pretimeouts to all the users.
4800	*/
4801	if (atomic_add_unless(v: &intf->watchdog_pretimeouts_to_deliver, a: -1, u: 0)) {
4802	struct ipmi_user *user;
4803	int index;
4804
4805	index = srcu_read_lock(ssp: &intf->users_srcu);
4806	list_for_each_entry_rcu(user, &intf->users, link) {
4807	if (user->handler->ipmi_watchdog_pretimeout)
4808	user->handler->ipmi_watchdog_pretimeout(
4809	user->handler_data);
4810	}
4811	srcu_read_unlock(ssp: &intf->users_srcu, idx: index);
4812	}
4813	}
4814
4815	static void smi_recv_tasklet(struct tasklet_struct *t)
4816	{
4817	unsigned long flags = 0; /* keep us warning-free. */
4818	struct ipmi_smi *intf = from_tasklet(intf, t, recv_tasklet);
4819	int run_to_completion = intf->run_to_completion;
4820	struct ipmi_smi_msg *newmsg = NULL;
4821
4822	/*
4823	* Start the next message if available.
4824	*
4825	* Do this here, not in the actual receiver, because we may deadlock
4826	* because the lower layer is allowed to hold locks while calling
4827	* message delivery.
4828	*/
4829
4830	rcu_read_lock();
4831
4832	if (!run_to_completion)
4833	spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
4834	if (intf->curr_msg == NULL && !intf->in_shutdown) {
4835	struct list_head *entry = NULL;
4836
4837	/* Pick the high priority queue first. */
4838	if (!list_empty(head: &intf->hp_xmit_msgs))
4839	entry = intf->hp_xmit_msgs.next;
4840	else if (!list_empty(head: &intf->xmit_msgs))
4841	entry = intf->xmit_msgs.next;
4842
4843	if (entry) {
4844	list_del(entry);
4845	newmsg = list_entry(entry, struct ipmi_smi_msg, link);
4846	intf->curr_msg = newmsg;
4847	}
4848	}
4849
4850	if (!run_to_completion)
4851	spin_unlock_irqrestore(lock: &intf->xmit_msgs_lock, flags);
4852	if (newmsg)
4853	intf->handlers->sender(intf->send_info, newmsg);
4854
4855	rcu_read_unlock();
4856
4857	handle_new_recv_msgs(intf);
4858	}
4859
4860	/* Handle a new message from the lower layer. */
4861	void ipmi_smi_msg_received(struct ipmi_smi *intf,
4862	struct ipmi_smi_msg *msg)
4863	{
4864	unsigned long flags = 0; /* keep us warning-free. */
4865	int run_to_completion = intf->run_to_completion;
4866
4867	/*
4868	* To preserve message order, we keep a queue and deliver from
4869	* a tasklet.
4870	*/
4871	if (!run_to_completion)
4872	spin_lock_irqsave(&intf->waiting_rcv_msgs_lock, flags);
4873	list_add_tail(new: &msg->link, head: &intf->waiting_rcv_msgs);
4874	if (!run_to_completion)
4875	spin_unlock_irqrestore(lock: &intf->waiting_rcv_msgs_lock,
4876	flags);
4877
4878	if (!run_to_completion)
4879	spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
4880	/*
4881	* We can get an asynchronous event or receive message in addition
4882	* to commands we send.
4883	*/
4884	if (msg == intf->curr_msg)
4885	intf->curr_msg = NULL;
4886	if (!run_to_completion)
4887	spin_unlock_irqrestore(lock: &intf->xmit_msgs_lock, flags);
4888
4889	if (run_to_completion)
4890	smi_recv_tasklet(t: &intf->recv_tasklet);
4891	else
4892	tasklet_schedule(t: &intf->recv_tasklet);
4893	}
4894	EXPORT_SYMBOL(ipmi_smi_msg_received);
4895
4896	void ipmi_smi_watchdog_pretimeout(struct ipmi_smi *intf)
4897	{
4898	if (intf->in_shutdown)
4899	return;
4900
4901	atomic_set(v: &intf->watchdog_pretimeouts_to_deliver, i: 1);
4902	tasklet_schedule(t: &intf->recv_tasklet);
4903	}
4904	EXPORT_SYMBOL(ipmi_smi_watchdog_pretimeout);
4905
4906	static struct ipmi_smi_msg *
4907	smi_from_recv_msg(struct ipmi_smi *intf, struct ipmi_recv_msg *recv_msg,
4908	unsigned char seq, long seqid)
4909	{
4910	struct ipmi_smi_msg *smi_msg = ipmi_alloc_smi_msg();
4911	if (!smi_msg)
4912	/*
4913	* If we can't allocate the message, then just return, we
4914	* get 4 retries, so this should be ok.
4915	*/
4916	return NULL;
4917
4918	memcpy(smi_msg->data, recv_msg->msg.data, recv_msg->msg.data_len);
4919	smi_msg->data_size = recv_msg->msg.data_len;
4920	smi_msg->msgid = STORE_SEQ_IN_MSGID(seq, seqid);
4921
4922	dev_dbg(intf->si_dev, "Resend: %*ph\n",
4923	smi_msg->data_size, smi_msg->data);
4924
4925	return smi_msg;
4926	}
4927
4928	static void check_msg_timeout(struct ipmi_smi *intf, struct seq_table *ent,
4929	struct list_head *timeouts,
4930	unsigned long timeout_period,
4931	int slot, unsigned long *flags,
4932	bool *need_timer)
4933	{
4934	struct ipmi_recv_msg *msg;
4935
4936	if (intf->in_shutdown)
4937	return;
4938
4939	if (!ent->inuse)
4940	return;
4941
4942	if (timeout_period < ent->timeout) {
4943	ent->timeout -= timeout_period;
4944	*need_timer = true;
4945	return;
4946	}
4947
4948	if (ent->retries_left == 0) {
4949	/* The message has used all its retries. */
4950	ent->inuse = 0;
4951	smi_remove_watch(intf, IPMI_WATCH_MASK_CHECK_MESSAGES);
4952	msg = ent->recv_msg;
4953	list_add_tail(new: &msg->link, head: timeouts);
4954	if (ent->broadcast)
4955	ipmi_inc_stat(intf, timed_out_ipmb_broadcasts);
4956	else if (is_lan_addr(addr: &ent->recv_msg->addr))
4957	ipmi_inc_stat(intf, timed_out_lan_commands);
4958	else
4959	ipmi_inc_stat(intf, timed_out_ipmb_commands);
4960	} else {
4961	struct ipmi_smi_msg *smi_msg;
4962	/* More retries, send again. */
4963
4964	*need_timer = true;
4965
4966	/*
4967	* Start with the max timer, set to normal timer after
4968	* the message is sent.
4969	*/
4970	ent->timeout = MAX_MSG_TIMEOUT;
4971	ent->retries_left--;
4972	smi_msg = smi_from_recv_msg(intf, recv_msg: ent->recv_msg, seq: slot,
4973	seqid: ent->seqid);
4974	if (!smi_msg) {
4975	if (is_lan_addr(addr: &ent->recv_msg->addr))
4976	ipmi_inc_stat(intf,
4977	dropped_rexmit_lan_commands);
4978	else
4979	ipmi_inc_stat(intf,
4980	dropped_rexmit_ipmb_commands);
4981	return;
4982	}
4983
4984	spin_unlock_irqrestore(lock: &intf->seq_lock, flags: *flags);
4985
4986	/*
4987	* Send the new message. We send with a zero
4988	* priority. It timed out, I doubt time is that
4989	* critical now, and high priority messages are really
4990	* only for messages to the local MC, which don't get
4991	* resent.
4992	*/
4993	if (intf->handlers) {
4994	if (is_lan_addr(addr: &ent->recv_msg->addr))
4995	ipmi_inc_stat(intf,
4996	retransmitted_lan_commands);
4997	else
4998	ipmi_inc_stat(intf,
4999	retransmitted_ipmb_commands);
5000
5001	smi_send(intf, handlers: intf->handlers, smi_msg, priority: 0);
5002	} else
5003	ipmi_free_smi_msg(msg: smi_msg);
5004
5005	spin_lock_irqsave(&intf->seq_lock, *flags);
5006	}
5007	}
5008
5009	static bool ipmi_timeout_handler(struct ipmi_smi *intf,
5010	unsigned long timeout_period)
5011	{
5012	struct list_head timeouts;
5013	struct ipmi_recv_msg *msg, *msg2;
5014	unsigned long flags;
5015	int i;
5016	bool need_timer = false;
5017
5018	if (!intf->bmc_registered) {
5019	kref_get(kref: &intf->refcount);
5020	if (!schedule_work(work: &intf->bmc_reg_work)) {
5021	kref_put(kref: &intf->refcount, release: intf_free);
5022	need_timer = true;
5023	}
5024	}
5025
5026	/*
5027	* Go through the seq table and find any messages that
5028	* have timed out, putting them in the timeouts
5029	* list.
5030	*/
5031	INIT_LIST_HEAD(list: &timeouts);
5032	spin_lock_irqsave(&intf->seq_lock, flags);
5033	if (intf->ipmb_maintenance_mode_timeout) {
5034	if (intf->ipmb_maintenance_mode_timeout <= timeout_period)
5035	intf->ipmb_maintenance_mode_timeout = 0;
5036	else
5037	intf->ipmb_maintenance_mode_timeout -= timeout_period;
5038	}
5039	for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++)
5040	check_msg_timeout(intf, ent: &intf->seq_table[i],
5041	timeouts: &timeouts, timeout_period, slot: i,
5042	flags: &flags, need_timer: &need_timer);
5043	spin_unlock_irqrestore(lock: &intf->seq_lock, flags);
5044
5045	list_for_each_entry_safe(msg, msg2, &timeouts, link)
5046	deliver_err_response(intf, msg, IPMI_TIMEOUT_COMPLETION_CODE);
5047
5048	/*
5049	* Maintenance mode handling. Check the timeout
5050	* optimistically before we claim the lock. It may
5051	* mean a timeout gets missed occasionally, but that
5052	* only means the timeout gets extended by one period
5053	* in that case. No big deal, and it avoids the lock
5054	* most of the time.
5055	*/
5056	if (intf->auto_maintenance_timeout > 0) {
5057	spin_lock_irqsave(&intf->maintenance_mode_lock, flags);
5058	if (intf->auto_maintenance_timeout > 0) {
5059	intf->auto_maintenance_timeout
5060	-= timeout_period;
5061	if (!intf->maintenance_mode
5062	&& (intf->auto_maintenance_timeout <= 0)) {
5063	intf->maintenance_mode_enable = false;
5064	maintenance_mode_update(intf);
5065	}
5066	}
5067	spin_unlock_irqrestore(lock: &intf->maintenance_mode_lock,
5068	flags);
5069	}
5070
5071	tasklet_schedule(t: &intf->recv_tasklet);
5072
5073	return need_timer;
5074	}
5075
5076	static void ipmi_request_event(struct ipmi_smi *intf)
5077	{
5078	/* No event requests when in maintenance mode. */
5079	if (intf->maintenance_mode_enable)
5080	return;
5081
5082	if (!intf->in_shutdown)
5083	intf->handlers->request_events(intf->send_info);
5084	}
5085
5086	static struct timer_list ipmi_timer;
5087
5088	static atomic_t stop_operation;
5089
5090	static void ipmi_timeout(struct timer_list *unused)
5091	{
5092	struct ipmi_smi *intf;
5093	bool need_timer = false;
5094	int index;
5095
5096	if (atomic_read(v: &stop_operation))
5097	return;
5098
5099	index = srcu_read_lock(ssp: &ipmi_interfaces_srcu);
5100	list_for_each_entry_rcu(intf, &ipmi_interfaces, link) {
5101	if (atomic_read(v: &intf->event_waiters)) {
5102	intf->ticks_to_req_ev--;
5103	if (intf->ticks_to_req_ev == 0) {
5104	ipmi_request_event(intf);
5105	intf->ticks_to_req_ev = IPMI_REQUEST_EV_TIME;
5106	}
5107	need_timer = true;
5108	}
5109
5110	need_timer |= ipmi_timeout_handler(intf, IPMI_TIMEOUT_TIME);
5111	}
5112	srcu_read_unlock(ssp: &ipmi_interfaces_srcu, idx: index);
5113
5114	if (need_timer)
5115	mod_timer(timer: &ipmi_timer, expires: jiffies + IPMI_TIMEOUT_JIFFIES);
5116	}
5117
5118	static void need_waiter(struct ipmi_smi *intf)
5119	{
5120	/* Racy, but worst case we start the timer twice. */
5121	if (!timer_pending(timer: &ipmi_timer))
5122	mod_timer(timer: &ipmi_timer, expires: jiffies + IPMI_TIMEOUT_JIFFIES);
5123	}
5124
5125	static atomic_t smi_msg_inuse_count = ATOMIC_INIT(0);
5126	static atomic_t recv_msg_inuse_count = ATOMIC_INIT(0);
5127
5128	static void free_smi_msg(struct ipmi_smi_msg *msg)
5129	{
5130	atomic_dec(v: &smi_msg_inuse_count);
5131	/* Try to keep as much stuff out of the panic path as possible. */
5132	if (!oops_in_progress)
5133	kfree(objp: msg);
5134	}
5135
5136	struct ipmi_smi_msg *ipmi_alloc_smi_msg(void)
5137	{
5138	struct ipmi_smi_msg *rv;
5139	rv = kmalloc(size: sizeof(struct ipmi_smi_msg), GFP_ATOMIC);
5140	if (rv) {
5141	rv->done = free_smi_msg;
5142	rv->user_data = NULL;
5143	rv->type = IPMI_SMI_MSG_TYPE_NORMAL;
5144	atomic_inc(v: &smi_msg_inuse_count);
5145	}
5146	return rv;
5147	}
5148	EXPORT_SYMBOL(ipmi_alloc_smi_msg);
5149
5150	static void free_recv_msg(struct ipmi_recv_msg *msg)
5151	{
5152	atomic_dec(v: &recv_msg_inuse_count);
5153	/* Try to keep as much stuff out of the panic path as possible. */
5154	if (!oops_in_progress)
5155	kfree(objp: msg);
5156	}
5157
5158	static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void)
5159	{
5160	struct ipmi_recv_msg *rv;
5161
5162	rv = kmalloc(size: sizeof(struct ipmi_recv_msg), GFP_ATOMIC);
5163	if (rv) {
5164	rv->user = NULL;
5165	rv->done = free_recv_msg;
5166	atomic_inc(v: &recv_msg_inuse_count);
5167	}
5168	return rv;
5169	}
5170
5171	void ipmi_free_recv_msg(struct ipmi_recv_msg *msg)
5172	{
5173	if (msg->user && !oops_in_progress)
5174	kref_put(kref: &msg->user->refcount, release: free_user);
5175	msg->done(msg);
5176	}
5177	EXPORT_SYMBOL(ipmi_free_recv_msg);
5178
5179	static atomic_t panic_done_count = ATOMIC_INIT(0);
5180
5181	static void dummy_smi_done_handler(struct ipmi_smi_msg *msg)
5182	{
5183	atomic_dec(v: &panic_done_count);
5184	}
5185
5186	static void dummy_recv_done_handler(struct ipmi_recv_msg *msg)
5187	{
5188	atomic_dec(v: &panic_done_count);
5189	}
5190
5191	/*
5192	* Inside a panic, send a message and wait for a response.
5193	*/
5194	static void ipmi_panic_request_and_wait(struct ipmi_smi *intf,
5195	struct ipmi_addr *addr,
5196	struct kernel_ipmi_msg *msg)
5197	{
5198	struct ipmi_smi_msg smi_msg;
5199	struct ipmi_recv_msg recv_msg;
5200	int rv;
5201
5202	smi_msg.done = dummy_smi_done_handler;
5203	recv_msg.done = dummy_recv_done_handler;
5204	atomic_add(i: 2, v: &panic_done_count);
5205	rv = i_ipmi_request(NULL,
5206	intf,
5207	addr,
5208	msgid: 0,
5209	msg,
5210	user_msg_data: intf,
5211	supplied_smi: &smi_msg,
5212	supplied_recv: &recv_msg,
5213	priority: 0,
5214	source_address: intf->addrinfo[0].address,
5215	source_lun: intf->addrinfo[0].lun,
5216	retries: 0, retry_time_ms: 1); /* Don't retry, and don't wait. */
5217	if (rv)
5218	atomic_sub(i: 2, v: &panic_done_count);
5219	else if (intf->handlers->flush_messages)
5220	intf->handlers->flush_messages(intf->send_info);
5221
5222	while (atomic_read(v: &panic_done_count) != 0)
5223	ipmi_poll(intf);
5224	}
5225
5226	static void event_receiver_fetcher(struct ipmi_smi *intf,
5227	struct ipmi_recv_msg *msg)
5228	{
5229	if ((msg->addr.addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE)
5230	&& (msg->msg.netfn == IPMI_NETFN_SENSOR_EVENT_RESPONSE)
5231	&& (msg->msg.cmd == IPMI_GET_EVENT_RECEIVER_CMD)
5232	&& (msg->msg.data[0] == IPMI_CC_NO_ERROR)) {
5233	/* A get event receiver command, save it. */
5234	intf->event_receiver = msg->msg.data[1];
5235	intf->event_receiver_lun = msg->msg.data[2] & 0x3;
5236	}
5237	}
5238
5239	static void device_id_fetcher(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
5240	{
5241	if ((msg->addr.addr_type == IPMI_SYSTEM_INTERFACE_ADDR_TYPE)
5242	&& (msg->msg.netfn == IPMI_NETFN_APP_RESPONSE)
5243	&& (msg->msg.cmd == IPMI_GET_DEVICE_ID_CMD)
5244	&& (msg->msg.data[0] == IPMI_CC_NO_ERROR)) {
5245	/*
5246	* A get device id command, save if we are an event
5247	* receiver or generator.
5248	*/
5249	intf->local_sel_device = (msg->msg.data[6] >> 2) & 1;
5250	intf->local_event_generator = (msg->msg.data[6] >> 5) & 1;
5251	}
5252	}
5253
5254	static void send_panic_events(struct ipmi_smi *intf, char *str)
5255	{
5256	struct kernel_ipmi_msg msg;
5257	unsigned char data[16];
5258	struct ipmi_system_interface_addr *si;
5259	struct ipmi_addr addr;
5260	char *p = str;
5261	struct ipmi_ipmb_addr *ipmb;
5262	int j;
5263
5264	if (ipmi_send_panic_event == IPMI_SEND_PANIC_EVENT_NONE)
5265	return;
5266
5267	si = (struct ipmi_system_interface_addr *) &addr;
5268	si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
5269	si->channel = IPMI_BMC_CHANNEL;
5270	si->lun = 0;
5271
5272	/* Fill in an event telling that we have failed. */
5273	msg.netfn = 0x04; /* Sensor or Event. */
5274	msg.cmd = 2; /* Platform event command. */
5275	msg.data = data;
5276	msg.data_len = 8;
5277	data[0] = 0x41; /* Kernel generator ID, IPMI table 5-4 */
5278	data[1] = 0x03; /* This is for IPMI 1.0. */
5279	data[2] = 0x20; /* OS Critical Stop, IPMI table 36-3 */
5280	data[4] = 0x6f; /* Sensor specific, IPMI table 36-1 */
5281	data[5] = 0xa1; /* Runtime stop OEM bytes 2 & 3. */
5282
5283	/*
5284	* Put a few breadcrumbs in. Hopefully later we can add more things
5285	* to make the panic events more useful.
5286	*/
5287	if (str) {
5288	data[3] = str[0];
5289	data[6] = str[1];
5290	data[7] = str[2];
5291	}
5292
5293	/* Send the event announcing the panic. */
5294	ipmi_panic_request_and_wait(intf, addr: &addr, msg: &msg);
5295
5296	/*
5297	* On every interface, dump a bunch of OEM event holding the
5298	* string.
5299	*/
5300	if (ipmi_send_panic_event != IPMI_SEND_PANIC_EVENT_STRING || !str)
5301	return;
5302
5303	/*
5304	* intf_num is used as an marker to tell if the
5305	* interface is valid. Thus we need a read barrier to
5306	* make sure data fetched before checking intf_num
5307	* won't be used.
5308	*/
5309	smp_rmb();
5310
5311	/*
5312	* First job here is to figure out where to send the
5313	* OEM events. There's no way in IPMI to send OEM
5314	* events using an event send command, so we have to
5315	* find the SEL to put them in and stick them in
5316	* there.
5317	*/
5318
5319	/* Get capabilities from the get device id. */
5320	intf->local_sel_device = 0;
5321	intf->local_event_generator = 0;
5322	intf->event_receiver = 0;
5323
5324	/* Request the device info from the local MC. */
5325	msg.netfn = IPMI_NETFN_APP_REQUEST;
5326	msg.cmd = IPMI_GET_DEVICE_ID_CMD;
5327	msg.data = NULL;
5328	msg.data_len = 0;
5329	intf->null_user_handler = device_id_fetcher;
5330	ipmi_panic_request_and_wait(intf, addr: &addr, msg: &msg);
5331
5332	if (intf->local_event_generator) {
5333	/* Request the event receiver from the local MC. */
5334	msg.netfn = IPMI_NETFN_SENSOR_EVENT_REQUEST;
5335	msg.cmd = IPMI_GET_EVENT_RECEIVER_CMD;
5336	msg.data = NULL;
5337	msg.data_len = 0;
5338	intf->null_user_handler = event_receiver_fetcher;
5339	ipmi_panic_request_and_wait(intf, addr: &addr, msg: &msg);
5340	}
5341	intf->null_user_handler = NULL;
5342
5343	/*
5344	* Validate the event receiver. The low bit must not
5345	* be 1 (it must be a valid IPMB address), it cannot
5346	* be zero, and it must not be my address.
5347	*/
5348	if (((intf->event_receiver & 1) == 0)
5349	&& (intf->event_receiver != 0)
5350	&& (intf->event_receiver != intf->addrinfo[0].address)) {
5351	/*
5352	* The event receiver is valid, send an IPMB
5353	* message.
5354	*/
5355	ipmb = (struct ipmi_ipmb_addr *) &addr;
5356	ipmb->addr_type = IPMI_IPMB_ADDR_TYPE;
5357	ipmb->channel = 0; /* FIXME - is this right? */
5358	ipmb->lun = intf->event_receiver_lun;
5359	ipmb->slave_addr = intf->event_receiver;
5360	} else if (intf->local_sel_device) {
5361	/*
5362	* The event receiver was not valid (or was
5363	* me), but I am an SEL device, just dump it
5364	* in my SEL.
5365	*/
5366	si = (struct ipmi_system_interface_addr *) &addr;
5367	si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
5368	si->channel = IPMI_BMC_CHANNEL;
5369	si->lun = 0;
5370	} else
5371	return; /* No where to send the event. */
5372
5373	msg.netfn = IPMI_NETFN_STORAGE_REQUEST; /* Storage. */
5374	msg.cmd = IPMI_ADD_SEL_ENTRY_CMD;
5375	msg.data = data;
5376	msg.data_len = 16;
5377
5378	j = 0;
5379	while (*p) {
5380	int size = strnlen(p, maxlen: 11);
5381
5382	data[0] = 0;
5383	data[1] = 0;
5384	data[2] = 0xf0; /* OEM event without timestamp. */
5385	data[3] = intf->addrinfo[0].address;
5386	data[4] = j++; /* sequence # */
5387
5388	memcpy_and_pad(dest: data+5, dest_len: 11, src: p, count: size, pad: '\0');
5389	p += size;
5390
5391	ipmi_panic_request_and_wait(intf, addr: &addr, msg: &msg);
5392	}
5393	}
5394
5395	static int has_panicked;
5396
5397	static int panic_event(struct notifier_block *this,
5398	unsigned long event,
5399	void *ptr)
5400	{
5401	struct ipmi_smi *intf;
5402	struct ipmi_user *user;
5403
5404	if (has_panicked)
5405	return NOTIFY_DONE;
5406	has_panicked = 1;
5407
5408	/* For every registered interface, set it to run to completion. */
5409	list_for_each_entry_rcu(intf, &ipmi_interfaces, link) {
5410	if (!intf->handlers || intf->intf_num == -1)
5411	/* Interface is not ready. */
5412	continue;
5413
5414	if (!intf->handlers->poll)
5415	continue;
5416
5417	/*
5418	* If we were interrupted while locking xmit_msgs_lock or
5419	* waiting_rcv_msgs_lock, the corresponding list may be
5420	* corrupted. In this case, drop items on the list for
5421	* the safety.
5422	*/
5423	if (!spin_trylock(lock: &intf->xmit_msgs_lock)) {
5424	INIT_LIST_HEAD(list: &intf->xmit_msgs);
5425	INIT_LIST_HEAD(list: &intf->hp_xmit_msgs);
5426	} else
5427	spin_unlock(lock: &intf->xmit_msgs_lock);
5428
5429	if (!spin_trylock(lock: &intf->waiting_rcv_msgs_lock))
5430	INIT_LIST_HEAD(list: &intf->waiting_rcv_msgs);
5431	else
5432	spin_unlock(lock: &intf->waiting_rcv_msgs_lock);
5433
5434	intf->run_to_completion = 1;
5435	if (intf->handlers->set_run_to_completion)
5436	intf->handlers->set_run_to_completion(intf->send_info,
5437	1);
5438
5439	list_for_each_entry_rcu(user, &intf->users, link) {
5440	if (user->handler->ipmi_panic_handler)
5441	user->handler->ipmi_panic_handler(
5442	user->handler_data);
5443	}
5444
5445	send_panic_events(intf, str: ptr);
5446	}
5447
5448	return NOTIFY_DONE;
5449	}
5450
5451	/* Must be called with ipmi_interfaces_mutex held. */
5452	static int ipmi_register_driver(void)
5453	{
5454	int rv;
5455
5456	if (drvregistered)
5457	return 0;
5458
5459	rv = driver_register(drv: &ipmidriver.driver);
5460	if (rv)
5461	pr_err("Could not register IPMI driver\n");
5462	else
5463	drvregistered = true;
5464	return rv;
5465	}
5466
5467	static struct notifier_block panic_block = {
5468	.notifier_call = panic_event,
5469	.next = NULL,
5470	.priority = 200 /* priority: INT_MAX >= x >= 0 */
5471	};
5472
5473	static int ipmi_init_msghandler(void)
5474	{
5475	int rv;
5476
5477	mutex_lock(&ipmi_interfaces_mutex);
5478	rv = ipmi_register_driver();
5479	if (rv)
5480	goto out;
5481	if (initialized)
5482	goto out;
5483
5484	rv = init_srcu_struct(&ipmi_interfaces_srcu);
5485	if (rv)
5486	goto out;
5487
5488	remove_work_wq = create_singlethread_workqueue("ipmi-msghandler-remove-wq");
5489	if (!remove_work_wq) {
5490	pr_err("unable to create ipmi-msghandler-remove-wq workqueue");
5491	rv = -ENOMEM;
5492	goto out_wq;
5493	}
5494
5495	timer_setup(&ipmi_timer, ipmi_timeout, 0);
5496	mod_timer(timer: &ipmi_timer, expires: jiffies + IPMI_TIMEOUT_JIFFIES);
5497
5498	atomic_notifier_chain_register(nh: &panic_notifier_list, nb: &panic_block);
5499
5500	initialized = true;
5501
5502	out_wq:
5503	if (rv)
5504	cleanup_srcu_struct(ssp: &ipmi_interfaces_srcu);
5505	out:
5506	mutex_unlock(lock: &ipmi_interfaces_mutex);
5507	return rv;
5508	}
5509
5510	static int __init ipmi_init_msghandler_mod(void)
5511	{
5512	int rv;
5513
5514	pr_info("version " IPMI_DRIVER_VERSION "\n");
5515
5516	mutex_lock(&ipmi_interfaces_mutex);
5517	rv = ipmi_register_driver();
5518	mutex_unlock(lock: &ipmi_interfaces_mutex);
5519
5520	return rv;
5521	}
5522
5523	static void __exit cleanup_ipmi(void)
5524	{
5525	int count;
5526
5527	if (initialized) {
5528	destroy_workqueue(wq: remove_work_wq);
5529
5530	atomic_notifier_chain_unregister(nh: &panic_notifier_list,
5531	nb: &panic_block);
5532
5533	/*
5534	* This can't be called if any interfaces exist, so no worry
5535	* about shutting down the interfaces.
5536	*/
5537
5538	/*
5539	* Tell the timer to stop, then wait for it to stop. This
5540	* avoids problems with race conditions removing the timer
5541	* here.
5542	*/
5543	atomic_set(v: &stop_operation, i: 1);
5544	del_timer_sync(timer: &ipmi_timer);
5545
5546	initialized = false;
5547
5548	/* Check for buffer leaks. */
5549	count = atomic_read(v: &smi_msg_inuse_count);
5550	if (count != 0)
5551	pr_warn("SMI message count %d at exit\n", count);
5552	count = atomic_read(v: &recv_msg_inuse_count);
5553	if (count != 0)
5554	pr_warn("recv message count %d at exit\n", count);
5555
5556	cleanup_srcu_struct(ssp: &ipmi_interfaces_srcu);
5557	}
5558	if (drvregistered)
5559	driver_unregister(drv: &ipmidriver.driver);
5560	}
5561	module_exit(cleanup_ipmi);
5562
5563	module_init(ipmi_init_msghandler_mod);
5564	MODULE_LICENSE("GPL");
5565	MODULE_AUTHOR("Corey Minyard <minyard@mvista.com>");
5566	MODULE_DESCRIPTION("Incoming and outgoing message routing for an IPMI interface.");
5567	MODULE_VERSION(IPMI_DRIVER_VERSION);
5568	MODULE_SOFTDEP("post: ipmi_devintf");
5569