1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Greybus Firmware Download Protocol Driver.
4 *
5 * Copyright 2016 Google Inc.
6 * Copyright 2016 Linaro Ltd.
7 */
8
9 #include <linux/firmware.h>
10 #include <linux/jiffies.h>
11 #include <linux/mutex.h>
12 #include <linux/workqueue.h>
13 #include <linux/greybus.h>
14 #include "firmware.h"
15
16 /* Estimated minimum buffer size, actual size can be smaller than this */
17 #define MIN_FETCH_SIZE 512
18 /* Timeout, in jiffies, within which fetch or release firmware must be called */
19 #define NEXT_REQ_TIMEOUT_J msecs_to_jiffies(1000)
20
21 struct fw_request {
22 u8 firmware_id;
23 bool disabled;
24 bool timedout;
25 char name[FW_NAME_SIZE];
26 const struct firmware *fw;
27 struct list_head node;
28
29 struct delayed_work dwork;
30 /* Timeout, in jiffies, within which the firmware shall download */
31 unsigned long release_timeout_j;
32 struct kref kref;
33 struct fw_download *fw_download;
34 };
35
36 struct fw_download {
37 struct device *parent;
38 struct gb_connection *connection;
39 struct list_head fw_requests;
40 struct ida id_map;
41 struct mutex mutex;
42 };
43
fw_req_release(struct kref * kref)44 static void fw_req_release(struct kref *kref)
45 {
46 struct fw_request *fw_req = container_of(kref, struct fw_request, kref);
47
48 dev_dbg(fw_req->fw_download->parent, "firmware %s released\n",
49 fw_req->name);
50
51 release_firmware(fw_req->fw);
52
53 /*
54 * The request timed out and the module may send a fetch-fw or
55 * release-fw request later. Lets block the id we allocated for this
56 * request, so that the AP doesn't refer to a later fw-request (with
57 * same firmware_id) for the old timedout fw-request.
58 *
59 * NOTE:
60 *
61 * This also means that after 255 timeouts we will fail to service new
62 * firmware downloads. But what else can we do in that case anyway? Lets
63 * just hope that it never happens.
64 */
65 if (!fw_req->timedout)
66 ida_free(&fw_req->fw_download->id_map, fw_req->firmware_id);
67
68 kfree(fw_req);
69 }
70
71 /*
72 * Incoming requests are serialized for a connection, and the only race possible
73 * is between the timeout handler freeing this and an incoming request.
74 *
75 * The operations on the fw-request list are protected by the mutex and
76 * get_fw_req() increments the reference count before returning a fw_req pointer
77 * to the users.
78 *
79 * free_firmware() also takes the mutex while removing an entry from the list,
80 * it guarantees that every user of fw_req has taken a kref-reference by now and
81 * we wouldn't have any new users.
82 *
83 * Once the last user drops the reference, the fw_req structure is freed.
84 */
put_fw_req(struct fw_request * fw_req)85 static void put_fw_req(struct fw_request *fw_req)
86 {
87 kref_put(&fw_req->kref, fw_req_release);
88 }
89
90 /* Caller must call put_fw_req() after using struct fw_request */
get_fw_req(struct fw_download * fw_download,u8 firmware_id)91 static struct fw_request *get_fw_req(struct fw_download *fw_download,
92 u8 firmware_id)
93 {
94 struct fw_request *fw_req;
95
96 mutex_lock(&fw_download->mutex);
97
98 list_for_each_entry(fw_req, &fw_download->fw_requests, node) {
99 if (fw_req->firmware_id == firmware_id) {
100 kref_get(&fw_req->kref);
101 goto unlock;
102 }
103 }
104
105 fw_req = NULL;
106
107 unlock:
108 mutex_unlock(&fw_download->mutex);
109
110 return fw_req;
111 }
112
free_firmware(struct fw_download * fw_download,struct fw_request * fw_req)113 static void free_firmware(struct fw_download *fw_download,
114 struct fw_request *fw_req)
115 {
116 /* Already disabled from timeout handlers */
117 if (fw_req->disabled)
118 return;
119
120 mutex_lock(&fw_download->mutex);
121 list_del(&fw_req->node);
122 mutex_unlock(&fw_download->mutex);
123
124 fw_req->disabled = true;
125 put_fw_req(fw_req);
126 }
127
fw_request_timedout(struct work_struct * work)128 static void fw_request_timedout(struct work_struct *work)
129 {
130 struct delayed_work *dwork = to_delayed_work(work);
131 struct fw_request *fw_req = container_of(dwork,
132 struct fw_request, dwork);
133 struct fw_download *fw_download = fw_req->fw_download;
134
135 dev_err(fw_download->parent,
136 "Timed out waiting for fetch / release firmware requests: %u\n",
137 fw_req->firmware_id);
138
139 fw_req->timedout = true;
140 free_firmware(fw_download, fw_req);
141 }
142
exceeds_release_timeout(struct fw_request * fw_req)143 static int exceeds_release_timeout(struct fw_request *fw_req)
144 {
145 struct fw_download *fw_download = fw_req->fw_download;
146
147 if (time_before(jiffies, fw_req->release_timeout_j))
148 return 0;
149
150 dev_err(fw_download->parent,
151 "Firmware download didn't finish in time, abort: %d\n",
152 fw_req->firmware_id);
153
154 fw_req->timedout = true;
155 free_firmware(fw_download, fw_req);
156
157 return -ETIMEDOUT;
158 }
159
160 /* This returns path of the firmware blob on the disk */
find_firmware(struct fw_download * fw_download,const char * tag)161 static struct fw_request *find_firmware(struct fw_download *fw_download,
162 const char *tag)
163 {
164 struct gb_interface *intf = fw_download->connection->bundle->intf;
165 struct fw_request *fw_req;
166 int ret, req_count;
167
168 fw_req = kzalloc(sizeof(*fw_req), GFP_KERNEL);
169 if (!fw_req)
170 return ERR_PTR(-ENOMEM);
171
172 /* Allocate ids from 1 to 255 (u8-max), 0 is an invalid id */
173 ret = ida_alloc_range(&fw_download->id_map, 1, 255, GFP_KERNEL);
174 if (ret < 0) {
175 dev_err(fw_download->parent,
176 "failed to allocate firmware id (%d)\n", ret);
177 goto err_free_req;
178 }
179 fw_req->firmware_id = ret;
180
181 snprintf(fw_req->name, sizeof(fw_req->name),
182 FW_NAME_PREFIX "%08x_%08x_%08x_%08x_%s.tftf",
183 intf->ddbl1_manufacturer_id, intf->ddbl1_product_id,
184 intf->vendor_id, intf->product_id, tag);
185
186 dev_info(fw_download->parent, "Requested firmware package '%s'\n",
187 fw_req->name);
188
189 ret = request_firmware(&fw_req->fw, fw_req->name, fw_download->parent);
190 if (ret) {
191 dev_err(fw_download->parent,
192 "firmware request failed for %s (%d)\n", fw_req->name,
193 ret);
194 goto err_free_id;
195 }
196
197 fw_req->fw_download = fw_download;
198 kref_init(&fw_req->kref);
199
200 mutex_lock(&fw_download->mutex);
201 list_add(&fw_req->node, &fw_download->fw_requests);
202 mutex_unlock(&fw_download->mutex);
203
204 /* Timeout, in jiffies, within which firmware should get loaded */
205 req_count = DIV_ROUND_UP(fw_req->fw->size, MIN_FETCH_SIZE);
206 fw_req->release_timeout_j = jiffies + req_count * NEXT_REQ_TIMEOUT_J;
207
208 INIT_DELAYED_WORK(&fw_req->dwork, fw_request_timedout);
209 schedule_delayed_work(&fw_req->dwork, NEXT_REQ_TIMEOUT_J);
210
211 return fw_req;
212
213 err_free_id:
214 ida_free(&fw_download->id_map, fw_req->firmware_id);
215 err_free_req:
216 kfree(fw_req);
217
218 return ERR_PTR(ret);
219 }
220
fw_download_find_firmware(struct gb_operation * op)221 static int fw_download_find_firmware(struct gb_operation *op)
222 {
223 struct gb_connection *connection = op->connection;
224 struct fw_download *fw_download = gb_connection_get_data(connection);
225 struct gb_fw_download_find_firmware_request *request;
226 struct gb_fw_download_find_firmware_response *response;
227 struct fw_request *fw_req;
228 const char *tag;
229
230 if (op->request->payload_size != sizeof(*request)) {
231 dev_err(fw_download->parent,
232 "illegal size of find firmware request (%zu != %zu)\n",
233 op->request->payload_size, sizeof(*request));
234 return -EINVAL;
235 }
236
237 request = op->request->payload;
238 tag = (const char *)request->firmware_tag;
239
240 /* firmware_tag must be null-terminated */
241 if (strnlen(tag, GB_FIRMWARE_TAG_MAX_SIZE) ==
242 GB_FIRMWARE_TAG_MAX_SIZE) {
243 dev_err(fw_download->parent,
244 "firmware-tag is not null-terminated\n");
245 return -EINVAL;
246 }
247
248 fw_req = find_firmware(fw_download, tag);
249 if (IS_ERR(fw_req))
250 return PTR_ERR(fw_req);
251
252 if (!gb_operation_response_alloc(op, sizeof(*response), GFP_KERNEL)) {
253 dev_err(fw_download->parent, "error allocating response\n");
254 free_firmware(fw_download, fw_req);
255 return -ENOMEM;
256 }
257
258 response = op->response->payload;
259 response->firmware_id = fw_req->firmware_id;
260 response->size = cpu_to_le32(fw_req->fw->size);
261
262 dev_dbg(fw_download->parent,
263 "firmware size is %zu bytes\n", fw_req->fw->size);
264
265 return 0;
266 }
267
fw_download_fetch_firmware(struct gb_operation * op)268 static int fw_download_fetch_firmware(struct gb_operation *op)
269 {
270 struct gb_connection *connection = op->connection;
271 struct fw_download *fw_download = gb_connection_get_data(connection);
272 struct gb_fw_download_fetch_firmware_request *request;
273 struct fw_request *fw_req;
274 const struct firmware *fw;
275 unsigned int offset, size;
276 u8 firmware_id;
277 u8 *response;
278 int ret = 0;
279
280 if (op->request->payload_size != sizeof(*request)) {
281 dev_err(fw_download->parent,
282 "Illegal size of fetch firmware request (%zu %zu)\n",
283 op->request->payload_size, sizeof(*request));
284 return -EINVAL;
285 }
286
287 request = op->request->payload;
288 offset = le32_to_cpu(request->offset);
289 size = le32_to_cpu(request->size);
290 firmware_id = request->firmware_id;
291
292 fw_req = get_fw_req(fw_download, firmware_id);
293 if (!fw_req) {
294 dev_err(fw_download->parent,
295 "firmware not available for id: %02u\n", firmware_id);
296 return -EINVAL;
297 }
298
299 /* Make sure work handler isn't running in parallel */
300 cancel_delayed_work_sync(&fw_req->dwork);
301
302 /* We timed-out before reaching here ? */
303 if (fw_req->disabled) {
304 ret = -ETIMEDOUT;
305 goto put_fw;
306 }
307
308 /*
309 * Firmware download must finish within a limited time interval. If it
310 * doesn't, then we might have a buggy Module on the other side. Abort
311 * download.
312 */
313 ret = exceeds_release_timeout(fw_req);
314 if (ret)
315 goto put_fw;
316
317 fw = fw_req->fw;
318
319 if (offset >= fw->size || size > fw->size - offset) {
320 dev_err(fw_download->parent,
321 "bad fetch firmware request (offs = %u, size = %u)\n",
322 offset, size);
323 ret = -EINVAL;
324 goto put_fw;
325 }
326
327 /* gb_fw_download_fetch_firmware_response contains only a byte array */
328 if (!gb_operation_response_alloc(op, size, GFP_KERNEL)) {
329 dev_err(fw_download->parent,
330 "error allocating fetch firmware response\n");
331 ret = -ENOMEM;
332 goto put_fw;
333 }
334
335 response = op->response->payload;
336 memcpy(response, fw->data + offset, size);
337
338 dev_dbg(fw_download->parent,
339 "responding with firmware (offs = %u, size = %u)\n", offset,
340 size);
341
342 /* Refresh timeout */
343 schedule_delayed_work(&fw_req->dwork, NEXT_REQ_TIMEOUT_J);
344
345 put_fw:
346 put_fw_req(fw_req);
347
348 return ret;
349 }
350
fw_download_release_firmware(struct gb_operation * op)351 static int fw_download_release_firmware(struct gb_operation *op)
352 {
353 struct gb_connection *connection = op->connection;
354 struct fw_download *fw_download = gb_connection_get_data(connection);
355 struct gb_fw_download_release_firmware_request *request;
356 struct fw_request *fw_req;
357 u8 firmware_id;
358
359 if (op->request->payload_size != sizeof(*request)) {
360 dev_err(fw_download->parent,
361 "Illegal size of release firmware request (%zu %zu)\n",
362 op->request->payload_size, sizeof(*request));
363 return -EINVAL;
364 }
365
366 request = op->request->payload;
367 firmware_id = request->firmware_id;
368
369 fw_req = get_fw_req(fw_download, firmware_id);
370 if (!fw_req) {
371 dev_err(fw_download->parent,
372 "firmware not available for id: %02u\n", firmware_id);
373 return -EINVAL;
374 }
375
376 cancel_delayed_work_sync(&fw_req->dwork);
377
378 free_firmware(fw_download, fw_req);
379 put_fw_req(fw_req);
380
381 dev_dbg(fw_download->parent, "release firmware\n");
382
383 return 0;
384 }
385
gb_fw_download_request_handler(struct gb_operation * op)386 int gb_fw_download_request_handler(struct gb_operation *op)
387 {
388 u8 type = op->type;
389
390 switch (type) {
391 case GB_FW_DOWNLOAD_TYPE_FIND_FIRMWARE:
392 return fw_download_find_firmware(op);
393 case GB_FW_DOWNLOAD_TYPE_FETCH_FIRMWARE:
394 return fw_download_fetch_firmware(op);
395 case GB_FW_DOWNLOAD_TYPE_RELEASE_FIRMWARE:
396 return fw_download_release_firmware(op);
397 default:
398 dev_err(&op->connection->bundle->dev,
399 "unsupported request: %u\n", type);
400 return -EINVAL;
401 }
402 }
403
gb_fw_download_connection_init(struct gb_connection * connection)404 int gb_fw_download_connection_init(struct gb_connection *connection)
405 {
406 struct fw_download *fw_download;
407 int ret;
408
409 if (!connection)
410 return 0;
411
412 fw_download = kzalloc(sizeof(*fw_download), GFP_KERNEL);
413 if (!fw_download)
414 return -ENOMEM;
415
416 fw_download->parent = &connection->bundle->dev;
417 INIT_LIST_HEAD(&fw_download->fw_requests);
418 ida_init(&fw_download->id_map);
419 gb_connection_set_data(connection, fw_download);
420 fw_download->connection = connection;
421 mutex_init(&fw_download->mutex);
422
423 ret = gb_connection_enable(connection);
424 if (ret)
425 goto err_destroy_id_map;
426
427 return 0;
428
429 err_destroy_id_map:
430 ida_destroy(&fw_download->id_map);
431 kfree(fw_download);
432
433 return ret;
434 }
435
gb_fw_download_connection_exit(struct gb_connection * connection)436 void gb_fw_download_connection_exit(struct gb_connection *connection)
437 {
438 struct fw_download *fw_download;
439 struct fw_request *fw_req, *tmp;
440
441 if (!connection)
442 return;
443
444 fw_download = gb_connection_get_data(connection);
445 gb_connection_disable(fw_download->connection);
446
447 /*
448 * Make sure we have a reference to the pending requests, before they
449 * are freed from the timeout handler.
450 */
451 mutex_lock(&fw_download->mutex);
452 list_for_each_entry(fw_req, &fw_download->fw_requests, node)
453 kref_get(&fw_req->kref);
454 mutex_unlock(&fw_download->mutex);
455
456 /* Release pending firmware packages */
457 list_for_each_entry_safe(fw_req, tmp, &fw_download->fw_requests, node) {
458 cancel_delayed_work_sync(&fw_req->dwork);
459 free_firmware(fw_download, fw_req);
460 put_fw_req(fw_req);
461 }
462
463 ida_destroy(&fw_download->id_map);
464 kfree(fw_download);
465 }
466