1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * dell_rbu.c 4 * Bios Update driver for Dell systems 5 * Author: Dell Inc 6 * Abhay Salunke <abhay_salunke@dell.com> 7 * 8 * Copyright (C) 2005 Dell Inc. 9 * 10 * Remote BIOS Update (rbu) driver is used for updating DELL BIOS by 11 * creating entries in the /sys file systems on Linux 2.6 and higher 12 * kernels. The driver supports two mechanism to update the BIOS namely 13 * contiguous and packetized. Both these methods still require having some 14 * application to set the CMOS bit indicating the BIOS to update itself 15 * after a reboot. 16 * 17 * Contiguous method: 18 * This driver writes the incoming data in a monolithic image by allocating 19 * contiguous physical pages large enough to accommodate the incoming BIOS 20 * image size. 21 * 22 * Packetized method: 23 * The driver writes the incoming packet image by allocating a new packet 24 * on every time the packet data is written. This driver requires an 25 * application to break the BIOS image in to fixed sized packet chunks. 26 * 27 * See Documentation/admin-guide/dell_rbu.rst for more info. 28 */ 29 30 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 31 32 #include <linux/init.h> 33 #include <linux/module.h> 34 #include <linux/slab.h> 35 #include <linux/string.h> 36 #include <linux/errno.h> 37 #include <linux/blkdev.h> 38 #include <linux/platform_device.h> 39 #include <linux/spinlock.h> 40 #include <linux/moduleparam.h> 41 #include <linux/firmware.h> 42 #include <linux/dma-mapping.h> 43 #include <asm/set_memory.h> 44 45 MODULE_AUTHOR("Abhay Salunke <abhay_salunke@dell.com>"); 46 MODULE_DESCRIPTION("Driver for updating BIOS image on DELL systems"); 47 MODULE_LICENSE("GPL"); 48 MODULE_VERSION("3.3"); 49 50 #define BIOS_SCAN_LIMIT 0xffffffff 51 #define MAX_IMAGE_LENGTH 16 52 static struct _rbu_data { 53 void *image_update_buffer; 54 unsigned long image_update_buffer_size; 55 unsigned long bios_image_size; 56 int image_update_ordernum; 57 spinlock_t lock; 58 unsigned long packet_read_count; 59 unsigned long num_packets; 60 unsigned long packetsize; 61 unsigned long imagesize; 62 int entry_created; 63 } rbu_data; 64 65 static char image_type[MAX_IMAGE_LENGTH + 1] = "mono"; 66 module_param_string(image_type, image_type, sizeof (image_type), 0); 67 MODULE_PARM_DESC(image_type, "BIOS image type. choose- mono or packet or init"); 68 69 static unsigned long allocation_floor = 0x100000; 70 module_param(allocation_floor, ulong, 0644); 71 MODULE_PARM_DESC(allocation_floor, "Minimum address for allocations when using Packet mode"); 72 73 struct packet_data { 74 struct list_head list; 75 size_t length; 76 void *data; 77 int ordernum; 78 }; 79 80 static struct list_head packet_data_list; 81 82 static struct platform_device *rbu_device; 83 static int context; 84 85 static void init_packet_head(void) 86 { 87 INIT_LIST_HEAD(&packet_data_list); 88 rbu_data.packet_read_count = 0; 89 rbu_data.num_packets = 0; 90 rbu_data.packetsize = 0; 91 rbu_data.imagesize = 0; 92 } 93 94 static int create_packet(void *data, size_t length) __must_hold(&rbu_data.lock) 95 { 96 struct packet_data *newpacket; 97 int ordernum = 0; 98 int retval = 0; 99 unsigned int packet_array_size = 0; 100 void **invalid_addr_packet_array = NULL; 101 void *packet_data_temp_buf = NULL; 102 unsigned int idx = 0; 103 104 pr_debug("entry\n"); 105 106 if (!rbu_data.packetsize) { 107 pr_debug("packetsize not specified\n"); 108 retval = -EINVAL; 109 goto out_noalloc; 110 } 111 112 spin_unlock(&rbu_data.lock); 113 114 newpacket = kzalloc(sizeof (struct packet_data), GFP_KERNEL); 115 116 if (!newpacket) { 117 pr_warn("failed to allocate new packet\n"); 118 retval = -ENOMEM; 119 spin_lock(&rbu_data.lock); 120 goto out_noalloc; 121 } 122 123 ordernum = get_order(length); 124 125 /* 126 * BIOS errata mean we cannot allocate packets below 1MB or they will 127 * be overwritten by BIOS. 128 * 129 * array to temporarily hold packets 130 * that are below the allocation floor 131 * 132 * NOTE: very simplistic because we only need the floor to be at 1MB 133 * due to BIOS errata. This shouldn't be used for higher floors 134 * or you will run out of mem trying to allocate the array. 135 */ 136 packet_array_size = max_t(unsigned int, allocation_floor / rbu_data.packetsize, 1); 137 invalid_addr_packet_array = kcalloc(packet_array_size, sizeof(void *), 138 GFP_KERNEL); 139 140 if (!invalid_addr_packet_array) { 141 pr_warn("failed to allocate invalid_addr_packet_array\n"); 142 retval = -ENOMEM; 143 spin_lock(&rbu_data.lock); 144 goto out_alloc_packet; 145 } 146 147 while (!packet_data_temp_buf) { 148 packet_data_temp_buf = (unsigned char *) 149 __get_free_pages(GFP_KERNEL, ordernum); 150 if (!packet_data_temp_buf) { 151 pr_warn("failed to allocate new packet\n"); 152 retval = -ENOMEM; 153 spin_lock(&rbu_data.lock); 154 goto out_alloc_packet_array; 155 } 156 157 if ((unsigned long)virt_to_phys(packet_data_temp_buf) 158 < allocation_floor) { 159 pr_debug("packet 0x%lx below floor at 0x%lx\n", 160 (unsigned long)virt_to_phys( 161 packet_data_temp_buf), 162 allocation_floor); 163 invalid_addr_packet_array[idx++] = packet_data_temp_buf; 164 packet_data_temp_buf = NULL; 165 } 166 } 167 /* 168 * set to uncachable or it may never get written back before reboot 169 */ 170 set_memory_uc((unsigned long)packet_data_temp_buf, 1 << ordernum); 171 172 spin_lock(&rbu_data.lock); 173 174 newpacket->data = packet_data_temp_buf; 175 176 pr_debug("newpacket at physical addr %lx\n", 177 (unsigned long)virt_to_phys(newpacket->data)); 178 179 /* packets may not have fixed size */ 180 newpacket->length = length; 181 newpacket->ordernum = ordernum; 182 ++rbu_data.num_packets; 183 184 /* initialize the newly created packet headers */ 185 INIT_LIST_HEAD(&newpacket->list); 186 list_add_tail(&newpacket->list, &packet_data_list); 187 188 memcpy(newpacket->data, data, length); 189 190 pr_debug("exit\n"); 191 192 out_alloc_packet_array: 193 /* always free packet array */ 194 while (idx--) { 195 pr_debug("freeing unused packet below floor 0x%lx\n", 196 (unsigned long)virt_to_phys(invalid_addr_packet_array[idx])); 197 free_pages((unsigned long)invalid_addr_packet_array[idx], ordernum); 198 } 199 kfree(invalid_addr_packet_array); 200 201 out_alloc_packet: 202 /* if error, free data */ 203 if (retval) 204 kfree(newpacket); 205 206 out_noalloc: 207 return retval; 208 } 209 210 static int packetize_data(const u8 *data, size_t length) 211 { 212 int rc = 0; 213 int done = 0; 214 int packet_length; 215 u8 *temp; 216 u8 *end = (u8 *) data + length; 217 pr_debug("data length %zd\n", length); 218 if (!rbu_data.packetsize) { 219 pr_warn("packetsize not specified\n"); 220 return -EIO; 221 } 222 223 temp = (u8 *) data; 224 225 /* packetize the hunk */ 226 while (!done) { 227 if ((temp + rbu_data.packetsize) < end) 228 packet_length = rbu_data.packetsize; 229 else { 230 /* this is the last packet */ 231 packet_length = end - temp; 232 done = 1; 233 } 234 235 rc = create_packet(temp, packet_length); 236 if (rc) 237 return rc; 238 239 pr_debug("%p:%td\n", temp, (end - temp)); 240 temp += packet_length; 241 } 242 243 rbu_data.imagesize = length; 244 245 return rc; 246 } 247 248 static int do_packet_read(char *data, struct packet_data *newpacket, 249 int length, int bytes_read, int *list_read_count) 250 { 251 void *ptemp_buf; 252 int bytes_copied = 0; 253 int j = 0; 254 255 *list_read_count += newpacket->length; 256 257 if (*list_read_count > bytes_read) { 258 /* point to the start of unread data */ 259 j = newpacket->length - (*list_read_count - bytes_read); 260 /* point to the offset in the packet buffer */ 261 ptemp_buf = (u8 *) newpacket->data + j; 262 /* 263 * check if there is enough room in 264 * * the incoming buffer 265 */ 266 if (length > (*list_read_count - bytes_read)) 267 /* 268 * copy what ever is there in this 269 * packet and move on 270 */ 271 bytes_copied = (*list_read_count - bytes_read); 272 else 273 /* copy the remaining */ 274 bytes_copied = length; 275 memcpy(data, ptemp_buf, bytes_copied); 276 } 277 return bytes_copied; 278 } 279 280 static int packet_read_list(char *data, size_t *pread_length) 281 { 282 struct packet_data *newpacket; 283 int temp_count = 0; 284 int bytes_copied = 0; 285 int bytes_read = 0; 286 int remaining_bytes = 0; 287 char *pdest = data; 288 289 /* check if we have any packets */ 290 if (0 == rbu_data.num_packets) 291 return -ENOMEM; 292 293 remaining_bytes = *pread_length; 294 bytes_read = rbu_data.packet_read_count; 295 296 list_for_each_entry(newpacket, &packet_data_list, list) { 297 bytes_copied = do_packet_read(pdest, newpacket, 298 remaining_bytes, bytes_read, &temp_count); 299 remaining_bytes -= bytes_copied; 300 bytes_read += bytes_copied; 301 pdest += bytes_copied; 302 /* 303 * check if we reached end of buffer before reaching the 304 * last packet 305 */ 306 if (remaining_bytes == 0) 307 break; 308 } 309 /*finally set the bytes read */ 310 *pread_length = bytes_read - rbu_data.packet_read_count; 311 rbu_data.packet_read_count = bytes_read; 312 return 0; 313 } 314 315 static void packet_empty_list(void) 316 { 317 struct packet_data *newpacket, *tmp; 318 319 list_for_each_entry_safe(newpacket, tmp, &packet_data_list, list) { 320 list_del(&newpacket->list); 321 322 /* 323 * zero out the RBU packet memory before freeing 324 * to make sure there are no stale RBU packets left in memory 325 */ 326 memset(newpacket->data, 0, newpacket->length); 327 set_memory_wb((unsigned long)newpacket->data, 328 1 << newpacket->ordernum); 329 free_pages((unsigned long) newpacket->data, 330 newpacket->ordernum); 331 kfree(newpacket); 332 } 333 rbu_data.packet_read_count = 0; 334 rbu_data.num_packets = 0; 335 rbu_data.imagesize = 0; 336 } 337 338 /* 339 * img_update_free: Frees the buffer allocated for storing BIOS image 340 * Always called with lock held and returned with lock held 341 */ 342 static void img_update_free(void) 343 { 344 if (!rbu_data.image_update_buffer) 345 return; 346 /* 347 * zero out this buffer before freeing it to get rid of any stale 348 * BIOS image copied in memory. 349 */ 350 memset(rbu_data.image_update_buffer, 0, 351 rbu_data.image_update_buffer_size); 352 free_pages((unsigned long) rbu_data.image_update_buffer, 353 rbu_data.image_update_ordernum); 354 355 /* 356 * Re-initialize the rbu_data variables after a free 357 */ 358 rbu_data.image_update_ordernum = -1; 359 rbu_data.image_update_buffer = NULL; 360 rbu_data.image_update_buffer_size = 0; 361 rbu_data.bios_image_size = 0; 362 } 363 364 /* 365 * img_update_realloc: This function allocates the contiguous pages to 366 * accommodate the requested size of data. The memory address and size 367 * values are stored globally and on every call to this function the new 368 * size is checked to see if more data is required than the existing size. 369 * If true the previous memory is freed and new allocation is done to 370 * accommodate the new size. If the incoming size is less then than the 371 * already allocated size, then that memory is reused. This function is 372 * called with lock held and returns with lock held. 373 */ 374 static int img_update_realloc(unsigned long size) 375 { 376 unsigned char *image_update_buffer = NULL; 377 unsigned long img_buf_phys_addr; 378 int ordernum; 379 380 /* 381 * check if the buffer of sufficient size has been 382 * already allocated 383 */ 384 if (rbu_data.image_update_buffer_size >= size) { 385 /* 386 * check for corruption 387 */ 388 if ((size != 0) && (rbu_data.image_update_buffer == NULL)) { 389 pr_err("corruption check failed\n"); 390 return -EINVAL; 391 } 392 /* 393 * we have a valid pre-allocated buffer with 394 * sufficient size 395 */ 396 return 0; 397 } 398 399 /* 400 * free any previously allocated buffer 401 */ 402 img_update_free(); 403 404 spin_unlock(&rbu_data.lock); 405 406 ordernum = get_order(size); 407 image_update_buffer = 408 (unsigned char *)__get_free_pages(GFP_DMA32, ordernum); 409 spin_lock(&rbu_data.lock); 410 if (!image_update_buffer) { 411 pr_debug("Not enough memory for image update: size = %ld\n", size); 412 return -ENOMEM; 413 } 414 415 img_buf_phys_addr = (unsigned long)virt_to_phys(image_update_buffer); 416 if (WARN_ON_ONCE(img_buf_phys_addr > BIOS_SCAN_LIMIT)) 417 return -EINVAL; /* can't happen per definition */ 418 419 rbu_data.image_update_buffer = image_update_buffer; 420 rbu_data.image_update_buffer_size = size; 421 rbu_data.bios_image_size = rbu_data.image_update_buffer_size; 422 rbu_data.image_update_ordernum = ordernum; 423 return 0; 424 } 425 426 static ssize_t read_packet_data(char *buffer, loff_t pos, size_t count) 427 { 428 int retval; 429 size_t bytes_left; 430 size_t data_length; 431 char *ptempBuf = buffer; 432 433 /* check to see if we have something to return */ 434 if (rbu_data.num_packets == 0) { 435 pr_debug("no packets written\n"); 436 retval = -ENOMEM; 437 goto read_rbu_data_exit; 438 } 439 440 if (pos > rbu_data.imagesize) { 441 retval = 0; 442 pr_warn("data underrun\n"); 443 goto read_rbu_data_exit; 444 } 445 446 bytes_left = rbu_data.imagesize - pos; 447 data_length = min(bytes_left, count); 448 449 retval = packet_read_list(ptempBuf, &data_length); 450 if (retval < 0) 451 goto read_rbu_data_exit; 452 453 if ((pos + count) > rbu_data.imagesize) { 454 rbu_data.packet_read_count = 0; 455 /* this was the last copy */ 456 retval = bytes_left; 457 } else 458 retval = count; 459 460 read_rbu_data_exit: 461 return retval; 462 } 463 464 static ssize_t read_rbu_mono_data(char *buffer, loff_t pos, size_t count) 465 { 466 /* check to see if we have something to return */ 467 if ((rbu_data.image_update_buffer == NULL) || 468 (rbu_data.bios_image_size == 0)) { 469 pr_debug("image_update_buffer %p, bios_image_size %lu\n", 470 rbu_data.image_update_buffer, 471 rbu_data.bios_image_size); 472 return -ENOMEM; 473 } 474 475 return memory_read_from_buffer(buffer, count, &pos, 476 rbu_data.image_update_buffer, rbu_data.bios_image_size); 477 } 478 479 static ssize_t data_read(struct file *filp, struct kobject *kobj, 480 const struct bin_attribute *bin_attr, 481 char *buffer, loff_t pos, size_t count) 482 { 483 ssize_t ret_count = 0; 484 485 spin_lock(&rbu_data.lock); 486 487 if (!strcmp(image_type, "mono")) 488 ret_count = read_rbu_mono_data(buffer, pos, count); 489 else if (!strcmp(image_type, "packet")) 490 ret_count = read_packet_data(buffer, pos, count); 491 else 492 pr_debug("invalid image type specified\n"); 493 494 spin_unlock(&rbu_data.lock); 495 return ret_count; 496 } 497 static const BIN_ATTR_RO(data, 0); 498 499 static void callbackfn_rbu(const struct firmware *fw, void *context) 500 { 501 rbu_data.entry_created = 0; 502 503 if (!fw) 504 return; 505 506 if (!fw->size) 507 goto out; 508 509 spin_lock(&rbu_data.lock); 510 if (!strcmp(image_type, "mono")) { 511 if (!img_update_realloc(fw->size)) 512 memcpy(rbu_data.image_update_buffer, 513 fw->data, fw->size); 514 } else if (!strcmp(image_type, "packet")) { 515 /* 516 * we need to free previous packets if a 517 * new hunk of packets needs to be downloaded 518 */ 519 packet_empty_list(); 520 if (packetize_data(fw->data, fw->size)) 521 /* Incase something goes wrong when we are 522 * in middle of packetizing the data, we 523 * need to free up whatever packets might 524 * have been created before we quit. 525 */ 526 packet_empty_list(); 527 } else 528 pr_debug("invalid image type specified\n"); 529 spin_unlock(&rbu_data.lock); 530 out: 531 release_firmware(fw); 532 } 533 534 static ssize_t image_type_read(struct file *filp, struct kobject *kobj, 535 const struct bin_attribute *bin_attr, 536 char *buffer, loff_t pos, size_t count) 537 { 538 int size = 0; 539 if (!pos) 540 size = scnprintf(buffer, count, "%s\n", image_type); 541 return size; 542 } 543 544 static ssize_t image_type_write(struct file *filp, struct kobject *kobj, 545 const struct bin_attribute *bin_attr, 546 char *buffer, loff_t pos, size_t count) 547 { 548 int rc = count; 549 int req_firm_rc = 0; 550 int i; 551 spin_lock(&rbu_data.lock); 552 /* 553 * Find the first newline or space 554 */ 555 for (i = 0; i < count; ++i) 556 if (buffer[i] == '\n' || buffer[i] == ' ') { 557 buffer[i] = '\0'; 558 break; 559 } 560 if (i == count) 561 buffer[count] = '\0'; 562 563 if (strstr(buffer, "mono")) 564 strcpy(image_type, "mono"); 565 else if (strstr(buffer, "packet")) 566 strcpy(image_type, "packet"); 567 else if (strstr(buffer, "init")) { 568 /* 569 * If due to the user error the driver gets in a bad 570 * state where even though it is loaded , the 571 * /sys/class/firmware/dell_rbu entries are missing. 572 * to cover this situation the user can recreate entries 573 * by writing init to image_type. 574 */ 575 if (!rbu_data.entry_created) { 576 spin_unlock(&rbu_data.lock); 577 req_firm_rc = request_firmware_nowait(THIS_MODULE, 578 FW_ACTION_NOUEVENT, "dell_rbu", 579 &rbu_device->dev, GFP_KERNEL, &context, 580 callbackfn_rbu); 581 if (req_firm_rc) { 582 pr_err("request_firmware_nowait failed %d\n", rc); 583 rc = -EIO; 584 } else 585 rbu_data.entry_created = 1; 586 587 spin_lock(&rbu_data.lock); 588 } 589 } else { 590 pr_warn("image_type is invalid\n"); 591 spin_unlock(&rbu_data.lock); 592 return -EINVAL; 593 } 594 595 /* we must free all previous allocations */ 596 packet_empty_list(); 597 img_update_free(); 598 spin_unlock(&rbu_data.lock); 599 600 return rc; 601 } 602 static const BIN_ATTR_RW(image_type, 0); 603 604 static ssize_t packet_size_read(struct file *filp, struct kobject *kobj, 605 const struct bin_attribute *bin_attr, 606 char *buffer, loff_t pos, size_t count) 607 { 608 int size = 0; 609 if (!pos) { 610 spin_lock(&rbu_data.lock); 611 size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize); 612 spin_unlock(&rbu_data.lock); 613 } 614 return size; 615 } 616 617 static ssize_t packet_size_write(struct file *filp, struct kobject *kobj, 618 const struct bin_attribute *bin_attr, 619 char *buffer, loff_t pos, size_t count) 620 { 621 unsigned long temp; 622 spin_lock(&rbu_data.lock); 623 packet_empty_list(); 624 sscanf(buffer, "%lu", &temp); 625 if (temp < 0xffffffff) 626 rbu_data.packetsize = temp; 627 628 spin_unlock(&rbu_data.lock); 629 return count; 630 } 631 static const BIN_ATTR_RW(packet_size, 0); 632 633 static const struct bin_attribute *const rbu_bin_attrs[] = { 634 &bin_attr_data, 635 &bin_attr_image_type, 636 &bin_attr_packet_size, 637 NULL 638 }; 639 640 static const struct attribute_group rbu_group = { 641 .bin_attrs = rbu_bin_attrs, 642 }; 643 644 static int __init dcdrbu_init(void) 645 { 646 int rc; 647 spin_lock_init(&rbu_data.lock); 648 649 init_packet_head(); 650 rbu_device = platform_device_register_simple("dell_rbu", PLATFORM_DEVID_NONE, NULL, 0); 651 if (IS_ERR(rbu_device)) { 652 pr_err("platform_device_register_simple failed\n"); 653 return PTR_ERR(rbu_device); 654 } 655 656 rc = sysfs_create_group(&rbu_device->dev.kobj, &rbu_group); 657 if (rc) 658 goto out_devreg; 659 660 rbu_data.entry_created = 0; 661 return 0; 662 663 out_devreg: 664 platform_device_unregister(rbu_device); 665 return rc; 666 } 667 668 static __exit void dcdrbu_exit(void) 669 { 670 spin_lock(&rbu_data.lock); 671 packet_empty_list(); 672 img_update_free(); 673 spin_unlock(&rbu_data.lock); 674 sysfs_remove_group(&rbu_device->dev.kobj, &rbu_group); 675 platform_device_unregister(rbu_device); 676 } 677 678 module_exit(dcdrbu_exit); 679 module_init(dcdrbu_init); 680