linux/drivers/bus
Jeffrey Hugo e565d3efd8 bus: mhi: host: Use cached values for calculating the shared write pointer
mhi_recycle_ev_ring() computes the shared write pointer for the ring
(ctxt_wp) using a read/modify/write pattern where the ctxt_wp value in the
shared memory is read, incremented, and written back.  There are no checks
on the read value, it is assumed that it is kept in sync with the locally
cached value.  Per the MHI spec, this is correct.  The device should only
read ctxt_wp, never write it.

However, there are devices in the wild that violate the spec, and can
update the ctxt_wp in a specific scenario.  This can cause corruption, and
violate the above assumption that the ctxt_wp is in sync with the cached
value.

This can occur when the device has loaded firmware from the host, and is
transitioning from the SBL EE to the AMSS EE.  As part of shutting down
SBL, the SBL flushes it's local MHI context to the shared memory since
the local context will not persist across an EE change.  In the case of
the event ring, SBL will flush its entire context, not just the parts that
it is allowed to update.  This means SBL will write to ctxt_wp, and
possibly corrupt it.

An example:

Host				Device
----				---
Update ctxt_wp to 0x1f0
				SBL observes 0x1f0
Update ctxt_wp to 0x0
				Starts transition to AMSS EE
				Context flush, writes 0x1f0 to ctxt_wp
Update ctxt_wp to 0x200
Update ctxt_wp to 0x210
				AMSS observes 0x210
				0x210 exceeds ring size
				AMSS signals syserr

The reason the ctxt_wp goes off the end of the ring is that the rollover
check is only performed on the cached wp, which is out of sync with
ctxt_wp.

Since the host is the authority of the value of ctxt_wp per the MHI spec,
we can fix this issue by not reading ctxt_wp from the shared memory, and
instead compute it based on the cached value.  If SBL corrupts ctxt_wp,
the host won't observe it, and will correct the value at some point later.

Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Hemant Kumar <quic_hemantk@quicinc.com>
Reviewed-by: Bhaumik Bhatt <quic_bbhatt@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/1649868113-18826-1-git-send-email-quic_jhugo@quicinc.com
[mani: used the quicinc domain for Hemant and Bhaumik]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
2022-04-23 18:57:31 +05:30
..
fsl-mc bus: fsl-mc-msi: Simplify MSI descriptor handling 2021-12-16 22:22:19 +01:00
mhi bus: mhi: host: Use cached values for calculating the shared write pointer 2022-04-23 18:57:31 +05:30
arm-cci.c
arm-integrator-lm.c bus: arm-integrator-lm: Add of_node_put() before return statement 2021-01-15 17:53:05 +01:00
brcmstb_gisb.c - Config updates for BMIPS platform 2021-11-13 09:11:33 -08:00
bt1-apb.c bus: bt1-apb: Use sysfs_streq instead of strncmp 2020-05-28 16:56:56 +02:00
bt1-axi.c bus: bt1-axi: Use sysfs_streq instead of strncmp 2020-05-28 16:57:12 +02:00
da8xx-mstpri.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
hisi_lpc.c bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal 2020-02-28 17:30:49 +08:00
imx-weim.c bus: imx-weim: add DT overlay support for WEIM bus 2022-02-22 14:55:12 +08:00
intel-ixp4xx-eb.c bus: ixp4xx: return on error in ixp4xx_exp_probe() 2021-08-12 22:34:13 +02:00
Kconfig ARM: SoC drivers for 5.16 2021-11-03 17:00:52 -07:00
Makefile bus: mhi: Move host MHI code to "host" directory 2022-03-18 14:02:54 +01:00
mips_cdmm.c mips: cdmm: Fix refcount leak in mips_cdmm_phys_base 2022-03-14 15:01:51 +01:00
moxtet.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
mvebu-mbus.c bus: mvebu-mbus: Export symbols for public API window functions 2022-01-06 13:37:47 +00:00
omap_l3_noc.c bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD 2021-02-04 09:08:57 +02:00
omap_l3_noc.h
omap_l3_smx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
omap_l3_smx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
omap-ocp2scp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
qcom-ebi2.c bus: qcom-ebi2: Fix incorrect documentation for '{slow,fast}_cfg' 2021-05-26 21:19:23 -05:00
simple-pm-bus.c drivers: bus: simple-pm-bus: Add support for probing simple bus only devices 2021-10-05 17:47:15 +02:00
sun50i-de2.c bus: sun50i-de2: Adjust printing error message 2021-10-13 14:48:48 +02:00
sunxi-rsb.c bus: sunxi-rsb: Fix shutdown 2021-11-22 10:02:57 +01:00
tegra-aconnect.c
tegra-gmi.c bus: tegra-gmi: Add runtime PM and OPP support 2021-12-16 14:05:23 +01:00
ti-pwmss.c bus/ti-pwmss: move TI PWMSS driver from PWM to bus subsystem 2019-10-17 21:17:42 +01:00
ti-sysc.c ARM: SoC drivers for 5.16 2021-11-03 17:00:52 -07:00
ts-nbus.c
uniphier-system-bus.c bus: uniphier-system-bus: use devm_platform_ioremap_resource() 2019-09-05 17:57:18 +02:00
vexpress-config.c bus: vexpress-config: Support building as module 2020-05-13 12:42:46 -05:00