Re: [PATCH arm/aspeed/ast2500 v1] ipmi: add an Aspeed KCS IPMI BMC driver

From: Corey Minyard
Date: Tue Jan 16 2018 - 15:59:43 EST


On 01/16/2018 05:43 AM, Haiyue Wang wrote:
The KCS (Keyboard Controller Style) interface is used to perform in-band
IPMI communication between a server host and its BMC (BaseBoard Management
Controllers).

This driver exposes the KCS interface on ASpeed SOCs (AST2400 and AST2500)
as a character device. Such SOCs are commonly used as BMCs and this driver
implements the BMC side of the KCS interface.

I thought we were going to unify the BMC ioctl interface? My preference would be to
create a file named include/uapi/linux/ipmi-bmc.h and add the following:

#define __IPMI_BMC_IOCTL_MAGICÂÂÂ 0xb1
#define IPMI_BMC_IOCTL_SMS_SET_ATNÂÂÂ _IO(__IPMI_BMC_IOCTL_MAGIC, 0x00)

to make it the same as BT. Then in bt-bmc.h, set BT_BMC_IOCTL_SMS_ATN to
IPMI_BMC_IOCTL_SMS_SET_ATN. Then add the KCS ioctls in ipmi-bmc.h and
use that. That way we stay backward compatible but we are unified.

Since more KCS interfaces may come around, can you make the name more
specific? (I made this same error on bt-bmc,c, it should probably be renamed.)

More comments inline, as I'll go ahead and review this.

Signed-off-by: Haiyue Wang <haiyue.wang@xxxxxxxxxxxxxxx>
---
.../devicetree/bindings/ipmi/aspeed-kcs-bmc.txt | 26 +
drivers/char/ipmi/Kconfig | 9 +
drivers/char/ipmi/Makefile | 1 +
drivers/char/ipmi/kcs-bmc.c | 744 +++++++++++++++++++++
include/uapi/linux/kcs-bmc.h | 14 +
5 files changed, 794 insertions(+)
create mode 100644 Documentation/devicetree/bindings/ipmi/aspeed-kcs-bmc.txt
create mode 100644 drivers/char/ipmi/kcs-bmc.c
create mode 100644 include/uapi/linux/kcs-bmc.h

diff --git a/Documentation/devicetree/bindings/ipmi/aspeed-kcs-bmc.txt b/Documentation/devicetree/bindings/ipmi/aspeed-kcs-bmc.txt
new file mode 100644
index 0000000..dd0c73d
--- /dev/null
+++ b/Documentation/devicetree/bindings/ipmi/aspeed-kcs-bmc.txt
@@ -0,0 +1,26 @@
+* Aspeed KCS (Keyboard Controller Style) IPMI interface
+
+The Aspeed SOCs (AST2400 and AST2500) are commonly used as BMCs
+(BaseBoard Management Controllers) and the KCS interface can be
+used to perform in-band IPMI communication with their host.
+
+Required properties:
+- compatible : should be one of
+ "aspeed,ast2400-kcs-bmc"
+ "aspeed,ast2500-kcs-bmc"
+- interrupts : interrupt generated by the controller
+- kcs_chan : The LPC channel number in the controller
+- kcs_addr : The host CPU IO map address
+
+
+Example:
+
+ kcs3: kcs3@0 {
+ compatible = "aspeed,ast2500-kcs-bmc";
+ reg = <0x0 0x80>;
+ interrupts = <8>;
+ kcs_chan = <3>;
+ kcs_addr = <0xCA2>;
+ status = "okay";
+ };
+
diff --git a/drivers/char/ipmi/Kconfig b/drivers/char/ipmi/Kconfig
index 3544abc..36132f8 100644
--- a/drivers/char/ipmi/Kconfig
+++ b/drivers/char/ipmi/Kconfig
@@ -104,3 +104,12 @@ config ASPEED_BT_IPMI_BMC
Provides a driver for the BT (Block Transfer) IPMI interface
found on Aspeed SOCs (AST2400 and AST2500). The driver
implements the BMC side of the BT interface.
+
+config ASPEED_KCS_IPMI_BMC
+ depends on ARCH_ASPEED || COMPILE_TEST
+ select REGMAP_MMIO
+ tristate "KCS IPMI bmc driver"
+ help
+ Provides a driver for the KCS (Keyboard Controller Style) IPMI
+ interface found on Aspeed SOCs (AST2400 and AST2500). The driver
+ implements the BMC side of the KCS interface.
\ No newline at end of file
diff --git a/drivers/char/ipmi/Makefile b/drivers/char/ipmi/Makefile
index 33b899f..f217bae 100644
--- a/drivers/char/ipmi/Makefile
+++ b/drivers/char/ipmi/Makefile
@@ -22,3 +22,4 @@ obj-$(CONFIG_IPMI_POWERNV) += ipmi_powernv.o
obj-$(CONFIG_IPMI_WATCHDOG) += ipmi_watchdog.o
obj-$(CONFIG_IPMI_POWEROFF) += ipmi_poweroff.o
obj-$(CONFIG_ASPEED_BT_IPMI_BMC) += bt-bmc.o
+obj-$(CONFIG_ASPEED_KCS_IPMI_BMC) += kcs-bmc.o
\ No newline at end of file
diff --git a/drivers/char/ipmi/kcs-bmc.c b/drivers/char/ipmi/kcs-bmc.c
new file mode 100644
index 0000000..d6eab0b
--- /dev/null
+++ b/drivers/char/ipmi/kcs-bmc.c
@@ -0,0 +1,744 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (c) 2015-2018, Intel Corporation.
+
+#include <linux/atomic.h>
+#include <linux/errno.h>
+#include <linux/interrupt.h>
+#include <linux/io.h>
+#include <linux/kcs-bmc.h>
+#include <linux/mfd/syscon.h>
+#include <linux/miscdevice.h>
+#include <linux/module.h>
+#include <linux/of.h>
+#include <linux/platform_device.h>
+#include <linux/poll.h>
+#include <linux/regmap.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/timer.h>
+
+#define KCS_MSG_BUFSIZ 1024
+#define KCS_CHANNEL_MAX 4
+
+/*
+ * This is a BMC device used to communicate to the host
+ */
+#define DEVICE_NAME "ipmi-kcs-host"
+
+
+/* Different Phases of the KCS Module */
+#define KCS_PHASE_IDLE 0x00
+#define KCS_PHASE_WRITE 0x01
+#define KCS_PHASE_WRITE_END 0x02
+#define KCS_PHASE_READ 0x03
+#define KCS_PHASE_ABORT 0x04
+#define KCS_PHASE_ERROR 0x05

It would be nicer to make the above an enum.

+
+/* Abort Phase */
+#define ABORT_PHASE_ERROR1 0x01
+#define ABORT_PHASE_ERROR2 0x02

Can the above just be folded into two separate phases in kcs_phase?
That would be a little cleaner.


+
+/* KCS Command Control codes. */
+#define KCS_GET_STATUS 0x60
+#define KCS_ABORT 0x60
+#define KCS_WRITE_START 0x61
+#define KCS_WRITE_END 0x62
+#define KCS_READ_BYTE 0x68
+
+/* Status bits.:
+ * - IDLE_STATE. Interface is idle. System software should not be expecting
+ * nor sending any data.
+ * - READ_STATE. BMC is transferring a packet to system software. System
+ * software should be in the "Read Message" state.
+ * - WRITE_STATE. BMC is receiving a packet from system software. System
+ * software should be writing a command to the BMC.
+ * - ERROR_STATE. BMC has detected a protocol violation at the interface level,
+ * or the transfer has been aborted. System software can either
+ * use the "Get_Status" control code to request the nature of
+ * the error, or it can just retry the command.
+ */
+#define KCS_IDLE_STATE 0
+#define KCS_READ_STATE 1
+#define KCS_WRITE_STATE 2
+#define KCS_ERROR_STATE 3
+
+/* KCS Error Codes */
+#define KCS_NO_ERROR 0x00
+#define KCS_ABORTED_BY_COMMAND 0x01
+#define KCS_ILLEGAL_CONTROL_CODE 0x02
+#define KCS_LENGTH_ERROR 0x06
+#define KCS_UNSPECIFIED_ERROR 0xFF
+
+
+#define KCS_ZERO_DATA 0
+
+/* IPMI 2.0 - Table 9-1, KCS Interface Status Register Bits */
+#define KCS_STR_STATE(state) (state << 6)
+#define KCS_STR_STATE_MASK KCS_STR_STATE(0x3)
+#define KCS_STR_CMD_DAT BIT(3)
+#define KCS_STR_SMS_ATN BIT(2)
+#define KCS_STR_IBF BIT(1)
+#define KCS_STR_OBF BIT(0)
+
+
+/* mapped to lpc-bmc@0 IO space */
+#define LPC_HICR0 0x000
+#define LPC_HICR0_LPC3E BIT(7)
+#define LPC_HICR0_LPC2E BIT(6)
+#define LPC_HICR0_LPC1E BIT(5)
+#define LPC_HICR2 0x008
+#define LPC_HICR2_IBFIF3 BIT(3)
+#define LPC_HICR2_IBFIF2 BIT(2)
+#define LPC_HICR2_IBFIF1 BIT(1)
+#define LPC_HICR4 0x010
+#define LPC_HICR4_LADR12AS BIT(7)
+#define LPC_HICR4_KCSENBL BIT(2)
+#define LPC_LADR3H 0x014
+#define LPC_LADR3L 0x018
+#define LPC_LADR12H 0x01C
+#define LPC_LADR12L 0x020
+#define LPC_IDR1 0x024
+#define LPC_IDR2 0x028
+#define LPC_IDR3 0x02C
+#define LPC_ODR1 0x030
+#define LPC_ODR2 0x034
+#define LPC_ODR3 0x038
+#define LPC_STR1 0x03C
+#define LPC_STR2 0x040
+#define LPC_STR3 0x044
+
+/* mapped to lpc-host@80 IO space */
+#define LPC_HICRB 0x080
+#define LPC_HICRB_IBFIF4 BIT(1)
+#define LPC_HICRB_LPC4E BIT(0)
+#define LPC_LADR4 0x090
+#define LPC_IDR4 0x094
+#define LPC_ODR4 0x098
+#define LPC_STR4 0x09C
+
+
+/* IPMI 2.0 - 9.5, KCS Interface Registers */
+struct kcs_ioreg {
+ u32 idr; /* Input Data Register */
+ u32 odr; /* Output Data Register */
+ u32 str; /* Status Register */
+};
+
+static const struct kcs_ioreg kcs_ioreg_map[KCS_CHANNEL_MAX] = {
+ { .idr = LPC_IDR1, .odr = LPC_ODR1, .str = LPC_STR1 },
+ { .idr = LPC_IDR2, .odr = LPC_ODR2, .str = LPC_STR2 },
+ { .idr = LPC_IDR3, .odr = LPC_ODR3, .str = LPC_STR3 },
+ { .idr = LPC_IDR4, .odr = LPC_ODR4, .str = LPC_STR4 },
+};
+
+struct kcs_bmc {
+ struct regmap *map;
+ spinlock_t lock;

This lock is only used in threads, as far as I can tell. Couldn't it just be a normal mutex?
But more on this later.

+
+ u32 chan;
+ int running;
+
+ u32 idr;
+ u32 odr;
+ u32 str;
+
+ int kcs_phase;
+ u8 abort_phase;
+ u8 kcs_error;
+
+ wait_queue_head_t queue;
+ int data_in_avail;

data_in_avail should be a bool.

You set data_in_avail after the data is ready, but you don't have a barrier. You
have similar problems with kcs_phase.

In fact, the locking in the driver doesn't seem quite correct. If this ever ran on
an SMP system, it is likely to not work correctly. You can assume that the interrupt
runs exclusively, but you cannot assume that the data operations are available in
order on another processor that handles a subsequent interrupt.

The easiest way to fix this would be to add the spin lock around the case statement
in the irq handler and add them in the poll and read functions (you would need to
leave it as a spinlock in that case). That would provide the proper barriers assuming
you put them in the right place (checking data_in_avail again inside the spinlock
in the read case, for instance).

+ int data_in_idx;
+ u8 *data_in;
+
+ int data_out_idx;
+ int data_out_len;
+ u8 *data_out;
+
+ struct miscdevice miscdev;
+};
+
+static u8 kcs_inb(struct kcs_bmc *kcs_bmc, u32 reg)
+{
+ u32 val = 0;
+ int rc;
+
+ rc = regmap_read(kcs_bmc->map, reg, &val);
+ WARN(rc != 0, "regmap_read() failed: %d\n", rc);
+
+ return rc == 0 ? (u8) val : 0;
+}
+
+static void kcs_outb(struct kcs_bmc *kcs_bmc, u8 data, u32 reg)
+{
+ int rc;
+
+ rc = regmap_write(kcs_bmc->map, reg, data);
+ WARN(rc != 0, "regmap_write() failed: %d\n", rc);
+}
+
+static inline void kcs_set_state(struct kcs_bmc *kcs_bmc, u8 state)
+{
+ regmap_update_bits(kcs_bmc->map, kcs_bmc->str, KCS_STR_STATE_MASK,
+ KCS_STR_STATE(state));
+}
+
+static inline void kcs_set_atn(struct kcs_bmc *kcs_bmc)
+{
+ regmap_update_bits(kcs_bmc->map, kcs_bmc->str, KCS_STR_SMS_ATN,
+ KCS_STR_SMS_ATN);
+}
+
+static inline void kcs_clear_atn(struct kcs_bmc *kcs_bmc)
+{
+ regmap_update_bits(kcs_bmc->map, kcs_bmc->str, KCS_STR_SMS_ATN,
+ 0);
+}
+
+/*
+ * AST_usrGuide_KCS.pdf
+ * 2. Background:
+ * we note D for Data, and C for Cmd/Status, default rules are
+ * A. KCS1 / KCS2 ( D / C:X / X+4 )
+ * D / C : CA0h / CA4h
+ * D / C : CA8h / CACh
+ * B. KCS3 ( D / C:XX2h / XX3h )
+ * D / C : CA2h / CA3h
+ * D / C : CB2h / CB3h
+ * C. KCS4
+ * D / C : CA4h / CA5h
+ */
+static void kcs_set_addr(struct kcs_bmc *kcs_bmc, u16 addr)
+{
+ switch (kcs_bmc->chan) {
+ case 1:
+ regmap_update_bits(kcs_bmc->map, LPC_HICR4,
+ LPC_HICR4_LADR12AS, 0);
+ regmap_write(kcs_bmc->map, LPC_LADR12H, addr >> 8);
+ regmap_write(kcs_bmc->map, LPC_LADR12L, addr & 0xFF);
+ break;
+
+ case 2:
+ regmap_update_bits(kcs_bmc->map, LPC_HICR4,
+ LPC_HICR4_LADR12AS, LPC_HICR4_LADR12AS);
+ regmap_write(kcs_bmc->map, LPC_LADR12H, addr >> 8);
+ regmap_write(kcs_bmc->map, LPC_LADR12L, addr & 0xFF);
+ break;
+
+ case 3:
+ regmap_write(kcs_bmc->map, LPC_LADR3H, addr >> 8);
+ regmap_write(kcs_bmc->map, LPC_LADR3L, addr & 0xFF);
+ break;
+
+ case 4:
+ regmap_write(kcs_bmc->map, LPC_LADR4, ((addr + 1) << 16) |
+ addr);
+ break;
+
+ default:

Shouldn't you return an error here?

+ break;
+ }
+}
+
+static void kcs_enable_channel(struct kcs_bmc *kcs_bmc, int enable)
+{
+ switch (kcs_bmc->chan) {
+ case 1:
+ if (enable) {
+ regmap_update_bits(kcs_bmc->map, LPC_HICR2,
+ LPC_HICR2_IBFIF1, LPC_HICR2_IBFIF1);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR0,
+ LPC_HICR0_LPC1E, LPC_HICR0_LPC1E);
+ } else {
+ regmap_update_bits(kcs_bmc->map, LPC_HICR0,
+ LPC_HICR0_LPC1E, 0);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR2,
+ LPC_HICR2_IBFIF1, 0);
+ }
+ break;
+
+ case 2:
+ if (enable) {
+ regmap_update_bits(kcs_bmc->map, LPC_HICR2,
+ LPC_HICR2_IBFIF2, LPC_HICR2_IBFIF2);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR0,
+ LPC_HICR0_LPC2E, LPC_HICR0_LPC2E);
+ } else {
+ regmap_update_bits(kcs_bmc->map, LPC_HICR0,
+ LPC_HICR0_LPC2E, 0);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR2,
+ LPC_HICR2_IBFIF2, 0);
+ }
+ break;
+
+ case 3:
+ if (enable) {
+ regmap_update_bits(kcs_bmc->map, LPC_HICR2,
+ LPC_HICR2_IBFIF3, LPC_HICR2_IBFIF3);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR0,
+ LPC_HICR0_LPC3E, LPC_HICR0_LPC3E);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR4,
+ LPC_HICR4_KCSENBL, LPC_HICR4_KCSENBL);
+ } else {
+ regmap_update_bits(kcs_bmc->map, LPC_HICR0,
+ LPC_HICR0_LPC3E, 0);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR4,
+ LPC_HICR4_KCSENBL, 0);
+ regmap_update_bits(kcs_bmc->map, LPC_HICR2,
+ LPC_HICR2_IBFIF3, 0);
+ }
+ break;
+
+ case 4:
+ if (enable) {
+ regmap_update_bits(kcs_bmc->map, LPC_HICRB,
+ LPC_HICRB_IBFIF4 | LPC_HICRB_LPC4E,
+ LPC_HICRB_IBFIF4 | LPC_HICRB_LPC4E);
+ } else {
+ regmap_update_bits(kcs_bmc->map, LPC_HICRB,
+ LPC_HICRB_IBFIF4 | LPC_HICRB_LPC4E,
+ 0);
+ }

The above shouldn't have {}, did you run this through checkpatch?

+ break;
+
+ default:

Error here, too?

+ break;
+ }
+}
+
+static void kcs_rx_data(struct kcs_bmc *kcs_bmc)
+{
+ u8 data;
+
+ switch (kcs_bmc->kcs_phase) {
+ case KCS_PHASE_WRITE:
+ kcs_set_state(kcs_bmc, KCS_WRITE_STATE);
+
+ /* set OBF before reading data */
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+
+ if (kcs_bmc->data_in_idx < KCS_MSG_BUFSIZ)
+ kcs_bmc->data_in[kcs_bmc->data_in_idx++] =
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+ break;
+
+ case KCS_PHASE_WRITE_END:
+ kcs_set_state(kcs_bmc, KCS_READ_STATE);
+
+ if (kcs_bmc->data_in_idx < KCS_MSG_BUFSIZ)
+ kcs_bmc->data_in[kcs_bmc->data_in_idx++] =
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+
+ kcs_bmc->kcs_phase = KCS_PHASE_READ;
+ if (kcs_bmc->running) {
+ kcs_bmc->data_in_avail = 1;
+ wake_up_interruptible(&kcs_bmc->queue);
+ }
+ break;
+
+ case KCS_PHASE_READ:
+ if (kcs_bmc->data_out_idx == kcs_bmc->data_out_len)
+ kcs_set_state(kcs_bmc, KCS_IDLE_STATE);
+
+ data = kcs_inb(kcs_bmc, kcs_bmc->idr);
+ if (data != KCS_READ_BYTE) {
+ kcs_set_state(kcs_bmc, KCS_ERROR_STATE);
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+ break;
+ }
+
+ if (kcs_bmc->data_out_idx == kcs_bmc->data_out_len) {
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+ kcs_bmc->kcs_phase = KCS_PHASE_IDLE;
+ break;
+ }
+
+ kcs_outb(kcs_bmc, kcs_bmc->data_out[kcs_bmc->data_out_idx++],
+ kcs_bmc->odr);
+ break;
+
+ case KCS_PHASE_ABORT:
+ switch (kcs_bmc->abort_phase) {
+ case ABORT_PHASE_ERROR1:
+ kcs_set_state(kcs_bmc, KCS_READ_STATE);
+
+ /* Read the Dummy byte */
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+
+ kcs_outb(kcs_bmc, kcs_bmc->kcs_error, kcs_bmc->odr);
+ kcs_bmc->abort_phase = ABORT_PHASE_ERROR2;
+ break;
+
+ case ABORT_PHASE_ERROR2:
+ kcs_set_state(kcs_bmc, KCS_IDLE_STATE);
+
+ /* Read the Dummy byte */
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+ kcs_bmc->kcs_phase = KCS_PHASE_IDLE;
+ kcs_bmc->abort_phase = 0;
+ break;
+
+ default:
+ break;
+ }
+
+ break;
+
+ case KCS_PHASE_ERROR:

This is identical to the default. And the default should never happen, anyway.
If the default happens you have a software bug and need to report it.

+ kcs_set_state(kcs_bmc, KCS_ERROR_STATE);
+
+ /* Read the Dummy byte */
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+ break;
+
+ default:
+ kcs_set_state(kcs_bmc, KCS_ERROR_STATE);
+
+ /* Read the Dummy byte */
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+ break;
+ }
+}
+
+static void kcs_rx_cmd(struct kcs_bmc *kcs_bmc)
+{
+ u8 cmd;
+
+ kcs_set_state(kcs_bmc, KCS_WRITE_STATE);
+
+ /* Dummy data to generate OBF */
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+
+ cmd = kcs_inb(kcs_bmc, kcs_bmc->idr);

Wouldn't you want to read the command before you write the OBF?

+ switch (cmd) {
+ case KCS_WRITE_START:
+ kcs_bmc->data_in_avail = 0;
+ kcs_bmc->data_in_idx = 0;
+ kcs_bmc->kcs_phase = KCS_PHASE_WRITE;
+ kcs_bmc->kcs_error = KCS_NO_ERROR;
+ break;
+
+ case KCS_WRITE_END:
+ kcs_bmc->kcs_phase = KCS_PHASE_WRITE_END;
+ break;
+
+ case KCS_ABORT:
+ if (kcs_bmc->kcs_error == KCS_NO_ERROR)
+ kcs_bmc->kcs_error = KCS_ABORTED_BY_COMMAND;
+
+ kcs_bmc->kcs_phase = KCS_PHASE_ABORT;
+ kcs_bmc->abort_phase = ABORT_PHASE_ERROR1;
+ break;
+
+ default:
+ kcs_bmc->kcs_error = KCS_ILLEGAL_CONTROL_CODE;
+ kcs_set_state(kcs_bmc, KCS_ERROR_STATE);
+ kcs_outb(kcs_bmc, kcs_bmc->kcs_error, kcs_bmc->odr);
+ kcs_bmc->kcs_phase = KCS_PHASE_ERROR;
+ break;
+ }
+}
+
+/*
+ * Whenever the BMC is reset (from power-on or a hard reset), the State Bits
+ * are initialized to "11 - Error State". Doing so allows SMS to detect that
+ * the BMC has been reset and that any message in process has been terminated
+ * by the BMC.
+ */
+static void kcs_force_abort(struct kcs_bmc *kcs_bmc)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(&kcs_bmc->lock, flags);
+ kcs_set_state(kcs_bmc, KCS_ERROR_STATE);
+
+ /* Read the Dummy byte */
+ kcs_inb(kcs_bmc, kcs_bmc->idr);
+
+ kcs_outb(kcs_bmc, KCS_ZERO_DATA, kcs_bmc->odr);
+ kcs_bmc->kcs_phase = KCS_PHASE_ERROR;
+ spin_unlock_irqrestore(&kcs_bmc->lock, flags);

You don't set data_in_avail() to zero here?

+}
+
+static irqreturn_t kcs_bmc_irq(int irq, void *arg)
+{
+ struct kcs_bmc *kcs_bmc = arg;
+ u32 sts;
+
+ if (regmap_read(kcs_bmc->map, kcs_bmc->str, &sts) != 0)
+ return IRQ_NONE;
+
+ sts &= (KCS_STR_IBF | KCS_STR_CMD_DAT);
+
+ switch (sts) {
+ case KCS_STR_IBF | KCS_STR_CMD_DAT:
+ kcs_rx_cmd(kcs_bmc);
+ break;
+
+ case KCS_STR_IBF:
+ kcs_rx_data(kcs_bmc);
+
+ default:
+ return IRQ_NONE;
+ }
+
+ return IRQ_HANDLED;
+}
+
+static int kcs_bmc_config_irq(struct kcs_bmc *kcs_bmc,
+ struct platform_device *pdev)
+{
+ struct device *dev = &pdev->dev;
+ int irq;
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+ return irq;
+
+ return devm_request_irq(dev, irq, kcs_bmc_irq, IRQF_SHARED,
+ dev_name(dev), kcs_bmc);
+}
+
+
+static inline struct kcs_bmc *file_kcs_bmc(struct file *filp)
+{
+ return container_of(filp->private_data, struct kcs_bmc, miscdev);
+}
+
+static int kcs_bmc_open(struct inode *inode, struct file *filp)
+{
+ struct kcs_bmc *kcs_bmc = file_kcs_bmc(filp);
+ unsigned long flags;
+
+ if (kcs_bmc->running)
+ return -EBUSY;
+

The above is a race, it needs to be done inside the lock.

+ spin_lock_irqsave(&kcs_bmc->lock, flags);
+ kcs_bmc->kcs_phase = KCS_PHASE_IDLE;
+ kcs_bmc->running = 1;
+ kcs_bmc->data_in_avail = 0;
+ spin_unlock_irqrestore(&kcs_bmc->lock, flags);

What happens if the interface is not in a state where it can send a message?
The release code doesn't block until anything is done, so the interface might
not be in a place where you can use it. I think the init code handles it from
that side, but the release side is not handled.

Also, if release gets called, wouldn't you want to call kcs_force_abort() here
or in release()? That would be the equivalent of the BMC getting reset.

+
+ return 0;
+}
+
+static unsigned int kcs_bmc_poll(struct file *filp, poll_table *wait)
+{
+ struct kcs_bmc *kcs_bmc = file_kcs_bmc(filp);
+ unsigned int mask = 0;
+
+ poll_wait(filp, &kcs_bmc->queue, wait);
+
+ if (kcs_bmc->data_in_avail)
+ mask |= POLLIN;
+
+ if (kcs_bmc->kcs_phase == KCS_PHASE_READ)
+ mask |= POLLOUT;
+
+ return mask;
+}
+
+static ssize_t kcs_bmc_read(struct file *filp, char *buf,
+ size_t count, loff_t *offset)
+{
+ struct kcs_bmc *kcs_bmc = file_kcs_bmc(filp);
+ int rv;
+

You probably ought to handle O_NONBLOCK here. (Same problem on BT, too.)

+ rv = wait_event_interruptible(kcs_bmc->queue,
+ kcs_bmc->data_in_avail != 0);
+ if (rv < 0)
+ return -ERESTARTSYS;
+

This is a race condition for multiple users.

+ kcs_bmc->data_in_avail = 0;
+
+ if (count > kcs_bmc->data_in_idx)
+ count = kcs_bmc->data_in_idx;
+
+ if (copy_to_user(buf, kcs_bmc->data_in, count))
+ return -EFAULT;
+
+ return count;
+}
+
+static ssize_t kcs_bmc_write(struct file *filp, const char *buf,
+ size_t count, loff_t *offset)
+{
+ struct kcs_bmc *kcs_bmc = file_kcs_bmc(filp);
+ unsigned long flags;
+
+ if (count < 1 || count > KCS_MSG_BUFSIZ)
+ return -EINVAL;
+
+ if (copy_from_user(kcs_bmc->data_out, buf, count))
+ return -EFAULT;
+
+ spin_lock_irqsave(&kcs_bmc->lock, flags);
+ if (kcs_bmc->kcs_phase == KCS_PHASE_READ) {

If you don't modify kcs_phase here, you have a race condition. You probably
need a KCS_WAIT_READ condition. Also, the nomenclature of "read" and "write"
here is a little confusing, since your phases are from the host's point of view,
not this driver's point of view. You might want to document that explicitly.

+ kcs_bmc->data_out_idx = 1;
+ kcs_bmc->data_out_len = count;
+ kcs_outb(kcs_bmc, kcs_bmc->data_out[0], kcs_bmc->odr);
+ }

So if you write and the data isn't ready, you just drop the data on the floor silently?
Probably not the best design. You should probably return an error, as write can
only be called after read.

+ spin_unlock_irqrestore(&kcs_bmc->lock, flags);
+
+ return count;
+}
+
+static long kcs_bmc_ioctl(struct file *filp, unsigned int cmd,
+ unsigned long arg)
+{
+ struct kcs_bmc *kcs_bmc = file_kcs_bmc(filp);
+ long ret = 0;
+
+ switch (cmd) {
+ case KCS_BMC_IOCTL_SET_ATN:
+ kcs_set_atn(kcs_bmc);
+ break;
+
+ case KCS_BMC_IOCTL_CLR_ATN:
+ kcs_clear_atn(kcs_bmc);
+ break;
+
+ case KCS_BMC_IOCTL_FORCE_ABORT:
+ kcs_force_abort(kcs_bmc);
+ break;
+
+ default:
+ ret = -EINVAL;
+ break;
+ }
+
+ return ret;
+}
+
+static int kcs_bmc_release(struct inode *inode, struct file *filp)
+{
+ struct kcs_bmc *kcs_bmc = file_kcs_bmc(filp);
+ unsigned long flags;
+
+ spin_lock_irqsave(&kcs_bmc->lock, flags);
+ kcs_bmc->running = 0;
+ spin_unlock_irqrestore(&kcs_bmc->lock, flags);
+
+ return 0;
+}
+
+static const struct file_operations kcs_bmc_fops = {
+ .owner = THIS_MODULE,
+ .open = kcs_bmc_open,
+ .read = kcs_bmc_read,
+ .write = kcs_bmc_write,
+ .release = kcs_bmc_release,
+ .poll = kcs_bmc_poll,
+ .unlocked_ioctl = kcs_bmc_ioctl,
+};
+
+static int kcs_bmc_probe(struct platform_device *pdev)
+{
+ struct device *dev = &pdev->dev;
+ const struct kcs_ioreg *ioreg;
+ struct kcs_bmc *kcs_bmc;
+ u32 chan, addr;
+ int rc;
+
+ kcs_bmc = devm_kzalloc(dev, sizeof(*kcs_bmc), GFP_KERNEL);
+ if (!kcs_bmc)
+ return -ENOMEM;

Every error after this point will leak kcs_bmc. I'd recommend a "goto out_err"
to handle this.

+
+ rc = of_property_read_u32(dev->of_node, "kcs_chan", &chan);
+ if ((rc != 0) || (chan == 0 || chan > KCS_CHANNEL_MAX)) {
+ dev_err(dev, "no valid 'kcs_chan' configured\n");
+ return -ENODEV;
+ }
+
+ rc = of_property_read_u32(dev->of_node, "kcs_addr", &addr);
+ if (rc) {
+ dev_err(dev, "no valid 'kcs_addr' configured\n");
+ return -ENODEV;
+ }
+
+ kcs_bmc->map = syscon_node_to_regmap(dev->parent->of_node);
+ if (IS_ERR(kcs_bmc->map)) {
+ dev_err(dev, "Couldn't get regmap\n");
+ return -ENODEV;
+ }
+
+ dev_set_name(dev, "ipmi-kcs%u", chan);
+
+ spin_lock_init(&kcs_bmc->lock);
+ kcs_bmc->chan = chan;

You need error checking on chan.

+
+ ioreg = &kcs_ioreg_map[chan - 1];
+ kcs_bmc->idr = ioreg->idr;
+ kcs_bmc->odr = ioreg->odr;
+ kcs_bmc->str = ioreg->str;
+
+ init_waitqueue_head(&kcs_bmc->queue);
+ kcs_bmc->data_in = devm_kmalloc(dev, KCS_MSG_BUFSIZ, GFP_KERNEL);
+ kcs_bmc->data_out = devm_kmalloc(dev, KCS_MSG_BUFSIZ, GFP_KERNEL);
+ if (kcs_bmc->data_in == NULL || kcs_bmc->data_out == NULL) {
+ dev_err(dev, "Failed to allocate data buffers\n");

You will leak memory if you fail to allocate data_out but do allocate data_in.

+ return -ENOMEM;
+ }
+
+ kcs_bmc->miscdev.minor = MISC_DYNAMIC_MINOR;
+ kcs_bmc->miscdev.name = dev_name(dev);
+ kcs_bmc->miscdev.fops = &kcs_bmc_fops;
+ rc = misc_register(&kcs_bmc->miscdev);
+ if (rc) {
+ dev_err(dev, "Unable to register device\n");
+ return rc;
+ }

After you call misc_register something can open the device and use it.
You need to do that after everything is enabled.

+
+ kcs_set_addr(kcs_bmc, addr);
+ kcs_enable_channel(kcs_bmc, 1);
+
+ rc = kcs_bmc_config_irq(kcs_bmc, pdev);
+ if (rc) {
+ misc_deregister(&kcs_bmc->miscdev);
+ return rc;
+ }
+
+ dev_set_drvdata(&pdev->dev, kcs_bmc);

This should definitely be before you enable or register. The drvdata
needs to be available in case an irq comes in, for instance.

+
+ dev_info(dev, "addr=0x%x, idr=0x%x, odr=0x%x, str=0x%x\n",
+ addr, kcs_bmc->idr, kcs_bmc->odr, kcs_bmc->str);
+
+ return 0;
+}
+
+static int kcs_bmc_remove(struct platform_device *pdev)
+{
+ struct kcs_bmc *kcs_bmc = dev_get_drvdata(&pdev->dev);
+
+ misc_deregister(&kcs_bmc->miscdev);
+
+ return 0;
+}
+
+static const struct of_device_id kcs_bmc_match[] = {
+ { .compatible = "aspeed,ast2400-kcs-bmc" },
+ { .compatible = "aspeed,ast2500-kcs-bmc" },
+ { }
+};
+
+static struct platform_driver kcs_bmc_driver = {
+ .driver = {
+ .name = DEVICE_NAME,
+ .of_match_table = kcs_bmc_match,
+ },
+ .probe = kcs_bmc_probe,
+ .remove = kcs_bmc_remove,
+};
+
+module_platform_driver(kcs_bmc_driver);
+
+MODULE_DEVICE_TABLE(of, kcs_bmc_match);
+MODULE_LICENSE("GPL v2");
+MODULE_AUTHOR("Haiyue Wang <haiyue.wang@xxxxxxxxxxxxxxx>");
+MODULE_DESCRIPTION("Linux device interface to the IPMI KCS interface");
diff --git a/include/uapi/linux/kcs-bmc.h b/include/uapi/linux/kcs-bmc.h
new file mode 100644
index 0000000..d1550d3
--- /dev/null
+++ b/include/uapi/linux/kcs-bmc.h
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (c) 2015-2018, Intel Corporation.
+
+#ifndef _UAPI_LINUX_KCS_BMC_H
+#define _UAPI_LINUX_KCS_BMC_H
+
+#include <linux/ioctl.h>
+
+#define __KCS_BMC_IOCTL_MAGIC 'K'
+#define KCS_BMC_IOCTL_SET_ATN _IO(__KCS_BMC_IOCTL_MAGIC, 1)
+#define KCS_BMC_IOCTL_CLR_ATN _IO(__KCS_BMC_IOCTL_MAGIC, 2)
+#define KCS_BMC_IOCTL_FORCE_ABORT _IO(__KCS_BMC_IOCTL_MAGIC, 3)
+
+#endif /* _UAPI_LINUX_KCS_BMC_H */