1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * dell_rbu.c
4 * Bios Update driver for Dell systems
5 * Author: Dell Inc
6 * Abhay Salunke <abhay_salunke@dell.com>
7 *
8 * Copyright (C) 2005 Dell Inc.
9 *
10 * Remote BIOS Update (rbu) driver is used for updating DELL BIOS by
11 * creating entries in the /sys file systems on Linux 2.6 and higher
12 * kernels. The driver supports two mechanism to update the BIOS namely
13 * contiguous and packetized. Both these methods still require having some
14 * application to set the CMOS bit indicating the BIOS to update itself
15 * after a reboot.
16 *
17 * Contiguous method:
18 * This driver writes the incoming data in a monolithic image by allocating
19 * contiguous physical pages large enough to accommodate the incoming BIOS
20 * image size.
21 *
22 * Packetized method:
23 * The driver writes the incoming packet image by allocating a new packet
24 * on every time the packet data is written. This driver requires an
25 * application to break the BIOS image in to fixed sized packet chunks.
26 *
27 * See Documentation/admin-guide/dell_rbu.rst for more info.
28 */
29
30 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
31
32 #include <linux/init.h>
33 #include <linux/module.h>
34 #include <linux/slab.h>
35 #include <linux/string.h>
36 #include <linux/errno.h>
37 #include <linux/blkdev.h>
38 #include <linux/platform_device.h>
39 #include <linux/spinlock.h>
40 #include <linux/moduleparam.h>
41 #include <linux/firmware.h>
42 #include <linux/dma-mapping.h>
43 #include <asm/set_memory.h>
44
45 MODULE_AUTHOR("Abhay Salunke <abhay_salunke@dell.com>");
46 MODULE_DESCRIPTION("Driver for updating BIOS image on DELL systems");
47 MODULE_LICENSE("GPL");
48 MODULE_VERSION("3.3");
49
50 #define BIOS_SCAN_LIMIT 0xffffffff
51 #define MAX_IMAGE_LENGTH 16
52 static struct _rbu_data {
53 void *image_update_buffer;
54 unsigned long image_update_buffer_size;
55 unsigned long bios_image_size;
56 int image_update_ordernum;
57 spinlock_t lock;
58 unsigned long packet_read_count;
59 unsigned long num_packets;
60 unsigned long packetsize;
61 unsigned long imagesize;
62 int entry_created;
63 } rbu_data;
64
65 static char image_type[MAX_IMAGE_LENGTH + 1] = "mono";
66 module_param_string(image_type, image_type, sizeof (image_type), 0);
67 MODULE_PARM_DESC(image_type, "BIOS image type. choose- mono or packet or init");
68
69 static unsigned long allocation_floor = 0x100000;
70 module_param(allocation_floor, ulong, 0644);
71 MODULE_PARM_DESC(allocation_floor, "Minimum address for allocations when using Packet mode");
72
73 struct packet_data {
74 struct list_head list;
75 size_t length;
76 void *data;
77 int ordernum;
78 };
79
80 static struct list_head packet_data_list;
81
82 static struct platform_device *rbu_device;
83 static int context;
84
init_packet_head(void)85 static void init_packet_head(void)
86 {
87 INIT_LIST_HEAD(&packet_data_list);
88 rbu_data.packet_read_count = 0;
89 rbu_data.num_packets = 0;
90 rbu_data.packetsize = 0;
91 rbu_data.imagesize = 0;
92 }
93
create_packet(void * data,size_t length)94 static int create_packet(void *data, size_t length) __must_hold(&rbu_data.lock)
95 {
96 struct packet_data *newpacket;
97 int ordernum = 0;
98 int retval = 0;
99 unsigned int packet_array_size = 0;
100 void **invalid_addr_packet_array = NULL;
101 void *packet_data_temp_buf = NULL;
102 unsigned int idx = 0;
103
104 pr_debug("entry\n");
105
106 if (!rbu_data.packetsize) {
107 pr_debug("packetsize not specified\n");
108 retval = -EINVAL;
109 goto out_noalloc;
110 }
111
112 spin_unlock(&rbu_data.lock);
113
114 newpacket = kzalloc_obj(struct packet_data);
115
116 if (!newpacket) {
117 pr_warn("failed to allocate new packet\n");
118 retval = -ENOMEM;
119 spin_lock(&rbu_data.lock);
120 goto out_noalloc;
121 }
122
123 ordernum = get_order(length);
124
125 /*
126 * BIOS errata mean we cannot allocate packets below 1MB or they will
127 * be overwritten by BIOS.
128 *
129 * array to temporarily hold packets
130 * that are below the allocation floor
131 *
132 * NOTE: very simplistic because we only need the floor to be at 1MB
133 * due to BIOS errata. This shouldn't be used for higher floors
134 * or you will run out of mem trying to allocate the array.
135 */
136 packet_array_size = max_t(unsigned int, allocation_floor / rbu_data.packetsize, 1);
137 invalid_addr_packet_array = kcalloc(packet_array_size, sizeof(void *),
138 GFP_KERNEL);
139
140 if (!invalid_addr_packet_array) {
141 pr_warn("failed to allocate invalid_addr_packet_array\n");
142 retval = -ENOMEM;
143 spin_lock(&rbu_data.lock);
144 goto out_alloc_packet;
145 }
146
147 while (!packet_data_temp_buf) {
148 packet_data_temp_buf = (unsigned char *)
149 __get_free_pages(GFP_KERNEL, ordernum);
150 if (!packet_data_temp_buf) {
151 pr_warn("failed to allocate new packet\n");
152 retval = -ENOMEM;
153 spin_lock(&rbu_data.lock);
154 goto out_alloc_packet_array;
155 }
156
157 if ((unsigned long)virt_to_phys(packet_data_temp_buf)
158 < allocation_floor) {
159 pr_debug("packet 0x%lx below floor at 0x%lx\n",
160 (unsigned long)virt_to_phys(
161 packet_data_temp_buf),
162 allocation_floor);
163 invalid_addr_packet_array[idx++] = packet_data_temp_buf;
164 packet_data_temp_buf = NULL;
165 }
166 }
167 /*
168 * set to uncachable or it may never get written back before reboot
169 */
170 set_memory_uc((unsigned long)packet_data_temp_buf, 1 << ordernum);
171
172 spin_lock(&rbu_data.lock);
173
174 newpacket->data = packet_data_temp_buf;
175
176 pr_debug("newpacket at physical addr %lx\n",
177 (unsigned long)virt_to_phys(newpacket->data));
178
179 /* packets may not have fixed size */
180 newpacket->length = length;
181 newpacket->ordernum = ordernum;
182 ++rbu_data.num_packets;
183
184 /* initialize the newly created packet headers */
185 INIT_LIST_HEAD(&newpacket->list);
186 list_add_tail(&newpacket->list, &packet_data_list);
187
188 memcpy(newpacket->data, data, length);
189
190 pr_debug("exit\n");
191
192 out_alloc_packet_array:
193 /* always free packet array */
194 while (idx--) {
195 pr_debug("freeing unused packet below floor 0x%lx\n",
196 (unsigned long)virt_to_phys(invalid_addr_packet_array[idx]));
197 free_pages((unsigned long)invalid_addr_packet_array[idx], ordernum);
198 }
199 kfree(invalid_addr_packet_array);
200
201 out_alloc_packet:
202 /* if error, free data */
203 if (retval)
204 kfree(newpacket);
205
206 out_noalloc:
207 return retval;
208 }
209
packetize_data(const u8 * data,size_t length)210 static int packetize_data(const u8 *data, size_t length)
211 {
212 int rc = 0;
213 int done = 0;
214 int packet_length;
215 u8 *temp;
216 u8 *end = (u8 *) data + length;
217 pr_debug("data length %zd\n", length);
218 if (!rbu_data.packetsize) {
219 pr_warn("packetsize not specified\n");
220 return -EIO;
221 }
222
223 temp = (u8 *) data;
224
225 /* packetize the hunk */
226 while (!done) {
227 if ((temp + rbu_data.packetsize) < end)
228 packet_length = rbu_data.packetsize;
229 else {
230 /* this is the last packet */
231 packet_length = end - temp;
232 done = 1;
233 }
234
235 rc = create_packet(temp, packet_length);
236 if (rc)
237 return rc;
238
239 pr_debug("%p:%td\n", temp, (end - temp));
240 temp += packet_length;
241 }
242
243 rbu_data.imagesize = length;
244
245 return rc;
246 }
247
do_packet_read(char * data,struct packet_data * newpacket,int length,int bytes_read,int * list_read_count)248 static int do_packet_read(char *data, struct packet_data *newpacket,
249 int length, int bytes_read, int *list_read_count)
250 {
251 void *ptemp_buf;
252 int bytes_copied = 0;
253 int j = 0;
254
255 *list_read_count += newpacket->length;
256
257 if (*list_read_count > bytes_read) {
258 /* point to the start of unread data */
259 j = newpacket->length - (*list_read_count - bytes_read);
260 /* point to the offset in the packet buffer */
261 ptemp_buf = (u8 *) newpacket->data + j;
262 /*
263 * check if there is enough room in
264 * * the incoming buffer
265 */
266 if (length > (*list_read_count - bytes_read))
267 /*
268 * copy what ever is there in this
269 * packet and move on
270 */
271 bytes_copied = (*list_read_count - bytes_read);
272 else
273 /* copy the remaining */
274 bytes_copied = length;
275 memcpy(data, ptemp_buf, bytes_copied);
276 }
277 return bytes_copied;
278 }
279
packet_read_list(char * data,size_t * pread_length)280 static int packet_read_list(char *data, size_t *pread_length)
281 {
282 struct packet_data *newpacket;
283 int temp_count = 0;
284 int bytes_copied = 0;
285 int bytes_read = 0;
286 int remaining_bytes = 0;
287 char *pdest = data;
288
289 /* check if we have any packets */
290 if (0 == rbu_data.num_packets)
291 return -ENOMEM;
292
293 remaining_bytes = *pread_length;
294 bytes_read = rbu_data.packet_read_count;
295
296 list_for_each_entry(newpacket, &packet_data_list, list) {
297 bytes_copied = do_packet_read(pdest, newpacket,
298 remaining_bytes, bytes_read, &temp_count);
299 remaining_bytes -= bytes_copied;
300 bytes_read += bytes_copied;
301 pdest += bytes_copied;
302 /*
303 * check if we reached end of buffer before reaching the
304 * last packet
305 */
306 if (remaining_bytes == 0)
307 break;
308 }
309 /*finally set the bytes read */
310 *pread_length = bytes_read - rbu_data.packet_read_count;
311 rbu_data.packet_read_count = bytes_read;
312 return 0;
313 }
314
packet_empty_list(void)315 static void packet_empty_list(void)
316 {
317 struct packet_data *newpacket, *tmp;
318
319 list_for_each_entry_safe(newpacket, tmp, &packet_data_list, list) {
320 list_del(&newpacket->list);
321
322 /*
323 * zero out the RBU packet memory before freeing
324 * to make sure there are no stale RBU packets left in memory
325 */
326 memset(newpacket->data, 0, newpacket->length);
327 set_memory_wb((unsigned long)newpacket->data,
328 1 << newpacket->ordernum);
329 free_pages((unsigned long) newpacket->data,
330 newpacket->ordernum);
331 kfree(newpacket);
332 }
333 rbu_data.packet_read_count = 0;
334 rbu_data.num_packets = 0;
335 rbu_data.imagesize = 0;
336 }
337
338 /*
339 * img_update_free: Frees the buffer allocated for storing BIOS image
340 * Always called with lock held and returned with lock held
341 */
img_update_free(void)342 static void img_update_free(void)
343 {
344 if (!rbu_data.image_update_buffer)
345 return;
346 /*
347 * zero out this buffer before freeing it to get rid of any stale
348 * BIOS image copied in memory.
349 */
350 memset(rbu_data.image_update_buffer, 0,
351 rbu_data.image_update_buffer_size);
352 free_pages((unsigned long) rbu_data.image_update_buffer,
353 rbu_data.image_update_ordernum);
354
355 /*
356 * Re-initialize the rbu_data variables after a free
357 */
358 rbu_data.image_update_ordernum = -1;
359 rbu_data.image_update_buffer = NULL;
360 rbu_data.image_update_buffer_size = 0;
361 rbu_data.bios_image_size = 0;
362 }
363
364 /*
365 * img_update_realloc: This function allocates the contiguous pages to
366 * accommodate the requested size of data. The memory address and size
367 * values are stored globally and on every call to this function the new
368 * size is checked to see if more data is required than the existing size.
369 * If true the previous memory is freed and new allocation is done to
370 * accommodate the new size. If the incoming size is less then than the
371 * already allocated size, then that memory is reused. This function is
372 * called with lock held and returns with lock held.
373 */
img_update_realloc(unsigned long size)374 static int img_update_realloc(unsigned long size)
375 {
376 unsigned char *image_update_buffer = NULL;
377 unsigned long img_buf_phys_addr;
378 int ordernum;
379
380 /*
381 * check if the buffer of sufficient size has been
382 * already allocated
383 */
384 if (rbu_data.image_update_buffer_size >= size) {
385 /*
386 * check for corruption
387 */
388 if ((size != 0) && (rbu_data.image_update_buffer == NULL)) {
389 pr_err("corruption check failed\n");
390 return -EINVAL;
391 }
392 /*
393 * we have a valid pre-allocated buffer with
394 * sufficient size
395 */
396 return 0;
397 }
398
399 /*
400 * free any previously allocated buffer
401 */
402 img_update_free();
403
404 spin_unlock(&rbu_data.lock);
405
406 ordernum = get_order(size);
407 image_update_buffer =
408 (unsigned char *)__get_free_pages(GFP_DMA32, ordernum);
409 spin_lock(&rbu_data.lock);
410 if (!image_update_buffer) {
411 pr_debug("Not enough memory for image update: size = %ld\n", size);
412 return -ENOMEM;
413 }
414
415 img_buf_phys_addr = (unsigned long)virt_to_phys(image_update_buffer);
416 if (WARN_ON_ONCE(img_buf_phys_addr > BIOS_SCAN_LIMIT))
417 return -EINVAL; /* can't happen per definition */
418
419 rbu_data.image_update_buffer = image_update_buffer;
420 rbu_data.image_update_buffer_size = size;
421 rbu_data.bios_image_size = rbu_data.image_update_buffer_size;
422 rbu_data.image_update_ordernum = ordernum;
423 return 0;
424 }
425
read_packet_data(char * buffer,loff_t pos,size_t count)426 static ssize_t read_packet_data(char *buffer, loff_t pos, size_t count)
427 {
428 int retval;
429 size_t bytes_left;
430 size_t data_length;
431 char *ptempBuf = buffer;
432
433 /* check to see if we have something to return */
434 if (rbu_data.num_packets == 0) {
435 pr_debug("no packets written\n");
436 retval = -ENOMEM;
437 goto read_rbu_data_exit;
438 }
439
440 if (pos > rbu_data.imagesize) {
441 retval = 0;
442 pr_warn("data underrun\n");
443 goto read_rbu_data_exit;
444 }
445
446 bytes_left = rbu_data.imagesize - pos;
447 data_length = min(bytes_left, count);
448
449 retval = packet_read_list(ptempBuf, &data_length);
450 if (retval < 0)
451 goto read_rbu_data_exit;
452
453 if ((pos + count) > rbu_data.imagesize) {
454 rbu_data.packet_read_count = 0;
455 /* this was the last copy */
456 retval = bytes_left;
457 } else
458 retval = count;
459
460 read_rbu_data_exit:
461 return retval;
462 }
463
read_rbu_mono_data(char * buffer,loff_t pos,size_t count)464 static ssize_t read_rbu_mono_data(char *buffer, loff_t pos, size_t count)
465 {
466 /* check to see if we have something to return */
467 if ((rbu_data.image_update_buffer == NULL) ||
468 (rbu_data.bios_image_size == 0)) {
469 pr_debug("image_update_buffer %p, bios_image_size %lu\n",
470 rbu_data.image_update_buffer,
471 rbu_data.bios_image_size);
472 return -ENOMEM;
473 }
474
475 return memory_read_from_buffer(buffer, count, &pos,
476 rbu_data.image_update_buffer, rbu_data.bios_image_size);
477 }
478
data_read(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)479 static ssize_t data_read(struct file *filp, struct kobject *kobj,
480 const struct bin_attribute *bin_attr,
481 char *buffer, loff_t pos, size_t count)
482 {
483 ssize_t ret_count = 0;
484
485 spin_lock(&rbu_data.lock);
486
487 if (!strcmp(image_type, "mono"))
488 ret_count = read_rbu_mono_data(buffer, pos, count);
489 else if (!strcmp(image_type, "packet"))
490 ret_count = read_packet_data(buffer, pos, count);
491 else
492 pr_debug("invalid image type specified\n");
493
494 spin_unlock(&rbu_data.lock);
495 return ret_count;
496 }
497 static const BIN_ATTR_RO(data, 0);
498
callbackfn_rbu(const struct firmware * fw,void * context)499 static void callbackfn_rbu(const struct firmware *fw, void *context)
500 {
501 rbu_data.entry_created = 0;
502
503 if (!fw)
504 return;
505
506 if (!fw->size)
507 goto out;
508
509 spin_lock(&rbu_data.lock);
510 if (!strcmp(image_type, "mono")) {
511 if (!img_update_realloc(fw->size))
512 memcpy(rbu_data.image_update_buffer,
513 fw->data, fw->size);
514 } else if (!strcmp(image_type, "packet")) {
515 /*
516 * we need to free previous packets if a
517 * new hunk of packets needs to be downloaded
518 */
519 packet_empty_list();
520 if (packetize_data(fw->data, fw->size))
521 /* Incase something goes wrong when we are
522 * in middle of packetizing the data, we
523 * need to free up whatever packets might
524 * have been created before we quit.
525 */
526 packet_empty_list();
527 } else
528 pr_debug("invalid image type specified\n");
529 spin_unlock(&rbu_data.lock);
530 out:
531 release_firmware(fw);
532 }
533
image_type_read(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)534 static ssize_t image_type_read(struct file *filp, struct kobject *kobj,
535 const struct bin_attribute *bin_attr,
536 char *buffer, loff_t pos, size_t count)
537 {
538 int size = 0;
539 if (!pos)
540 size = scnprintf(buffer, count, "%s\n", image_type);
541 return size;
542 }
543
image_type_write(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)544 static ssize_t image_type_write(struct file *filp, struct kobject *kobj,
545 const struct bin_attribute *bin_attr,
546 char *buffer, loff_t pos, size_t count)
547 {
548 int rc = count;
549 int req_firm_rc = 0;
550 int i;
551 spin_lock(&rbu_data.lock);
552 /*
553 * Find the first newline or space
554 */
555 for (i = 0; i < count; ++i)
556 if (buffer[i] == '\n' || buffer[i] == ' ') {
557 buffer[i] = '\0';
558 break;
559 }
560 if (i == count)
561 buffer[count] = '\0';
562
563 if (strstr(buffer, "mono"))
564 strcpy(image_type, "mono");
565 else if (strstr(buffer, "packet"))
566 strcpy(image_type, "packet");
567 else if (strstr(buffer, "init")) {
568 /*
569 * If due to the user error the driver gets in a bad
570 * state where even though it is loaded , the
571 * /sys/class/firmware/dell_rbu entries are missing.
572 * to cover this situation the user can recreate entries
573 * by writing init to image_type.
574 */
575 if (!rbu_data.entry_created) {
576 spin_unlock(&rbu_data.lock);
577 req_firm_rc = request_firmware_nowait(THIS_MODULE,
578 FW_ACTION_NOUEVENT, "dell_rbu",
579 &rbu_device->dev, GFP_KERNEL, &context,
580 callbackfn_rbu);
581 if (req_firm_rc) {
582 pr_err("request_firmware_nowait failed %d\n", rc);
583 rc = -EIO;
584 } else
585 rbu_data.entry_created = 1;
586
587 spin_lock(&rbu_data.lock);
588 }
589 } else {
590 pr_warn("image_type is invalid\n");
591 spin_unlock(&rbu_data.lock);
592 return -EINVAL;
593 }
594
595 /* we must free all previous allocations */
596 packet_empty_list();
597 img_update_free();
598 spin_unlock(&rbu_data.lock);
599
600 return rc;
601 }
602 static const BIN_ATTR_RW(image_type, 0);
603
packet_size_read(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)604 static ssize_t packet_size_read(struct file *filp, struct kobject *kobj,
605 const struct bin_attribute *bin_attr,
606 char *buffer, loff_t pos, size_t count)
607 {
608 int size = 0;
609 if (!pos) {
610 spin_lock(&rbu_data.lock);
611 size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
612 spin_unlock(&rbu_data.lock);
613 }
614 return size;
615 }
616
packet_size_write(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)617 static ssize_t packet_size_write(struct file *filp, struct kobject *kobj,
618 const struct bin_attribute *bin_attr,
619 char *buffer, loff_t pos, size_t count)
620 {
621 unsigned long temp;
622 spin_lock(&rbu_data.lock);
623 packet_empty_list();
624 sscanf(buffer, "%lu", &temp);
625 if (temp < 0xffffffff)
626 rbu_data.packetsize = temp;
627
628 spin_unlock(&rbu_data.lock);
629 return count;
630 }
631 static const BIN_ATTR_RW(packet_size, 0);
632
633 static const struct bin_attribute *const rbu_bin_attrs[] = {
634 &bin_attr_data,
635 &bin_attr_image_type,
636 &bin_attr_packet_size,
637 NULL
638 };
639
640 static const struct attribute_group rbu_group = {
641 .bin_attrs = rbu_bin_attrs,
642 };
643
dcdrbu_init(void)644 static int __init dcdrbu_init(void)
645 {
646 int rc;
647 spin_lock_init(&rbu_data.lock);
648
649 init_packet_head();
650 rbu_device = platform_device_register_simple("dell_rbu", PLATFORM_DEVID_NONE, NULL, 0);
651 if (IS_ERR(rbu_device)) {
652 pr_err("platform_device_register_simple failed\n");
653 return PTR_ERR(rbu_device);
654 }
655
656 rc = sysfs_create_group(&rbu_device->dev.kobj, &rbu_group);
657 if (rc)
658 goto out_devreg;
659
660 rbu_data.entry_created = 0;
661 return 0;
662
663 out_devreg:
664 platform_device_unregister(rbu_device);
665 return rc;
666 }
667
dcdrbu_exit(void)668 static __exit void dcdrbu_exit(void)
669 {
670 spin_lock(&rbu_data.lock);
671 packet_empty_list();
672 img_update_free();
673 spin_unlock(&rbu_data.lock);
674 sysfs_remove_group(&rbu_device->dev.kobj, &rbu_group);
675 platform_device_unregister(rbu_device);
676 }
677
678 module_exit(dcdrbu_exit);
679 module_init(dcdrbu_init);
680