1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2005-2008, Sam Leffler <sam@errno.com>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice unmodified, this list of conditions, and the following
12 * disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include <sys/param.h>
30 #include <sys/errno.h>
31 #include <sys/eventhandler.h>
32 #include <sys/fcntl.h>
33 #include <sys/firmware.h>
34 #include <sys/kernel.h>
35 #include <sys/linker.h>
36 #include <sys/lock.h>
37 #include <sys/malloc.h>
38 #include <sys/module.h>
39 #include <sys/mutex.h>
40 #include <sys/namei.h>
41 #include <sys/priv.h>
42 #include <sys/proc.h>
43 #include <sys/queue.h>
44 #include <sys/sbuf.h>
45 #include <sys/sysctl.h>
46 #include <sys/systm.h>
47 #include <sys/taskqueue.h>
48
49 #include <sys/filedesc.h>
50 #include <sys/vnode.h>
51
52 /*
53 * Loadable firmware support. See sys/sys/firmware.h and firmware(9)
54 * form more details on the subsystem.
55 *
56 * 'struct firmware' is the user-visible part of the firmware table.
57 * Additional internal information is stored in a 'struct priv_fw',
58 * which embeds the public firmware structure.
59 */
60
61 /*
62 * fw.name != NULL when an image is registered; file != NULL for
63 * autoloaded images whose handling has not been completed.
64 *
65 * The state of a slot evolves as follows:
66 * firmware_register --> fw.name = image_name
67 * (autoloaded image) --> file = module reference
68 * firmware_unregister --> fw.name = NULL
69 * (unloadentry complete) --> file = NULL
70 *
71 * In order for the above to work, the 'file' field must remain
72 * unchanged in firmware_unregister().
73 *
74 * Images residing in the same module are linked to each other
75 * through the 'parent' argument of firmware_register().
76 * One image (typically, one with the same name as the module to let
77 * the autoloading mechanism work) is considered the parent image for
78 * all other images in the same module. Children affect the refcount
79 * on the parent image preventing improper unloading of the image itself.
80 */
81
82 struct priv_fw {
83 int refcnt; /* reference count */
84 LIST_ENTRY(priv_fw) link; /* table linkage */
85
86 /*
87 * parent entry, see above. Set on firmware_register(),
88 * cleared on firmware_unregister().
89 */
90 struct priv_fw *parent;
91
92 int flags;
93 #define FW_BINARY 0x080 /* Firmware directly loaded, file == NULL */
94 #define FW_UNLOAD 0x100 /* record FIRMWARE_UNLOAD requests */
95
96 /*
97 * 'file' is private info managed by the autoload/unload code.
98 * Set at the end of firmware_get(), cleared only in the
99 * firmware_unload_task, so the latter can depend on its value even
100 * while the lock is not held.
101 */
102 linker_file_t file; /* module file, if autoloaded */
103
104 /*
105 * 'fw' is the externally visible image information.
106 * We do not make it the first field in priv_fw, to avoid the
107 * temptation of casting pointers to each other.
108 * Use PRIV_FW(fw) to get a pointer to the cointainer of fw.
109 * Beware, PRIV_FW does not work for a NULL pointer.
110 */
111 struct firmware fw; /* externally visible information */
112 };
113
114 /*
115 * PRIV_FW returns the pointer to the container of struct firmware *x.
116 * Cast to intptr_t to override the 'const' attribute of x
117 */
118 #define PRIV_FW(x) ((struct priv_fw *) \
119 ((intptr_t)(x) - offsetof(struct priv_fw, fw)) )
120
121 /*
122 * Global firmware image registry.
123 */
124 static LIST_HEAD(, priv_fw) firmware_table;
125
126 /*
127 * Firmware module operations are handled in a separate task as they
128 * might sleep and they require directory context to do i/o. We also
129 * use this when loading binaries directly.
130 */
131 static struct taskqueue *firmware_tq;
132 static struct task firmware_unload_task;
133
134 /*
135 * This mutex protects accesses to the firmware table.
136 */
137 static struct mtx firmware_mtx;
138 MTX_SYSINIT(firmware, &firmware_mtx, "firmware table", MTX_DEF);
139
140 static MALLOC_DEFINE(M_FIRMWARE, "firmware", "device firmware images");
141
142 static uint64_t firmware_max_size = 8u << 20; /* Default to 8MB cap */
143 SYSCTL_U64(_debug, OID_AUTO, firmware_max_size,
144 CTLFLAG_RWTUN, &firmware_max_size, 0,
145 "Max size permitted for a firmware file.");
146
147 /*
148 * Helper function to lookup a name.
149 * As a side effect, it sets the pointer to a free slot, if any.
150 * This way we can concentrate most of the registry scanning in
151 * this function, which makes it easier to replace the registry
152 * with some other data structure.
153 */
154 static struct priv_fw *
lookup(const char * name)155 lookup(const char *name)
156 {
157 struct priv_fw *fp;
158
159 mtx_assert(&firmware_mtx, MA_OWNED);
160
161 LIST_FOREACH(fp, &firmware_table, link) {
162 if (fp->fw.name != NULL && strcasecmp(name, fp->fw.name) == 0)
163 break;
164
165 /*
166 * If the name looks like an absolute path, also try to match
167 * the last part of the string to the requested firmware if it
168 * matches the trailing components. This allows us to load
169 * /boot/firmware/abc/bca2233_fw.bin and match it against
170 * requests for bca2233_fw.bin or abc/bca2233_fw.bin.
171 */
172 if (*fp->fw.name == '/' && strlen(fp->fw.name) > strlen(name)) {
173 const char *p = fp->fw.name + strlen(fp->fw.name) - strlen(name);
174 if (p[-1] == '/' && strcasecmp(name, p) == 0)
175 break;
176 }
177 }
178 return (fp);
179 }
180
181 /*
182 * Register a firmware image with the specified name. The
183 * image name must not already be registered. If this is a
184 * subimage then parent refers to a previously registered
185 * image that this should be associated with.
186 */
187 const struct firmware *
firmware_register(const char * imagename,const void * data,size_t datasize,unsigned int version,const struct firmware * parent)188 firmware_register(const char *imagename, const void *data, size_t datasize,
189 unsigned int version, const struct firmware *parent)
190 {
191 struct priv_fw *frp;
192 char *name;
193
194 mtx_lock(&firmware_mtx);
195 frp = lookup(imagename);
196 if (frp != NULL) {
197 mtx_unlock(&firmware_mtx);
198 printf("%s: image %s already registered!\n",
199 __func__, imagename);
200 return (NULL);
201 }
202 mtx_unlock(&firmware_mtx);
203
204 frp = malloc(sizeof(*frp), M_FIRMWARE, M_WAITOK | M_ZERO);
205 name = strdup(imagename, M_FIRMWARE);
206
207 mtx_lock(&firmware_mtx);
208 if (lookup(imagename) != NULL) {
209 /* We lost a race. */
210 mtx_unlock(&firmware_mtx);
211 free(name, M_FIRMWARE);
212 free(frp, M_FIRMWARE);
213 return (NULL);
214 }
215 frp->fw.name = name;
216 frp->fw.data = data;
217 frp->fw.datasize = datasize;
218 frp->fw.version = version;
219 if (parent != NULL)
220 frp->parent = PRIV_FW(parent);
221 LIST_INSERT_HEAD(&firmware_table, frp, link);
222 mtx_unlock(&firmware_mtx);
223 if (bootverbose)
224 printf("firmware: '%s' version %u: %zu bytes loaded at %p\n",
225 imagename, version, datasize, data);
226 return (&frp->fw);
227 }
228
229 /*
230 * Unregister/remove a firmware image. If there are outstanding
231 * references an error is returned and the image is not removed
232 * from the registry.
233 */
234 int
firmware_unregister(const char * imagename)235 firmware_unregister(const char *imagename)
236 {
237 struct priv_fw *fp;
238 int err;
239
240 mtx_lock(&firmware_mtx);
241 fp = lookup(imagename);
242 if (fp == NULL) {
243 /*
244 * It is ok for the lookup to fail; this can happen
245 * when a module is unloaded on last reference and the
246 * module unload handler unregister's each of its
247 * firmware images.
248 */
249 err = 0;
250 } else if (fp->refcnt != 0) { /* cannot unregister */
251 err = EBUSY;
252 } else {
253 LIST_REMOVE(fp, link);
254 free(__DECONST(char *, fp->fw.name), M_FIRMWARE);
255 free(fp, M_FIRMWARE);
256 err = 0;
257 }
258 mtx_unlock(&firmware_mtx);
259 return (err);
260 }
261
262 struct fw_loadimage {
263 const char *imagename;
264 uint32_t flags;
265 };
266
267 static const char *fw_path = "/boot/firmware/";
268
269 static void
try_binary_file(const char * imagename,uint32_t flags)270 try_binary_file(const char *imagename, uint32_t flags)
271 {
272 struct nameidata nd;
273 struct thread *td = curthread;
274 struct ucred *cred = td ? td->td_ucred : NULL;
275 struct sbuf *sb;
276 struct priv_fw *fp;
277 const char *fn;
278 struct vattr vattr;
279 void *data = NULL;
280 const struct firmware *fw;
281 int oflags;
282 size_t resid;
283 int error;
284 bool warn = (flags & FIRMWARE_GET_NOWARN) == 0;
285
286 /*
287 * XXX TODO: Loop over some path instead of a single element path.
288 * and fetch this path from the 'firmware_path' kenv the loader sets.
289 */
290 sb = sbuf_new_auto();
291 sbuf_printf(sb, "%s%s", fw_path, imagename);
292 sbuf_finish(sb);
293 fn = sbuf_data(sb);
294 if (bootverbose)
295 printf("Trying to load binary firmware from %s\n", fn);
296
297 NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, fn);
298 oflags = FREAD;
299 error = vn_open(&nd, &oflags, 0, NULL);
300 if (error)
301 goto err;
302 NDFREE_PNBUF(&nd);
303 if (nd.ni_vp->v_type != VREG)
304 goto err2;
305 error = VOP_GETATTR(nd.ni_vp, &vattr, cred);
306 if (error)
307 goto err2;
308
309 /*
310 * Limit this to something sane, 8MB by default.
311 */
312 if (vattr.va_size > firmware_max_size) {
313 printf("Firmware %s is too big: %lld bytes, %ld bytes max.\n",
314 fn, (long long)vattr.va_size, (long)firmware_max_size);
315 goto err2;
316 }
317 data = malloc(vattr.va_size, M_FIRMWARE, M_WAITOK);
318 error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)data, vattr.va_size, 0,
319 UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &resid, td);
320 /* XXX make data read only? */
321 VOP_UNLOCK(nd.ni_vp);
322 vn_close(nd.ni_vp, FREAD, cred, td);
323 nd.ni_vp = NULL;
324 if (error != 0 || resid != 0)
325 goto err;
326 fw = firmware_register(fn, data, vattr.va_size, 0, NULL);
327 if (fw == NULL)
328 goto err;
329 fp = PRIV_FW(fw);
330 fp->flags |= FW_BINARY;
331 if (bootverbose)
332 printf("%s: Loaded binary firmware using %s\n", imagename, fn);
333 sbuf_delete(sb);
334 return;
335
336 err2: /* cleanup in vn_open through vn_close */
337 VOP_UNLOCK(nd.ni_vp);
338 vn_close(nd.ni_vp, FREAD, cred, td);
339 err:
340 free(data, M_FIRMWARE);
341 if (bootverbose || warn)
342 printf("%s: could not load binary firmware %s either\n", imagename, fn);
343 sbuf_delete(sb);
344 }
345
346 static void
loadimage(void * arg,int npending __unused)347 loadimage(void *arg, int npending __unused)
348 {
349 struct fw_loadimage *fwli = arg;
350 struct priv_fw *fp;
351 linker_file_t result;
352 int error;
353
354 error = linker_reference_module(fwli->imagename, NULL, &result);
355 if (error != 0) {
356 if (bootverbose || (fwli->flags & FIRMWARE_GET_NOWARN) == 0)
357 printf("%s: could not load firmware image, error %d\n",
358 fwli->imagename, error);
359 try_binary_file(fwli->imagename, fwli->flags);
360 mtx_lock(&firmware_mtx);
361 goto done;
362 }
363
364 mtx_lock(&firmware_mtx);
365 fp = lookup(fwli->imagename);
366 if (fp == NULL || fp->file != NULL) {
367 mtx_unlock(&firmware_mtx);
368 if (fp == NULL)
369 printf("%s: firmware image loaded, "
370 "but did not register\n", fwli->imagename);
371 (void) linker_release_module(fwli->imagename, NULL, NULL);
372 mtx_lock(&firmware_mtx);
373 goto done;
374 }
375 fp->file = result; /* record the module identity */
376 done:
377 wakeup_one(arg);
378 mtx_unlock(&firmware_mtx);
379 }
380
381 /*
382 * Lookup and potentially load the specified firmware image.
383 * If the firmware is not found in the registry, try to load a kernel
384 * module named as the image name.
385 * If the firmware is located, a reference is returned. The caller must
386 * release this reference for the image to be eligible for removal/unload.
387 */
388 const struct firmware *
firmware_get_flags(const char * imagename,uint32_t flags)389 firmware_get_flags(const char *imagename, uint32_t flags)
390 {
391 struct task fwload_task;
392 struct thread *td;
393 struct priv_fw *fp;
394
395 mtx_lock(&firmware_mtx);
396 fp = lookup(imagename);
397 if (fp != NULL)
398 goto found;
399 /*
400 * Image not present, try to load the module holding it.
401 */
402 td = curthread;
403 if (priv_check(td, PRIV_FIRMWARE_LOAD) != 0 ||
404 securelevel_gt(td->td_ucred, 0) != 0) {
405 mtx_unlock(&firmware_mtx);
406 printf("%s: insufficient privileges to "
407 "load firmware image %s\n", __func__, imagename);
408 return NULL;
409 }
410 /*
411 * Defer load to a thread with known context. linker_reference_module
412 * may do filesystem i/o which requires root & current dirs, etc.
413 * Also we must not hold any mtx's over this call which is problematic.
414 */
415 if (!cold) {
416 struct fw_loadimage fwli;
417
418 fwli.imagename = imagename;
419 fwli.flags = flags;
420 TASK_INIT(&fwload_task, 0, loadimage, (void *)&fwli);
421 taskqueue_enqueue(firmware_tq, &fwload_task);
422 msleep((void *)&fwli, &firmware_mtx, 0, "fwload", 0);
423 }
424 /*
425 * After attempting to load the module, see if the image is registered.
426 */
427 fp = lookup(imagename);
428 if (fp == NULL) {
429 mtx_unlock(&firmware_mtx);
430 return NULL;
431 }
432 found: /* common exit point on success */
433 if (fp->refcnt == 0 && fp->parent != NULL)
434 fp->parent->refcnt++;
435 fp->refcnt++;
436 mtx_unlock(&firmware_mtx);
437 return &fp->fw;
438 }
439
440 const struct firmware *
firmware_get(const char * imagename)441 firmware_get(const char *imagename)
442 {
443
444 return (firmware_get_flags(imagename, 0));
445 }
446
447 /*
448 * Release a reference to a firmware image returned by firmware_get.
449 * The caller may specify, with the FIRMWARE_UNLOAD flag, its desire
450 * to release the resource, but the flag is only advisory.
451 *
452 * If this is the last reference to the firmware image, and this is an
453 * autoloaded module, wake up the firmware_unload_task to figure out
454 * what to do with the associated module.
455 */
456 void
firmware_put(const struct firmware * p,int flags)457 firmware_put(const struct firmware *p, int flags)
458 {
459 struct priv_fw *fp = PRIV_FW(p);
460
461 mtx_lock(&firmware_mtx);
462 fp->refcnt--;
463 if (fp->refcnt == 0) {
464 if (fp->parent != NULL)
465 fp->parent->refcnt--;
466 if (flags & FIRMWARE_UNLOAD)
467 fp->flags |= FW_UNLOAD;
468 if (fp->file)
469 taskqueue_enqueue(firmware_tq, &firmware_unload_task);
470 }
471 mtx_unlock(&firmware_mtx);
472 }
473
474 /*
475 * Setup directory state for the firmware_tq thread so we can do i/o.
476 */
477 static void
set_rootvnode(void * arg,int npending)478 set_rootvnode(void *arg, int npending)
479 {
480
481 pwd_ensure_dirs();
482 free(arg, M_TEMP);
483 }
484
485 /*
486 * Event handler called on mounting of /; bounce a task
487 * into the task queue thread to setup it's directories.
488 */
489 static void
firmware_mountroot(void * arg)490 firmware_mountroot(void *arg)
491 {
492 struct task *setroot_task;
493
494 setroot_task = malloc(sizeof(struct task), M_TEMP, M_NOWAIT);
495 if (setroot_task != NULL) {
496 TASK_INIT(setroot_task, 0, set_rootvnode, setroot_task);
497 taskqueue_enqueue(firmware_tq, setroot_task);
498 } else
499 printf("%s: no memory for task!\n", __func__);
500 }
501 EVENTHANDLER_DEFINE(mountroot, firmware_mountroot, NULL, 0);
502
503 /*
504 * The body of the task in charge of unloading autoloaded modules
505 * that are not needed anymore.
506 * Images can be cross-linked so we may need to make multiple passes,
507 * but the time we spend in the loop is bounded because we clear entries
508 * as we touch them.
509 */
510 static void
unloadentry(void * unused1,int unused2)511 unloadentry(void *unused1, int unused2)
512 {
513 struct priv_fw *fp, *tmp;
514
515 mtx_lock(&firmware_mtx);
516 restart:
517 LIST_FOREACH_SAFE(fp, &firmware_table, link, tmp) {
518 if (((fp->flags & FW_BINARY) == 0 && fp->file == NULL) ||
519 fp->refcnt != 0 || (fp->flags & FW_UNLOAD) == 0)
520 continue;
521
522 /*
523 * If we directly loaded the firmware, then we just need to
524 * remove the entry from the list and free the entry and go to
525 * the next one. There's no need for the indirection of the kld
526 * module case, we free memory and go to the next one.
527 */
528 if ((fp->flags & FW_BINARY) != 0) {
529 LIST_REMOVE(fp, link);
530 free(__DECONST(char *, fp->fw.data), M_FIRMWARE);
531 free(__DECONST(char *, fp->fw.name), M_FIRMWARE);
532 free(fp, M_FIRMWARE);
533 continue;
534 }
535
536 /*
537 * Found an entry. This is the kld case, so we have a more
538 * complex dance. Now:
539 * 1. make sure we scan the table again
540 * 2. clear FW_UNLOAD so we don't try this entry again.
541 * 3. release the lock while trying to unload the module.
542 */
543 fp->flags &= ~FW_UNLOAD; /* do not try again */
544
545 /*
546 * We rely on the module to call firmware_unregister()
547 * on unload to actually free the entry.
548 */
549 mtx_unlock(&firmware_mtx);
550 (void)linker_release_module(NULL, NULL, fp->file);
551 mtx_lock(&firmware_mtx);
552
553 /*
554 * When we dropped the lock, another thread could have
555 * removed an element, so we must restart the scan.
556 */
557 goto restart;
558 }
559 mtx_unlock(&firmware_mtx);
560 }
561
562 /*
563 * Find all the binary firmware that was loaded in the boot loader via load -t
564 * firmware foo. There is only one firmware per file, it's the whole file, and
565 * there's no meaningful version passed in, so pass 0 for that. If version is
566 * needed by the consumer (and not just arbitrarily defined), the .ko version
567 * must be used instead.
568 */
569 static void
firmware_binary_files(void)570 firmware_binary_files(void)
571 {
572 caddr_t file;
573 char *name;
574 const char *type;
575 const void *addr;
576 size_t size;
577 unsigned int version = 0;
578 const struct firmware *fw;
579 struct priv_fw *fp;
580
581 file = 0;
582 for (;;) {
583 file = preload_search_next_name(file);
584 if (file == 0)
585 break;
586 type = (const char *)preload_search_info(file, MODINFO_TYPE);
587 if (type == NULL || strcmp(type, "firmware") != 0)
588 continue;
589 name = preload_search_info(file, MODINFO_NAME);
590 addr = preload_fetch_addr(file);
591 size = preload_fetch_size(file);
592 fw = firmware_register(name, addr, size, version, NULL);
593 fp = PRIV_FW(fw);
594 fp->refcnt++; /* Hold an extra reference so we never unload */
595 }
596 }
597
598 /*
599 * Module glue.
600 */
601 static int
firmware_modevent(module_t mod,int type,void * unused)602 firmware_modevent(module_t mod, int type, void *unused)
603 {
604 struct priv_fw *fp;
605 int err;
606
607 err = 0;
608 switch (type) {
609 case MOD_LOAD:
610 TASK_INIT(&firmware_unload_task, 0, unloadentry, NULL);
611 firmware_tq = taskqueue_create("taskqueue_firmware", M_WAITOK,
612 taskqueue_thread_enqueue, &firmware_tq);
613 /* NB: use our own loop routine that sets up context */
614 (void) taskqueue_start_threads(&firmware_tq, 1, PWAIT,
615 "firmware taskq");
616 firmware_binary_files();
617 if (rootvnode != NULL) {
618 /*
619 * Root is already mounted so we won't get an event;
620 * simulate one here.
621 */
622 firmware_mountroot(NULL);
623 }
624 break;
625
626 case MOD_UNLOAD:
627 /* request all autoloaded modules to be released */
628 mtx_lock(&firmware_mtx);
629 LIST_FOREACH(fp, &firmware_table, link)
630 fp->flags |= FW_UNLOAD;
631 mtx_unlock(&firmware_mtx);
632 taskqueue_enqueue(firmware_tq, &firmware_unload_task);
633 taskqueue_drain(firmware_tq, &firmware_unload_task);
634
635 LIST_FOREACH(fp, &firmware_table, link) {
636 if (fp->fw.name != NULL) {
637 printf("%s: image %s still active, %d refs\n",
638 __func__, fp->fw.name, fp->refcnt);
639 err = EINVAL;
640 }
641 }
642 if (err == 0)
643 taskqueue_free(firmware_tq);
644 break;
645
646 default:
647 err = EOPNOTSUPP;
648 break;
649 }
650 return (err);
651 }
652
653 static moduledata_t firmware_mod = {
654 "firmware",
655 firmware_modevent,
656 NULL
657 };
658 DECLARE_MODULE(firmware, firmware_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
659 MODULE_VERSION(firmware, 1);
660