1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * dell_rbu.c 4 * Bios Update driver for Dell systems 5 * Author: Dell Inc 6 * Abhay Salunke <abhay_salunke@dell.com> 7 * 8 * Copyright (C) 2005 Dell Inc. 9 * 10 * Remote BIOS Update (rbu) driver is used for updating DELL BIOS by 11 * creating entries in the /sys file systems on Linux 2.6 and higher 12 * kernels. The driver supports two mechanism to update the BIOS namely 13 * contiguous and packetized. Both these methods still require having some 14 * application to set the CMOS bit indicating the BIOS to update itself 15 * after a reboot. 16 * 17 * Contiguous method: 18 * This driver writes the incoming data in a monolithic image by allocating 19 * contiguous physical pages large enough to accommodate the incoming BIOS 20 * image size. 21 * 22 * Packetized method: 23 * The driver writes the incoming packet image by allocating a new packet 24 * on every time the packet data is written. This driver requires an 25 * application to break the BIOS image in to fixed sized packet chunks. 26 * 27 * See Documentation/admin-guide/dell_rbu.rst for more info. 28 */ 29 30 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 31 32 #include <linux/init.h> 33 #include <linux/module.h> 34 #include <linux/slab.h> 35 #include <linux/string.h> 36 #include <linux/errno.h> 37 #include <linux/blkdev.h> 38 #include <linux/platform_device.h> 39 #include <linux/spinlock.h> 40 #include <linux/moduleparam.h> 41 #include <linux/firmware.h> 42 #include <linux/dma-mapping.h> 43 #include <asm/set_memory.h> 44 45 MODULE_AUTHOR("Abhay Salunke <abhay_salunke@dell.com>"); 46 MODULE_DESCRIPTION("Driver for updating BIOS image on DELL systems"); 47 MODULE_LICENSE("GPL"); 48 MODULE_VERSION("3.2"); 49 50 #define BIOS_SCAN_LIMIT 0xffffffff 51 #define MAX_IMAGE_LENGTH 16 52 static struct _rbu_data { 53 void *image_update_buffer; 54 unsigned long image_update_buffer_size; 55 unsigned long bios_image_size; 56 int image_update_ordernum; 57 spinlock_t lock; 58 unsigned long packet_read_count; 59 unsigned long num_packets; 60 unsigned long packetsize; 61 unsigned long imagesize; 62 int entry_created; 63 } rbu_data; 64 65 static char image_type[MAX_IMAGE_LENGTH + 1] = "mono"; 66 module_param_string(image_type, image_type, sizeof (image_type), 0); 67 MODULE_PARM_DESC(image_type, "BIOS image type. choose- mono or packet or init"); 68 69 static unsigned long allocation_floor = 0x100000; 70 module_param(allocation_floor, ulong, 0644); 71 MODULE_PARM_DESC(allocation_floor, "Minimum address for allocations when using Packet mode"); 72 73 struct packet_data { 74 struct list_head list; 75 size_t length; 76 void *data; 77 int ordernum; 78 }; 79 80 static struct packet_data packet_data_head; 81 82 static struct platform_device *rbu_device; 83 static int context; 84 85 static void init_packet_head(void) 86 { 87 INIT_LIST_HEAD(&packet_data_head.list); 88 rbu_data.packet_read_count = 0; 89 rbu_data.num_packets = 0; 90 rbu_data.packetsize = 0; 91 rbu_data.imagesize = 0; 92 } 93 94 static int create_packet(void *data, size_t length) 95 { 96 struct packet_data *newpacket; 97 int ordernum = 0; 98 int retval = 0; 99 unsigned int packet_array_size = 0; 100 void **invalid_addr_packet_array = NULL; 101 void *packet_data_temp_buf = NULL; 102 unsigned int idx = 0; 103 104 pr_debug("entry\n"); 105 106 if (!rbu_data.packetsize) { 107 pr_debug("packetsize not specified\n"); 108 retval = -EINVAL; 109 goto out_noalloc; 110 } 111 112 spin_unlock(&rbu_data.lock); 113 114 newpacket = kzalloc(sizeof (struct packet_data), GFP_KERNEL); 115 116 if (!newpacket) { 117 pr_warn("failed to allocate new packet\n"); 118 retval = -ENOMEM; 119 spin_lock(&rbu_data.lock); 120 goto out_noalloc; 121 } 122 123 ordernum = get_order(length); 124 125 /* 126 * BIOS errata mean we cannot allocate packets below 1MB or they will 127 * be overwritten by BIOS. 128 * 129 * array to temporarily hold packets 130 * that are below the allocation floor 131 * 132 * NOTE: very simplistic because we only need the floor to be at 1MB 133 * due to BIOS errata. This shouldn't be used for higher floors 134 * or you will run out of mem trying to allocate the array. 135 */ 136 packet_array_size = max_t(unsigned int, allocation_floor / rbu_data.packetsize, 1); 137 invalid_addr_packet_array = kcalloc(packet_array_size, sizeof(void *), 138 GFP_KERNEL); 139 140 if (!invalid_addr_packet_array) { 141 pr_warn("failed to allocate invalid_addr_packet_array\n"); 142 retval = -ENOMEM; 143 spin_lock(&rbu_data.lock); 144 goto out_alloc_packet; 145 } 146 147 while (!packet_data_temp_buf) { 148 packet_data_temp_buf = (unsigned char *) 149 __get_free_pages(GFP_KERNEL, ordernum); 150 if (!packet_data_temp_buf) { 151 pr_warn("failed to allocate new packet\n"); 152 retval = -ENOMEM; 153 spin_lock(&rbu_data.lock); 154 goto out_alloc_packet_array; 155 } 156 157 if ((unsigned long)virt_to_phys(packet_data_temp_buf) 158 < allocation_floor) { 159 pr_debug("packet 0x%lx below floor at 0x%lx\n", 160 (unsigned long)virt_to_phys( 161 packet_data_temp_buf), 162 allocation_floor); 163 invalid_addr_packet_array[idx++] = packet_data_temp_buf; 164 packet_data_temp_buf = NULL; 165 } 166 } 167 /* 168 * set to uncachable or it may never get written back before reboot 169 */ 170 set_memory_uc((unsigned long)packet_data_temp_buf, 1 << ordernum); 171 172 spin_lock(&rbu_data.lock); 173 174 newpacket->data = packet_data_temp_buf; 175 176 pr_debug("newpacket at physical addr %lx\n", 177 (unsigned long)virt_to_phys(newpacket->data)); 178 179 /* packets may not have fixed size */ 180 newpacket->length = length; 181 newpacket->ordernum = ordernum; 182 ++rbu_data.num_packets; 183 184 /* initialize the newly created packet headers */ 185 INIT_LIST_HEAD(&newpacket->list); 186 list_add_tail(&newpacket->list, &packet_data_head.list); 187 188 memcpy(newpacket->data, data, length); 189 190 pr_debug("exit\n"); 191 192 out_alloc_packet_array: 193 /* always free packet array */ 194 while (idx--) { 195 pr_debug("freeing unused packet below floor 0x%lx\n", 196 (unsigned long)virt_to_phys(invalid_addr_packet_array[idx])); 197 free_pages((unsigned long)invalid_addr_packet_array[idx], ordernum); 198 } 199 kfree(invalid_addr_packet_array); 200 201 out_alloc_packet: 202 /* if error, free data */ 203 if (retval) 204 kfree(newpacket); 205 206 out_noalloc: 207 return retval; 208 } 209 210 static int packetize_data(const u8 *data, size_t length) 211 { 212 int rc = 0; 213 int done = 0; 214 int packet_length; 215 u8 *temp; 216 u8 *end = (u8 *) data + length; 217 pr_debug("data length %zd\n", length); 218 if (!rbu_data.packetsize) { 219 pr_warn("packetsize not specified\n"); 220 return -EIO; 221 } 222 223 temp = (u8 *) data; 224 225 /* packetize the hunk */ 226 while (!done) { 227 if ((temp + rbu_data.packetsize) < end) 228 packet_length = rbu_data.packetsize; 229 else { 230 /* this is the last packet */ 231 packet_length = end - temp; 232 done = 1; 233 } 234 235 if ((rc = create_packet(temp, packet_length))) 236 return rc; 237 238 pr_debug("%p:%td\n", temp, (end - temp)); 239 temp += packet_length; 240 } 241 242 rbu_data.imagesize = length; 243 244 return rc; 245 } 246 247 static int do_packet_read(char *data, struct packet_data *newpacket, 248 int length, int bytes_read, int *list_read_count) 249 { 250 void *ptemp_buf; 251 int bytes_copied = 0; 252 int j = 0; 253 254 *list_read_count += newpacket->length; 255 256 if (*list_read_count > bytes_read) { 257 /* point to the start of unread data */ 258 j = newpacket->length - (*list_read_count - bytes_read); 259 /* point to the offset in the packet buffer */ 260 ptemp_buf = (u8 *) newpacket->data + j; 261 /* 262 * check if there is enough room in 263 * * the incoming buffer 264 */ 265 if (length > (*list_read_count - bytes_read)) 266 /* 267 * copy what ever is there in this 268 * packet and move on 269 */ 270 bytes_copied = (*list_read_count - bytes_read); 271 else 272 /* copy the remaining */ 273 bytes_copied = length; 274 memcpy(data, ptemp_buf, bytes_copied); 275 } 276 return bytes_copied; 277 } 278 279 static int packet_read_list(char *data, size_t * pread_length) 280 { 281 struct packet_data *newpacket; 282 int temp_count = 0; 283 int bytes_copied = 0; 284 int bytes_read = 0; 285 int remaining_bytes = 0; 286 char *pdest = data; 287 288 /* check if we have any packets */ 289 if (0 == rbu_data.num_packets) 290 return -ENOMEM; 291 292 remaining_bytes = *pread_length; 293 bytes_read = rbu_data.packet_read_count; 294 295 list_for_each_entry(newpacket, (&packet_data_head.list)->next, list) { 296 bytes_copied = do_packet_read(pdest, newpacket, 297 remaining_bytes, bytes_read, &temp_count); 298 remaining_bytes -= bytes_copied; 299 bytes_read += bytes_copied; 300 pdest += bytes_copied; 301 /* 302 * check if we reached end of buffer before reaching the 303 * last packet 304 */ 305 if (remaining_bytes == 0) 306 break; 307 } 308 /*finally set the bytes read */ 309 *pread_length = bytes_read - rbu_data.packet_read_count; 310 rbu_data.packet_read_count = bytes_read; 311 return 0; 312 } 313 314 static void packet_empty_list(void) 315 { 316 struct packet_data *newpacket, *tmp; 317 318 list_for_each_entry_safe(newpacket, tmp, (&packet_data_head.list)->next, list) { 319 list_del(&newpacket->list); 320 321 /* 322 * zero out the RBU packet memory before freeing 323 * to make sure there are no stale RBU packets left in memory 324 */ 325 memset(newpacket->data, 0, rbu_data.packetsize); 326 set_memory_wb((unsigned long)newpacket->data, 327 1 << newpacket->ordernum); 328 free_pages((unsigned long) newpacket->data, 329 newpacket->ordernum); 330 kfree(newpacket); 331 } 332 rbu_data.packet_read_count = 0; 333 rbu_data.num_packets = 0; 334 rbu_data.imagesize = 0; 335 } 336 337 /* 338 * img_update_free: Frees the buffer allocated for storing BIOS image 339 * Always called with lock held and returned with lock held 340 */ 341 static void img_update_free(void) 342 { 343 if (!rbu_data.image_update_buffer) 344 return; 345 /* 346 * zero out this buffer before freeing it to get rid of any stale 347 * BIOS image copied in memory. 348 */ 349 memset(rbu_data.image_update_buffer, 0, 350 rbu_data.image_update_buffer_size); 351 free_pages((unsigned long) rbu_data.image_update_buffer, 352 rbu_data.image_update_ordernum); 353 354 /* 355 * Re-initialize the rbu_data variables after a free 356 */ 357 rbu_data.image_update_ordernum = -1; 358 rbu_data.image_update_buffer = NULL; 359 rbu_data.image_update_buffer_size = 0; 360 rbu_data.bios_image_size = 0; 361 } 362 363 /* 364 * img_update_realloc: This function allocates the contiguous pages to 365 * accommodate the requested size of data. The memory address and size 366 * values are stored globally and on every call to this function the new 367 * size is checked to see if more data is required than the existing size. 368 * If true the previous memory is freed and new allocation is done to 369 * accommodate the new size. If the incoming size is less then than the 370 * already allocated size, then that memory is reused. This function is 371 * called with lock held and returns with lock held. 372 */ 373 static int img_update_realloc(unsigned long size) 374 { 375 unsigned char *image_update_buffer = NULL; 376 unsigned long img_buf_phys_addr; 377 int ordernum; 378 379 /* 380 * check if the buffer of sufficient size has been 381 * already allocated 382 */ 383 if (rbu_data.image_update_buffer_size >= size) { 384 /* 385 * check for corruption 386 */ 387 if ((size != 0) && (rbu_data.image_update_buffer == NULL)) { 388 pr_err("corruption check failed\n"); 389 return -EINVAL; 390 } 391 /* 392 * we have a valid pre-allocated buffer with 393 * sufficient size 394 */ 395 return 0; 396 } 397 398 /* 399 * free any previously allocated buffer 400 */ 401 img_update_free(); 402 403 spin_unlock(&rbu_data.lock); 404 405 ordernum = get_order(size); 406 image_update_buffer = 407 (unsigned char *)__get_free_pages(GFP_DMA32, ordernum); 408 spin_lock(&rbu_data.lock); 409 if (!image_update_buffer) { 410 pr_debug("Not enough memory for image update: size = %ld\n", size); 411 return -ENOMEM; 412 } 413 414 img_buf_phys_addr = (unsigned long)virt_to_phys(image_update_buffer); 415 if (WARN_ON_ONCE(img_buf_phys_addr > BIOS_SCAN_LIMIT)) 416 return -EINVAL; /* can't happen per definition */ 417 418 rbu_data.image_update_buffer = image_update_buffer; 419 rbu_data.image_update_buffer_size = size; 420 rbu_data.bios_image_size = rbu_data.image_update_buffer_size; 421 rbu_data.image_update_ordernum = ordernum; 422 return 0; 423 } 424 425 static ssize_t read_packet_data(char *buffer, loff_t pos, size_t count) 426 { 427 int retval; 428 size_t bytes_left; 429 size_t data_length; 430 char *ptempBuf = buffer; 431 432 /* check to see if we have something to return */ 433 if (rbu_data.num_packets == 0) { 434 pr_debug("no packets written\n"); 435 retval = -ENOMEM; 436 goto read_rbu_data_exit; 437 } 438 439 if (pos > rbu_data.imagesize) { 440 retval = 0; 441 pr_warn("data underrun\n"); 442 goto read_rbu_data_exit; 443 } 444 445 bytes_left = rbu_data.imagesize - pos; 446 data_length = min(bytes_left, count); 447 448 if ((retval = packet_read_list(ptempBuf, &data_length)) < 0) 449 goto read_rbu_data_exit; 450 451 if ((pos + count) > rbu_data.imagesize) { 452 rbu_data.packet_read_count = 0; 453 /* this was the last copy */ 454 retval = bytes_left; 455 } else 456 retval = count; 457 458 read_rbu_data_exit: 459 return retval; 460 } 461 462 static ssize_t read_rbu_mono_data(char *buffer, loff_t pos, size_t count) 463 { 464 /* check to see if we have something to return */ 465 if ((rbu_data.image_update_buffer == NULL) || 466 (rbu_data.bios_image_size == 0)) { 467 pr_debug("image_update_buffer %p, bios_image_size %lu\n", 468 rbu_data.image_update_buffer, 469 rbu_data.bios_image_size); 470 return -ENOMEM; 471 } 472 473 return memory_read_from_buffer(buffer, count, &pos, 474 rbu_data.image_update_buffer, rbu_data.bios_image_size); 475 } 476 477 static ssize_t data_read(struct file *filp, struct kobject *kobj, 478 struct bin_attribute *bin_attr, 479 char *buffer, loff_t pos, size_t count) 480 { 481 ssize_t ret_count = 0; 482 483 spin_lock(&rbu_data.lock); 484 485 if (!strcmp(image_type, "mono")) 486 ret_count = read_rbu_mono_data(buffer, pos, count); 487 else if (!strcmp(image_type, "packet")) 488 ret_count = read_packet_data(buffer, pos, count); 489 else 490 pr_debug("invalid image type specified\n"); 491 492 spin_unlock(&rbu_data.lock); 493 return ret_count; 494 } 495 static BIN_ATTR_RO(data, 0); 496 497 static void callbackfn_rbu(const struct firmware *fw, void *context) 498 { 499 rbu_data.entry_created = 0; 500 501 if (!fw) 502 return; 503 504 if (!fw->size) 505 goto out; 506 507 spin_lock(&rbu_data.lock); 508 if (!strcmp(image_type, "mono")) { 509 if (!img_update_realloc(fw->size)) 510 memcpy(rbu_data.image_update_buffer, 511 fw->data, fw->size); 512 } else if (!strcmp(image_type, "packet")) { 513 /* 514 * we need to free previous packets if a 515 * new hunk of packets needs to be downloaded 516 */ 517 packet_empty_list(); 518 if (packetize_data(fw->data, fw->size)) 519 /* Incase something goes wrong when we are 520 * in middle of packetizing the data, we 521 * need to free up whatever packets might 522 * have been created before we quit. 523 */ 524 packet_empty_list(); 525 } else 526 pr_debug("invalid image type specified\n"); 527 spin_unlock(&rbu_data.lock); 528 out: 529 release_firmware(fw); 530 } 531 532 static ssize_t image_type_read(struct file *filp, struct kobject *kobj, 533 struct bin_attribute *bin_attr, 534 char *buffer, loff_t pos, size_t count) 535 { 536 int size = 0; 537 if (!pos) 538 size = scnprintf(buffer, count, "%s\n", image_type); 539 return size; 540 } 541 542 static ssize_t image_type_write(struct file *filp, struct kobject *kobj, 543 struct bin_attribute *bin_attr, 544 char *buffer, loff_t pos, size_t count) 545 { 546 int rc = count; 547 int req_firm_rc = 0; 548 int i; 549 spin_lock(&rbu_data.lock); 550 /* 551 * Find the first newline or space 552 */ 553 for (i = 0; i < count; ++i) 554 if (buffer[i] == '\n' || buffer[i] == ' ') { 555 buffer[i] = '\0'; 556 break; 557 } 558 if (i == count) 559 buffer[count] = '\0'; 560 561 if (strstr(buffer, "mono")) 562 strcpy(image_type, "mono"); 563 else if (strstr(buffer, "packet")) 564 strcpy(image_type, "packet"); 565 else if (strstr(buffer, "init")) { 566 /* 567 * If due to the user error the driver gets in a bad 568 * state where even though it is loaded , the 569 * /sys/class/firmware/dell_rbu entries are missing. 570 * to cover this situation the user can recreate entries 571 * by writing init to image_type. 572 */ 573 if (!rbu_data.entry_created) { 574 spin_unlock(&rbu_data.lock); 575 req_firm_rc = request_firmware_nowait(THIS_MODULE, 576 FW_ACTION_NOHOTPLUG, "dell_rbu", 577 &rbu_device->dev, GFP_KERNEL, &context, 578 callbackfn_rbu); 579 if (req_firm_rc) { 580 pr_err("request_firmware_nowait failed %d\n", rc); 581 rc = -EIO; 582 } else 583 rbu_data.entry_created = 1; 584 585 spin_lock(&rbu_data.lock); 586 } 587 } else { 588 pr_warn("image_type is invalid\n"); 589 spin_unlock(&rbu_data.lock); 590 return -EINVAL; 591 } 592 593 /* we must free all previous allocations */ 594 packet_empty_list(); 595 img_update_free(); 596 spin_unlock(&rbu_data.lock); 597 598 return rc; 599 } 600 static BIN_ATTR_RW(image_type, 0); 601 602 static ssize_t packet_size_read(struct file *filp, struct kobject *kobj, 603 struct bin_attribute *bin_attr, 604 char *buffer, loff_t pos, size_t count) 605 { 606 int size = 0; 607 if (!pos) { 608 spin_lock(&rbu_data.lock); 609 size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize); 610 spin_unlock(&rbu_data.lock); 611 } 612 return size; 613 } 614 615 static ssize_t packet_size_write(struct file *filp, struct kobject *kobj, 616 struct bin_attribute *bin_attr, 617 char *buffer, loff_t pos, size_t count) 618 { 619 unsigned long temp; 620 spin_lock(&rbu_data.lock); 621 packet_empty_list(); 622 sscanf(buffer, "%lu", &temp); 623 if (temp < 0xffffffff) 624 rbu_data.packetsize = temp; 625 626 spin_unlock(&rbu_data.lock); 627 return count; 628 } 629 static BIN_ATTR_RW(packet_size, 0); 630 631 static struct bin_attribute *rbu_bin_attrs[] = { 632 &bin_attr_data, 633 &bin_attr_image_type, 634 &bin_attr_packet_size, 635 NULL 636 }; 637 638 static const struct attribute_group rbu_group = { 639 .bin_attrs = rbu_bin_attrs, 640 }; 641 642 static int __init dcdrbu_init(void) 643 { 644 int rc; 645 spin_lock_init(&rbu_data.lock); 646 647 init_packet_head(); 648 rbu_device = platform_device_register_simple("dell_rbu", -1, NULL, 0); 649 if (IS_ERR(rbu_device)) { 650 pr_err("platform_device_register_simple failed\n"); 651 return PTR_ERR(rbu_device); 652 } 653 654 rc = sysfs_create_group(&rbu_device->dev.kobj, &rbu_group); 655 if (rc) 656 goto out_devreg; 657 658 rbu_data.entry_created = 0; 659 return 0; 660 661 out_devreg: 662 platform_device_unregister(rbu_device); 663 return rc; 664 } 665 666 static __exit void dcdrbu_exit(void) 667 { 668 spin_lock(&rbu_data.lock); 669 packet_empty_list(); 670 img_update_free(); 671 spin_unlock(&rbu_data.lock); 672 sysfs_remove_group(&rbu_device->dev.kobj, &rbu_group); 673 platform_device_unregister(rbu_device); 674 } 675 676 module_exit(dcdrbu_exit); 677 module_init(dcdrbu_init); 678