1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * main.c - Multi purpose firmware loading support
4  *
5  * Copyright (c) 2003 Manuel Estrada Sainz
6  *
7  * Please see Documentation/driver-api/firmware/ for more information.
8  *
9  */
10 
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 
13 #include <linux/capability.h>
14 #include <linux/device.h>
15 #include <linux/kernel_read_file.h>
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/initrd.h>
19 #include <linux/timer.h>
20 #include <linux/vmalloc.h>
21 #include <linux/interrupt.h>
22 #include <linux/bitops.h>
23 #include <linux/mutex.h>
24 #include <linux/workqueue.h>
25 #include <linux/highmem.h>
26 #include <linux/firmware.h>
27 #include <linux/slab.h>
28 #include <linux/sched.h>
29 #include <linux/file.h>
30 #include <linux/list.h>
31 #include <linux/fs.h>
32 #include <linux/async.h>
33 #include <linux/pm.h>
34 #include <linux/suspend.h>
35 #include <linux/syscore_ops.h>
36 #include <linux/reboot.h>
37 #include <linux/security.h>
38 #include <linux/zstd.h>
39 #include <linux/xz.h>
40 
41 #include <generated/utsrelease.h>
42 
43 #include "../base.h"
44 #include "firmware.h"
45 #include "fallback.h"
46 
47 MODULE_AUTHOR("Manuel Estrada Sainz");
48 MODULE_DESCRIPTION("Multi purpose firmware loading support");
49 MODULE_LICENSE("GPL");
50 
51 struct firmware_cache {
52 	/* firmware_buf instance will be added into the below list */
53 	spinlock_t lock;
54 	struct list_head head;
55 	int state;
56 
57 #ifdef CONFIG_FW_CACHE
58 	/*
59 	 * Names of firmware images which have been cached successfully
60 	 * will be added into the below list so that device uncache
61 	 * helper can trace which firmware images have been cached
62 	 * before.
63 	 */
64 	spinlock_t name_lock;
65 	struct list_head fw_names;
66 
67 	struct delayed_work work;
68 
69 	struct notifier_block   pm_notify;
70 #endif
71 };
72 
73 struct fw_cache_entry {
74 	struct list_head list;
75 	const char *name;
76 };
77 
78 struct fw_name_devm {
79 	unsigned long magic;
80 	const char *name;
81 };
82 
to_fw_priv(struct kref * ref)83 static inline struct fw_priv *to_fw_priv(struct kref *ref)
84 {
85 	return container_of(ref, struct fw_priv, ref);
86 }
87 
88 #define	FW_LOADER_NO_CACHE	0
89 #define	FW_LOADER_START_CACHE	1
90 
91 /* fw_lock could be moved to 'struct fw_sysfs' but since it is just
92  * guarding for corner cases a global lock should be OK */
93 DEFINE_MUTEX(fw_lock);
94 
95 struct firmware_cache fw_cache;
96 bool fw_load_abort_all;
97 
fw_state_init(struct fw_priv * fw_priv)98 void fw_state_init(struct fw_priv *fw_priv)
99 {
100 	struct fw_state *fw_st = &fw_priv->fw_st;
101 
102 	init_completion(&fw_st->completion);
103 	fw_st->status = FW_STATUS_UNKNOWN;
104 }
105 
fw_state_wait(struct fw_priv * fw_priv)106 static inline int fw_state_wait(struct fw_priv *fw_priv)
107 {
108 	return __fw_state_wait_common(fw_priv, MAX_SCHEDULE_TIMEOUT);
109 }
110 
111 static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv);
112 
__allocate_fw_priv(const char * fw_name,struct firmware_cache * fwc,void * dbuf,size_t size,size_t offset,u32 opt_flags)113 static struct fw_priv *__allocate_fw_priv(const char *fw_name,
114 					  struct firmware_cache *fwc,
115 					  void *dbuf,
116 					  size_t size,
117 					  size_t offset,
118 					  u32 opt_flags)
119 {
120 	struct fw_priv *fw_priv;
121 
122 	/* For a partial read, the buffer must be preallocated. */
123 	if ((opt_flags & FW_OPT_PARTIAL) && !dbuf)
124 		return NULL;
125 
126 	/* Only partial reads are allowed to use an offset. */
127 	if (offset != 0 && !(opt_flags & FW_OPT_PARTIAL))
128 		return NULL;
129 
130 	fw_priv = kzalloc(sizeof(*fw_priv), GFP_ATOMIC);
131 	if (!fw_priv)
132 		return NULL;
133 
134 	fw_priv->fw_name = kstrdup_const(fw_name, GFP_ATOMIC);
135 	if (!fw_priv->fw_name) {
136 		kfree(fw_priv);
137 		return NULL;
138 	}
139 
140 	kref_init(&fw_priv->ref);
141 	fw_priv->fwc = fwc;
142 	fw_priv->data = dbuf;
143 	fw_priv->allocated_size = size;
144 	fw_priv->offset = offset;
145 	fw_priv->opt_flags = opt_flags;
146 	fw_state_init(fw_priv);
147 #ifdef CONFIG_FW_LOADER_USER_HELPER
148 	INIT_LIST_HEAD(&fw_priv->pending_list);
149 #endif
150 
151 	pr_debug("%s: fw-%s fw_priv=%p\n", __func__, fw_name, fw_priv);
152 
153 	return fw_priv;
154 }
155 
__lookup_fw_priv(const char * fw_name)156 static struct fw_priv *__lookup_fw_priv(const char *fw_name)
157 {
158 	struct fw_priv *tmp;
159 	struct firmware_cache *fwc = &fw_cache;
160 
161 	list_for_each_entry(tmp, &fwc->head, list)
162 		if (!strcmp(tmp->fw_name, fw_name))
163 			return tmp;
164 	return NULL;
165 }
166 
167 /* Returns 1 for batching firmware requests with the same name */
alloc_lookup_fw_priv(const char * fw_name,struct firmware_cache * fwc,struct fw_priv ** fw_priv,void * dbuf,size_t size,size_t offset,u32 opt_flags)168 int alloc_lookup_fw_priv(const char *fw_name, struct firmware_cache *fwc,
169 			 struct fw_priv **fw_priv, void *dbuf, size_t size,
170 			 size_t offset, u32 opt_flags)
171 {
172 	struct fw_priv *tmp;
173 
174 	spin_lock(&fwc->lock);
175 	/*
176 	 * Do not merge requests that are marked to be non-cached or
177 	 * are performing partial reads.
178 	 */
179 	if (!(opt_flags & (FW_OPT_NOCACHE | FW_OPT_PARTIAL))) {
180 		tmp = __lookup_fw_priv(fw_name);
181 		if (tmp) {
182 			kref_get(&tmp->ref);
183 			spin_unlock(&fwc->lock);
184 			*fw_priv = tmp;
185 			pr_debug("batched request - sharing the same struct fw_priv and lookup for multiple requests\n");
186 			return 1;
187 		}
188 	}
189 
190 	tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size, offset, opt_flags);
191 	if (tmp) {
192 		INIT_LIST_HEAD(&tmp->list);
193 		if (!(opt_flags & FW_OPT_NOCACHE))
194 			list_add(&tmp->list, &fwc->head);
195 	}
196 	spin_unlock(&fwc->lock);
197 
198 	*fw_priv = tmp;
199 
200 	return tmp ? 0 : -ENOMEM;
201 }
202 
__free_fw_priv(struct kref * ref)203 static void __free_fw_priv(struct kref *ref)
204 	__releases(&fwc->lock)
205 {
206 	struct fw_priv *fw_priv = to_fw_priv(ref);
207 	struct firmware_cache *fwc = fw_priv->fwc;
208 
209 	pr_debug("%s: fw-%s fw_priv=%p data=%p size=%u\n",
210 		 __func__, fw_priv->fw_name, fw_priv, fw_priv->data,
211 		 (unsigned int)fw_priv->size);
212 
213 	list_del(&fw_priv->list);
214 	spin_unlock(&fwc->lock);
215 
216 	if (fw_is_paged_buf(fw_priv))
217 		fw_free_paged_buf(fw_priv);
218 	else if (!fw_priv->allocated_size)
219 		vfree(fw_priv->data);
220 
221 	kfree_const(fw_priv->fw_name);
222 	kfree(fw_priv);
223 }
224 
free_fw_priv(struct fw_priv * fw_priv)225 void free_fw_priv(struct fw_priv *fw_priv)
226 {
227 	struct firmware_cache *fwc = fw_priv->fwc;
228 	spin_lock(&fwc->lock);
229 	if (!kref_put(&fw_priv->ref, __free_fw_priv))
230 		spin_unlock(&fwc->lock);
231 }
232 
233 #ifdef CONFIG_FW_LOADER_PAGED_BUF
fw_is_paged_buf(struct fw_priv * fw_priv)234 bool fw_is_paged_buf(struct fw_priv *fw_priv)
235 {
236 	return fw_priv->is_paged_buf;
237 }
238 
fw_free_paged_buf(struct fw_priv * fw_priv)239 void fw_free_paged_buf(struct fw_priv *fw_priv)
240 {
241 	int i;
242 
243 	if (!fw_priv->pages)
244 		return;
245 
246 	vunmap(fw_priv->data);
247 
248 	for (i = 0; i < fw_priv->nr_pages; i++)
249 		__free_page(fw_priv->pages[i]);
250 	kvfree(fw_priv->pages);
251 	fw_priv->pages = NULL;
252 	fw_priv->page_array_size = 0;
253 	fw_priv->nr_pages = 0;
254 	fw_priv->data = NULL;
255 	fw_priv->size = 0;
256 }
257 
fw_grow_paged_buf(struct fw_priv * fw_priv,int pages_needed)258 int fw_grow_paged_buf(struct fw_priv *fw_priv, int pages_needed)
259 {
260 	/* If the array of pages is too small, grow it */
261 	if (fw_priv->page_array_size < pages_needed) {
262 		int new_array_size = max(pages_needed,
263 					 fw_priv->page_array_size * 2);
264 		struct page **new_pages;
265 
266 		new_pages = kvmalloc_array(new_array_size, sizeof(void *),
267 					   GFP_KERNEL);
268 		if (!new_pages)
269 			return -ENOMEM;
270 		memcpy(new_pages, fw_priv->pages,
271 		       fw_priv->page_array_size * sizeof(void *));
272 		memset(&new_pages[fw_priv->page_array_size], 0, sizeof(void *) *
273 		       (new_array_size - fw_priv->page_array_size));
274 		kvfree(fw_priv->pages);
275 		fw_priv->pages = new_pages;
276 		fw_priv->page_array_size = new_array_size;
277 	}
278 
279 	while (fw_priv->nr_pages < pages_needed) {
280 		fw_priv->pages[fw_priv->nr_pages] =
281 			alloc_page(GFP_KERNEL | __GFP_HIGHMEM);
282 
283 		if (!fw_priv->pages[fw_priv->nr_pages])
284 			return -ENOMEM;
285 		fw_priv->nr_pages++;
286 	}
287 
288 	return 0;
289 }
290 
fw_map_paged_buf(struct fw_priv * fw_priv)291 int fw_map_paged_buf(struct fw_priv *fw_priv)
292 {
293 	/* one pages buffer should be mapped/unmapped only once */
294 	if (!fw_priv->pages)
295 		return 0;
296 
297 	vunmap(fw_priv->data);
298 	fw_priv->data = vmap(fw_priv->pages, fw_priv->nr_pages, 0,
299 			     PAGE_KERNEL_RO);
300 	if (!fw_priv->data)
301 		return -ENOMEM;
302 
303 	return 0;
304 }
305 #endif
306 
307 /*
308  * ZSTD-compressed firmware support
309  */
310 #ifdef CONFIG_FW_LOADER_COMPRESS_ZSTD
fw_decompress_zstd(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)311 static int fw_decompress_zstd(struct device *dev, struct fw_priv *fw_priv,
312 			      size_t in_size, const void *in_buffer)
313 {
314 	size_t len, out_size, workspace_size;
315 	void *workspace, *out_buf;
316 	zstd_dctx *ctx;
317 	int err;
318 
319 	if (fw_priv->allocated_size) {
320 		out_size = fw_priv->allocated_size;
321 		out_buf = fw_priv->data;
322 	} else {
323 		zstd_frame_header params;
324 
325 		if (zstd_get_frame_header(&params, in_buffer, in_size) ||
326 		    params.frameContentSize == ZSTD_CONTENTSIZE_UNKNOWN) {
327 			dev_dbg(dev, "%s: invalid zstd header\n", __func__);
328 			return -EINVAL;
329 		}
330 		out_size = params.frameContentSize;
331 		out_buf = vzalloc(out_size);
332 		if (!out_buf)
333 			return -ENOMEM;
334 	}
335 
336 	workspace_size = zstd_dctx_workspace_bound();
337 	workspace = kvzalloc(workspace_size, GFP_KERNEL);
338 	if (!workspace) {
339 		err = -ENOMEM;
340 		goto error;
341 	}
342 
343 	ctx = zstd_init_dctx(workspace, workspace_size);
344 	if (!ctx) {
345 		dev_dbg(dev, "%s: failed to initialize context\n", __func__);
346 		err = -EINVAL;
347 		goto error;
348 	}
349 
350 	len = zstd_decompress_dctx(ctx, out_buf, out_size, in_buffer, in_size);
351 	if (zstd_is_error(len)) {
352 		dev_dbg(dev, "%s: failed to decompress: %d\n", __func__,
353 			zstd_get_error_code(len));
354 		err = -EINVAL;
355 		goto error;
356 	}
357 
358 	if (!fw_priv->allocated_size)
359 		fw_priv->data = out_buf;
360 	fw_priv->size = len;
361 	err = 0;
362 
363  error:
364 	kvfree(workspace);
365 	if (err && !fw_priv->allocated_size)
366 		vfree(out_buf);
367 	return err;
368 }
369 #endif /* CONFIG_FW_LOADER_COMPRESS_ZSTD */
370 
371 /*
372  * XZ-compressed firmware support
373  */
374 #ifdef CONFIG_FW_LOADER_COMPRESS_XZ
375 /* show an error and return the standard error code */
fw_decompress_xz_error(struct device * dev,enum xz_ret xz_ret)376 static int fw_decompress_xz_error(struct device *dev, enum xz_ret xz_ret)
377 {
378 	if (xz_ret != XZ_STREAM_END) {
379 		dev_warn(dev, "xz decompression failed (xz_ret=%d)\n", xz_ret);
380 		return xz_ret == XZ_MEM_ERROR ? -ENOMEM : -EINVAL;
381 	}
382 	return 0;
383 }
384 
385 /* single-shot decompression onto the pre-allocated buffer */
fw_decompress_xz_single(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)386 static int fw_decompress_xz_single(struct device *dev, struct fw_priv *fw_priv,
387 				   size_t in_size, const void *in_buffer)
388 {
389 	struct xz_dec *xz_dec;
390 	struct xz_buf xz_buf;
391 	enum xz_ret xz_ret;
392 
393 	xz_dec = xz_dec_init(XZ_SINGLE, (u32)-1);
394 	if (!xz_dec)
395 		return -ENOMEM;
396 
397 	xz_buf.in_size = in_size;
398 	xz_buf.in = in_buffer;
399 	xz_buf.in_pos = 0;
400 	xz_buf.out_size = fw_priv->allocated_size;
401 	xz_buf.out = fw_priv->data;
402 	xz_buf.out_pos = 0;
403 
404 	xz_ret = xz_dec_run(xz_dec, &xz_buf);
405 	xz_dec_end(xz_dec);
406 
407 	fw_priv->size = xz_buf.out_pos;
408 	return fw_decompress_xz_error(dev, xz_ret);
409 }
410 
411 /* decompression on paged buffer and map it */
fw_decompress_xz_pages(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)412 static int fw_decompress_xz_pages(struct device *dev, struct fw_priv *fw_priv,
413 				  size_t in_size, const void *in_buffer)
414 {
415 	struct xz_dec *xz_dec;
416 	struct xz_buf xz_buf;
417 	enum xz_ret xz_ret;
418 	struct page *page;
419 	int err = 0;
420 
421 	xz_dec = xz_dec_init(XZ_DYNALLOC, (u32)-1);
422 	if (!xz_dec)
423 		return -ENOMEM;
424 
425 	xz_buf.in_size = in_size;
426 	xz_buf.in = in_buffer;
427 	xz_buf.in_pos = 0;
428 
429 	fw_priv->is_paged_buf = true;
430 	fw_priv->size = 0;
431 	do {
432 		if (fw_grow_paged_buf(fw_priv, fw_priv->nr_pages + 1)) {
433 			err = -ENOMEM;
434 			goto out;
435 		}
436 
437 		/* decompress onto the new allocated page */
438 		page = fw_priv->pages[fw_priv->nr_pages - 1];
439 		xz_buf.out = kmap_local_page(page);
440 		xz_buf.out_pos = 0;
441 		xz_buf.out_size = PAGE_SIZE;
442 		xz_ret = xz_dec_run(xz_dec, &xz_buf);
443 		kunmap_local(xz_buf.out);
444 		fw_priv->size += xz_buf.out_pos;
445 		/* partial decompression means either end or error */
446 		if (xz_buf.out_pos != PAGE_SIZE)
447 			break;
448 	} while (xz_ret == XZ_OK);
449 
450 	err = fw_decompress_xz_error(dev, xz_ret);
451 	if (!err)
452 		err = fw_map_paged_buf(fw_priv);
453 
454  out:
455 	xz_dec_end(xz_dec);
456 	return err;
457 }
458 
fw_decompress_xz(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)459 static int fw_decompress_xz(struct device *dev, struct fw_priv *fw_priv,
460 			    size_t in_size, const void *in_buffer)
461 {
462 	/* if the buffer is pre-allocated, we can perform in single-shot mode */
463 	if (fw_priv->data)
464 		return fw_decompress_xz_single(dev, fw_priv, in_size, in_buffer);
465 	else
466 		return fw_decompress_xz_pages(dev, fw_priv, in_size, in_buffer);
467 }
468 #endif /* CONFIG_FW_LOADER_COMPRESS_XZ */
469 
470 /* direct firmware loading support */
471 static char fw_path_para[256];
472 static const char * const fw_path[] = {
473 	fw_path_para,
474 	"/lib/firmware/updates/" UTS_RELEASE,
475 	"/lib/firmware/updates",
476 	"/lib/firmware/" UTS_RELEASE,
477 	"/lib/firmware"
478 };
479 
480 /*
481  * Typical usage is that passing 'firmware_class.path=$CUSTOMIZED_PATH'
482  * from kernel command line because firmware_class is generally built in
483  * kernel instead of module.
484  */
485 module_param_string(path, fw_path_para, sizeof(fw_path_para), 0644);
486 MODULE_PARM_DESC(path, "customized firmware image search path with a higher priority than default path");
487 
488 static int
fw_get_filesystem_firmware(struct device * device,struct fw_priv * fw_priv,const char * suffix,int (* decompress)(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer))489 fw_get_filesystem_firmware(struct device *device, struct fw_priv *fw_priv,
490 			   const char *suffix,
491 			   int (*decompress)(struct device *dev,
492 					     struct fw_priv *fw_priv,
493 					     size_t in_size,
494 					     const void *in_buffer))
495 {
496 	size_t size;
497 	int i, len, maxlen = 0;
498 	int rc = -ENOENT;
499 	char *path, *nt = NULL;
500 	size_t msize = INT_MAX;
501 	void *buffer = NULL;
502 
503 	/* Already populated data member means we're loading into a buffer */
504 	if (!decompress && fw_priv->data) {
505 		buffer = fw_priv->data;
506 		msize = fw_priv->allocated_size;
507 	}
508 
509 	path = __getname();
510 	if (!path)
511 		return -ENOMEM;
512 
513 	wait_for_initramfs();
514 	for (i = 0; i < ARRAY_SIZE(fw_path); i++) {
515 		size_t file_size = 0;
516 		size_t *file_size_ptr = NULL;
517 
518 		/* skip the unset customized path */
519 		if (!fw_path[i][0])
520 			continue;
521 
522 		/* strip off \n from customized path */
523 		maxlen = strlen(fw_path[i]);
524 		if (i == 0) {
525 			nt = strchr(fw_path[i], '\n');
526 			if (nt)
527 				maxlen = nt - fw_path[i];
528 		}
529 
530 		len = snprintf(path, PATH_MAX, "%.*s/%s%s",
531 			       maxlen, fw_path[i],
532 			       fw_priv->fw_name, suffix);
533 		if (len >= PATH_MAX) {
534 			rc = -ENAMETOOLONG;
535 			break;
536 		}
537 
538 		fw_priv->size = 0;
539 
540 		/*
541 		 * The total file size is only examined when doing a partial
542 		 * read; the "full read" case needs to fail if the whole
543 		 * firmware was not completely loaded.
544 		 */
545 		if ((fw_priv->opt_flags & FW_OPT_PARTIAL) && buffer)
546 			file_size_ptr = &file_size;
547 
548 		/* load firmware files from the mount namespace of init */
549 		rc = kernel_read_file_from_path_initns(path, fw_priv->offset,
550 						       &buffer, msize,
551 						       file_size_ptr,
552 						       READING_FIRMWARE);
553 		if (rc < 0) {
554 			if (!(fw_priv->opt_flags & FW_OPT_NO_WARN)) {
555 				if (rc != -ENOENT)
556 					dev_warn(device,
557 						 "loading %s failed with error %d\n",
558 						 path, rc);
559 				else
560 					dev_dbg(device,
561 						"loading %s failed for no such file or directory.\n",
562 						path);
563 			}
564 			continue;
565 		}
566 		size = rc;
567 		rc = 0;
568 
569 		dev_dbg(device, "Loading firmware from %s\n", path);
570 		if (decompress) {
571 			dev_dbg(device, "f/w decompressing %s\n",
572 				fw_priv->fw_name);
573 			rc = decompress(device, fw_priv, size, buffer);
574 			/* discard the superfluous original content */
575 			vfree(buffer);
576 			buffer = NULL;
577 			if (rc) {
578 				fw_free_paged_buf(fw_priv);
579 				continue;
580 			}
581 		} else {
582 			dev_dbg(device, "direct-loading %s\n",
583 				fw_priv->fw_name);
584 			if (!fw_priv->data)
585 				fw_priv->data = buffer;
586 			fw_priv->size = size;
587 		}
588 		fw_state_done(fw_priv);
589 		break;
590 	}
591 	__putname(path);
592 
593 	return rc;
594 }
595 
596 /* firmware holds the ownership of pages */
firmware_free_data(const struct firmware * fw)597 static void firmware_free_data(const struct firmware *fw)
598 {
599 	/* Loaded directly? */
600 	if (!fw->priv) {
601 		vfree(fw->data);
602 		return;
603 	}
604 	free_fw_priv(fw->priv);
605 }
606 
607 /* store the pages buffer info firmware from buf */
fw_set_page_data(struct fw_priv * fw_priv,struct firmware * fw)608 static void fw_set_page_data(struct fw_priv *fw_priv, struct firmware *fw)
609 {
610 	fw->priv = fw_priv;
611 	fw->size = fw_priv->size;
612 	fw->data = fw_priv->data;
613 
614 	pr_debug("%s: fw-%s fw_priv=%p data=%p size=%u\n",
615 		 __func__, fw_priv->fw_name, fw_priv, fw_priv->data,
616 		 (unsigned int)fw_priv->size);
617 }
618 
619 #ifdef CONFIG_FW_CACHE
fw_name_devm_release(struct device * dev,void * res)620 static void fw_name_devm_release(struct device *dev, void *res)
621 {
622 	struct fw_name_devm *fwn = res;
623 
624 	if (fwn->magic == (unsigned long)&fw_cache)
625 		pr_debug("%s: fw_name-%s devm-%p released\n",
626 				__func__, fwn->name, res);
627 	kfree_const(fwn->name);
628 }
629 
fw_devm_match(struct device * dev,void * res,void * match_data)630 static int fw_devm_match(struct device *dev, void *res,
631 		void *match_data)
632 {
633 	struct fw_name_devm *fwn = res;
634 
635 	return (fwn->magic == (unsigned long)&fw_cache) &&
636 		!strcmp(fwn->name, match_data);
637 }
638 
fw_find_devm_name(struct device * dev,const char * name)639 static struct fw_name_devm *fw_find_devm_name(struct device *dev,
640 		const char *name)
641 {
642 	struct fw_name_devm *fwn;
643 
644 	fwn = devres_find(dev, fw_name_devm_release,
645 			  fw_devm_match, (void *)name);
646 	return fwn;
647 }
648 
fw_cache_is_setup(struct device * dev,const char * name)649 static bool fw_cache_is_setup(struct device *dev, const char *name)
650 {
651 	struct fw_name_devm *fwn;
652 
653 	fwn = fw_find_devm_name(dev, name);
654 	if (fwn)
655 		return true;
656 
657 	return false;
658 }
659 
660 /* add firmware name into devres list */
fw_add_devm_name(struct device * dev,const char * name)661 static int fw_add_devm_name(struct device *dev, const char *name)
662 {
663 	struct fw_name_devm *fwn;
664 
665 	if (fw_cache_is_setup(dev, name))
666 		return 0;
667 
668 	fwn = devres_alloc(fw_name_devm_release, sizeof(struct fw_name_devm),
669 			   GFP_KERNEL);
670 	if (!fwn)
671 		return -ENOMEM;
672 	fwn->name = kstrdup_const(name, GFP_KERNEL);
673 	if (!fwn->name) {
674 		devres_free(fwn);
675 		return -ENOMEM;
676 	}
677 
678 	fwn->magic = (unsigned long)&fw_cache;
679 	devres_add(dev, fwn);
680 
681 	return 0;
682 }
683 #else
fw_cache_is_setup(struct device * dev,const char * name)684 static bool fw_cache_is_setup(struct device *dev, const char *name)
685 {
686 	return false;
687 }
688 
fw_add_devm_name(struct device * dev,const char * name)689 static int fw_add_devm_name(struct device *dev, const char *name)
690 {
691 	return 0;
692 }
693 #endif
694 
assign_fw(struct firmware * fw,struct device * device)695 int assign_fw(struct firmware *fw, struct device *device)
696 {
697 	struct fw_priv *fw_priv = fw->priv;
698 	int ret;
699 
700 	mutex_lock(&fw_lock);
701 	if (!fw_priv->size || fw_state_is_aborted(fw_priv)) {
702 		mutex_unlock(&fw_lock);
703 		return -ENOENT;
704 	}
705 
706 	/*
707 	 * add firmware name into devres list so that we can auto cache
708 	 * and uncache firmware for device.
709 	 *
710 	 * device may has been deleted already, but the problem
711 	 * should be fixed in devres or driver core.
712 	 */
713 	/* don't cache firmware handled without uevent */
714 	if (device && (fw_priv->opt_flags & FW_OPT_UEVENT) &&
715 	    !(fw_priv->opt_flags & FW_OPT_NOCACHE)) {
716 		ret = fw_add_devm_name(device, fw_priv->fw_name);
717 		if (ret) {
718 			mutex_unlock(&fw_lock);
719 			return ret;
720 		}
721 	}
722 
723 	/*
724 	 * After caching firmware image is started, let it piggyback
725 	 * on request firmware.
726 	 */
727 	if (!(fw_priv->opt_flags & FW_OPT_NOCACHE) &&
728 	    fw_priv->fwc->state == FW_LOADER_START_CACHE)
729 		fw_cache_piggyback_on_request(fw_priv);
730 
731 	/* pass the pages buffer to driver at the last minute */
732 	fw_set_page_data(fw_priv, fw);
733 	mutex_unlock(&fw_lock);
734 	return 0;
735 }
736 
737 /* prepare firmware and firmware_buf structs;
738  * return 0 if a firmware is already assigned, 1 if need to load one,
739  * or a negative error code
740  */
741 static int
_request_firmware_prepare(struct firmware ** firmware_p,const char * name,struct device * device,void * dbuf,size_t size,size_t offset,u32 opt_flags)742 _request_firmware_prepare(struct firmware **firmware_p, const char *name,
743 			  struct device *device, void *dbuf, size_t size,
744 			  size_t offset, u32 opt_flags)
745 {
746 	struct firmware *firmware;
747 	struct fw_priv *fw_priv;
748 	int ret;
749 
750 	*firmware_p = firmware = kzalloc(sizeof(*firmware), GFP_KERNEL);
751 	if (!firmware) {
752 		dev_err(device, "%s: kmalloc(struct firmware) failed\n",
753 			__func__);
754 		return -ENOMEM;
755 	}
756 
757 	if (firmware_request_builtin_buf(firmware, name, dbuf, size)) {
758 		dev_dbg(device, "using built-in %s\n", name);
759 		return 0; /* assigned */
760 	}
761 
762 	ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, dbuf, size,
763 				   offset, opt_flags);
764 
765 	/*
766 	 * bind with 'priv' now to avoid warning in failure path
767 	 * of requesting firmware.
768 	 */
769 	firmware->priv = fw_priv;
770 
771 	if (ret > 0) {
772 		ret = fw_state_wait(fw_priv);
773 		if (!ret) {
774 			fw_set_page_data(fw_priv, firmware);
775 			return 0; /* assigned */
776 		}
777 	}
778 
779 	if (ret < 0)
780 		return ret;
781 	return 1; /* need to load */
782 }
783 
784 /*
785  * Batched requests need only one wake, we need to do this step last due to the
786  * fallback mechanism. The buf is protected with kref_get(), and it won't be
787  * released until the last user calls release_firmware().
788  *
789  * Failed batched requests are possible as well, in such cases we just share
790  * the struct fw_priv and won't release it until all requests are woken
791  * and have gone through this same path.
792  */
fw_abort_batch_reqs(struct firmware * fw)793 static void fw_abort_batch_reqs(struct firmware *fw)
794 {
795 	struct fw_priv *fw_priv;
796 
797 	/* Loaded directly? */
798 	if (!fw || !fw->priv)
799 		return;
800 
801 	fw_priv = fw->priv;
802 	mutex_lock(&fw_lock);
803 	if (!fw_state_is_aborted(fw_priv))
804 		fw_state_aborted(fw_priv);
805 	mutex_unlock(&fw_lock);
806 }
807 
808 #if defined(CONFIG_FW_LOADER_DEBUG)
809 #include <crypto/hash.h>
810 #include <crypto/sha2.h>
811 
fw_log_firmware_info(const struct firmware * fw,const char * name,struct device * device)812 static void fw_log_firmware_info(const struct firmware *fw, const char *name, struct device *device)
813 {
814 	struct shash_desc *shash;
815 	struct crypto_shash *alg;
816 	u8 *sha256buf;
817 	char *outbuf;
818 
819 	alg = crypto_alloc_shash("sha256", 0, 0);
820 	if (IS_ERR(alg))
821 		return;
822 
823 	sha256buf = kmalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
824 	outbuf = kmalloc(SHA256_BLOCK_SIZE + 1, GFP_KERNEL);
825 	shash = kmalloc(sizeof(*shash) + crypto_shash_descsize(alg), GFP_KERNEL);
826 	if (!sha256buf || !outbuf || !shash)
827 		goto out_free;
828 
829 	shash->tfm = alg;
830 
831 	if (crypto_shash_digest(shash, fw->data, fw->size, sha256buf) < 0)
832 		goto out_shash;
833 
834 	for (int i = 0; i < SHA256_DIGEST_SIZE; i++)
835 		sprintf(&outbuf[i * 2], "%02x", sha256buf[i]);
836 	outbuf[SHA256_BLOCK_SIZE] = 0;
837 	dev_dbg(device, "Loaded FW: %s, sha256: %s\n", name, outbuf);
838 
839 out_shash:
840 	crypto_free_shash(alg);
841 out_free:
842 	kfree(shash);
843 	kfree(outbuf);
844 	kfree(sha256buf);
845 }
846 #else
fw_log_firmware_info(const struct firmware * fw,const char * name,struct device * device)847 static void fw_log_firmware_info(const struct firmware *fw, const char *name,
848 				 struct device *device)
849 {}
850 #endif
851 
852 /*
853  * Reject firmware file names with ".." path components.
854  * There are drivers that construct firmware file names from device-supplied
855  * strings, and we don't want some device to be able to tell us "I would like to
856  * be sent my firmware from ../../../etc/shadow, please".
857  *
858  * Search for ".." surrounded by either '/' or start/end of string.
859  *
860  * This intentionally only looks at the firmware name, not at the firmware base
861  * directory or at symlink contents.
862  */
name_contains_dotdot(const char * name)863 static bool name_contains_dotdot(const char *name)
864 {
865 	size_t name_len = strlen(name);
866 
867 	return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 ||
868 	       strstr(name, "/../") != NULL ||
869 	       (name_len >= 3 && strcmp(name+name_len-3, "/..") == 0);
870 }
871 
872 /* called from request_firmware() and request_firmware_work_func() */
873 static int
_request_firmware(const struct firmware ** firmware_p,const char * name,struct device * device,void * buf,size_t size,size_t offset,u32 opt_flags)874 _request_firmware(const struct firmware **firmware_p, const char *name,
875 		  struct device *device, void *buf, size_t size,
876 		  size_t offset, u32 opt_flags)
877 {
878 	struct firmware *fw = NULL;
879 	struct cred *kern_cred = NULL;
880 	const struct cred *old_cred;
881 	bool nondirect = false;
882 	int ret;
883 
884 	if (!firmware_p)
885 		return -EINVAL;
886 
887 	if (!name || name[0] == '\0') {
888 		ret = -EINVAL;
889 		goto out;
890 	}
891 
892 	if (name_contains_dotdot(name)) {
893 		dev_warn(device,
894 			 "Firmware load for '%s' refused, path contains '..' component\n",
895 			 name);
896 		ret = -EINVAL;
897 		goto out;
898 	}
899 
900 	ret = _request_firmware_prepare(&fw, name, device, buf, size,
901 					offset, opt_flags);
902 	if (ret <= 0) /* error or already assigned */
903 		goto out;
904 
905 	/*
906 	 * We are about to try to access the firmware file. Because we may have been
907 	 * called by a driver when serving an unrelated request from userland, we use
908 	 * the kernel credentials to read the file.
909 	 */
910 	kern_cred = prepare_kernel_cred(&init_task);
911 	if (!kern_cred) {
912 		ret = -ENOMEM;
913 		goto out;
914 	}
915 	old_cred = override_creds(kern_cred);
916 
917 	ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL);
918 
919 	/* Only full reads can support decompression, platform, and sysfs. */
920 	if (!(opt_flags & FW_OPT_PARTIAL))
921 		nondirect = true;
922 
923 #ifdef CONFIG_FW_LOADER_COMPRESS_ZSTD
924 	if (ret == -ENOENT && nondirect)
925 		ret = fw_get_filesystem_firmware(device, fw->priv, ".zst",
926 						 fw_decompress_zstd);
927 #endif
928 #ifdef CONFIG_FW_LOADER_COMPRESS_XZ
929 	if (ret == -ENOENT && nondirect)
930 		ret = fw_get_filesystem_firmware(device, fw->priv, ".xz",
931 						 fw_decompress_xz);
932 #endif
933 	if (ret == -ENOENT && nondirect)
934 		ret = firmware_fallback_platform(fw->priv);
935 
936 	if (ret) {
937 		if (!(opt_flags & FW_OPT_NO_WARN))
938 			dev_warn(device,
939 				 "Direct firmware load for %s failed with error %d\n",
940 				 name, ret);
941 		if (nondirect)
942 			ret = firmware_fallback_sysfs(fw, name, device,
943 						      opt_flags, ret);
944 	} else
945 		ret = assign_fw(fw, device);
946 
947 	revert_creds(old_cred);
948 	put_cred(kern_cred);
949 
950 out:
951 	if (ret < 0) {
952 		fw_abort_batch_reqs(fw);
953 		release_firmware(fw);
954 		fw = NULL;
955 	} else {
956 		fw_log_firmware_info(fw, name, device);
957 	}
958 
959 	*firmware_p = fw;
960 	return ret;
961 }
962 
963 /**
964  * request_firmware() - send firmware request and wait for it
965  * @firmware_p: pointer to firmware image
966  * @name: name of firmware file
967  * @device: device for which firmware is being loaded
968  *
969  *      @firmware_p will be used to return a firmware image by the name
970  *      of @name for device @device.
971  *
972  *      Should be called from user context where sleeping is allowed.
973  *
974  *      @name will be used as $FIRMWARE in the uevent environment and
975  *      should be distinctive enough not to be confused with any other
976  *      firmware image for this or any other device.
977  *	It must not contain any ".." path components - "foo/bar..bin" is
978  *	allowed, but "foo/../bar.bin" is not.
979  *
980  *	Caller must hold the reference count of @device.
981  *
982  *	The function can be called safely inside device's suspend and
983  *	resume callback.
984  **/
985 int
request_firmware(const struct firmware ** firmware_p,const char * name,struct device * device)986 request_firmware(const struct firmware **firmware_p, const char *name,
987 		 struct device *device)
988 {
989 	int ret;
990 
991 	/* Need to pin this module until return */
992 	__module_get(THIS_MODULE);
993 	ret = _request_firmware(firmware_p, name, device, NULL, 0, 0,
994 				FW_OPT_UEVENT);
995 	module_put(THIS_MODULE);
996 	return ret;
997 }
998 EXPORT_SYMBOL(request_firmware);
999 
1000 /**
1001  * firmware_request_nowarn() - request for an optional fw module
1002  * @firmware: pointer to firmware image
1003  * @name: name of firmware file
1004  * @device: device for which firmware is being loaded
1005  *
1006  * This function is similar in behaviour to request_firmware(), except it
1007  * doesn't produce warning messages when the file is not found. The sysfs
1008  * fallback mechanism is enabled if direct filesystem lookup fails. However,
1009  * failures to find the firmware file with it are still suppressed. It is
1010  * therefore up to the driver to check for the return value of this call and to
1011  * decide when to inform the users of errors.
1012  **/
firmware_request_nowarn(const struct firmware ** firmware,const char * name,struct device * device)1013 int firmware_request_nowarn(const struct firmware **firmware, const char *name,
1014 			    struct device *device)
1015 {
1016 	int ret;
1017 
1018 	/* Need to pin this module until return */
1019 	__module_get(THIS_MODULE);
1020 	ret = _request_firmware(firmware, name, device, NULL, 0, 0,
1021 				FW_OPT_UEVENT | FW_OPT_NO_WARN);
1022 	module_put(THIS_MODULE);
1023 	return ret;
1024 }
1025 EXPORT_SYMBOL_GPL(firmware_request_nowarn);
1026 
1027 /**
1028  * request_firmware_direct() - load firmware directly without usermode helper
1029  * @firmware_p: pointer to firmware image
1030  * @name: name of firmware file
1031  * @device: device for which firmware is being loaded
1032  *
1033  * This function works pretty much like request_firmware(), but this doesn't
1034  * fall back to usermode helper even if the firmware couldn't be loaded
1035  * directly from fs.  Hence it's useful for loading optional firmwares, which
1036  * aren't always present, without extra long timeouts of udev.
1037  **/
request_firmware_direct(const struct firmware ** firmware_p,const char * name,struct device * device)1038 int request_firmware_direct(const struct firmware **firmware_p,
1039 			    const char *name, struct device *device)
1040 {
1041 	int ret;
1042 
1043 	__module_get(THIS_MODULE);
1044 	ret = _request_firmware(firmware_p, name, device, NULL, 0, 0,
1045 				FW_OPT_UEVENT | FW_OPT_NO_WARN |
1046 				FW_OPT_NOFALLBACK_SYSFS);
1047 	module_put(THIS_MODULE);
1048 	return ret;
1049 }
1050 EXPORT_SYMBOL_GPL(request_firmware_direct);
1051 
1052 /**
1053  * firmware_request_platform() - request firmware with platform-fw fallback
1054  * @firmware: pointer to firmware image
1055  * @name: name of firmware file
1056  * @device: device for which firmware is being loaded
1057  *
1058  * This function is similar in behaviour to request_firmware, except that if
1059  * direct filesystem lookup fails, it will fallback to looking for a copy of the
1060  * requested firmware embedded in the platform's main (e.g. UEFI) firmware.
1061  **/
firmware_request_platform(const struct firmware ** firmware,const char * name,struct device * device)1062 int firmware_request_platform(const struct firmware **firmware,
1063 			      const char *name, struct device *device)
1064 {
1065 	int ret;
1066 
1067 	/* Need to pin this module until return */
1068 	__module_get(THIS_MODULE);
1069 	ret = _request_firmware(firmware, name, device, NULL, 0, 0,
1070 				FW_OPT_UEVENT | FW_OPT_FALLBACK_PLATFORM);
1071 	module_put(THIS_MODULE);
1072 	return ret;
1073 }
1074 EXPORT_SYMBOL_GPL(firmware_request_platform);
1075 
1076 /**
1077  * firmware_request_cache() - cache firmware for suspend so resume can use it
1078  * @name: name of firmware file
1079  * @device: device for which firmware should be cached for
1080  *
1081  * There are some devices with an optimization that enables the device to not
1082  * require loading firmware on system reboot. This optimization may still
1083  * require the firmware present on resume from suspend. This routine can be
1084  * used to ensure the firmware is present on resume from suspend in these
1085  * situations. This helper is not compatible with drivers which use
1086  * request_firmware_into_buf() or request_firmware_nowait() with no uevent set.
1087  **/
firmware_request_cache(struct device * device,const char * name)1088 int firmware_request_cache(struct device *device, const char *name)
1089 {
1090 	int ret;
1091 
1092 	mutex_lock(&fw_lock);
1093 	ret = fw_add_devm_name(device, name);
1094 	mutex_unlock(&fw_lock);
1095 
1096 	return ret;
1097 }
1098 EXPORT_SYMBOL_GPL(firmware_request_cache);
1099 
1100 /**
1101  * request_firmware_into_buf() - load firmware into a previously allocated buffer
1102  * @firmware_p: pointer to firmware image
1103  * @name: name of firmware file
1104  * @device: device for which firmware is being loaded and DMA region allocated
1105  * @buf: address of buffer to load firmware into
1106  * @size: size of buffer
1107  *
1108  * This function works pretty much like request_firmware(), but it doesn't
1109  * allocate a buffer to hold the firmware data. Instead, the firmware
1110  * is loaded directly into the buffer pointed to by @buf and the @firmware_p
1111  * data member is pointed at @buf.
1112  *
1113  * This function doesn't cache firmware either.
1114  */
1115 int
request_firmware_into_buf(const struct firmware ** firmware_p,const char * name,struct device * device,void * buf,size_t size)1116 request_firmware_into_buf(const struct firmware **firmware_p, const char *name,
1117 			  struct device *device, void *buf, size_t size)
1118 {
1119 	int ret;
1120 
1121 	if (fw_cache_is_setup(device, name))
1122 		return -EOPNOTSUPP;
1123 
1124 	__module_get(THIS_MODULE);
1125 	ret = _request_firmware(firmware_p, name, device, buf, size, 0,
1126 				FW_OPT_UEVENT | FW_OPT_NOCACHE);
1127 	module_put(THIS_MODULE);
1128 	return ret;
1129 }
1130 EXPORT_SYMBOL(request_firmware_into_buf);
1131 
1132 /**
1133  * request_partial_firmware_into_buf() - load partial firmware into a previously allocated buffer
1134  * @firmware_p: pointer to firmware image
1135  * @name: name of firmware file
1136  * @device: device for which firmware is being loaded and DMA region allocated
1137  * @buf: address of buffer to load firmware into
1138  * @size: size of buffer
1139  * @offset: offset into file to read
1140  *
1141  * This function works pretty much like request_firmware_into_buf except
1142  * it allows a partial read of the file.
1143  */
1144 int
request_partial_firmware_into_buf(const struct firmware ** firmware_p,const char * name,struct device * device,void * buf,size_t size,size_t offset)1145 request_partial_firmware_into_buf(const struct firmware **firmware_p,
1146 				  const char *name, struct device *device,
1147 				  void *buf, size_t size, size_t offset)
1148 {
1149 	int ret;
1150 
1151 	if (fw_cache_is_setup(device, name))
1152 		return -EOPNOTSUPP;
1153 
1154 	__module_get(THIS_MODULE);
1155 	ret = _request_firmware(firmware_p, name, device, buf, size, offset,
1156 				FW_OPT_UEVENT | FW_OPT_NOCACHE |
1157 				FW_OPT_PARTIAL);
1158 	module_put(THIS_MODULE);
1159 	return ret;
1160 }
1161 EXPORT_SYMBOL(request_partial_firmware_into_buf);
1162 
1163 /**
1164  * release_firmware() - release the resource associated with a firmware image
1165  * @fw: firmware resource to release
1166  **/
release_firmware(const struct firmware * fw)1167 void release_firmware(const struct firmware *fw)
1168 {
1169 	if (fw) {
1170 		if (!firmware_is_builtin(fw))
1171 			firmware_free_data(fw);
1172 		kfree(fw);
1173 	}
1174 }
1175 EXPORT_SYMBOL(release_firmware);
1176 
1177 /* Async support */
1178 struct firmware_work {
1179 	struct work_struct work;
1180 	struct module *module;
1181 	const char *name;
1182 	struct device *device;
1183 	void *context;
1184 	void (*cont)(const struct firmware *fw, void *context);
1185 	u32 opt_flags;
1186 };
1187 
request_firmware_work_func(struct work_struct * work)1188 static void request_firmware_work_func(struct work_struct *work)
1189 {
1190 	struct firmware_work *fw_work;
1191 	const struct firmware *fw;
1192 
1193 	fw_work = container_of(work, struct firmware_work, work);
1194 
1195 	_request_firmware(&fw, fw_work->name, fw_work->device, NULL, 0, 0,
1196 			  fw_work->opt_flags);
1197 	fw_work->cont(fw, fw_work->context);
1198 	put_device(fw_work->device); /* taken in request_firmware_nowait() */
1199 
1200 	module_put(fw_work->module);
1201 	kfree_const(fw_work->name);
1202 	kfree(fw_work);
1203 }
1204 
1205 
_request_firmware_nowait(struct module * module,bool uevent,const char * name,struct device * device,gfp_t gfp,void * context,void (* cont)(const struct firmware * fw,void * context),bool nowarn)1206 static int _request_firmware_nowait(
1207 	struct module *module, bool uevent,
1208 	const char *name, struct device *device, gfp_t gfp, void *context,
1209 	void (*cont)(const struct firmware *fw, void *context), bool nowarn)
1210 {
1211 	struct firmware_work *fw_work;
1212 
1213 	fw_work = kzalloc(sizeof(struct firmware_work), gfp);
1214 	if (!fw_work)
1215 		return -ENOMEM;
1216 
1217 	fw_work->module = module;
1218 	fw_work->name = kstrdup_const(name, gfp);
1219 	if (!fw_work->name) {
1220 		kfree(fw_work);
1221 		return -ENOMEM;
1222 	}
1223 	fw_work->device = device;
1224 	fw_work->context = context;
1225 	fw_work->cont = cont;
1226 	fw_work->opt_flags = FW_OPT_NOWAIT |
1227 		(uevent ? FW_OPT_UEVENT : FW_OPT_USERHELPER) |
1228 		(nowarn ? FW_OPT_NO_WARN : 0);
1229 
1230 	if (!uevent && fw_cache_is_setup(device, name)) {
1231 		kfree_const(fw_work->name);
1232 		kfree(fw_work);
1233 		return -EOPNOTSUPP;
1234 	}
1235 
1236 	if (!try_module_get(module)) {
1237 		kfree_const(fw_work->name);
1238 		kfree(fw_work);
1239 		return -EFAULT;
1240 	}
1241 
1242 	get_device(fw_work->device);
1243 	INIT_WORK(&fw_work->work, request_firmware_work_func);
1244 	schedule_work(&fw_work->work);
1245 	return 0;
1246 }
1247 
1248 /**
1249  * request_firmware_nowait() - asynchronous version of request_firmware
1250  * @module: module requesting the firmware
1251  * @uevent: sends uevent to copy the firmware image if this flag
1252  *	is non-zero else the firmware copy must be done manually.
1253  * @name: name of firmware file
1254  * @device: device for which firmware is being loaded
1255  * @gfp: allocation flags
1256  * @context: will be passed over to @cont, and
1257  *	@fw may be %NULL if firmware request fails.
1258  * @cont: function will be called asynchronously when the firmware
1259  *	request is over.
1260  *
1261  *	Caller must hold the reference count of @device.
1262  *
1263  *	Asynchronous variant of request_firmware() for user contexts:
1264  *		- sleep for as small periods as possible since it may
1265  *		  increase kernel boot time of built-in device drivers
1266  *		  requesting firmware in their ->probe() methods, if
1267  *		  @gfp is GFP_KERNEL.
1268  *
1269  *		- can't sleep at all if @gfp is GFP_ATOMIC.
1270  **/
request_firmware_nowait(struct module * module,bool uevent,const char * name,struct device * device,gfp_t gfp,void * context,void (* cont)(const struct firmware * fw,void * context))1271 int request_firmware_nowait(
1272 	struct module *module, bool uevent,
1273 	const char *name, struct device *device, gfp_t gfp, void *context,
1274 	void (*cont)(const struct firmware *fw, void *context))
1275 {
1276 	return _request_firmware_nowait(module, uevent, name, device, gfp,
1277 					context, cont, false);
1278 
1279 }
1280 EXPORT_SYMBOL(request_firmware_nowait);
1281 
1282 /**
1283  * firmware_request_nowait_nowarn() - async version of request_firmware_nowarn
1284  * @module: module requesting the firmware
1285  * @name: name of firmware file
1286  * @device: device for which firmware is being loaded
1287  * @gfp: allocation flags
1288  * @context: will be passed over to @cont, and
1289  *	@fw may be %NULL if firmware request fails.
1290  * @cont: function will be called asynchronously when the firmware
1291  *	request is over.
1292  *
1293  * Similar in function to request_firmware_nowait(), but doesn't print a warning
1294  * when the firmware file could not be found and always sends a uevent to copy
1295  * the firmware image.
1296  */
firmware_request_nowait_nowarn(struct module * module,const char * name,struct device * device,gfp_t gfp,void * context,void (* cont)(const struct firmware * fw,void * context))1297 int firmware_request_nowait_nowarn(
1298 	struct module *module, const char *name,
1299 	struct device *device, gfp_t gfp, void *context,
1300 	void (*cont)(const struct firmware *fw, void *context))
1301 {
1302 	return _request_firmware_nowait(module, FW_ACTION_UEVENT, name, device,
1303 					gfp, context, cont, true);
1304 }
1305 EXPORT_SYMBOL_GPL(firmware_request_nowait_nowarn);
1306 
1307 #ifdef CONFIG_FW_CACHE
1308 static ASYNC_DOMAIN_EXCLUSIVE(fw_cache_domain);
1309 
1310 /**
1311  * cache_firmware() - cache one firmware image in kernel memory space
1312  * @fw_name: the firmware image name
1313  *
1314  * Cache firmware in kernel memory so that drivers can use it when
1315  * system isn't ready for them to request firmware image from userspace.
1316  * Once it returns successfully, driver can use request_firmware or its
1317  * nowait version to get the cached firmware without any interacting
1318  * with userspace
1319  *
1320  * Return 0 if the firmware image has been cached successfully
1321  * Return !0 otherwise
1322  *
1323  */
cache_firmware(const char * fw_name)1324 static int cache_firmware(const char *fw_name)
1325 {
1326 	int ret;
1327 	const struct firmware *fw;
1328 
1329 	pr_debug("%s: %s\n", __func__, fw_name);
1330 
1331 	ret = request_firmware(&fw, fw_name, NULL);
1332 	if (!ret)
1333 		kfree(fw);
1334 
1335 	pr_debug("%s: %s ret=%d\n", __func__, fw_name, ret);
1336 
1337 	return ret;
1338 }
1339 
lookup_fw_priv(const char * fw_name)1340 static struct fw_priv *lookup_fw_priv(const char *fw_name)
1341 {
1342 	struct fw_priv *tmp;
1343 	struct firmware_cache *fwc = &fw_cache;
1344 
1345 	spin_lock(&fwc->lock);
1346 	tmp = __lookup_fw_priv(fw_name);
1347 	spin_unlock(&fwc->lock);
1348 
1349 	return tmp;
1350 }
1351 
1352 /**
1353  * uncache_firmware() - remove one cached firmware image
1354  * @fw_name: the firmware image name
1355  *
1356  * Uncache one firmware image which has been cached successfully
1357  * before.
1358  *
1359  * Return 0 if the firmware cache has been removed successfully
1360  * Return !0 otherwise
1361  *
1362  */
uncache_firmware(const char * fw_name)1363 static int uncache_firmware(const char *fw_name)
1364 {
1365 	struct fw_priv *fw_priv;
1366 	struct firmware fw;
1367 
1368 	pr_debug("%s: %s\n", __func__, fw_name);
1369 
1370 	if (firmware_request_builtin(&fw, fw_name))
1371 		return 0;
1372 
1373 	fw_priv = lookup_fw_priv(fw_name);
1374 	if (fw_priv) {
1375 		free_fw_priv(fw_priv);
1376 		return 0;
1377 	}
1378 
1379 	return -EINVAL;
1380 }
1381 
alloc_fw_cache_entry(const char * name)1382 static struct fw_cache_entry *alloc_fw_cache_entry(const char *name)
1383 {
1384 	struct fw_cache_entry *fce;
1385 
1386 	fce = kzalloc(sizeof(*fce), GFP_ATOMIC);
1387 	if (!fce)
1388 		goto exit;
1389 
1390 	fce->name = kstrdup_const(name, GFP_ATOMIC);
1391 	if (!fce->name) {
1392 		kfree(fce);
1393 		fce = NULL;
1394 		goto exit;
1395 	}
1396 exit:
1397 	return fce;
1398 }
1399 
__fw_entry_found(const char * name)1400 static int __fw_entry_found(const char *name)
1401 {
1402 	struct firmware_cache *fwc = &fw_cache;
1403 	struct fw_cache_entry *fce;
1404 
1405 	list_for_each_entry(fce, &fwc->fw_names, list) {
1406 		if (!strcmp(fce->name, name))
1407 			return 1;
1408 	}
1409 	return 0;
1410 }
1411 
fw_cache_piggyback_on_request(struct fw_priv * fw_priv)1412 static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv)
1413 {
1414 	const char *name = fw_priv->fw_name;
1415 	struct firmware_cache *fwc = fw_priv->fwc;
1416 	struct fw_cache_entry *fce;
1417 
1418 	spin_lock(&fwc->name_lock);
1419 	if (__fw_entry_found(name))
1420 		goto found;
1421 
1422 	fce = alloc_fw_cache_entry(name);
1423 	if (fce) {
1424 		list_add(&fce->list, &fwc->fw_names);
1425 		kref_get(&fw_priv->ref);
1426 		pr_debug("%s: fw: %s\n", __func__, name);
1427 	}
1428 found:
1429 	spin_unlock(&fwc->name_lock);
1430 }
1431 
free_fw_cache_entry(struct fw_cache_entry * fce)1432 static void free_fw_cache_entry(struct fw_cache_entry *fce)
1433 {
1434 	kfree_const(fce->name);
1435 	kfree(fce);
1436 }
1437 
__async_dev_cache_fw_image(void * fw_entry,async_cookie_t cookie)1438 static void __async_dev_cache_fw_image(void *fw_entry,
1439 				       async_cookie_t cookie)
1440 {
1441 	struct fw_cache_entry *fce = fw_entry;
1442 	struct firmware_cache *fwc = &fw_cache;
1443 	int ret;
1444 
1445 	ret = cache_firmware(fce->name);
1446 	if (ret) {
1447 		spin_lock(&fwc->name_lock);
1448 		list_del(&fce->list);
1449 		spin_unlock(&fwc->name_lock);
1450 
1451 		free_fw_cache_entry(fce);
1452 	}
1453 }
1454 
1455 /* called with dev->devres_lock held */
dev_create_fw_entry(struct device * dev,void * res,void * data)1456 static void dev_create_fw_entry(struct device *dev, void *res,
1457 				void *data)
1458 {
1459 	struct fw_name_devm *fwn = res;
1460 	const char *fw_name = fwn->name;
1461 	struct list_head *head = data;
1462 	struct fw_cache_entry *fce;
1463 
1464 	fce = alloc_fw_cache_entry(fw_name);
1465 	if (fce)
1466 		list_add(&fce->list, head);
1467 }
1468 
devm_name_match(struct device * dev,void * res,void * match_data)1469 static int devm_name_match(struct device *dev, void *res,
1470 			   void *match_data)
1471 {
1472 	struct fw_name_devm *fwn = res;
1473 	return (fwn->magic == (unsigned long)match_data);
1474 }
1475 
dev_cache_fw_image(struct device * dev,void * data)1476 static void dev_cache_fw_image(struct device *dev, void *data)
1477 {
1478 	LIST_HEAD(todo);
1479 	struct fw_cache_entry *fce;
1480 	struct fw_cache_entry *fce_next;
1481 	struct firmware_cache *fwc = &fw_cache;
1482 
1483 	devres_for_each_res(dev, fw_name_devm_release,
1484 			    devm_name_match, &fw_cache,
1485 			    dev_create_fw_entry, &todo);
1486 
1487 	list_for_each_entry_safe(fce, fce_next, &todo, list) {
1488 		list_del(&fce->list);
1489 
1490 		spin_lock(&fwc->name_lock);
1491 		/* only one cache entry for one firmware */
1492 		if (!__fw_entry_found(fce->name)) {
1493 			list_add(&fce->list, &fwc->fw_names);
1494 		} else {
1495 			free_fw_cache_entry(fce);
1496 			fce = NULL;
1497 		}
1498 		spin_unlock(&fwc->name_lock);
1499 
1500 		if (fce)
1501 			async_schedule_domain(__async_dev_cache_fw_image,
1502 					      (void *)fce,
1503 					      &fw_cache_domain);
1504 	}
1505 }
1506 
__device_uncache_fw_images(void)1507 static void __device_uncache_fw_images(void)
1508 {
1509 	struct firmware_cache *fwc = &fw_cache;
1510 	struct fw_cache_entry *fce;
1511 
1512 	spin_lock(&fwc->name_lock);
1513 	while (!list_empty(&fwc->fw_names)) {
1514 		fce = list_entry(fwc->fw_names.next,
1515 				struct fw_cache_entry, list);
1516 		list_del(&fce->list);
1517 		spin_unlock(&fwc->name_lock);
1518 
1519 		uncache_firmware(fce->name);
1520 		free_fw_cache_entry(fce);
1521 
1522 		spin_lock(&fwc->name_lock);
1523 	}
1524 	spin_unlock(&fwc->name_lock);
1525 }
1526 
1527 /**
1528  * device_cache_fw_images() - cache devices' firmware
1529  *
1530  * If one device called request_firmware or its nowait version
1531  * successfully before, the firmware names are recored into the
1532  * device's devres link list, so device_cache_fw_images can call
1533  * cache_firmware() to cache these firmwares for the device,
1534  * then the device driver can load its firmwares easily at
1535  * time when system is not ready to complete loading firmware.
1536  */
device_cache_fw_images(void)1537 static void device_cache_fw_images(void)
1538 {
1539 	struct firmware_cache *fwc = &fw_cache;
1540 	DEFINE_WAIT(wait);
1541 
1542 	pr_debug("%s\n", __func__);
1543 
1544 	/* cancel uncache work */
1545 	cancel_delayed_work_sync(&fwc->work);
1546 
1547 	fw_fallback_set_cache_timeout();
1548 
1549 	mutex_lock(&fw_lock);
1550 	fwc->state = FW_LOADER_START_CACHE;
1551 	dpm_for_each_dev(NULL, dev_cache_fw_image);
1552 	mutex_unlock(&fw_lock);
1553 
1554 	/* wait for completion of caching firmware for all devices */
1555 	async_synchronize_full_domain(&fw_cache_domain);
1556 
1557 	fw_fallback_set_default_timeout();
1558 }
1559 
1560 /**
1561  * device_uncache_fw_images() - uncache devices' firmware
1562  *
1563  * uncache all firmwares which have been cached successfully
1564  * by device_uncache_fw_images earlier
1565  */
device_uncache_fw_images(void)1566 static void device_uncache_fw_images(void)
1567 {
1568 	pr_debug("%s\n", __func__);
1569 	__device_uncache_fw_images();
1570 }
1571 
device_uncache_fw_images_work(struct work_struct * work)1572 static void device_uncache_fw_images_work(struct work_struct *work)
1573 {
1574 	device_uncache_fw_images();
1575 }
1576 
1577 /**
1578  * device_uncache_fw_images_delay() - uncache devices firmwares
1579  * @delay: number of milliseconds to delay uncache device firmwares
1580  *
1581  * uncache all devices's firmwares which has been cached successfully
1582  * by device_cache_fw_images after @delay milliseconds.
1583  */
device_uncache_fw_images_delay(unsigned long delay)1584 static void device_uncache_fw_images_delay(unsigned long delay)
1585 {
1586 	queue_delayed_work(system_power_efficient_wq, &fw_cache.work,
1587 			   msecs_to_jiffies(delay));
1588 }
1589 
fw_pm_notify(struct notifier_block * notify_block,unsigned long mode,void * unused)1590 static int fw_pm_notify(struct notifier_block *notify_block,
1591 			unsigned long mode, void *unused)
1592 {
1593 	switch (mode) {
1594 	case PM_HIBERNATION_PREPARE:
1595 	case PM_SUSPEND_PREPARE:
1596 	case PM_RESTORE_PREPARE:
1597 		/*
1598 		 * Here, kill pending fallback requests will only kill
1599 		 * non-uevent firmware request to avoid stalling suspend.
1600 		 */
1601 		kill_pending_fw_fallback_reqs(false);
1602 		device_cache_fw_images();
1603 		break;
1604 
1605 	case PM_POST_SUSPEND:
1606 	case PM_POST_HIBERNATION:
1607 	case PM_POST_RESTORE:
1608 		/*
1609 		 * In case that system sleep failed and syscore_suspend is
1610 		 * not called.
1611 		 */
1612 		mutex_lock(&fw_lock);
1613 		fw_cache.state = FW_LOADER_NO_CACHE;
1614 		mutex_unlock(&fw_lock);
1615 
1616 		device_uncache_fw_images_delay(10 * MSEC_PER_SEC);
1617 		break;
1618 	}
1619 
1620 	return 0;
1621 }
1622 
1623 /* stop caching firmware once syscore_suspend is reached */
fw_suspend(void)1624 static int fw_suspend(void)
1625 {
1626 	fw_cache.state = FW_LOADER_NO_CACHE;
1627 	return 0;
1628 }
1629 
1630 static struct syscore_ops fw_syscore_ops = {
1631 	.suspend = fw_suspend,
1632 };
1633 
register_fw_pm_ops(void)1634 static int __init register_fw_pm_ops(void)
1635 {
1636 	int ret;
1637 
1638 	spin_lock_init(&fw_cache.name_lock);
1639 	INIT_LIST_HEAD(&fw_cache.fw_names);
1640 
1641 	INIT_DELAYED_WORK(&fw_cache.work,
1642 			  device_uncache_fw_images_work);
1643 
1644 	fw_cache.pm_notify.notifier_call = fw_pm_notify;
1645 	ret = register_pm_notifier(&fw_cache.pm_notify);
1646 	if (ret)
1647 		return ret;
1648 
1649 	register_syscore_ops(&fw_syscore_ops);
1650 
1651 	return ret;
1652 }
1653 
unregister_fw_pm_ops(void)1654 static inline void unregister_fw_pm_ops(void)
1655 {
1656 	unregister_syscore_ops(&fw_syscore_ops);
1657 	unregister_pm_notifier(&fw_cache.pm_notify);
1658 }
1659 #else
fw_cache_piggyback_on_request(struct fw_priv * fw_priv)1660 static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv)
1661 {
1662 }
register_fw_pm_ops(void)1663 static inline int register_fw_pm_ops(void)
1664 {
1665 	return 0;
1666 }
unregister_fw_pm_ops(void)1667 static inline void unregister_fw_pm_ops(void)
1668 {
1669 }
1670 #endif
1671 
fw_cache_init(void)1672 static void __init fw_cache_init(void)
1673 {
1674 	spin_lock_init(&fw_cache.lock);
1675 	INIT_LIST_HEAD(&fw_cache.head);
1676 	fw_cache.state = FW_LOADER_NO_CACHE;
1677 }
1678 
fw_shutdown_notify(struct notifier_block * unused1,unsigned long unused2,void * unused3)1679 static int fw_shutdown_notify(struct notifier_block *unused1,
1680 			      unsigned long unused2, void *unused3)
1681 {
1682 	/*
1683 	 * Kill all pending fallback requests to avoid both stalling shutdown,
1684 	 * and avoid a deadlock with the usermode_lock.
1685 	 */
1686 	kill_pending_fw_fallback_reqs(true);
1687 
1688 	return NOTIFY_DONE;
1689 }
1690 
1691 static struct notifier_block fw_shutdown_nb = {
1692 	.notifier_call = fw_shutdown_notify,
1693 };
1694 
firmware_class_init(void)1695 static int __init firmware_class_init(void)
1696 {
1697 	int ret;
1698 
1699 	/* No need to unfold these on exit */
1700 	fw_cache_init();
1701 
1702 	ret = register_fw_pm_ops();
1703 	if (ret)
1704 		return ret;
1705 
1706 	ret = register_reboot_notifier(&fw_shutdown_nb);
1707 	if (ret)
1708 		goto out;
1709 
1710 	return register_sysfs_loader();
1711 
1712 out:
1713 	unregister_fw_pm_ops();
1714 	return ret;
1715 }
1716 
firmware_class_exit(void)1717 static void __exit firmware_class_exit(void)
1718 {
1719 	unregister_fw_pm_ops();
1720 	unregister_reboot_notifier(&fw_shutdown_nb);
1721 	unregister_sysfs_loader();
1722 }
1723 
1724 fs_initcall(firmware_class_init);
1725 module_exit(firmware_class_exit);
1726