1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * main.c - Multi purpose firmware loading support
4  *
5  * Copyright (c) 2003 Manuel Estrada Sainz
6  *
7  * Please see Documentation/driver-api/firmware/ for more information.
8  *
9  */
10 
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 
13 #include <linux/capability.h>
14 #include <linux/device.h>
15 #include <linux/kernel_read_file.h>
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/initrd.h>
19 #include <linux/timer.h>
20 #include <linux/vmalloc.h>
21 #include <linux/interrupt.h>
22 #include <linux/bitops.h>
23 #include <linux/mutex.h>
24 #include <linux/workqueue.h>
25 #include <linux/highmem.h>
26 #include <linux/firmware.h>
27 #include <linux/slab.h>
28 #include <linux/sched.h>
29 #include <linux/file.h>
30 #include <linux/list.h>
31 #include <linux/fs.h>
32 #include <linux/async.h>
33 #include <linux/pm.h>
34 #include <linux/suspend.h>
35 #include <linux/syscore_ops.h>
36 #include <linux/reboot.h>
37 #include <linux/security.h>
38 #include <linux/zstd.h>
39 #include <linux/xz.h>
40 
41 #include <generated/utsrelease.h>
42 
43 #include "../base.h"
44 #include "firmware.h"
45 #include "fallback.h"
46 
47 MODULE_AUTHOR("Manuel Estrada Sainz");
48 MODULE_DESCRIPTION("Multi purpose firmware loading support");
49 MODULE_LICENSE("GPL");
50 
51 struct firmware_cache {
52 	/* firmware_buf instance will be added into the below list */
53 	spinlock_t lock;
54 	struct list_head head;
55 	int state;
56 
57 #ifdef CONFIG_FW_CACHE
58 	/*
59 	 * Names of firmware images which have been cached successfully
60 	 * will be added into the below list so that device uncache
61 	 * helper can trace which firmware images have been cached
62 	 * before.
63 	 */
64 	spinlock_t name_lock;
65 	struct list_head fw_names;
66 
67 	struct delayed_work work;
68 
69 	struct notifier_block   pm_notify;
70 #endif
71 };
72 
73 struct fw_cache_entry {
74 	struct list_head list;
75 	const char *name;
76 };
77 
78 struct fw_name_devm {
79 	unsigned long magic;
80 	const char *name;
81 };
82 
to_fw_priv(struct kref * ref)83 static inline struct fw_priv *to_fw_priv(struct kref *ref)
84 {
85 	return container_of(ref, struct fw_priv, ref);
86 }
87 
88 #define	FW_LOADER_NO_CACHE	0
89 #define	FW_LOADER_START_CACHE	1
90 
91 /* fw_lock could be moved to 'struct fw_sysfs' but since it is just
92  * guarding for corner cases a global lock should be OK */
93 DEFINE_MUTEX(fw_lock);
94 
95 struct firmware_cache fw_cache;
96 
fw_state_init(struct fw_priv * fw_priv)97 void fw_state_init(struct fw_priv *fw_priv)
98 {
99 	struct fw_state *fw_st = &fw_priv->fw_st;
100 
101 	init_completion(&fw_st->completion);
102 	fw_st->status = FW_STATUS_UNKNOWN;
103 }
104 
fw_state_wait(struct fw_priv * fw_priv)105 static inline int fw_state_wait(struct fw_priv *fw_priv)
106 {
107 	return __fw_state_wait_common(fw_priv, MAX_SCHEDULE_TIMEOUT);
108 }
109 
110 static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv);
111 
__allocate_fw_priv(const char * fw_name,struct firmware_cache * fwc,void * dbuf,size_t size,size_t offset,u32 opt_flags)112 static struct fw_priv *__allocate_fw_priv(const char *fw_name,
113 					  struct firmware_cache *fwc,
114 					  void *dbuf,
115 					  size_t size,
116 					  size_t offset,
117 					  u32 opt_flags)
118 {
119 	struct fw_priv *fw_priv;
120 
121 	/* For a partial read, the buffer must be preallocated. */
122 	if ((opt_flags & FW_OPT_PARTIAL) && !dbuf)
123 		return NULL;
124 
125 	/* Only partial reads are allowed to use an offset. */
126 	if (offset != 0 && !(opt_flags & FW_OPT_PARTIAL))
127 		return NULL;
128 
129 	fw_priv = kzalloc(sizeof(*fw_priv), GFP_ATOMIC);
130 	if (!fw_priv)
131 		return NULL;
132 
133 	fw_priv->fw_name = kstrdup_const(fw_name, GFP_ATOMIC);
134 	if (!fw_priv->fw_name) {
135 		kfree(fw_priv);
136 		return NULL;
137 	}
138 
139 	kref_init(&fw_priv->ref);
140 	fw_priv->fwc = fwc;
141 	fw_priv->data = dbuf;
142 	fw_priv->allocated_size = size;
143 	fw_priv->offset = offset;
144 	fw_priv->opt_flags = opt_flags;
145 	fw_state_init(fw_priv);
146 #ifdef CONFIG_FW_LOADER_USER_HELPER
147 	INIT_LIST_HEAD(&fw_priv->pending_list);
148 #endif
149 
150 	pr_debug("%s: fw-%s fw_priv=%p\n", __func__, fw_name, fw_priv);
151 
152 	return fw_priv;
153 }
154 
__lookup_fw_priv(const char * fw_name)155 static struct fw_priv *__lookup_fw_priv(const char *fw_name)
156 {
157 	struct fw_priv *tmp;
158 	struct firmware_cache *fwc = &fw_cache;
159 
160 	list_for_each_entry(tmp, &fwc->head, list)
161 		if (!strcmp(tmp->fw_name, fw_name))
162 			return tmp;
163 	return NULL;
164 }
165 
166 /* Returns 1 for batching firmware requests with the same name */
alloc_lookup_fw_priv(const char * fw_name,struct firmware_cache * fwc,struct fw_priv ** fw_priv,void * dbuf,size_t size,size_t offset,u32 opt_flags)167 int alloc_lookup_fw_priv(const char *fw_name, struct firmware_cache *fwc,
168 			 struct fw_priv **fw_priv, void *dbuf, size_t size,
169 			 size_t offset, u32 opt_flags)
170 {
171 	struct fw_priv *tmp;
172 
173 	spin_lock(&fwc->lock);
174 	/*
175 	 * Do not merge requests that are marked to be non-cached or
176 	 * are performing partial reads.
177 	 */
178 	if (!(opt_flags & (FW_OPT_NOCACHE | FW_OPT_PARTIAL))) {
179 		tmp = __lookup_fw_priv(fw_name);
180 		if (tmp) {
181 			kref_get(&tmp->ref);
182 			spin_unlock(&fwc->lock);
183 			*fw_priv = tmp;
184 			pr_debug("batched request - sharing the same struct fw_priv and lookup for multiple requests\n");
185 			return 1;
186 		}
187 	}
188 
189 	tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size, offset, opt_flags);
190 	if (tmp) {
191 		INIT_LIST_HEAD(&tmp->list);
192 		if (!(opt_flags & FW_OPT_NOCACHE))
193 			list_add(&tmp->list, &fwc->head);
194 	}
195 	spin_unlock(&fwc->lock);
196 
197 	*fw_priv = tmp;
198 
199 	return tmp ? 0 : -ENOMEM;
200 }
201 
__free_fw_priv(struct kref * ref)202 static void __free_fw_priv(struct kref *ref)
203 	__releases(&fwc->lock)
204 {
205 	struct fw_priv *fw_priv = to_fw_priv(ref);
206 	struct firmware_cache *fwc = fw_priv->fwc;
207 
208 	pr_debug("%s: fw-%s fw_priv=%p data=%p size=%u\n",
209 		 __func__, fw_priv->fw_name, fw_priv, fw_priv->data,
210 		 (unsigned int)fw_priv->size);
211 
212 	list_del(&fw_priv->list);
213 	spin_unlock(&fwc->lock);
214 
215 	if (fw_is_paged_buf(fw_priv))
216 		fw_free_paged_buf(fw_priv);
217 	else if (!fw_priv->allocated_size)
218 		vfree(fw_priv->data);
219 
220 	kfree_const(fw_priv->fw_name);
221 	kfree(fw_priv);
222 }
223 
free_fw_priv(struct fw_priv * fw_priv)224 void free_fw_priv(struct fw_priv *fw_priv)
225 {
226 	struct firmware_cache *fwc = fw_priv->fwc;
227 	spin_lock(&fwc->lock);
228 	if (!kref_put(&fw_priv->ref, __free_fw_priv))
229 		spin_unlock(&fwc->lock);
230 }
231 
232 #ifdef CONFIG_FW_LOADER_PAGED_BUF
fw_is_paged_buf(struct fw_priv * fw_priv)233 bool fw_is_paged_buf(struct fw_priv *fw_priv)
234 {
235 	return fw_priv->is_paged_buf;
236 }
237 
fw_free_paged_buf(struct fw_priv * fw_priv)238 void fw_free_paged_buf(struct fw_priv *fw_priv)
239 {
240 	int i;
241 
242 	if (!fw_priv->pages)
243 		return;
244 
245 	vunmap(fw_priv->data);
246 
247 	for (i = 0; i < fw_priv->nr_pages; i++)
248 		__free_page(fw_priv->pages[i]);
249 	kvfree(fw_priv->pages);
250 	fw_priv->pages = NULL;
251 	fw_priv->page_array_size = 0;
252 	fw_priv->nr_pages = 0;
253 	fw_priv->data = NULL;
254 	fw_priv->size = 0;
255 }
256 
fw_grow_paged_buf(struct fw_priv * fw_priv,int pages_needed)257 int fw_grow_paged_buf(struct fw_priv *fw_priv, int pages_needed)
258 {
259 	/* If the array of pages is too small, grow it */
260 	if (fw_priv->page_array_size < pages_needed) {
261 		int new_array_size = max(pages_needed,
262 					 fw_priv->page_array_size * 2);
263 		struct page **new_pages;
264 
265 		new_pages = kvmalloc_array(new_array_size, sizeof(void *),
266 					   GFP_KERNEL);
267 		if (!new_pages)
268 			return -ENOMEM;
269 		memcpy(new_pages, fw_priv->pages,
270 		       fw_priv->page_array_size * sizeof(void *));
271 		memset(&new_pages[fw_priv->page_array_size], 0, sizeof(void *) *
272 		       (new_array_size - fw_priv->page_array_size));
273 		kvfree(fw_priv->pages);
274 		fw_priv->pages = new_pages;
275 		fw_priv->page_array_size = new_array_size;
276 	}
277 
278 	while (fw_priv->nr_pages < pages_needed) {
279 		fw_priv->pages[fw_priv->nr_pages] =
280 			alloc_page(GFP_KERNEL | __GFP_HIGHMEM);
281 
282 		if (!fw_priv->pages[fw_priv->nr_pages])
283 			return -ENOMEM;
284 		fw_priv->nr_pages++;
285 	}
286 
287 	return 0;
288 }
289 
fw_map_paged_buf(struct fw_priv * fw_priv)290 int fw_map_paged_buf(struct fw_priv *fw_priv)
291 {
292 	/* one pages buffer should be mapped/unmapped only once */
293 	if (!fw_priv->pages)
294 		return 0;
295 
296 	vunmap(fw_priv->data);
297 	fw_priv->data = vmap(fw_priv->pages, fw_priv->nr_pages, 0,
298 			     PAGE_KERNEL_RO);
299 	if (!fw_priv->data)
300 		return -ENOMEM;
301 
302 	return 0;
303 }
304 #endif
305 
306 /*
307  * ZSTD-compressed firmware support
308  */
309 #ifdef CONFIG_FW_LOADER_COMPRESS_ZSTD
fw_decompress_zstd(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)310 static int fw_decompress_zstd(struct device *dev, struct fw_priv *fw_priv,
311 			      size_t in_size, const void *in_buffer)
312 {
313 	size_t len, out_size, workspace_size;
314 	void *workspace, *out_buf;
315 	zstd_dctx *ctx;
316 	int err;
317 
318 	if (fw_priv->allocated_size) {
319 		out_size = fw_priv->allocated_size;
320 		out_buf = fw_priv->data;
321 	} else {
322 		zstd_frame_header params;
323 
324 		if (zstd_get_frame_header(&params, in_buffer, in_size) ||
325 		    params.frameContentSize == ZSTD_CONTENTSIZE_UNKNOWN) {
326 			dev_dbg(dev, "%s: invalid zstd header\n", __func__);
327 			return -EINVAL;
328 		}
329 		out_size = params.frameContentSize;
330 		out_buf = vzalloc(out_size);
331 		if (!out_buf)
332 			return -ENOMEM;
333 	}
334 
335 	workspace_size = zstd_dctx_workspace_bound();
336 	workspace = kvzalloc(workspace_size, GFP_KERNEL);
337 	if (!workspace) {
338 		err = -ENOMEM;
339 		goto error;
340 	}
341 
342 	ctx = zstd_init_dctx(workspace, workspace_size);
343 	if (!ctx) {
344 		dev_dbg(dev, "%s: failed to initialize context\n", __func__);
345 		err = -EINVAL;
346 		goto error;
347 	}
348 
349 	len = zstd_decompress_dctx(ctx, out_buf, out_size, in_buffer, in_size);
350 	if (zstd_is_error(len)) {
351 		dev_dbg(dev, "%s: failed to decompress: %d\n", __func__,
352 			zstd_get_error_code(len));
353 		err = -EINVAL;
354 		goto error;
355 	}
356 
357 	if (!fw_priv->allocated_size)
358 		fw_priv->data = out_buf;
359 	fw_priv->size = len;
360 	err = 0;
361 
362  error:
363 	kvfree(workspace);
364 	if (err && !fw_priv->allocated_size)
365 		vfree(out_buf);
366 	return err;
367 }
368 #endif /* CONFIG_FW_LOADER_COMPRESS_ZSTD */
369 
370 /*
371  * XZ-compressed firmware support
372  */
373 #ifdef CONFIG_FW_LOADER_COMPRESS_XZ
374 /* show an error and return the standard error code */
fw_decompress_xz_error(struct device * dev,enum xz_ret xz_ret)375 static int fw_decompress_xz_error(struct device *dev, enum xz_ret xz_ret)
376 {
377 	if (xz_ret != XZ_STREAM_END) {
378 		dev_warn(dev, "xz decompression failed (xz_ret=%d)\n", xz_ret);
379 		return xz_ret == XZ_MEM_ERROR ? -ENOMEM : -EINVAL;
380 	}
381 	return 0;
382 }
383 
384 /* single-shot decompression onto the pre-allocated buffer */
fw_decompress_xz_single(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)385 static int fw_decompress_xz_single(struct device *dev, struct fw_priv *fw_priv,
386 				   size_t in_size, const void *in_buffer)
387 {
388 	struct xz_dec *xz_dec;
389 	struct xz_buf xz_buf;
390 	enum xz_ret xz_ret;
391 
392 	xz_dec = xz_dec_init(XZ_SINGLE, (u32)-1);
393 	if (!xz_dec)
394 		return -ENOMEM;
395 
396 	xz_buf.in_size = in_size;
397 	xz_buf.in = in_buffer;
398 	xz_buf.in_pos = 0;
399 	xz_buf.out_size = fw_priv->allocated_size;
400 	xz_buf.out = fw_priv->data;
401 	xz_buf.out_pos = 0;
402 
403 	xz_ret = xz_dec_run(xz_dec, &xz_buf);
404 	xz_dec_end(xz_dec);
405 
406 	fw_priv->size = xz_buf.out_pos;
407 	return fw_decompress_xz_error(dev, xz_ret);
408 }
409 
410 /* decompression on paged buffer and map it */
fw_decompress_xz_pages(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)411 static int fw_decompress_xz_pages(struct device *dev, struct fw_priv *fw_priv,
412 				  size_t in_size, const void *in_buffer)
413 {
414 	struct xz_dec *xz_dec;
415 	struct xz_buf xz_buf;
416 	enum xz_ret xz_ret;
417 	struct page *page;
418 	int err = 0;
419 
420 	xz_dec = xz_dec_init(XZ_DYNALLOC, (u32)-1);
421 	if (!xz_dec)
422 		return -ENOMEM;
423 
424 	xz_buf.in_size = in_size;
425 	xz_buf.in = in_buffer;
426 	xz_buf.in_pos = 0;
427 
428 	fw_priv->is_paged_buf = true;
429 	fw_priv->size = 0;
430 	do {
431 		if (fw_grow_paged_buf(fw_priv, fw_priv->nr_pages + 1)) {
432 			err = -ENOMEM;
433 			goto out;
434 		}
435 
436 		/* decompress onto the new allocated page */
437 		page = fw_priv->pages[fw_priv->nr_pages - 1];
438 		xz_buf.out = kmap_local_page(page);
439 		xz_buf.out_pos = 0;
440 		xz_buf.out_size = PAGE_SIZE;
441 		xz_ret = xz_dec_run(xz_dec, &xz_buf);
442 		kunmap_local(xz_buf.out);
443 		fw_priv->size += xz_buf.out_pos;
444 		/* partial decompression means either end or error */
445 		if (xz_buf.out_pos != PAGE_SIZE)
446 			break;
447 	} while (xz_ret == XZ_OK);
448 
449 	err = fw_decompress_xz_error(dev, xz_ret);
450 	if (!err)
451 		err = fw_map_paged_buf(fw_priv);
452 
453  out:
454 	xz_dec_end(xz_dec);
455 	return err;
456 }
457 
fw_decompress_xz(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer)458 static int fw_decompress_xz(struct device *dev, struct fw_priv *fw_priv,
459 			    size_t in_size, const void *in_buffer)
460 {
461 	/* if the buffer is pre-allocated, we can perform in single-shot mode */
462 	if (fw_priv->data)
463 		return fw_decompress_xz_single(dev, fw_priv, in_size, in_buffer);
464 	else
465 		return fw_decompress_xz_pages(dev, fw_priv, in_size, in_buffer);
466 }
467 #endif /* CONFIG_FW_LOADER_COMPRESS_XZ */
468 
469 /* direct firmware loading support */
470 static char fw_path_para[256];
471 static const char * const fw_path[] = {
472 	fw_path_para,
473 	"/lib/firmware/updates/" UTS_RELEASE,
474 	"/lib/firmware/updates",
475 	"/lib/firmware/" UTS_RELEASE,
476 	"/lib/firmware"
477 };
478 
479 /*
480  * Typical usage is that passing 'firmware_class.path=$CUSTOMIZED_PATH'
481  * from kernel command line because firmware_class is generally built in
482  * kernel instead of module.
483  */
484 module_param_string(path, fw_path_para, sizeof(fw_path_para), 0644);
485 MODULE_PARM_DESC(path, "customized firmware image search path with a higher priority than default path");
486 
487 static int
fw_get_filesystem_firmware(struct device * device,struct fw_priv * fw_priv,const char * suffix,int (* decompress)(struct device * dev,struct fw_priv * fw_priv,size_t in_size,const void * in_buffer))488 fw_get_filesystem_firmware(struct device *device, struct fw_priv *fw_priv,
489 			   const char *suffix,
490 			   int (*decompress)(struct device *dev,
491 					     struct fw_priv *fw_priv,
492 					     size_t in_size,
493 					     const void *in_buffer))
494 {
495 	size_t size;
496 	int i, len, maxlen = 0;
497 	int rc = -ENOENT;
498 	char *path, *nt = NULL;
499 	size_t msize = INT_MAX;
500 	void *buffer = NULL;
501 
502 	/* Already populated data member means we're loading into a buffer */
503 	if (!decompress && fw_priv->data) {
504 		buffer = fw_priv->data;
505 		msize = fw_priv->allocated_size;
506 	}
507 
508 	path = __getname();
509 	if (!path)
510 		return -ENOMEM;
511 
512 	wait_for_initramfs();
513 	for (i = 0; i < ARRAY_SIZE(fw_path); i++) {
514 		size_t file_size = 0;
515 		size_t *file_size_ptr = NULL;
516 
517 		/* skip the unset customized path */
518 		if (!fw_path[i][0])
519 			continue;
520 
521 		/* strip off \n from customized path */
522 		maxlen = strlen(fw_path[i]);
523 		if (i == 0) {
524 			nt = strchr(fw_path[i], '\n');
525 			if (nt)
526 				maxlen = nt - fw_path[i];
527 		}
528 
529 		len = snprintf(path, PATH_MAX, "%.*s/%s%s",
530 			       maxlen, fw_path[i],
531 			       fw_priv->fw_name, suffix);
532 		if (len >= PATH_MAX) {
533 			rc = -ENAMETOOLONG;
534 			break;
535 		}
536 
537 		fw_priv->size = 0;
538 
539 		/*
540 		 * The total file size is only examined when doing a partial
541 		 * read; the "full read" case needs to fail if the whole
542 		 * firmware was not completely loaded.
543 		 */
544 		if ((fw_priv->opt_flags & FW_OPT_PARTIAL) && buffer)
545 			file_size_ptr = &file_size;
546 
547 		/* load firmware files from the mount namespace of init */
548 		rc = kernel_read_file_from_path_initns(path, fw_priv->offset,
549 						       &buffer, msize,
550 						       file_size_ptr,
551 						       READING_FIRMWARE);
552 		if (rc < 0) {
553 			if (rc != -ENOENT)
554 				dev_warn(device, "loading %s failed with error %d\n",
555 					 path, rc);
556 			else
557 				dev_dbg(device, "loading %s failed for no such file or directory.\n",
558 					 path);
559 			continue;
560 		}
561 		size = rc;
562 		rc = 0;
563 
564 		dev_dbg(device, "Loading firmware from %s\n", path);
565 		if (decompress) {
566 			dev_dbg(device, "f/w decompressing %s\n",
567 				fw_priv->fw_name);
568 			rc = decompress(device, fw_priv, size, buffer);
569 			/* discard the superfluous original content */
570 			vfree(buffer);
571 			buffer = NULL;
572 			if (rc) {
573 				fw_free_paged_buf(fw_priv);
574 				continue;
575 			}
576 		} else {
577 			dev_dbg(device, "direct-loading %s\n",
578 				fw_priv->fw_name);
579 			if (!fw_priv->data)
580 				fw_priv->data = buffer;
581 			fw_priv->size = size;
582 		}
583 		fw_state_done(fw_priv);
584 		break;
585 	}
586 	__putname(path);
587 
588 	return rc;
589 }
590 
591 /* firmware holds the ownership of pages */
firmware_free_data(const struct firmware * fw)592 static void firmware_free_data(const struct firmware *fw)
593 {
594 	/* Loaded directly? */
595 	if (!fw->priv) {
596 		vfree(fw->data);
597 		return;
598 	}
599 	free_fw_priv(fw->priv);
600 }
601 
602 /* store the pages buffer info firmware from buf */
fw_set_page_data(struct fw_priv * fw_priv,struct firmware * fw)603 static void fw_set_page_data(struct fw_priv *fw_priv, struct firmware *fw)
604 {
605 	fw->priv = fw_priv;
606 	fw->size = fw_priv->size;
607 	fw->data = fw_priv->data;
608 
609 	pr_debug("%s: fw-%s fw_priv=%p data=%p size=%u\n",
610 		 __func__, fw_priv->fw_name, fw_priv, fw_priv->data,
611 		 (unsigned int)fw_priv->size);
612 }
613 
614 #ifdef CONFIG_FW_CACHE
fw_name_devm_release(struct device * dev,void * res)615 static void fw_name_devm_release(struct device *dev, void *res)
616 {
617 	struct fw_name_devm *fwn = res;
618 
619 	if (fwn->magic == (unsigned long)&fw_cache)
620 		pr_debug("%s: fw_name-%s devm-%p released\n",
621 				__func__, fwn->name, res);
622 	kfree_const(fwn->name);
623 }
624 
fw_devm_match(struct device * dev,void * res,void * match_data)625 static int fw_devm_match(struct device *dev, void *res,
626 		void *match_data)
627 {
628 	struct fw_name_devm *fwn = res;
629 
630 	return (fwn->magic == (unsigned long)&fw_cache) &&
631 		!strcmp(fwn->name, match_data);
632 }
633 
fw_find_devm_name(struct device * dev,const char * name)634 static struct fw_name_devm *fw_find_devm_name(struct device *dev,
635 		const char *name)
636 {
637 	struct fw_name_devm *fwn;
638 
639 	fwn = devres_find(dev, fw_name_devm_release,
640 			  fw_devm_match, (void *)name);
641 	return fwn;
642 }
643 
fw_cache_is_setup(struct device * dev,const char * name)644 static bool fw_cache_is_setup(struct device *dev, const char *name)
645 {
646 	struct fw_name_devm *fwn;
647 
648 	fwn = fw_find_devm_name(dev, name);
649 	if (fwn)
650 		return true;
651 
652 	return false;
653 }
654 
655 /* add firmware name into devres list */
fw_add_devm_name(struct device * dev,const char * name)656 static int fw_add_devm_name(struct device *dev, const char *name)
657 {
658 	struct fw_name_devm *fwn;
659 
660 	if (fw_cache_is_setup(dev, name))
661 		return 0;
662 
663 	fwn = devres_alloc(fw_name_devm_release, sizeof(struct fw_name_devm),
664 			   GFP_KERNEL);
665 	if (!fwn)
666 		return -ENOMEM;
667 	fwn->name = kstrdup_const(name, GFP_KERNEL);
668 	if (!fwn->name) {
669 		devres_free(fwn);
670 		return -ENOMEM;
671 	}
672 
673 	fwn->magic = (unsigned long)&fw_cache;
674 	devres_add(dev, fwn);
675 
676 	return 0;
677 }
678 #else
fw_cache_is_setup(struct device * dev,const char * name)679 static bool fw_cache_is_setup(struct device *dev, const char *name)
680 {
681 	return false;
682 }
683 
fw_add_devm_name(struct device * dev,const char * name)684 static int fw_add_devm_name(struct device *dev, const char *name)
685 {
686 	return 0;
687 }
688 #endif
689 
assign_fw(struct firmware * fw,struct device * device)690 int assign_fw(struct firmware *fw, struct device *device)
691 {
692 	struct fw_priv *fw_priv = fw->priv;
693 	int ret;
694 
695 	mutex_lock(&fw_lock);
696 	if (!fw_priv->size || fw_state_is_aborted(fw_priv)) {
697 		mutex_unlock(&fw_lock);
698 		return -ENOENT;
699 	}
700 
701 	/*
702 	 * add firmware name into devres list so that we can auto cache
703 	 * and uncache firmware for device.
704 	 *
705 	 * device may has been deleted already, but the problem
706 	 * should be fixed in devres or driver core.
707 	 */
708 	/* don't cache firmware handled without uevent */
709 	if (device && (fw_priv->opt_flags & FW_OPT_UEVENT) &&
710 	    !(fw_priv->opt_flags & FW_OPT_NOCACHE)) {
711 		ret = fw_add_devm_name(device, fw_priv->fw_name);
712 		if (ret) {
713 			mutex_unlock(&fw_lock);
714 			return ret;
715 		}
716 	}
717 
718 	/*
719 	 * After caching firmware image is started, let it piggyback
720 	 * on request firmware.
721 	 */
722 	if (!(fw_priv->opt_flags & FW_OPT_NOCACHE) &&
723 	    fw_priv->fwc->state == FW_LOADER_START_CACHE)
724 		fw_cache_piggyback_on_request(fw_priv);
725 
726 	/* pass the pages buffer to driver at the last minute */
727 	fw_set_page_data(fw_priv, fw);
728 	mutex_unlock(&fw_lock);
729 	return 0;
730 }
731 
732 /* prepare firmware and firmware_buf structs;
733  * return 0 if a firmware is already assigned, 1 if need to load one,
734  * or a negative error code
735  */
736 static int
_request_firmware_prepare(struct firmware ** firmware_p,const char * name,struct device * device,void * dbuf,size_t size,size_t offset,u32 opt_flags)737 _request_firmware_prepare(struct firmware **firmware_p, const char *name,
738 			  struct device *device, void *dbuf, size_t size,
739 			  size_t offset, u32 opt_flags)
740 {
741 	struct firmware *firmware;
742 	struct fw_priv *fw_priv;
743 	int ret;
744 
745 	*firmware_p = firmware = kzalloc(sizeof(*firmware), GFP_KERNEL);
746 	if (!firmware) {
747 		dev_err(device, "%s: kmalloc(struct firmware) failed\n",
748 			__func__);
749 		return -ENOMEM;
750 	}
751 
752 	if (firmware_request_builtin_buf(firmware, name, dbuf, size)) {
753 		dev_dbg(device, "using built-in %s\n", name);
754 		return 0; /* assigned */
755 	}
756 
757 	ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, dbuf, size,
758 				   offset, opt_flags);
759 
760 	/*
761 	 * bind with 'priv' now to avoid warning in failure path
762 	 * of requesting firmware.
763 	 */
764 	firmware->priv = fw_priv;
765 
766 	if (ret > 0) {
767 		ret = fw_state_wait(fw_priv);
768 		if (!ret) {
769 			fw_set_page_data(fw_priv, firmware);
770 			return 0; /* assigned */
771 		}
772 	}
773 
774 	if (ret < 0)
775 		return ret;
776 	return 1; /* need to load */
777 }
778 
779 /*
780  * Batched requests need only one wake, we need to do this step last due to the
781  * fallback mechanism. The buf is protected with kref_get(), and it won't be
782  * released until the last user calls release_firmware().
783  *
784  * Failed batched requests are possible as well, in such cases we just share
785  * the struct fw_priv and won't release it until all requests are woken
786  * and have gone through this same path.
787  */
fw_abort_batch_reqs(struct firmware * fw)788 static void fw_abort_batch_reqs(struct firmware *fw)
789 {
790 	struct fw_priv *fw_priv;
791 
792 	/* Loaded directly? */
793 	if (!fw || !fw->priv)
794 		return;
795 
796 	fw_priv = fw->priv;
797 	mutex_lock(&fw_lock);
798 	if (!fw_state_is_aborted(fw_priv))
799 		fw_state_aborted(fw_priv);
800 	mutex_unlock(&fw_lock);
801 }
802 
803 #if defined(CONFIG_FW_LOADER_DEBUG)
804 #include <crypto/hash.h>
805 #include <crypto/sha2.h>
806 
fw_log_firmware_info(const struct firmware * fw,const char * name,struct device * device)807 static void fw_log_firmware_info(const struct firmware *fw, const char *name, struct device *device)
808 {
809 	struct shash_desc *shash;
810 	struct crypto_shash *alg;
811 	u8 *sha256buf;
812 	char *outbuf;
813 
814 	alg = crypto_alloc_shash("sha256", 0, 0);
815 	if (IS_ERR(alg))
816 		return;
817 
818 	sha256buf = kmalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
819 	outbuf = kmalloc(SHA256_BLOCK_SIZE + 1, GFP_KERNEL);
820 	shash = kmalloc(sizeof(*shash) + crypto_shash_descsize(alg), GFP_KERNEL);
821 	if (!sha256buf || !outbuf || !shash)
822 		goto out_free;
823 
824 	shash->tfm = alg;
825 
826 	if (crypto_shash_digest(shash, fw->data, fw->size, sha256buf) < 0)
827 		goto out_shash;
828 
829 	for (int i = 0; i < SHA256_DIGEST_SIZE; i++)
830 		sprintf(&outbuf[i * 2], "%02x", sha256buf[i]);
831 	outbuf[SHA256_BLOCK_SIZE] = 0;
832 	dev_dbg(device, "Loaded FW: %s, sha256: %s\n", name, outbuf);
833 
834 out_shash:
835 	crypto_free_shash(alg);
836 out_free:
837 	kfree(shash);
838 	kfree(outbuf);
839 	kfree(sha256buf);
840 }
841 #else
fw_log_firmware_info(const struct firmware * fw,const char * name,struct device * device)842 static void fw_log_firmware_info(const struct firmware *fw, const char *name,
843 				 struct device *device)
844 {}
845 #endif
846 
847 /*
848  * Reject firmware file names with ".." path components.
849  * There are drivers that construct firmware file names from device-supplied
850  * strings, and we don't want some device to be able to tell us "I would like to
851  * be sent my firmware from ../../../etc/shadow, please".
852  *
853  * Search for ".." surrounded by either '/' or start/end of string.
854  *
855  * This intentionally only looks at the firmware name, not at the firmware base
856  * directory or at symlink contents.
857  */
name_contains_dotdot(const char * name)858 static bool name_contains_dotdot(const char *name)
859 {
860 	size_t name_len = strlen(name);
861 
862 	return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 ||
863 	       strstr(name, "/../") != NULL ||
864 	       (name_len >= 3 && strcmp(name+name_len-3, "/..") == 0);
865 }
866 
867 /* called from request_firmware() and request_firmware_work_func() */
868 static int
_request_firmware(const struct firmware ** firmware_p,const char * name,struct device * device,void * buf,size_t size,size_t offset,u32 opt_flags)869 _request_firmware(const struct firmware **firmware_p, const char *name,
870 		  struct device *device, void *buf, size_t size,
871 		  size_t offset, u32 opt_flags)
872 {
873 	struct firmware *fw = NULL;
874 	struct cred *kern_cred = NULL;
875 	const struct cred *old_cred;
876 	bool nondirect = false;
877 	int ret;
878 
879 	if (!firmware_p)
880 		return -EINVAL;
881 
882 	if (!name || name[0] == '\0') {
883 		ret = -EINVAL;
884 		goto out;
885 	}
886 
887 	if (name_contains_dotdot(name)) {
888 		dev_warn(device,
889 			 "Firmware load for '%s' refused, path contains '..' component\n",
890 			 name);
891 		ret = -EINVAL;
892 		goto out;
893 	}
894 
895 	ret = _request_firmware_prepare(&fw, name, device, buf, size,
896 					offset, opt_flags);
897 	if (ret <= 0) /* error or already assigned */
898 		goto out;
899 
900 	/*
901 	 * We are about to try to access the firmware file. Because we may have been
902 	 * called by a driver when serving an unrelated request from userland, we use
903 	 * the kernel credentials to read the file.
904 	 */
905 	kern_cred = prepare_kernel_cred(&init_task);
906 	if (!kern_cred) {
907 		ret = -ENOMEM;
908 		goto out;
909 	}
910 	old_cred = override_creds(kern_cred);
911 
912 	ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL);
913 
914 	/* Only full reads can support decompression, platform, and sysfs. */
915 	if (!(opt_flags & FW_OPT_PARTIAL))
916 		nondirect = true;
917 
918 #ifdef CONFIG_FW_LOADER_COMPRESS_ZSTD
919 	if (ret == -ENOENT && nondirect)
920 		ret = fw_get_filesystem_firmware(device, fw->priv, ".zst",
921 						 fw_decompress_zstd);
922 #endif
923 #ifdef CONFIG_FW_LOADER_COMPRESS_XZ
924 	if (ret == -ENOENT && nondirect)
925 		ret = fw_get_filesystem_firmware(device, fw->priv, ".xz",
926 						 fw_decompress_xz);
927 #endif
928 	if (ret == -ENOENT && nondirect)
929 		ret = firmware_fallback_platform(fw->priv);
930 
931 	if (ret) {
932 		if (!(opt_flags & FW_OPT_NO_WARN))
933 			dev_warn(device,
934 				 "Direct firmware load for %s failed with error %d\n",
935 				 name, ret);
936 		if (nondirect)
937 			ret = firmware_fallback_sysfs(fw, name, device,
938 						      opt_flags, ret);
939 	} else
940 		ret = assign_fw(fw, device);
941 
942 	revert_creds(old_cred);
943 	put_cred(kern_cred);
944 
945 out:
946 	if (ret < 0) {
947 		fw_abort_batch_reqs(fw);
948 		release_firmware(fw);
949 		fw = NULL;
950 	} else {
951 		fw_log_firmware_info(fw, name, device);
952 	}
953 
954 	*firmware_p = fw;
955 	return ret;
956 }
957 
958 /**
959  * request_firmware() - send firmware request and wait for it
960  * @firmware_p: pointer to firmware image
961  * @name: name of firmware file
962  * @device: device for which firmware is being loaded
963  *
964  *      @firmware_p will be used to return a firmware image by the name
965  *      of @name for device @device.
966  *
967  *      Should be called from user context where sleeping is allowed.
968  *
969  *      @name will be used as $FIRMWARE in the uevent environment and
970  *      should be distinctive enough not to be confused with any other
971  *      firmware image for this or any other device.
972  *	It must not contain any ".." path components - "foo/bar..bin" is
973  *	allowed, but "foo/../bar.bin" is not.
974  *
975  *	Caller must hold the reference count of @device.
976  *
977  *	The function can be called safely inside device's suspend and
978  *	resume callback.
979  **/
980 int
request_firmware(const struct firmware ** firmware_p,const char * name,struct device * device)981 request_firmware(const struct firmware **firmware_p, const char *name,
982 		 struct device *device)
983 {
984 	int ret;
985 
986 	/* Need to pin this module until return */
987 	__module_get(THIS_MODULE);
988 	ret = _request_firmware(firmware_p, name, device, NULL, 0, 0,
989 				FW_OPT_UEVENT);
990 	module_put(THIS_MODULE);
991 	return ret;
992 }
993 EXPORT_SYMBOL(request_firmware);
994 
995 /**
996  * firmware_request_nowarn() - request for an optional fw module
997  * @firmware: pointer to firmware image
998  * @name: name of firmware file
999  * @device: device for which firmware is being loaded
1000  *
1001  * This function is similar in behaviour to request_firmware(), except it
1002  * doesn't produce warning messages when the file is not found. The sysfs
1003  * fallback mechanism is enabled if direct filesystem lookup fails. However,
1004  * failures to find the firmware file with it are still suppressed. It is
1005  * therefore up to the driver to check for the return value of this call and to
1006  * decide when to inform the users of errors.
1007  **/
firmware_request_nowarn(const struct firmware ** firmware,const char * name,struct device * device)1008 int firmware_request_nowarn(const struct firmware **firmware, const char *name,
1009 			    struct device *device)
1010 {
1011 	int ret;
1012 
1013 	/* Need to pin this module until return */
1014 	__module_get(THIS_MODULE);
1015 	ret = _request_firmware(firmware, name, device, NULL, 0, 0,
1016 				FW_OPT_UEVENT | FW_OPT_NO_WARN);
1017 	module_put(THIS_MODULE);
1018 	return ret;
1019 }
1020 EXPORT_SYMBOL_GPL(firmware_request_nowarn);
1021 
1022 /**
1023  * request_firmware_direct() - load firmware directly without usermode helper
1024  * @firmware_p: pointer to firmware image
1025  * @name: name of firmware file
1026  * @device: device for which firmware is being loaded
1027  *
1028  * This function works pretty much like request_firmware(), but this doesn't
1029  * fall back to usermode helper even if the firmware couldn't be loaded
1030  * directly from fs.  Hence it's useful for loading optional firmwares, which
1031  * aren't always present, without extra long timeouts of udev.
1032  **/
request_firmware_direct(const struct firmware ** firmware_p,const char * name,struct device * device)1033 int request_firmware_direct(const struct firmware **firmware_p,
1034 			    const char *name, struct device *device)
1035 {
1036 	int ret;
1037 
1038 	__module_get(THIS_MODULE);
1039 	ret = _request_firmware(firmware_p, name, device, NULL, 0, 0,
1040 				FW_OPT_UEVENT | FW_OPT_NO_WARN |
1041 				FW_OPT_NOFALLBACK_SYSFS);
1042 	module_put(THIS_MODULE);
1043 	return ret;
1044 }
1045 EXPORT_SYMBOL_GPL(request_firmware_direct);
1046 
1047 /**
1048  * firmware_request_platform() - request firmware with platform-fw fallback
1049  * @firmware: pointer to firmware image
1050  * @name: name of firmware file
1051  * @device: device for which firmware is being loaded
1052  *
1053  * This function is similar in behaviour to request_firmware, except that if
1054  * direct filesystem lookup fails, it will fallback to looking for a copy of the
1055  * requested firmware embedded in the platform's main (e.g. UEFI) firmware.
1056  **/
firmware_request_platform(const struct firmware ** firmware,const char * name,struct device * device)1057 int firmware_request_platform(const struct firmware **firmware,
1058 			      const char *name, struct device *device)
1059 {
1060 	int ret;
1061 
1062 	/* Need to pin this module until return */
1063 	__module_get(THIS_MODULE);
1064 	ret = _request_firmware(firmware, name, device, NULL, 0, 0,
1065 				FW_OPT_UEVENT | FW_OPT_FALLBACK_PLATFORM);
1066 	module_put(THIS_MODULE);
1067 	return ret;
1068 }
1069 EXPORT_SYMBOL_GPL(firmware_request_platform);
1070 
1071 /**
1072  * firmware_request_cache() - cache firmware for suspend so resume can use it
1073  * @name: name of firmware file
1074  * @device: device for which firmware should be cached for
1075  *
1076  * There are some devices with an optimization that enables the device to not
1077  * require loading firmware on system reboot. This optimization may still
1078  * require the firmware present on resume from suspend. This routine can be
1079  * used to ensure the firmware is present on resume from suspend in these
1080  * situations. This helper is not compatible with drivers which use
1081  * request_firmware_into_buf() or request_firmware_nowait() with no uevent set.
1082  **/
firmware_request_cache(struct device * device,const char * name)1083 int firmware_request_cache(struct device *device, const char *name)
1084 {
1085 	int ret;
1086 
1087 	mutex_lock(&fw_lock);
1088 	ret = fw_add_devm_name(device, name);
1089 	mutex_unlock(&fw_lock);
1090 
1091 	return ret;
1092 }
1093 EXPORT_SYMBOL_GPL(firmware_request_cache);
1094 
1095 /**
1096  * request_firmware_into_buf() - load firmware into a previously allocated buffer
1097  * @firmware_p: pointer to firmware image
1098  * @name: name of firmware file
1099  * @device: device for which firmware is being loaded and DMA region allocated
1100  * @buf: address of buffer to load firmware into
1101  * @size: size of buffer
1102  *
1103  * This function works pretty much like request_firmware(), but it doesn't
1104  * allocate a buffer to hold the firmware data. Instead, the firmware
1105  * is loaded directly into the buffer pointed to by @buf and the @firmware_p
1106  * data member is pointed at @buf.
1107  *
1108  * This function doesn't cache firmware either.
1109  */
1110 int
request_firmware_into_buf(const struct firmware ** firmware_p,const char * name,struct device * device,void * buf,size_t size)1111 request_firmware_into_buf(const struct firmware **firmware_p, const char *name,
1112 			  struct device *device, void *buf, size_t size)
1113 {
1114 	int ret;
1115 
1116 	if (fw_cache_is_setup(device, name))
1117 		return -EOPNOTSUPP;
1118 
1119 	__module_get(THIS_MODULE);
1120 	ret = _request_firmware(firmware_p, name, device, buf, size, 0,
1121 				FW_OPT_UEVENT | FW_OPT_NOCACHE);
1122 	module_put(THIS_MODULE);
1123 	return ret;
1124 }
1125 EXPORT_SYMBOL(request_firmware_into_buf);
1126 
1127 /**
1128  * request_partial_firmware_into_buf() - load partial firmware into a previously allocated buffer
1129  * @firmware_p: pointer to firmware image
1130  * @name: name of firmware file
1131  * @device: device for which firmware is being loaded and DMA region allocated
1132  * @buf: address of buffer to load firmware into
1133  * @size: size of buffer
1134  * @offset: offset into file to read
1135  *
1136  * This function works pretty much like request_firmware_into_buf except
1137  * it allows a partial read of the file.
1138  */
1139 int
request_partial_firmware_into_buf(const struct firmware ** firmware_p,const char * name,struct device * device,void * buf,size_t size,size_t offset)1140 request_partial_firmware_into_buf(const struct firmware **firmware_p,
1141 				  const char *name, struct device *device,
1142 				  void *buf, size_t size, size_t offset)
1143 {
1144 	int ret;
1145 
1146 	if (fw_cache_is_setup(device, name))
1147 		return -EOPNOTSUPP;
1148 
1149 	__module_get(THIS_MODULE);
1150 	ret = _request_firmware(firmware_p, name, device, buf, size, offset,
1151 				FW_OPT_UEVENT | FW_OPT_NOCACHE |
1152 				FW_OPT_PARTIAL);
1153 	module_put(THIS_MODULE);
1154 	return ret;
1155 }
1156 EXPORT_SYMBOL(request_partial_firmware_into_buf);
1157 
1158 /**
1159  * release_firmware() - release the resource associated with a firmware image
1160  * @fw: firmware resource to release
1161  **/
release_firmware(const struct firmware * fw)1162 void release_firmware(const struct firmware *fw)
1163 {
1164 	if (fw) {
1165 		if (!firmware_is_builtin(fw))
1166 			firmware_free_data(fw);
1167 		kfree(fw);
1168 	}
1169 }
1170 EXPORT_SYMBOL(release_firmware);
1171 
1172 /* Async support */
1173 struct firmware_work {
1174 	struct work_struct work;
1175 	struct module *module;
1176 	const char *name;
1177 	struct device *device;
1178 	void *context;
1179 	void (*cont)(const struct firmware *fw, void *context);
1180 	u32 opt_flags;
1181 };
1182 
request_firmware_work_func(struct work_struct * work)1183 static void request_firmware_work_func(struct work_struct *work)
1184 {
1185 	struct firmware_work *fw_work;
1186 	const struct firmware *fw;
1187 
1188 	fw_work = container_of(work, struct firmware_work, work);
1189 
1190 	_request_firmware(&fw, fw_work->name, fw_work->device, NULL, 0, 0,
1191 			  fw_work->opt_flags);
1192 	fw_work->cont(fw, fw_work->context);
1193 	put_device(fw_work->device); /* taken in request_firmware_nowait() */
1194 
1195 	module_put(fw_work->module);
1196 	kfree_const(fw_work->name);
1197 	kfree(fw_work);
1198 }
1199 
1200 /**
1201  * request_firmware_nowait() - asynchronous version of request_firmware
1202  * @module: module requesting the firmware
1203  * @uevent: sends uevent to copy the firmware image if this flag
1204  *	is non-zero else the firmware copy must be done manually.
1205  * @name: name of firmware file
1206  * @device: device for which firmware is being loaded
1207  * @gfp: allocation flags
1208  * @context: will be passed over to @cont, and
1209  *	@fw may be %NULL if firmware request fails.
1210  * @cont: function will be called asynchronously when the firmware
1211  *	request is over.
1212  *
1213  *	Caller must hold the reference count of @device.
1214  *
1215  *	Asynchronous variant of request_firmware() for user contexts:
1216  *		- sleep for as small periods as possible since it may
1217  *		  increase kernel boot time of built-in device drivers
1218  *		  requesting firmware in their ->probe() methods, if
1219  *		  @gfp is GFP_KERNEL.
1220  *
1221  *		- can't sleep at all if @gfp is GFP_ATOMIC.
1222  **/
1223 int
request_firmware_nowait(struct module * module,bool uevent,const char * name,struct device * device,gfp_t gfp,void * context,void (* cont)(const struct firmware * fw,void * context))1224 request_firmware_nowait(
1225 	struct module *module, bool uevent,
1226 	const char *name, struct device *device, gfp_t gfp, void *context,
1227 	void (*cont)(const struct firmware *fw, void *context))
1228 {
1229 	struct firmware_work *fw_work;
1230 
1231 	fw_work = kzalloc(sizeof(struct firmware_work), gfp);
1232 	if (!fw_work)
1233 		return -ENOMEM;
1234 
1235 	fw_work->module = module;
1236 	fw_work->name = kstrdup_const(name, gfp);
1237 	if (!fw_work->name) {
1238 		kfree(fw_work);
1239 		return -ENOMEM;
1240 	}
1241 	fw_work->device = device;
1242 	fw_work->context = context;
1243 	fw_work->cont = cont;
1244 	fw_work->opt_flags = FW_OPT_NOWAIT |
1245 		(uevent ? FW_OPT_UEVENT : FW_OPT_USERHELPER);
1246 
1247 	if (!uevent && fw_cache_is_setup(device, name)) {
1248 		kfree_const(fw_work->name);
1249 		kfree(fw_work);
1250 		return -EOPNOTSUPP;
1251 	}
1252 
1253 	if (!try_module_get(module)) {
1254 		kfree_const(fw_work->name);
1255 		kfree(fw_work);
1256 		return -EFAULT;
1257 	}
1258 
1259 	get_device(fw_work->device);
1260 	INIT_WORK(&fw_work->work, request_firmware_work_func);
1261 	schedule_work(&fw_work->work);
1262 	return 0;
1263 }
1264 EXPORT_SYMBOL(request_firmware_nowait);
1265 
1266 #ifdef CONFIG_FW_CACHE
1267 static ASYNC_DOMAIN_EXCLUSIVE(fw_cache_domain);
1268 
1269 /**
1270  * cache_firmware() - cache one firmware image in kernel memory space
1271  * @fw_name: the firmware image name
1272  *
1273  * Cache firmware in kernel memory so that drivers can use it when
1274  * system isn't ready for them to request firmware image from userspace.
1275  * Once it returns successfully, driver can use request_firmware or its
1276  * nowait version to get the cached firmware without any interacting
1277  * with userspace
1278  *
1279  * Return 0 if the firmware image has been cached successfully
1280  * Return !0 otherwise
1281  *
1282  */
cache_firmware(const char * fw_name)1283 static int cache_firmware(const char *fw_name)
1284 {
1285 	int ret;
1286 	const struct firmware *fw;
1287 
1288 	pr_debug("%s: %s\n", __func__, fw_name);
1289 
1290 	ret = request_firmware(&fw, fw_name, NULL);
1291 	if (!ret)
1292 		kfree(fw);
1293 
1294 	pr_debug("%s: %s ret=%d\n", __func__, fw_name, ret);
1295 
1296 	return ret;
1297 }
1298 
lookup_fw_priv(const char * fw_name)1299 static struct fw_priv *lookup_fw_priv(const char *fw_name)
1300 {
1301 	struct fw_priv *tmp;
1302 	struct firmware_cache *fwc = &fw_cache;
1303 
1304 	spin_lock(&fwc->lock);
1305 	tmp = __lookup_fw_priv(fw_name);
1306 	spin_unlock(&fwc->lock);
1307 
1308 	return tmp;
1309 }
1310 
1311 /**
1312  * uncache_firmware() - remove one cached firmware image
1313  * @fw_name: the firmware image name
1314  *
1315  * Uncache one firmware image which has been cached successfully
1316  * before.
1317  *
1318  * Return 0 if the firmware cache has been removed successfully
1319  * Return !0 otherwise
1320  *
1321  */
uncache_firmware(const char * fw_name)1322 static int uncache_firmware(const char *fw_name)
1323 {
1324 	struct fw_priv *fw_priv;
1325 	struct firmware fw;
1326 
1327 	pr_debug("%s: %s\n", __func__, fw_name);
1328 
1329 	if (firmware_request_builtin(&fw, fw_name))
1330 		return 0;
1331 
1332 	fw_priv = lookup_fw_priv(fw_name);
1333 	if (fw_priv) {
1334 		free_fw_priv(fw_priv);
1335 		return 0;
1336 	}
1337 
1338 	return -EINVAL;
1339 }
1340 
alloc_fw_cache_entry(const char * name)1341 static struct fw_cache_entry *alloc_fw_cache_entry(const char *name)
1342 {
1343 	struct fw_cache_entry *fce;
1344 
1345 	fce = kzalloc(sizeof(*fce), GFP_ATOMIC);
1346 	if (!fce)
1347 		goto exit;
1348 
1349 	fce->name = kstrdup_const(name, GFP_ATOMIC);
1350 	if (!fce->name) {
1351 		kfree(fce);
1352 		fce = NULL;
1353 		goto exit;
1354 	}
1355 exit:
1356 	return fce;
1357 }
1358 
__fw_entry_found(const char * name)1359 static int __fw_entry_found(const char *name)
1360 {
1361 	struct firmware_cache *fwc = &fw_cache;
1362 	struct fw_cache_entry *fce;
1363 
1364 	list_for_each_entry(fce, &fwc->fw_names, list) {
1365 		if (!strcmp(fce->name, name))
1366 			return 1;
1367 	}
1368 	return 0;
1369 }
1370 
fw_cache_piggyback_on_request(struct fw_priv * fw_priv)1371 static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv)
1372 {
1373 	const char *name = fw_priv->fw_name;
1374 	struct firmware_cache *fwc = fw_priv->fwc;
1375 	struct fw_cache_entry *fce;
1376 
1377 	spin_lock(&fwc->name_lock);
1378 	if (__fw_entry_found(name))
1379 		goto found;
1380 
1381 	fce = alloc_fw_cache_entry(name);
1382 	if (fce) {
1383 		list_add(&fce->list, &fwc->fw_names);
1384 		kref_get(&fw_priv->ref);
1385 		pr_debug("%s: fw: %s\n", __func__, name);
1386 	}
1387 found:
1388 	spin_unlock(&fwc->name_lock);
1389 }
1390 
free_fw_cache_entry(struct fw_cache_entry * fce)1391 static void free_fw_cache_entry(struct fw_cache_entry *fce)
1392 {
1393 	kfree_const(fce->name);
1394 	kfree(fce);
1395 }
1396 
__async_dev_cache_fw_image(void * fw_entry,async_cookie_t cookie)1397 static void __async_dev_cache_fw_image(void *fw_entry,
1398 				       async_cookie_t cookie)
1399 {
1400 	struct fw_cache_entry *fce = fw_entry;
1401 	struct firmware_cache *fwc = &fw_cache;
1402 	int ret;
1403 
1404 	ret = cache_firmware(fce->name);
1405 	if (ret) {
1406 		spin_lock(&fwc->name_lock);
1407 		list_del(&fce->list);
1408 		spin_unlock(&fwc->name_lock);
1409 
1410 		free_fw_cache_entry(fce);
1411 	}
1412 }
1413 
1414 /* called with dev->devres_lock held */
dev_create_fw_entry(struct device * dev,void * res,void * data)1415 static void dev_create_fw_entry(struct device *dev, void *res,
1416 				void *data)
1417 {
1418 	struct fw_name_devm *fwn = res;
1419 	const char *fw_name = fwn->name;
1420 	struct list_head *head = data;
1421 	struct fw_cache_entry *fce;
1422 
1423 	fce = alloc_fw_cache_entry(fw_name);
1424 	if (fce)
1425 		list_add(&fce->list, head);
1426 }
1427 
devm_name_match(struct device * dev,void * res,void * match_data)1428 static int devm_name_match(struct device *dev, void *res,
1429 			   void *match_data)
1430 {
1431 	struct fw_name_devm *fwn = res;
1432 	return (fwn->magic == (unsigned long)match_data);
1433 }
1434 
dev_cache_fw_image(struct device * dev,void * data)1435 static void dev_cache_fw_image(struct device *dev, void *data)
1436 {
1437 	LIST_HEAD(todo);
1438 	struct fw_cache_entry *fce;
1439 	struct fw_cache_entry *fce_next;
1440 	struct firmware_cache *fwc = &fw_cache;
1441 
1442 	devres_for_each_res(dev, fw_name_devm_release,
1443 			    devm_name_match, &fw_cache,
1444 			    dev_create_fw_entry, &todo);
1445 
1446 	list_for_each_entry_safe(fce, fce_next, &todo, list) {
1447 		list_del(&fce->list);
1448 
1449 		spin_lock(&fwc->name_lock);
1450 		/* only one cache entry for one firmware */
1451 		if (!__fw_entry_found(fce->name)) {
1452 			list_add(&fce->list, &fwc->fw_names);
1453 		} else {
1454 			free_fw_cache_entry(fce);
1455 			fce = NULL;
1456 		}
1457 		spin_unlock(&fwc->name_lock);
1458 
1459 		if (fce)
1460 			async_schedule_domain(__async_dev_cache_fw_image,
1461 					      (void *)fce,
1462 					      &fw_cache_domain);
1463 	}
1464 }
1465 
__device_uncache_fw_images(void)1466 static void __device_uncache_fw_images(void)
1467 {
1468 	struct firmware_cache *fwc = &fw_cache;
1469 	struct fw_cache_entry *fce;
1470 
1471 	spin_lock(&fwc->name_lock);
1472 	while (!list_empty(&fwc->fw_names)) {
1473 		fce = list_entry(fwc->fw_names.next,
1474 				struct fw_cache_entry, list);
1475 		list_del(&fce->list);
1476 		spin_unlock(&fwc->name_lock);
1477 
1478 		uncache_firmware(fce->name);
1479 		free_fw_cache_entry(fce);
1480 
1481 		spin_lock(&fwc->name_lock);
1482 	}
1483 	spin_unlock(&fwc->name_lock);
1484 }
1485 
1486 /**
1487  * device_cache_fw_images() - cache devices' firmware
1488  *
1489  * If one device called request_firmware or its nowait version
1490  * successfully before, the firmware names are recored into the
1491  * device's devres link list, so device_cache_fw_images can call
1492  * cache_firmware() to cache these firmwares for the device,
1493  * then the device driver can load its firmwares easily at
1494  * time when system is not ready to complete loading firmware.
1495  */
device_cache_fw_images(void)1496 static void device_cache_fw_images(void)
1497 {
1498 	struct firmware_cache *fwc = &fw_cache;
1499 	DEFINE_WAIT(wait);
1500 
1501 	pr_debug("%s\n", __func__);
1502 
1503 	/* cancel uncache work */
1504 	cancel_delayed_work_sync(&fwc->work);
1505 
1506 	fw_fallback_set_cache_timeout();
1507 
1508 	mutex_lock(&fw_lock);
1509 	fwc->state = FW_LOADER_START_CACHE;
1510 	dpm_for_each_dev(NULL, dev_cache_fw_image);
1511 	mutex_unlock(&fw_lock);
1512 
1513 	/* wait for completion of caching firmware for all devices */
1514 	async_synchronize_full_domain(&fw_cache_domain);
1515 
1516 	fw_fallback_set_default_timeout();
1517 }
1518 
1519 /**
1520  * device_uncache_fw_images() - uncache devices' firmware
1521  *
1522  * uncache all firmwares which have been cached successfully
1523  * by device_uncache_fw_images earlier
1524  */
device_uncache_fw_images(void)1525 static void device_uncache_fw_images(void)
1526 {
1527 	pr_debug("%s\n", __func__);
1528 	__device_uncache_fw_images();
1529 }
1530 
device_uncache_fw_images_work(struct work_struct * work)1531 static void device_uncache_fw_images_work(struct work_struct *work)
1532 {
1533 	device_uncache_fw_images();
1534 }
1535 
1536 /**
1537  * device_uncache_fw_images_delay() - uncache devices firmwares
1538  * @delay: number of milliseconds to delay uncache device firmwares
1539  *
1540  * uncache all devices's firmwares which has been cached successfully
1541  * by device_cache_fw_images after @delay milliseconds.
1542  */
device_uncache_fw_images_delay(unsigned long delay)1543 static void device_uncache_fw_images_delay(unsigned long delay)
1544 {
1545 	queue_delayed_work(system_power_efficient_wq, &fw_cache.work,
1546 			   msecs_to_jiffies(delay));
1547 }
1548 
fw_pm_notify(struct notifier_block * notify_block,unsigned long mode,void * unused)1549 static int fw_pm_notify(struct notifier_block *notify_block,
1550 			unsigned long mode, void *unused)
1551 {
1552 	switch (mode) {
1553 	case PM_HIBERNATION_PREPARE:
1554 	case PM_SUSPEND_PREPARE:
1555 	case PM_RESTORE_PREPARE:
1556 		/*
1557 		 * kill pending fallback requests with a custom fallback
1558 		 * to avoid stalling suspend.
1559 		 */
1560 		kill_pending_fw_fallback_reqs(true);
1561 		device_cache_fw_images();
1562 		break;
1563 
1564 	case PM_POST_SUSPEND:
1565 	case PM_POST_HIBERNATION:
1566 	case PM_POST_RESTORE:
1567 		/*
1568 		 * In case that system sleep failed and syscore_suspend is
1569 		 * not called.
1570 		 */
1571 		mutex_lock(&fw_lock);
1572 		fw_cache.state = FW_LOADER_NO_CACHE;
1573 		mutex_unlock(&fw_lock);
1574 
1575 		device_uncache_fw_images_delay(10 * MSEC_PER_SEC);
1576 		break;
1577 	}
1578 
1579 	return 0;
1580 }
1581 
1582 /* stop caching firmware once syscore_suspend is reached */
fw_suspend(void)1583 static int fw_suspend(void)
1584 {
1585 	fw_cache.state = FW_LOADER_NO_CACHE;
1586 	return 0;
1587 }
1588 
1589 static struct syscore_ops fw_syscore_ops = {
1590 	.suspend = fw_suspend,
1591 };
1592 
register_fw_pm_ops(void)1593 static int __init register_fw_pm_ops(void)
1594 {
1595 	int ret;
1596 
1597 	spin_lock_init(&fw_cache.name_lock);
1598 	INIT_LIST_HEAD(&fw_cache.fw_names);
1599 
1600 	INIT_DELAYED_WORK(&fw_cache.work,
1601 			  device_uncache_fw_images_work);
1602 
1603 	fw_cache.pm_notify.notifier_call = fw_pm_notify;
1604 	ret = register_pm_notifier(&fw_cache.pm_notify);
1605 	if (ret)
1606 		return ret;
1607 
1608 	register_syscore_ops(&fw_syscore_ops);
1609 
1610 	return ret;
1611 }
1612 
unregister_fw_pm_ops(void)1613 static inline void unregister_fw_pm_ops(void)
1614 {
1615 	unregister_syscore_ops(&fw_syscore_ops);
1616 	unregister_pm_notifier(&fw_cache.pm_notify);
1617 }
1618 #else
fw_cache_piggyback_on_request(struct fw_priv * fw_priv)1619 static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv)
1620 {
1621 }
register_fw_pm_ops(void)1622 static inline int register_fw_pm_ops(void)
1623 {
1624 	return 0;
1625 }
unregister_fw_pm_ops(void)1626 static inline void unregister_fw_pm_ops(void)
1627 {
1628 }
1629 #endif
1630 
fw_cache_init(void)1631 static void __init fw_cache_init(void)
1632 {
1633 	spin_lock_init(&fw_cache.lock);
1634 	INIT_LIST_HEAD(&fw_cache.head);
1635 	fw_cache.state = FW_LOADER_NO_CACHE;
1636 }
1637 
fw_shutdown_notify(struct notifier_block * unused1,unsigned long unused2,void * unused3)1638 static int fw_shutdown_notify(struct notifier_block *unused1,
1639 			      unsigned long unused2, void *unused3)
1640 {
1641 	/*
1642 	 * Kill all pending fallback requests to avoid both stalling shutdown,
1643 	 * and avoid a deadlock with the usermode_lock.
1644 	 */
1645 	kill_pending_fw_fallback_reqs(false);
1646 
1647 	return NOTIFY_DONE;
1648 }
1649 
1650 static struct notifier_block fw_shutdown_nb = {
1651 	.notifier_call = fw_shutdown_notify,
1652 };
1653 
firmware_class_init(void)1654 static int __init firmware_class_init(void)
1655 {
1656 	int ret;
1657 
1658 	/* No need to unfold these on exit */
1659 	fw_cache_init();
1660 
1661 	ret = register_fw_pm_ops();
1662 	if (ret)
1663 		return ret;
1664 
1665 	ret = register_reboot_notifier(&fw_shutdown_nb);
1666 	if (ret)
1667 		goto out;
1668 
1669 	return register_sysfs_loader();
1670 
1671 out:
1672 	unregister_fw_pm_ops();
1673 	return ret;
1674 }
1675 
firmware_class_exit(void)1676 static void __exit firmware_class_exit(void)
1677 {
1678 	unregister_fw_pm_ops();
1679 	unregister_reboot_notifier(&fw_shutdown_nb);
1680 	unregister_sysfs_loader();
1681 }
1682 
1683 fs_initcall(firmware_class_init);
1684 module_exit(firmware_class_exit);
1685