1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Greybus Firmware Download Protocol Driver. |
4 | * |
5 | * Copyright 2016 Google Inc. |
6 | * Copyright 2016 Linaro Ltd. |
7 | */ |
8 | |
9 | #include <linux/firmware.h> |
10 | #include <linux/jiffies.h> |
11 | #include <linux/mutex.h> |
12 | #include <linux/workqueue.h> |
13 | #include <linux/greybus.h> |
14 | #include "firmware.h" |
15 | |
16 | /* Estimated minimum buffer size, actual size can be smaller than this */ |
17 | #define MIN_FETCH_SIZE 512 |
18 | /* Timeout, in jiffies, within which fetch or release firmware must be called */ |
19 | #define NEXT_REQ_TIMEOUT_J msecs_to_jiffies(1000) |
20 | |
21 | struct fw_request { |
22 | u8 firmware_id; |
23 | bool disabled; |
24 | bool timedout; |
25 | char name[FW_NAME_SIZE]; |
26 | const struct firmware *fw; |
27 | struct list_head node; |
28 | |
29 | struct delayed_work dwork; |
30 | /* Timeout, in jiffies, within which the firmware shall download */ |
31 | unsigned long release_timeout_j; |
32 | struct kref kref; |
33 | struct fw_download *fw_download; |
34 | }; |
35 | |
36 | struct fw_download { |
37 | struct device *parent; |
38 | struct gb_connection *connection; |
39 | struct list_head fw_requests; |
40 | struct ida id_map; |
41 | struct mutex mutex; |
42 | }; |
43 | |
44 | static void fw_req_release(struct kref *kref) |
45 | { |
46 | struct fw_request *fw_req = container_of(kref, struct fw_request, kref); |
47 | |
48 | dev_dbg(fw_req->fw_download->parent, "firmware %s released\n" , |
49 | fw_req->name); |
50 | |
51 | release_firmware(fw: fw_req->fw); |
52 | |
53 | /* |
54 | * The request timed out and the module may send a fetch-fw or |
55 | * release-fw request later. Lets block the id we allocated for this |
56 | * request, so that the AP doesn't refer to a later fw-request (with |
57 | * same firmware_id) for the old timedout fw-request. |
58 | * |
59 | * NOTE: |
60 | * |
61 | * This also means that after 255 timeouts we will fail to service new |
62 | * firmware downloads. But what else can we do in that case anyway? Lets |
63 | * just hope that it never happens. |
64 | */ |
65 | if (!fw_req->timedout) |
66 | ida_free(&fw_req->fw_download->id_map, id: fw_req->firmware_id); |
67 | |
68 | kfree(objp: fw_req); |
69 | } |
70 | |
71 | /* |
72 | * Incoming requests are serialized for a connection, and the only race possible |
73 | * is between the timeout handler freeing this and an incoming request. |
74 | * |
75 | * The operations on the fw-request list are protected by the mutex and |
76 | * get_fw_req() increments the reference count before returning a fw_req pointer |
77 | * to the users. |
78 | * |
79 | * free_firmware() also takes the mutex while removing an entry from the list, |
80 | * it guarantees that every user of fw_req has taken a kref-reference by now and |
81 | * we wouldn't have any new users. |
82 | * |
83 | * Once the last user drops the reference, the fw_req structure is freed. |
84 | */ |
85 | static void put_fw_req(struct fw_request *fw_req) |
86 | { |
87 | kref_put(kref: &fw_req->kref, release: fw_req_release); |
88 | } |
89 | |
90 | /* Caller must call put_fw_req() after using struct fw_request */ |
91 | static struct fw_request *get_fw_req(struct fw_download *fw_download, |
92 | u8 firmware_id) |
93 | { |
94 | struct fw_request *fw_req; |
95 | |
96 | mutex_lock(&fw_download->mutex); |
97 | |
98 | list_for_each_entry(fw_req, &fw_download->fw_requests, node) { |
99 | if (fw_req->firmware_id == firmware_id) { |
100 | kref_get(kref: &fw_req->kref); |
101 | goto unlock; |
102 | } |
103 | } |
104 | |
105 | fw_req = NULL; |
106 | |
107 | unlock: |
108 | mutex_unlock(lock: &fw_download->mutex); |
109 | |
110 | return fw_req; |
111 | } |
112 | |
113 | static void free_firmware(struct fw_download *fw_download, |
114 | struct fw_request *fw_req) |
115 | { |
116 | /* Already disabled from timeout handlers */ |
117 | if (fw_req->disabled) |
118 | return; |
119 | |
120 | mutex_lock(&fw_download->mutex); |
121 | list_del(entry: &fw_req->node); |
122 | mutex_unlock(lock: &fw_download->mutex); |
123 | |
124 | fw_req->disabled = true; |
125 | put_fw_req(fw_req); |
126 | } |
127 | |
128 | static void fw_request_timedout(struct work_struct *work) |
129 | { |
130 | struct delayed_work *dwork = to_delayed_work(work); |
131 | struct fw_request *fw_req = container_of(dwork, |
132 | struct fw_request, dwork); |
133 | struct fw_download *fw_download = fw_req->fw_download; |
134 | |
135 | dev_err(fw_download->parent, |
136 | "Timed out waiting for fetch / release firmware requests: %u\n" , |
137 | fw_req->firmware_id); |
138 | |
139 | fw_req->timedout = true; |
140 | free_firmware(fw_download, fw_req); |
141 | } |
142 | |
143 | static int exceeds_release_timeout(struct fw_request *fw_req) |
144 | { |
145 | struct fw_download *fw_download = fw_req->fw_download; |
146 | |
147 | if (time_before(jiffies, fw_req->release_timeout_j)) |
148 | return 0; |
149 | |
150 | dev_err(fw_download->parent, |
151 | "Firmware download didn't finish in time, abort: %d\n" , |
152 | fw_req->firmware_id); |
153 | |
154 | fw_req->timedout = true; |
155 | free_firmware(fw_download, fw_req); |
156 | |
157 | return -ETIMEDOUT; |
158 | } |
159 | |
160 | /* This returns path of the firmware blob on the disk */ |
161 | static struct fw_request *find_firmware(struct fw_download *fw_download, |
162 | const char *tag) |
163 | { |
164 | struct gb_interface *intf = fw_download->connection->bundle->intf; |
165 | struct fw_request *fw_req; |
166 | int ret, req_count; |
167 | |
168 | fw_req = kzalloc(size: sizeof(*fw_req), GFP_KERNEL); |
169 | if (!fw_req) |
170 | return ERR_PTR(error: -ENOMEM); |
171 | |
172 | /* Allocate ids from 1 to 255 (u8-max), 0 is an invalid id */ |
173 | ret = ida_alloc_range(&fw_download->id_map, min: 1, max: 255, GFP_KERNEL); |
174 | if (ret < 0) { |
175 | dev_err(fw_download->parent, |
176 | "failed to allocate firmware id (%d)\n" , ret); |
177 | goto err_free_req; |
178 | } |
179 | fw_req->firmware_id = ret; |
180 | |
181 | snprintf(buf: fw_req->name, size: sizeof(fw_req->name), |
182 | FW_NAME_PREFIX "%08x_%08x_%08x_%08x_%s.tftf" , |
183 | intf->ddbl1_manufacturer_id, intf->ddbl1_product_id, |
184 | intf->vendor_id, intf->product_id, tag); |
185 | |
186 | dev_info(fw_download->parent, "Requested firmware package '%s'\n" , |
187 | fw_req->name); |
188 | |
189 | ret = request_firmware(fw: &fw_req->fw, name: fw_req->name, device: fw_download->parent); |
190 | if (ret) { |
191 | dev_err(fw_download->parent, |
192 | "firmware request failed for %s (%d)\n" , fw_req->name, |
193 | ret); |
194 | goto err_free_id; |
195 | } |
196 | |
197 | fw_req->fw_download = fw_download; |
198 | kref_init(kref: &fw_req->kref); |
199 | |
200 | mutex_lock(&fw_download->mutex); |
201 | list_add(new: &fw_req->node, head: &fw_download->fw_requests); |
202 | mutex_unlock(lock: &fw_download->mutex); |
203 | |
204 | /* Timeout, in jiffies, within which firmware should get loaded */ |
205 | req_count = DIV_ROUND_UP(fw_req->fw->size, MIN_FETCH_SIZE); |
206 | fw_req->release_timeout_j = jiffies + req_count * NEXT_REQ_TIMEOUT_J; |
207 | |
208 | INIT_DELAYED_WORK(&fw_req->dwork, fw_request_timedout); |
209 | schedule_delayed_work(dwork: &fw_req->dwork, NEXT_REQ_TIMEOUT_J); |
210 | |
211 | return fw_req; |
212 | |
213 | err_free_id: |
214 | ida_free(&fw_download->id_map, id: fw_req->firmware_id); |
215 | err_free_req: |
216 | kfree(objp: fw_req); |
217 | |
218 | return ERR_PTR(error: ret); |
219 | } |
220 | |
221 | static int fw_download_find_firmware(struct gb_operation *op) |
222 | { |
223 | struct gb_connection *connection = op->connection; |
224 | struct fw_download *fw_download = gb_connection_get_data(connection); |
225 | struct gb_fw_download_find_firmware_request *request; |
226 | struct gb_fw_download_find_firmware_response *response; |
227 | struct fw_request *fw_req; |
228 | const char *tag; |
229 | |
230 | if (op->request->payload_size != sizeof(*request)) { |
231 | dev_err(fw_download->parent, |
232 | "illegal size of find firmware request (%zu != %zu)\n" , |
233 | op->request->payload_size, sizeof(*request)); |
234 | return -EINVAL; |
235 | } |
236 | |
237 | request = op->request->payload; |
238 | tag = (const char *)request->firmware_tag; |
239 | |
240 | /* firmware_tag must be null-terminated */ |
241 | if (strnlen(p: tag, GB_FIRMWARE_TAG_MAX_SIZE) == |
242 | GB_FIRMWARE_TAG_MAX_SIZE) { |
243 | dev_err(fw_download->parent, |
244 | "firmware-tag is not null-terminated\n" ); |
245 | return -EINVAL; |
246 | } |
247 | |
248 | fw_req = find_firmware(fw_download, tag); |
249 | if (IS_ERR(ptr: fw_req)) |
250 | return PTR_ERR(ptr: fw_req); |
251 | |
252 | if (!gb_operation_response_alloc(operation: op, response_size: sizeof(*response), GFP_KERNEL)) { |
253 | dev_err(fw_download->parent, "error allocating response\n" ); |
254 | free_firmware(fw_download, fw_req); |
255 | return -ENOMEM; |
256 | } |
257 | |
258 | response = op->response->payload; |
259 | response->firmware_id = fw_req->firmware_id; |
260 | response->size = cpu_to_le32(fw_req->fw->size); |
261 | |
262 | dev_dbg(fw_download->parent, |
263 | "firmware size is %zu bytes\n" , fw_req->fw->size); |
264 | |
265 | return 0; |
266 | } |
267 | |
268 | static int fw_download_fetch_firmware(struct gb_operation *op) |
269 | { |
270 | struct gb_connection *connection = op->connection; |
271 | struct fw_download *fw_download = gb_connection_get_data(connection); |
272 | struct gb_fw_download_fetch_firmware_request *request; |
273 | struct fw_request *fw_req; |
274 | const struct firmware *fw; |
275 | unsigned int offset, size; |
276 | u8 firmware_id; |
277 | u8 *response; |
278 | int ret = 0; |
279 | |
280 | if (op->request->payload_size != sizeof(*request)) { |
281 | dev_err(fw_download->parent, |
282 | "Illegal size of fetch firmware request (%zu %zu)\n" , |
283 | op->request->payload_size, sizeof(*request)); |
284 | return -EINVAL; |
285 | } |
286 | |
287 | request = op->request->payload; |
288 | offset = le32_to_cpu(request->offset); |
289 | size = le32_to_cpu(request->size); |
290 | firmware_id = request->firmware_id; |
291 | |
292 | fw_req = get_fw_req(fw_download, firmware_id); |
293 | if (!fw_req) { |
294 | dev_err(fw_download->parent, |
295 | "firmware not available for id: %02u\n" , firmware_id); |
296 | return -EINVAL; |
297 | } |
298 | |
299 | /* Make sure work handler isn't running in parallel */ |
300 | cancel_delayed_work_sync(dwork: &fw_req->dwork); |
301 | |
302 | /* We timed-out before reaching here ? */ |
303 | if (fw_req->disabled) { |
304 | ret = -ETIMEDOUT; |
305 | goto put_fw; |
306 | } |
307 | |
308 | /* |
309 | * Firmware download must finish within a limited time interval. If it |
310 | * doesn't, then we might have a buggy Module on the other side. Abort |
311 | * download. |
312 | */ |
313 | ret = exceeds_release_timeout(fw_req); |
314 | if (ret) |
315 | goto put_fw; |
316 | |
317 | fw = fw_req->fw; |
318 | |
319 | if (offset >= fw->size || size > fw->size - offset) { |
320 | dev_err(fw_download->parent, |
321 | "bad fetch firmware request (offs = %u, size = %u)\n" , |
322 | offset, size); |
323 | ret = -EINVAL; |
324 | goto put_fw; |
325 | } |
326 | |
327 | /* gb_fw_download_fetch_firmware_response contains only a byte array */ |
328 | if (!gb_operation_response_alloc(operation: op, response_size: size, GFP_KERNEL)) { |
329 | dev_err(fw_download->parent, |
330 | "error allocating fetch firmware response\n" ); |
331 | ret = -ENOMEM; |
332 | goto put_fw; |
333 | } |
334 | |
335 | response = op->response->payload; |
336 | memcpy(response, fw->data + offset, size); |
337 | |
338 | dev_dbg(fw_download->parent, |
339 | "responding with firmware (offs = %u, size = %u)\n" , offset, |
340 | size); |
341 | |
342 | /* Refresh timeout */ |
343 | schedule_delayed_work(dwork: &fw_req->dwork, NEXT_REQ_TIMEOUT_J); |
344 | |
345 | put_fw: |
346 | put_fw_req(fw_req); |
347 | |
348 | return ret; |
349 | } |
350 | |
351 | static int fw_download_release_firmware(struct gb_operation *op) |
352 | { |
353 | struct gb_connection *connection = op->connection; |
354 | struct fw_download *fw_download = gb_connection_get_data(connection); |
355 | struct gb_fw_download_release_firmware_request *request; |
356 | struct fw_request *fw_req; |
357 | u8 firmware_id; |
358 | |
359 | if (op->request->payload_size != sizeof(*request)) { |
360 | dev_err(fw_download->parent, |
361 | "Illegal size of release firmware request (%zu %zu)\n" , |
362 | op->request->payload_size, sizeof(*request)); |
363 | return -EINVAL; |
364 | } |
365 | |
366 | request = op->request->payload; |
367 | firmware_id = request->firmware_id; |
368 | |
369 | fw_req = get_fw_req(fw_download, firmware_id); |
370 | if (!fw_req) { |
371 | dev_err(fw_download->parent, |
372 | "firmware not available for id: %02u\n" , firmware_id); |
373 | return -EINVAL; |
374 | } |
375 | |
376 | cancel_delayed_work_sync(dwork: &fw_req->dwork); |
377 | |
378 | free_firmware(fw_download, fw_req); |
379 | put_fw_req(fw_req); |
380 | |
381 | dev_dbg(fw_download->parent, "release firmware\n" ); |
382 | |
383 | return 0; |
384 | } |
385 | |
386 | int gb_fw_download_request_handler(struct gb_operation *op) |
387 | { |
388 | u8 type = op->type; |
389 | |
390 | switch (type) { |
391 | case GB_FW_DOWNLOAD_TYPE_FIND_FIRMWARE: |
392 | return fw_download_find_firmware(op); |
393 | case GB_FW_DOWNLOAD_TYPE_FETCH_FIRMWARE: |
394 | return fw_download_fetch_firmware(op); |
395 | case GB_FW_DOWNLOAD_TYPE_RELEASE_FIRMWARE: |
396 | return fw_download_release_firmware(op); |
397 | default: |
398 | dev_err(&op->connection->bundle->dev, |
399 | "unsupported request: %u\n" , type); |
400 | return -EINVAL; |
401 | } |
402 | } |
403 | |
404 | int gb_fw_download_connection_init(struct gb_connection *connection) |
405 | { |
406 | struct fw_download *fw_download; |
407 | int ret; |
408 | |
409 | if (!connection) |
410 | return 0; |
411 | |
412 | fw_download = kzalloc(size: sizeof(*fw_download), GFP_KERNEL); |
413 | if (!fw_download) |
414 | return -ENOMEM; |
415 | |
416 | fw_download->parent = &connection->bundle->dev; |
417 | INIT_LIST_HEAD(list: &fw_download->fw_requests); |
418 | ida_init(ida: &fw_download->id_map); |
419 | gb_connection_set_data(connection, data: fw_download); |
420 | fw_download->connection = connection; |
421 | mutex_init(&fw_download->mutex); |
422 | |
423 | ret = gb_connection_enable(connection); |
424 | if (ret) |
425 | goto err_destroy_id_map; |
426 | |
427 | return 0; |
428 | |
429 | err_destroy_id_map: |
430 | ida_destroy(ida: &fw_download->id_map); |
431 | kfree(objp: fw_download); |
432 | |
433 | return ret; |
434 | } |
435 | |
436 | void gb_fw_download_connection_exit(struct gb_connection *connection) |
437 | { |
438 | struct fw_download *fw_download; |
439 | struct fw_request *fw_req, *tmp; |
440 | |
441 | if (!connection) |
442 | return; |
443 | |
444 | fw_download = gb_connection_get_data(connection); |
445 | gb_connection_disable(connection: fw_download->connection); |
446 | |
447 | /* |
448 | * Make sure we have a reference to the pending requests, before they |
449 | * are freed from the timeout handler. |
450 | */ |
451 | mutex_lock(&fw_download->mutex); |
452 | list_for_each_entry(fw_req, &fw_download->fw_requests, node) |
453 | kref_get(kref: &fw_req->kref); |
454 | mutex_unlock(lock: &fw_download->mutex); |
455 | |
456 | /* Release pending firmware packages */ |
457 | list_for_each_entry_safe(fw_req, tmp, &fw_download->fw_requests, node) { |
458 | cancel_delayed_work_sync(dwork: &fw_req->dwork); |
459 | free_firmware(fw_download, fw_req); |
460 | put_fw_req(fw_req); |
461 | } |
462 | |
463 | ida_destroy(ida: &fw_download->id_map); |
464 | kfree(objp: fw_download); |
465 | } |
466 | |