1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * dell_rbu.c
4 * Bios Update driver for Dell systems
5 * Author: Dell Inc
6 * Abhay Salunke <abhay_salunke@dell.com>
7 *
8 * Copyright (C) 2005 Dell Inc.
9 *
10 * Remote BIOS Update (rbu) driver is used for updating DELL BIOS by
11 * creating entries in the /sys file systems on Linux 2.6 and higher
12 * kernels. The driver supports two mechanism to update the BIOS namely
13 * contiguous and packetized. Both these methods still require having some
14 * application to set the CMOS bit indicating the BIOS to update itself
15 * after a reboot.
16 *
17 * Contiguous method:
18 * This driver writes the incoming data in a monolithic image by allocating
19 * contiguous physical pages large enough to accommodate the incoming BIOS
20 * image size.
21 *
22 * Packetized method:
23 * The driver writes the incoming packet image by allocating a new packet
24 * on every time the packet data is written. This driver requires an
25 * application to break the BIOS image in to fixed sized packet chunks.
26 *
27 * See Documentation/admin-guide/dell_rbu.rst for more info.
28 */
29
30 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
31
32 #include <linux/init.h>
33 #include <linux/kstrtox.h>
34 #include <linux/module.h>
35 #include <linux/slab.h>
36 #include <linux/string.h>
37 #include <linux/errno.h>
38 #include <linux/blkdev.h>
39 #include <linux/platform_device.h>
40 #include <linux/spinlock.h>
41 #include <linux/moduleparam.h>
42 #include <linux/firmware.h>
43 #include <linux/dma-mapping.h>
44 #include <asm/set_memory.h>
45
46 MODULE_AUTHOR("Abhay Salunke <abhay_salunke@dell.com>");
47 MODULE_DESCRIPTION("Driver for updating BIOS image on DELL systems");
48 MODULE_LICENSE("GPL");
49 MODULE_VERSION("3.3");
50
51 #define BIOS_SCAN_LIMIT 0xffffffff
52 #define MAX_IMAGE_LENGTH 16
53 static struct _rbu_data {
54 void *image_update_buffer;
55 unsigned long image_update_buffer_size;
56 unsigned long bios_image_size;
57 int image_update_ordernum;
58 spinlock_t lock;
59 unsigned long packet_read_count;
60 unsigned long num_packets;
61 unsigned long packetsize;
62 unsigned long imagesize;
63 int entry_created;
64 } rbu_data;
65
66 static char image_type[MAX_IMAGE_LENGTH + 1] = "mono";
67 module_param_string(image_type, image_type, sizeof (image_type), 0);
68 MODULE_PARM_DESC(image_type, "BIOS image type. choose- mono or packet or init");
69
70 static unsigned long allocation_floor = 0x100000;
71 module_param(allocation_floor, ulong, 0644);
72 MODULE_PARM_DESC(allocation_floor, "Minimum address for allocations when using Packet mode");
73
74 struct packet_data {
75 struct list_head list;
76 size_t length;
77 void *data;
78 int ordernum;
79 };
80
81 static struct list_head packet_data_list;
82
83 static struct platform_device *rbu_device;
84 static int context;
85
init_packet_head(void)86 static void init_packet_head(void)
87 {
88 INIT_LIST_HEAD(&packet_data_list);
89 rbu_data.packet_read_count = 0;
90 rbu_data.num_packets = 0;
91 rbu_data.packetsize = 0;
92 rbu_data.imagesize = 0;
93 }
94
create_packet(void * data,size_t length)95 static int create_packet(void *data, size_t length) __must_hold(&rbu_data.lock)
96 {
97 struct packet_data *newpacket;
98 int ordernum = 0;
99 int retval = 0;
100 unsigned int packet_array_size = 0;
101 void **invalid_addr_packet_array = NULL;
102 void *packet_data_temp_buf = NULL;
103 unsigned int idx = 0;
104
105 pr_debug("entry\n");
106
107 if (!rbu_data.packetsize) {
108 pr_debug("packetsize not specified\n");
109 retval = -EINVAL;
110 goto out_noalloc;
111 }
112
113 spin_unlock(&rbu_data.lock);
114
115 newpacket = kzalloc_obj(struct packet_data);
116
117 if (!newpacket) {
118 pr_warn("failed to allocate new packet\n");
119 retval = -ENOMEM;
120 spin_lock(&rbu_data.lock);
121 goto out_noalloc;
122 }
123
124 ordernum = get_order(length);
125
126 /*
127 * BIOS errata mean we cannot allocate packets below 1MB or they will
128 * be overwritten by BIOS.
129 *
130 * array to temporarily hold packets
131 * that are below the allocation floor
132 *
133 * NOTE: very simplistic because we only need the floor to be at 1MB
134 * due to BIOS errata. This shouldn't be used for higher floors
135 * or you will run out of mem trying to allocate the array.
136 */
137 packet_array_size = max_t(unsigned int, allocation_floor / rbu_data.packetsize, 1);
138 invalid_addr_packet_array = kcalloc(packet_array_size, sizeof(void *),
139 GFP_KERNEL);
140
141 if (!invalid_addr_packet_array) {
142 pr_warn("failed to allocate invalid_addr_packet_array\n");
143 retval = -ENOMEM;
144 spin_lock(&rbu_data.lock);
145 goto out_alloc_packet;
146 }
147
148 while (!packet_data_temp_buf) {
149 packet_data_temp_buf = (unsigned char *)
150 __get_free_pages(GFP_KERNEL, ordernum);
151 if (!packet_data_temp_buf) {
152 pr_warn("failed to allocate new packet\n");
153 retval = -ENOMEM;
154 spin_lock(&rbu_data.lock);
155 goto out_alloc_packet_array;
156 }
157
158 if ((unsigned long)virt_to_phys(packet_data_temp_buf)
159 < allocation_floor) {
160 pr_debug("packet 0x%lx below floor at 0x%lx\n",
161 (unsigned long)virt_to_phys(
162 packet_data_temp_buf),
163 allocation_floor);
164 invalid_addr_packet_array[idx++] = packet_data_temp_buf;
165 packet_data_temp_buf = NULL;
166 }
167 }
168 /*
169 * set to uncachable or it may never get written back before reboot
170 */
171 set_memory_uc((unsigned long)packet_data_temp_buf, 1 << ordernum);
172
173 spin_lock(&rbu_data.lock);
174
175 newpacket->data = packet_data_temp_buf;
176
177 pr_debug("newpacket at physical addr %lx\n",
178 (unsigned long)virt_to_phys(newpacket->data));
179
180 /* packets may not have fixed size */
181 newpacket->length = length;
182 newpacket->ordernum = ordernum;
183 ++rbu_data.num_packets;
184
185 /* initialize the newly created packet headers */
186 INIT_LIST_HEAD(&newpacket->list);
187 list_add_tail(&newpacket->list, &packet_data_list);
188
189 memcpy(newpacket->data, data, length);
190
191 pr_debug("exit\n");
192
193 out_alloc_packet_array:
194 /* always free packet array */
195 while (idx--) {
196 pr_debug("freeing unused packet below floor 0x%lx\n",
197 (unsigned long)virt_to_phys(invalid_addr_packet_array[idx]));
198 free_pages((unsigned long)invalid_addr_packet_array[idx], ordernum);
199 }
200 kfree(invalid_addr_packet_array);
201
202 out_alloc_packet:
203 /* if error, free data */
204 if (retval)
205 kfree(newpacket);
206
207 out_noalloc:
208 return retval;
209 }
210
packetize_data(const u8 * data,size_t length)211 static int packetize_data(const u8 *data, size_t length)
212 {
213 int rc = 0;
214 int done = 0;
215 int packet_length;
216 u8 *temp;
217 u8 *end = (u8 *) data + length;
218 pr_debug("data length %zd\n", length);
219 if (!rbu_data.packetsize) {
220 pr_warn("packetsize not specified\n");
221 return -EIO;
222 }
223
224 temp = (u8 *) data;
225
226 /* packetize the hunk */
227 while (!done) {
228 if ((temp + rbu_data.packetsize) < end)
229 packet_length = rbu_data.packetsize;
230 else {
231 /* this is the last packet */
232 packet_length = end - temp;
233 done = 1;
234 }
235
236 rc = create_packet(temp, packet_length);
237 if (rc)
238 return rc;
239
240 pr_debug("%p:%td\n", temp, (end - temp));
241 temp += packet_length;
242 }
243
244 rbu_data.imagesize = length;
245
246 return rc;
247 }
248
do_packet_read(char * data,struct packet_data * newpacket,int length,int bytes_read,int * list_read_count)249 static int do_packet_read(char *data, struct packet_data *newpacket,
250 int length, int bytes_read, int *list_read_count)
251 {
252 void *ptemp_buf;
253 int bytes_copied = 0;
254 int j = 0;
255
256 *list_read_count += newpacket->length;
257
258 if (*list_read_count > bytes_read) {
259 /* point to the start of unread data */
260 j = newpacket->length - (*list_read_count - bytes_read);
261 /* point to the offset in the packet buffer */
262 ptemp_buf = (u8 *) newpacket->data + j;
263 /*
264 * check if there is enough room in
265 * * the incoming buffer
266 */
267 if (length > (*list_read_count - bytes_read))
268 /*
269 * copy what ever is there in this
270 * packet and move on
271 */
272 bytes_copied = (*list_read_count - bytes_read);
273 else
274 /* copy the remaining */
275 bytes_copied = length;
276 memcpy(data, ptemp_buf, bytes_copied);
277 }
278 return bytes_copied;
279 }
280
packet_read_list(char * data,size_t * pread_length)281 static int packet_read_list(char *data, size_t *pread_length)
282 {
283 struct packet_data *newpacket;
284 int temp_count = 0;
285 int bytes_copied = 0;
286 int bytes_read = 0;
287 int remaining_bytes = 0;
288 char *pdest = data;
289
290 /* check if we have any packets */
291 if (0 == rbu_data.num_packets)
292 return -ENOMEM;
293
294 remaining_bytes = *pread_length;
295 bytes_read = rbu_data.packet_read_count;
296
297 list_for_each_entry(newpacket, &packet_data_list, list) {
298 bytes_copied = do_packet_read(pdest, newpacket,
299 remaining_bytes, bytes_read, &temp_count);
300 remaining_bytes -= bytes_copied;
301 bytes_read += bytes_copied;
302 pdest += bytes_copied;
303 /*
304 * check if we reached end of buffer before reaching the
305 * last packet
306 */
307 if (remaining_bytes == 0)
308 break;
309 }
310 /*finally set the bytes read */
311 *pread_length = bytes_read - rbu_data.packet_read_count;
312 rbu_data.packet_read_count = bytes_read;
313 return 0;
314 }
315
packet_empty_list(void)316 static void packet_empty_list(void)
317 {
318 struct packet_data *newpacket, *tmp;
319
320 list_for_each_entry_safe(newpacket, tmp, &packet_data_list, list) {
321 list_del(&newpacket->list);
322
323 /*
324 * zero out the RBU packet memory before freeing
325 * to make sure there are no stale RBU packets left in memory
326 */
327 memset(newpacket->data, 0, newpacket->length);
328 set_memory_wb((unsigned long)newpacket->data,
329 1 << newpacket->ordernum);
330 free_pages((unsigned long) newpacket->data,
331 newpacket->ordernum);
332 kfree(newpacket);
333 }
334 rbu_data.packet_read_count = 0;
335 rbu_data.num_packets = 0;
336 rbu_data.imagesize = 0;
337 }
338
339 /*
340 * img_update_free: Frees the buffer allocated for storing BIOS image
341 * Always called with lock held and returned with lock held
342 */
img_update_free(void)343 static void img_update_free(void)
344 {
345 if (!rbu_data.image_update_buffer)
346 return;
347 /*
348 * zero out this buffer before freeing it to get rid of any stale
349 * BIOS image copied in memory.
350 */
351 memset(rbu_data.image_update_buffer, 0,
352 rbu_data.image_update_buffer_size);
353 free_pages((unsigned long) rbu_data.image_update_buffer,
354 rbu_data.image_update_ordernum);
355
356 /*
357 * Re-initialize the rbu_data variables after a free
358 */
359 rbu_data.image_update_ordernum = -1;
360 rbu_data.image_update_buffer = NULL;
361 rbu_data.image_update_buffer_size = 0;
362 rbu_data.bios_image_size = 0;
363 }
364
365 /*
366 * img_update_realloc: This function allocates the contiguous pages to
367 * accommodate the requested size of data. The memory address and size
368 * values are stored globally and on every call to this function the new
369 * size is checked to see if more data is required than the existing size.
370 * If true the previous memory is freed and new allocation is done to
371 * accommodate the new size. If the incoming size is less then than the
372 * already allocated size, then that memory is reused. This function is
373 * called with lock held and returns with lock held.
374 */
img_update_realloc(unsigned long size)375 static int img_update_realloc(unsigned long size)
376 {
377 unsigned char *image_update_buffer = NULL;
378 unsigned long img_buf_phys_addr;
379 int ordernum;
380
381 /*
382 * check if the buffer of sufficient size has been
383 * already allocated
384 */
385 if (rbu_data.image_update_buffer_size >= size) {
386 /*
387 * check for corruption
388 */
389 if ((size != 0) && (rbu_data.image_update_buffer == NULL)) {
390 pr_err("corruption check failed\n");
391 return -EINVAL;
392 }
393 /*
394 * we have a valid pre-allocated buffer with
395 * sufficient size
396 */
397 return 0;
398 }
399
400 /*
401 * free any previously allocated buffer
402 */
403 img_update_free();
404
405 spin_unlock(&rbu_data.lock);
406
407 ordernum = get_order(size);
408 image_update_buffer =
409 (unsigned char *)__get_free_pages(GFP_DMA32, ordernum);
410 spin_lock(&rbu_data.lock);
411 if (!image_update_buffer) {
412 pr_debug("Not enough memory for image update: size = %ld\n", size);
413 return -ENOMEM;
414 }
415
416 img_buf_phys_addr = (unsigned long)virt_to_phys(image_update_buffer);
417 if (WARN_ON_ONCE(img_buf_phys_addr > BIOS_SCAN_LIMIT))
418 return -EINVAL; /* can't happen per definition */
419
420 rbu_data.image_update_buffer = image_update_buffer;
421 rbu_data.image_update_buffer_size = size;
422 rbu_data.bios_image_size = rbu_data.image_update_buffer_size;
423 rbu_data.image_update_ordernum = ordernum;
424 return 0;
425 }
426
read_packet_data(char * buffer,loff_t pos,size_t count)427 static ssize_t read_packet_data(char *buffer, loff_t pos, size_t count)
428 {
429 int retval;
430 size_t bytes_left;
431 size_t data_length;
432 char *ptempBuf = buffer;
433
434 /* check to see if we have something to return */
435 if (rbu_data.num_packets == 0) {
436 pr_debug("no packets written\n");
437 retval = -ENOMEM;
438 goto read_rbu_data_exit;
439 }
440
441 if (pos > rbu_data.imagesize) {
442 retval = 0;
443 pr_warn("data underrun\n");
444 goto read_rbu_data_exit;
445 }
446
447 bytes_left = rbu_data.imagesize - pos;
448 data_length = min(bytes_left, count);
449
450 retval = packet_read_list(ptempBuf, &data_length);
451 if (retval < 0)
452 goto read_rbu_data_exit;
453
454 if ((pos + count) > rbu_data.imagesize) {
455 rbu_data.packet_read_count = 0;
456 /* this was the last copy */
457 retval = bytes_left;
458 } else
459 retval = count;
460
461 read_rbu_data_exit:
462 return retval;
463 }
464
read_rbu_mono_data(char * buffer,loff_t pos,size_t count)465 static ssize_t read_rbu_mono_data(char *buffer, loff_t pos, size_t count)
466 {
467 /* check to see if we have something to return */
468 if ((rbu_data.image_update_buffer == NULL) ||
469 (rbu_data.bios_image_size == 0)) {
470 pr_debug("image_update_buffer %p, bios_image_size %lu\n",
471 rbu_data.image_update_buffer,
472 rbu_data.bios_image_size);
473 return -ENOMEM;
474 }
475
476 return memory_read_from_buffer(buffer, count, &pos,
477 rbu_data.image_update_buffer, rbu_data.bios_image_size);
478 }
479
data_read(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)480 static ssize_t data_read(struct file *filp, struct kobject *kobj,
481 const struct bin_attribute *bin_attr,
482 char *buffer, loff_t pos, size_t count)
483 {
484 ssize_t ret_count = 0;
485
486 spin_lock(&rbu_data.lock);
487
488 if (!strcmp(image_type, "mono"))
489 ret_count = read_rbu_mono_data(buffer, pos, count);
490 else if (!strcmp(image_type, "packet"))
491 ret_count = read_packet_data(buffer, pos, count);
492 else
493 pr_debug("invalid image type specified\n");
494
495 spin_unlock(&rbu_data.lock);
496 return ret_count;
497 }
498 static const BIN_ATTR_RO(data, 0);
499
callbackfn_rbu(const struct firmware * fw,void * context)500 static void callbackfn_rbu(const struct firmware *fw, void *context)
501 {
502 rbu_data.entry_created = 0;
503
504 if (!fw)
505 return;
506
507 if (!fw->size)
508 goto out;
509
510 spin_lock(&rbu_data.lock);
511 if (!strcmp(image_type, "mono")) {
512 if (!img_update_realloc(fw->size))
513 memcpy(rbu_data.image_update_buffer,
514 fw->data, fw->size);
515 } else if (!strcmp(image_type, "packet")) {
516 /*
517 * we need to free previous packets if a
518 * new hunk of packets needs to be downloaded
519 */
520 packet_empty_list();
521 if (packetize_data(fw->data, fw->size))
522 /* Incase something goes wrong when we are
523 * in middle of packetizing the data, we
524 * need to free up whatever packets might
525 * have been created before we quit.
526 */
527 packet_empty_list();
528 } else
529 pr_debug("invalid image type specified\n");
530 spin_unlock(&rbu_data.lock);
531 out:
532 release_firmware(fw);
533 }
534
image_type_read(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)535 static ssize_t image_type_read(struct file *filp, struct kobject *kobj,
536 const struct bin_attribute *bin_attr,
537 char *buffer, loff_t pos, size_t count)
538 {
539 int size = 0;
540 if (!pos)
541 size = scnprintf(buffer, count, "%s\n", image_type);
542 return size;
543 }
544
image_type_write(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)545 static ssize_t image_type_write(struct file *filp, struct kobject *kobj,
546 const struct bin_attribute *bin_attr,
547 char *buffer, loff_t pos, size_t count)
548 {
549 int rc = count;
550 int req_firm_rc = 0;
551 int i;
552 spin_lock(&rbu_data.lock);
553 /*
554 * Find the first newline or space
555 */
556 for (i = 0; i < count; ++i)
557 if (buffer[i] == '\n' || buffer[i] == ' ') {
558 buffer[i] = '\0';
559 break;
560 }
561 if (i == count)
562 buffer[count] = '\0';
563
564 if (strstr(buffer, "mono"))
565 strcpy(image_type, "mono");
566 else if (strstr(buffer, "packet"))
567 strcpy(image_type, "packet");
568 else if (strstr(buffer, "init")) {
569 /*
570 * If due to the user error the driver gets in a bad
571 * state where even though it is loaded , the
572 * /sys/class/firmware/dell_rbu entries are missing.
573 * to cover this situation the user can recreate entries
574 * by writing init to image_type.
575 */
576 if (!rbu_data.entry_created) {
577 spin_unlock(&rbu_data.lock);
578 req_firm_rc = request_firmware_nowait(THIS_MODULE,
579 FW_ACTION_NOUEVENT, "dell_rbu",
580 &rbu_device->dev, GFP_KERNEL, &context,
581 callbackfn_rbu);
582 if (req_firm_rc) {
583 pr_err("request_firmware_nowait failed %d\n", rc);
584 rc = -EIO;
585 } else
586 rbu_data.entry_created = 1;
587
588 spin_lock(&rbu_data.lock);
589 }
590 } else {
591 pr_warn("image_type is invalid\n");
592 spin_unlock(&rbu_data.lock);
593 return -EINVAL;
594 }
595
596 /* we must free all previous allocations */
597 packet_empty_list();
598 img_update_free();
599 spin_unlock(&rbu_data.lock);
600
601 return rc;
602 }
603 static const BIN_ATTR_RW(image_type, 0);
604
packet_size_read(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)605 static ssize_t packet_size_read(struct file *filp, struct kobject *kobj,
606 const struct bin_attribute *bin_attr,
607 char *buffer, loff_t pos, size_t count)
608 {
609 int size = 0;
610 if (!pos) {
611 spin_lock(&rbu_data.lock);
612 size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
613 spin_unlock(&rbu_data.lock);
614 }
615 return size;
616 }
617
packet_size_write(struct file * filp,struct kobject * kobj,const struct bin_attribute * bin_attr,char * buffer,loff_t pos,size_t count)618 static ssize_t packet_size_write(struct file *filp, struct kobject *kobj,
619 const struct bin_attribute *bin_attr,
620 char *buffer, loff_t pos, size_t count)
621 {
622 unsigned long temp;
623
624 if (kstrtoul(buffer, 10, &temp))
625 return -EINVAL;
626
627 spin_lock(&rbu_data.lock);
628 packet_empty_list();
629 if (temp < 0xffffffff)
630 rbu_data.packetsize = temp;
631
632 spin_unlock(&rbu_data.lock);
633 return count;
634 }
635 static const BIN_ATTR_RW(packet_size, 0);
636
637 static const struct bin_attribute *const rbu_bin_attrs[] = {
638 &bin_attr_data,
639 &bin_attr_image_type,
640 &bin_attr_packet_size,
641 NULL
642 };
643
644 static const struct attribute_group rbu_group = {
645 .bin_attrs = rbu_bin_attrs,
646 };
647
dcdrbu_init(void)648 static int __init dcdrbu_init(void)
649 {
650 int rc;
651 spin_lock_init(&rbu_data.lock);
652
653 init_packet_head();
654 rbu_device = platform_device_register_simple("dell_rbu", PLATFORM_DEVID_NONE, NULL, 0);
655 if (IS_ERR(rbu_device)) {
656 pr_err("platform_device_register_simple failed\n");
657 return PTR_ERR(rbu_device);
658 }
659
660 rc = sysfs_create_group(&rbu_device->dev.kobj, &rbu_group);
661 if (rc)
662 goto out_devreg;
663
664 rbu_data.entry_created = 0;
665 return 0;
666
667 out_devreg:
668 platform_device_unregister(rbu_device);
669 return rc;
670 }
671
dcdrbu_exit(void)672 static __exit void dcdrbu_exit(void)
673 {
674 spin_lock(&rbu_data.lock);
675 packet_empty_list();
676 img_update_free();
677 spin_unlock(&rbu_data.lock);
678 sysfs_remove_group(&rbu_device->dev.kobj, &rbu_group);
679 platform_device_unregister(rbu_device);
680 }
681
682 module_exit(dcdrbu_exit);
683 module_init(dcdrbu_init);
684