ivc.c 16 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
/*
 * Copyright (c) 2017, NVIDIA CORPORATION. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <arch_helpers.h>
#include <assert.h>
#include <debug.h>
#include <errno.h>
#include <stddef.h>
#include <string.h>

#include "ivc.h"

/*
 * IVC channel reset protocol.
 *
 * Each end uses its tx_channel.state to indicate its synchronization state.
 */
enum {
	/*
	 * This value is zero for backwards compatibility with services that
	 * assume channels to be initially zeroed. Such channels are in an
	 * initially valid state, but cannot be asynchronously reset, and must
	 * maintain a valid state at all times.
	 *
	 * The transmitting end can enter the established state from the sync or
	 * ack state when it observes the receiving endpoint in the ack or
	 * established state, indicating that has cleared the counters in our
	 * rx_channel.
	 */
	ivc_state_established = U(0),

	/*
	 * If an endpoint is observed in the sync state, the remote endpoint is
	 * allowed to clear the counters it owns asynchronously with respect to
	 * the current endpoint. Therefore, the current endpoint is no longer
	 * allowed to communicate.
	 */
	ivc_state_sync = U(1),

	/*
	 * When the transmitting end observes the receiving end in the sync
	 * state, it can clear the w_count and r_count and transition to the ack
	 * state. If the remote endpoint observes us in the ack state, it can
	 * return to the established state once it has cleared its counters.
	 */
	ivc_state_ack = U(2)
};

/*
 * This structure is divided into two-cache aligned parts, the first is only
 * written through the tx_channel pointer, while the second is only written
 * through the rx_channel pointer. This delineates ownership of the cache lines,
 * which is critical to performance and necessary in non-cache coherent
 * implementations.
 */
struct ivc_channel_header {
	struct {
		/* fields owned by the transmitting end */
		uint32_t w_count;
		uint32_t state;
		uint32_t w_rsvd[IVC_CHHDR_TX_FIELDS - 2];
	};
	struct {
		/* fields owned by the receiving end */
		uint32_t r_count;
		uint32_t r_rsvd[IVC_CHHDR_RX_FIELDS - 1];
	};
};

static inline bool ivc_channel_empty(const struct ivc *ivc,
		volatile const struct ivc_channel_header *ch)
{
	/*
	 * This function performs multiple checks on the same values with
	 * security implications, so sample the counters' current values in
	 * shared memory to ensure that these checks use the same values.
	 */
	uint32_t wr_count = ch->w_count;
	uint32_t rd_count = ch->r_count;
	bool ret = false;

	(void)ivc;

	/*
	 * Perform an over-full check to prevent denial of service attacks where
	 * a server could be easily fooled into believing that there's an
	 * extremely large number of frames ready, since receivers are not
	 * expected to check for full or over-full conditions.
	 *
	 * Although the channel isn't empty, this is an invalid case caused by
	 * a potentially malicious peer, so returning empty is safer, because it
	 * gives the impression that the channel has gone silent.
	 */
	if (((wr_count - rd_count) > ivc->nframes) || (wr_count == rd_count)) {
		ret = true;
	}

	return ret;
}

static inline bool ivc_channel_full(const struct ivc *ivc,
		volatile const struct ivc_channel_header *ch)
{
	uint32_t wr_count = ch->w_count;
	uint32_t rd_count = ch->r_count;

	(void)ivc;

	/*
	 * Invalid cases where the counters indicate that the queue is over
	 * capacity also appear full.
	 */
	return ((wr_count - rd_count) >= ivc->nframes);
}

static inline uint32_t ivc_channel_avail_count(const struct ivc *ivc,
		volatile const struct ivc_channel_header *ch)
{
	uint32_t wr_count = ch->w_count;
	uint32_t rd_count = ch->r_count;

	(void)ivc;

	/*
	 * This function isn't expected to be used in scenarios where an
	 * over-full situation can lead to denial of service attacks. See the
	 * comment in ivc_channel_empty() for an explanation about special
	 * over-full considerations.
	 */
	return (wr_count - rd_count);
}

static inline void ivc_advance_tx(struct ivc *ivc)
{
	ivc->tx_channel->w_count++;

	if (ivc->w_pos == (ivc->nframes - (uint32_t)1U)) {
		ivc->w_pos = 0U;
	} else {
		ivc->w_pos++;
	}
}

static inline void ivc_advance_rx(struct ivc *ivc)
{
	ivc->rx_channel->r_count++;

	if (ivc->r_pos == (ivc->nframes - (uint32_t)1U)) {
		ivc->r_pos = 0U;
	} else {
		ivc->r_pos++;
	}
}

static inline int32_t ivc_check_read(const struct ivc *ivc)
{
	/*
	 * tx_channel->state is set locally, so it is not synchronized with
	 * state from the remote peer. The remote peer cannot reset its
	 * transmit counters until we've acknowledged its synchronization
	 * request, so no additional synchronization is required because an
	 * asynchronous transition of rx_channel->state to ivc_state_ack is not
	 * allowed.
	 */
	if (ivc->tx_channel->state != ivc_state_established) {
		return -ECONNRESET;
	}

	/*
	* Avoid unnecessary invalidations when performing repeated accesses to
	* an IVC channel by checking the old queue pointers first.
	* Synchronization is only necessary when these pointers indicate empty
	* or full.
	*/
	if (!ivc_channel_empty(ivc, ivc->rx_channel)) {
		return 0;
	}

	return ivc_channel_empty(ivc, ivc->rx_channel) ? -ENOMEM : 0;
}

static inline int32_t ivc_check_write(const struct ivc *ivc)
{
	if (ivc->tx_channel->state != ivc_state_established) {
		return -ECONNRESET;
	}

	if (!ivc_channel_full(ivc, ivc->tx_channel)) {
		return 0;
	}

	return ivc_channel_full(ivc, ivc->tx_channel) ? -ENOMEM : 0;
}

bool tegra_ivc_can_read(const struct ivc *ivc)
{
	return ivc_check_read(ivc) == 0;
}

bool tegra_ivc_can_write(const struct ivc *ivc)
{
	return ivc_check_write(ivc) == 0;
}

bool tegra_ivc_tx_empty(const struct ivc *ivc)
{
	return ivc_channel_empty(ivc, ivc->tx_channel);
}

static inline uintptr_t calc_frame_offset(uint32_t frame_index,
	uint32_t frame_size, uint32_t frame_offset)
{
    return ((uintptr_t)frame_index * (uintptr_t)frame_size) +
	    (uintptr_t)frame_offset;
}

static void *ivc_frame_pointer(const struct ivc *ivc,
				volatile const struct ivc_channel_header *ch,
				uint32_t frame)
{
	assert(frame < ivc->nframes);
	return (void *)((uintptr_t)(&ch[1]) +
		calc_frame_offset(frame, ivc->frame_size, 0));
}

int32_t tegra_ivc_read(struct ivc *ivc, void *buf, size_t max_read)
{
	const void *src;
	int32_t result;

	if (buf == NULL) {
		return -EINVAL;
	}

	if (max_read > ivc->frame_size) {
		return -E2BIG;
	}

	result = ivc_check_read(ivc);
	if (result != 0) {
		return result;
	}

	/*
	 * Order observation of w_pos potentially indicating new data before
	 * data read.
	 */
	dmbish();

	src = ivc_frame_pointer(ivc, ivc->rx_channel, ivc->r_pos);

	(void)memcpy(buf, src, max_read);

	ivc_advance_rx(ivc);

	/*
	 * Ensure our write to r_pos occurs before our read from w_pos.
	 */
	dmbish();

	/*
	 * Notify only upon transition from full to non-full.
	 * The available count can only asynchronously increase, so the
	 * worst possible side-effect will be a spurious notification.
	 */
	if (ivc_channel_avail_count(ivc, ivc->rx_channel) == (ivc->nframes - (uint32_t)1U)) {
		ivc->notify(ivc);
	}

	return (int32_t)max_read;
}

/* directly peek at the next frame rx'ed */
void *tegra_ivc_read_get_next_frame(const struct ivc *ivc)
{
	if (ivc_check_read(ivc) != 0) {
		return NULL;
	}

	/*
	 * Order observation of w_pos potentially indicating new data before
	 * data read.
	 */
	dmbld();

	return ivc_frame_pointer(ivc, ivc->rx_channel, ivc->r_pos);
}

int32_t tegra_ivc_read_advance(struct ivc *ivc)
{
	/*
	 * No read barriers or synchronization here: the caller is expected to
	 * have already observed the channel non-empty. This check is just to
	 * catch programming errors.
	 */
	int32_t result = ivc_check_read(ivc);
	if (result != 0) {
		return result;
	}

	ivc_advance_rx(ivc);

	/*
	 * Ensure our write to r_pos occurs before our read from w_pos.
	 */
	dmbish();

	/*
	 * Notify only upon transition from full to non-full.
	 * The available count can only asynchronously increase, so the
	 * worst possible side-effect will be a spurious notification.
	 */
	if (ivc_channel_avail_count(ivc, ivc->rx_channel) == (ivc->nframes - (uint32_t)1U)) {
		ivc->notify(ivc);
	}

	return 0;
}

int32_t tegra_ivc_write(struct ivc *ivc, const void *buf, size_t size)
{
	void *p;
	int32_t result;

	if ((buf == NULL) || (ivc == NULL)) {
		return -EINVAL;
	}

	if (size > ivc->frame_size) {
		return -E2BIG;
	}

	result = ivc_check_write(ivc);
	if (result != 0) {
		return result;
	}

	p = ivc_frame_pointer(ivc, ivc->tx_channel, ivc->w_pos);

	(void)memset(p, 0, ivc->frame_size);
	(void)memcpy(p, buf, size);

	/*
	 * Ensure that updated data is visible before the w_pos counter
	 * indicates that it is ready.
	 */
	dmbst();

	ivc_advance_tx(ivc);

	/*
	 * Ensure our write to w_pos occurs before our read from r_pos.
	 */
	dmbish();

	/*
	 * Notify only upon transition from empty to non-empty.
	 * The available count can only asynchronously decrease, so the
	 * worst possible side-effect will be a spurious notification.
	 */
	if (ivc_channel_avail_count(ivc, ivc->tx_channel) == 1U) {
		ivc->notify(ivc);
	}

	return (int32_t)size;
}

/* directly poke at the next frame to be tx'ed */
void *tegra_ivc_write_get_next_frame(const struct ivc *ivc)
{
	if (ivc_check_write(ivc) != 0) {
		return NULL;
	}

	return ivc_frame_pointer(ivc, ivc->tx_channel, ivc->w_pos);
}

/* advance the tx buffer */
int32_t tegra_ivc_write_advance(struct ivc *ivc)
{
	int32_t result = ivc_check_write(ivc);

	if (result != 0) {
		return result;
	}

	/*
	 * Order any possible stores to the frame before update of w_pos.
	 */
	dmbst();

	ivc_advance_tx(ivc);

	/*
	 * Ensure our write to w_pos occurs before our read from r_pos.
	 */
	dmbish();

	/*
	 * Notify only upon transition from empty to non-empty.
	 * The available count can only asynchronously decrease, so the
	 * worst possible side-effect will be a spurious notification.
	 */
	if (ivc_channel_avail_count(ivc, ivc->tx_channel) == (uint32_t)1U) {
		ivc->notify(ivc);
	}

	return 0;
}

void tegra_ivc_channel_reset(const struct ivc *ivc)
{
	ivc->tx_channel->state = ivc_state_sync;
	ivc->notify(ivc);
}

/*
 * ===============================================================
 *  IVC State Transition Table - see tegra_ivc_channel_notified()
 * ===============================================================
 *
 *	local	remote	action
 *	-----	------	-----------------------------------
 *	SYNC	EST	<none>
 *	SYNC	ACK	reset counters; move to EST; notify
 *	SYNC	SYNC	reset counters; move to ACK; notify
 *	ACK	EST	move to EST; notify
 *	ACK	ACK	move to EST; notify
 *	ACK	SYNC	reset counters; move to ACK; notify
 *	EST	EST	<none>
 *	EST	ACK	<none>
 *	EST	SYNC	reset counters; move to ACK; notify
 *
 * ===============================================================
 */
int32_t tegra_ivc_channel_notified(struct ivc *ivc)
{
	uint32_t peer_state;

	/* Copy the receiver's state out of shared memory. */
	peer_state = ivc->rx_channel->state;

	if (peer_state == (uint32_t)ivc_state_sync) {
		/*
		 * Order observation of ivc_state_sync before stores clearing
		 * tx_channel.
		 */
		dmbld();

		/*
		 * Reset tx_channel counters. The remote end is in the SYNC
		 * state and won't make progress until we change our state,
		 * so the counters are not in use at this time.
		 */
		ivc->tx_channel->w_count = 0U;
		ivc->rx_channel->r_count = 0U;

		ivc->w_pos = 0U;
		ivc->r_pos = 0U;

		/*
		 * Ensure that counters appear cleared before new state can be
		 * observed.
		 */
		dmbst();

		/*
		 * Move to ACK state. We have just cleared our counters, so it
		 * is now safe for the remote end to start using these values.
		 */
		ivc->tx_channel->state = ivc_state_ack;

		/*
		 * Notify remote end to observe state transition.
		 */
		ivc->notify(ivc);

	} else if ((ivc->tx_channel->state == (uint32_t)ivc_state_sync) &&
			(peer_state == (uint32_t)ivc_state_ack)) {
		/*
		 * Order observation of ivc_state_sync before stores clearing
		 * tx_channel.
		 */
		dmbld();

		/*
		 * Reset tx_channel counters. The remote end is in the ACK
		 * state and won't make progress until we change our state,
		 * so the counters are not in use at this time.
		 */
		ivc->tx_channel->w_count = 0U;
		ivc->rx_channel->r_count = 0U;

		ivc->w_pos = 0U;
		ivc->r_pos = 0U;

		/*
		 * Ensure that counters appear cleared before new state can be
		 * observed.
		 */
		dmbst();

		/*
		 * Move to ESTABLISHED state. We know that the remote end has
		 * already cleared its counters, so it is safe to start
		 * writing/reading on this channel.
		 */
		ivc->tx_channel->state = ivc_state_established;

		/*
		 * Notify remote end to observe state transition.
		 */
		ivc->notify(ivc);

	} else if (ivc->tx_channel->state == (uint32_t)ivc_state_ack) {
		/*
		 * At this point, we have observed the peer to be in either
		 * the ACK or ESTABLISHED state. Next, order observation of
		 * peer state before storing to tx_channel.
		 */
		dmbld();

		/*
		 * Move to ESTABLISHED state. We know that we have previously
		 * cleared our counters, and we know that the remote end has
		 * cleared its counters, so it is safe to start writing/reading
		 * on this channel.
		 */
		ivc->tx_channel->state = ivc_state_established;

		/*
		 * Notify remote end to observe state transition.
		 */
		ivc->notify(ivc);

	} else {
		/*
		 * There is no need to handle any further action. Either the
		 * channel is already fully established, or we are waiting for
		 * the remote end to catch up with our current state. Refer
		 * to the diagram in "IVC State Transition Table" above.
		 */
	}

	return ((ivc->tx_channel->state == (uint32_t)ivc_state_established) ? 0 : -EAGAIN);
}

size_t tegra_ivc_align(size_t size)
{
	return (size + (IVC_ALIGN - 1U)) & ~(IVC_ALIGN - 1U);
}

size_t tegra_ivc_total_queue_size(size_t queue_size)
{
	if ((queue_size & (IVC_ALIGN - 1U)) != 0U) {
		ERROR("queue_size (%d) must be %d-byte aligned\n",
				(int32_t)queue_size, IVC_ALIGN);
		return 0;
	}
	return queue_size + sizeof(struct ivc_channel_header);
}

static int32_t check_ivc_params(uintptr_t queue_base1, uintptr_t queue_base2,
		uint32_t nframes, uint32_t frame_size)
{
	assert((offsetof(struct ivc_channel_header, w_count)
				& (IVC_ALIGN - 1U)) == 0U);
	assert((offsetof(struct ivc_channel_header, r_count)
				& (IVC_ALIGN - 1U)) == 0U);
	assert((sizeof(struct ivc_channel_header) & (IVC_ALIGN - 1U)) == 0U);

	if (((uint64_t)nframes * (uint64_t)frame_size) >= 0x100000000ULL) {
		ERROR("nframes * frame_size overflows\n");
		return -EINVAL;
	}

	/*
	 * The headers must at least be aligned enough for counters
	 * to be accessed atomically.
	 */
	if ((queue_base1 & (IVC_ALIGN - 1U)) != 0U) {
		ERROR("ivc channel start not aligned: %lx\n", queue_base1);
		return -EINVAL;
	}
	if ((queue_base2 & (IVC_ALIGN - 1U)) != 0U) {
		ERROR("ivc channel start not aligned: %lx\n", queue_base2);
		return -EINVAL;
	}

	if ((frame_size & (IVC_ALIGN - 1U)) != 0U) {
		ERROR("frame size not adequately aligned: %u\n",
				frame_size);
		return -EINVAL;
	}

	if (queue_base1 < queue_base2) {
		if ((queue_base1 + ((uint64_t)frame_size * nframes)) > queue_base2) {
			ERROR("queue regions overlap: %lx + %x, %x\n",
					queue_base1, frame_size,
					frame_size * nframes);
			return -EINVAL;
		}
	} else {
		if ((queue_base2 + ((uint64_t)frame_size * nframes)) > queue_base1) {
			ERROR("queue regions overlap: %lx + %x, %x\n",
					queue_base2, frame_size,
					frame_size * nframes);
			return -EINVAL;
		}
	}

	return 0;
}

int32_t tegra_ivc_init(struct ivc *ivc, uintptr_t rx_base, uintptr_t tx_base,
		uint32_t nframes, uint32_t frame_size,
		ivc_notify_function notify)
{
	int32_t result;

	/* sanity check input params */
	if ((ivc == NULL) || (notify == NULL)) {
		return -EINVAL;
	}

	result = check_ivc_params(rx_base, tx_base, nframes, frame_size);
	if (result != 0) {
		return result;
	}

	/*
	 * All sizes that can be returned by communication functions should
	 * fit in a 32-bit integer.
	 */
	if (frame_size > (1u << 31)) {
		return -E2BIG;
	}

	ivc->rx_channel = (struct ivc_channel_header *)rx_base;
	ivc->tx_channel = (struct ivc_channel_header *)tx_base;
	ivc->notify = notify;
	ivc->frame_size = frame_size;
	ivc->nframes = nframes;
	ivc->w_pos = 0U;
	ivc->r_pos = 0U;

	INFO("%s: done\n", __func__);

	return 0;
}