1 // SPDX-License-Identifier: GPL-2.0
2 
3 #include <linux/types.h>
4 #include <linux/kconfig.h>
5 #include <linux/list.h>
6 #include <linux/slab.h>
7 #include <linux/security.h>
8 #include <linux/highmem.h>
9 #include <linux/umh.h>
10 #include <linux/sysctl.h>
11 
12 #include "fallback.h"
13 #include "firmware.h"
14 
15 /*
16  * firmware fallback mechanism
17  */
18 
19 extern struct firmware_fallback_config fw_fallback_config;
20 
/*
 * Single accessor for the configured loading timeout stored in
 * fw_fallback_config. The value is handled as an int throughout this file.
 */
static inline int __firmware_loading_timeout(void)
{
	int timeout = fw_fallback_config.loading_timeout;

	return timeout;
}
26 
/*
 * Single setter for the loading timeout in fw_fallback_config; the value is
 * stored as given, without any range check. The sysfs store handler in this
 * file clamps negative input to zero before calling this.
 */
static void __fw_fallback_set_timeout(int timeout)
{
	fw_fallback_config.loading_timeout = timeout;
}
32 
/*
 * Use a small loading timeout when caching devices' firmware: all of these
 * firmware images have been loaded successfully at least once, and the system
 * is ready to complete firmware loading now. The maximum size of firmware in
 * current distributions is about 2M bytes, so 10 secs should be enough.
 *
 * The timeout in effect beforehand is saved in old_timeout so that
 * fw_fallback_set_default_timeout() can put it back.
 */
void fw_fallback_set_cache_timeout(void)
{
	int current_timeout = __firmware_loading_timeout();

	fw_fallback_config.old_timeout = current_timeout;
	__fw_fallback_set_timeout(10);
}
44 
/*
 * Put back the timeout that fw_fallback_set_cache_timeout() saved in
 * old_timeout, i.e. the value last configured during normal operation.
 */
void fw_fallback_set_default_timeout(void)
{
	int saved_timeout = fw_fallback_config.old_timeout;

	__fw_fallback_set_timeout(saved_timeout);
}
50 
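/*
 * Convert the configured timeout (seconds) into jiffies.
 *
 * A timeout of zero or less means "wait forever" and is reported as
 * MAX_JIFFY_OFFSET. The value is written through sysfs and only clamped at
 * zero from below, so a very large number of seconds must not be allowed to
 * overflow the multiplication by HZ; such values are clamped to
 * MAX_JIFFY_OFFSET as well.
 */
static long firmware_loading_timeout(void)
{
	/* Read once so the test and the conversion see the same value. */
	int secs = __firmware_loading_timeout();

	if (secs <= 0)
		return MAX_JIFFY_OFFSET;

	/* secs * HZ would overflow (or exceed the maximum wait): clamp. */
	if (secs > MAX_JIFFY_OFFSET / HZ)
		return MAX_JIFFY_OFFSET;

	return (long)secs * HZ;
}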
56 
/* True when @fw_priv is in the FW_STATUS_DONE state. */
static inline bool fw_sysfs_done(struct fw_priv *fw_priv)
{
	bool done = __fw_state_check(fw_priv, FW_STATUS_DONE);

	return done;
}
61 
/* True when @fw_priv is in the FW_STATUS_LOADING state. */
static inline bool fw_sysfs_loading(struct fw_priv *fw_priv)
{
	bool loading = __fw_state_check(fw_priv, FW_STATUS_LOADING);

	return loading;
}
66 
/*
 * Wait on @fw_priv's state for at most @timeout; thin wrapper that hands
 * both arguments to __fw_state_wait_common() and returns its result.
 */
static inline int fw_sysfs_wait_timeout(struct fw_priv *fw_priv, long timeout)
{
	int rc = __fw_state_wait_common(fw_priv, timeout);

	return rc;
}
71 
/*
 * Per-request state behind one sysfs fallback device.
 *
 * The structure is allocated in fw_create_instance() and freed from the
 * device release callback (fw_dev_release()), so its lifetime follows the
 * reference count of the embedded @dev.
 */
struct fw_sysfs {
	/* set from FW_OPT_NOWAIT; reported to userspace as ASYNC= in the uevent */
	bool nowait;
	/* embedded device; to_fw_sysfs() recovers the container from it */
	struct device dev;
	/* firmware buffer state; assigned from firmware->priv by the caller */
	struct fw_priv *fw_priv;
	/* the firmware object this request was created for */
	struct firmware *fw;
};
78 
/*
 * Map a device pointer back to the fw_sysfs that embeds it. Only valid for
 * devices that really are the 'dev' member of a struct fw_sysfs.
 */
static struct fw_sysfs *to_fw_sysfs(struct device *dev)
{
	struct fw_sysfs *fw_sysfs = container_of(dev, struct fw_sysfs, dev);

	return fw_sysfs;
}
83 
/*
 * Abort a pending load: take @fw_priv off the pending list and mark it
 * aborted. A load that has already completed is left alone.
 *
 * Every caller visible in this file holds fw_lock around this call.
 */
static void __fw_load_abort(struct fw_priv *fw_priv)
{
	/*
	 * There is a small window in which user can write to 'loading'
	 * between loading done and disappearance of 'loading', so a
	 * finished load must not be turned into an aborted one here.
	 */
	if (!fw_sysfs_done(fw_priv)) {
		list_del_init(&fw_priv->pending_list);
		fw_state_aborted(fw_priv);
	}
}
96 
/* Abort the load attached to @fw_sysfs; see __fw_load_abort(). */
static void fw_load_abort(struct fw_sysfs *fw_sysfs)
{
	__fw_load_abort(fw_sysfs->fw_priv);
}
103 
/*
 * Loads currently waiting on the sysfs fallback. Entries are linked through
 * fw_priv->pending_list; additions and removals in this file happen with
 * fw_lock held.
 */
static LIST_HEAD(pending_fw_head);
105 
/*
 * Abort pending sysfs fallback requests.
 *
 * @only_kill_custom: when true, requests that asked for a uevent
 * (need_uevent set) are left pending and only the others are aborted;
 * when false, every pending request is aborted.
 *
 * The list is walked with the _safe iterator under fw_lock because
 * __fw_load_abort() unlinks the entry being visited.
 */
void kill_pending_fw_fallback_reqs(bool only_kill_custom)
{
	struct fw_priv *fw_priv, *next;

	mutex_lock(&fw_lock);
	list_for_each_entry_safe(fw_priv, next, &pending_fw_head,
				 pending_list) {
		if (only_kill_custom && fw_priv->need_uevent)
			continue;

		__fw_load_abort(fw_priv);
	}
	mutex_unlock(&fw_lock);
}
119 
/* sysfs show handler: print the configured loading timeout as a decimal. */
static ssize_t timeout_show(struct class *class, struct class_attribute *attr,
			    char *buf)
{
	int timeout = __firmware_loading_timeout();

	return sprintf(buf, "%d\n", timeout);
}
125 
/**
 * timeout_store - set number of seconds to wait for firmware
 * @class: device class pointer
 * @attr: device attribute pointer
 * @buf: buffer to scan for timeout value
 * @count: number of bytes in @buf
 *
 *	Sets the number of seconds to wait for the firmware.  Once
 *	this expires an error will be returned to the driver and no
 *	firmware will be provided.
 *
 *	Note: zero means 'wait forever'. Negative input is stored as zero.
 *
 *	The input is parsed with simple_strtol() and the result is not
 *	validated beyond the sign check: text that is not a number, trailing
 *	characters and out-of-range values are not reported to the writer,
 *	and @count is always returned.
 **/
static ssize_t timeout_store(struct class *class, struct class_attribute *attr,
			     const char *buf, size_t count)
{
	int requested = simple_strtol(buf, NULL, 10);

	__fw_fallback_set_timeout(requested < 0 ? 0 : requested);

	return count;
}
/* Class-wide read/write 'timeout' attribute, served by timeout_show()/timeout_store(). */
static CLASS_ATTR_RW(timeout);

/* Attributes exposed on the firmware class itself (NULL-terminated). */
static struct attribute *firmware_class_attrs[] = {
	&class_attr_timeout.attr,
	NULL,
};
/* Generates firmware_class_groups, referenced by firmware_class below. */
ATTRIBUTE_GROUPS(firmware_class);
158 
/*
 * Device release callback for the firmware class: frees the fw_sysfs that
 * embeds @dev. The fw_priv it points to is not released here.
 */
static void fw_dev_release(struct device *dev)
{
	kfree(to_fw_sysfs(dev));
}
165 
/*
 * Fill the uevent environment for a fallback request with FIRMWARE=<name>,
 * TIMEOUT=<configured timeout> and ASYNC=<nowait>.
 *
 * Dereferences fw_sysfs->fw_priv without checking it; firmware_uevent()
 * performs that check before calling.
 *
 * Return: 0 on success, -ENOMEM as soon as one variable cannot be added.
 */
static int do_firmware_uevent(struct fw_sysfs *fw_sysfs, struct kobj_uevent_env *env)
{
	if (add_uevent_var(env, "FIRMWARE=%s", fw_sysfs->fw_priv->fw_name) ||
	    add_uevent_var(env, "TIMEOUT=%i", __firmware_loading_timeout()) ||
	    add_uevent_var(env, "ASYNC=%d", fw_sysfs->nowait))
		return -ENOMEM;

	return 0;
}
177 
/*
 * Class uevent callback. With fw_lock held, adds the firmware request
 * variables to @env when the device still has a fw_priv attached; otherwise
 * nothing is added and 0 is returned.
 */
static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
{
	struct fw_sysfs *fw_sysfs = to_fw_sysfs(dev);
	int err;

	mutex_lock(&fw_lock);
	err = fw_sysfs->fw_priv ? do_firmware_uevent(fw_sysfs, env) : 0;
	mutex_unlock(&fw_lock);

	return err;
}
189 
/*
 * The "firmware" device class under which fallback devices are created.
 * Carries the class-level 'timeout' attribute group, the uevent callback
 * that describes a request to userspace, and the release callback that
 * frees the per-request fw_sysfs.
 */
static struct class firmware_class = {
	.name		= "firmware",
	.class_groups	= firmware_class_groups,
	.dev_uevent	= firmware_uevent,
	.dev_release	= fw_dev_release,
};
196 
/* Register the firmware class; returns whatever class_register() returns. */
int register_sysfs_loader(void)
{
	int ret = class_register(&firmware_class);

	return ret;
}
201 
/* Counterpart of register_sysfs_loader(): unregister the firmware class. */
void unregister_sysfs_loader(void)
{
	class_unregister(&firmware_class);
}
206 
/*
 * Show handler for the 'loading' file: prints 1 while the attached fw_priv
 * is in the loading state, 0 otherwise (including when no fw_priv is
 * attached). The state is sampled under fw_lock.
 */
static ssize_t firmware_loading_show(struct device *dev,
				     struct device_attribute *attr, char *buf)
{
	struct fw_sysfs *fw_sysfs = to_fw_sysfs(dev);
	struct fw_priv *fw_priv;
	int loading;

	mutex_lock(&fw_lock);
	fw_priv = fw_sysfs->fw_priv;
	loading = fw_priv ? fw_sysfs_loading(fw_priv) : 0;
	mutex_unlock(&fw_lock);

	return sprintf(buf, "%d\n", loading);
}
220 
/*
 * Some architectures don't have PAGE_KERNEL_RO. On those the fallback below
 * makes map_fw_priv_pages() map the completed firmware image with the
 * ordinary PAGE_KERNEL protection, so the read-only mapping of the image is
 * not available there.
 */
#ifndef PAGE_KERNEL_RO
#define PAGE_KERNEL_RO PAGE_KERNEL
#endif
225 
/*
 * Map the page array of a paged buffer into one contiguous, read-only
 * (PAGE_KERNEL_RO) kernel mapping and publish it in fw_priv->data. Any
 * previous mapping in fw_priv->data is dropped first. Buffers that are not
 * paged are left untouched.
 *
 * One pages buffer should be mapped/unmapped only once.
 *
 * Return: 0 on success or when there is nothing to map, -ENOMEM when vmap()
 * fails (fw_priv->data is NULL in that case).
 */
static int map_fw_priv_pages(struct fw_priv *fw_priv)
{
	if (fw_priv->is_paged_buf) {
		vunmap(fw_priv->data);
		fw_priv->data = vmap(fw_priv->pages, fw_priv->nr_pages, 0,
				     PAGE_KERNEL_RO);
		return fw_priv->data ? 0 : -ENOMEM;
	}

	return 0;
}
239 
/**
 * firmware_loading_store - set value in the 'loading' control file
 * @dev: device pointer
 * @attr: device attribute pointer
 * @buf: buffer to scan for loading control value
 * @count: number of bytes in @buf
 *
 *	The relevant values are:
 *
 *	 1: Start a load, discarding any previous partial load.
 *	 0: Conclude the load and hand the data to the driver code.
 *	-1: Conclude the load with an error and discard any written data.
 *
 *	Any other value, and a 0 written while no load is in progress, is
 *	logged and then handled like -1. Writes to a request that is already
 *	aborted are accepted and ignored.
 *
 *	Return: @count, or a negative error when concluding the load fails
 *	(mapping the pages, or the security_kernel_post_read_file() hook
 *	rejecting the image).
 **/
static ssize_t firmware_loading_store(struct device *dev,
				      struct device_attribute *attr,
				      const char *buf, size_t count)
{
	struct fw_sysfs *fw_sysfs = to_fw_sysfs(dev);
	struct fw_priv *fw_priv;
	ssize_t written = count;
	/* simple_strtol() reports no parse errors; non-numeric text reads as 0 */
	int loading = simple_strtol(buf, NULL, 10);
	int i;

	mutex_lock(&fw_lock);
	fw_priv = fw_sysfs->fw_priv;
	/*
	 * NOTE(review): fw_priv is used without a NULL check here, while
	 * firmware_loading_show() and the 'data' handlers test it first -
	 * confirm it cannot be NULL while this file is reachable.
	 */
	if (fw_state_is_aborted(fw_priv))
		goto out;

	switch (loading) {
	case 1:
		/* discarding any previous partial load */
		if (!fw_sysfs_done(fw_priv)) {
			for (i = 0; i < fw_priv->nr_pages; i++)
				__free_page(fw_priv->pages[i]);
			vfree(fw_priv->pages);
			fw_priv->pages = NULL;
			fw_priv->page_array_size = 0;
			fw_priv->nr_pages = 0;
			fw_state_start(fw_priv);
		}
		break;
	case 0:
		if (fw_sysfs_loading(fw_priv)) {
			int rc;

			/*
			 * Several loading requests may be pending on
			 * one same firmware buf, so let all requests
			 * see the mapped 'buf->data' once the loading
			 * is completed.
			 */
			rc = map_fw_priv_pages(fw_priv);
			if (rc)
				dev_err(dev, "%s: map pages failed\n",
					__func__);
			else
				/*
				 * Let the security hook inspect the image
				 * supplied by userspace before it is handed
				 * to the driver; a non-zero result aborts
				 * the load below.
				 */
				rc = security_kernel_post_read_file(NULL,
						fw_priv->data, fw_priv->size,
						READING_FIRMWARE);

			/*
			 * Same logic as fw_load_abort, only the DONE bit
			 * is ignored and we set ABORT only on failure.
			 */
			list_del_init(&fw_priv->pending_list);
			if (rc) {
				fw_state_aborted(fw_priv);
				written = rc;
			} else {
				fw_state_done(fw_priv);
			}
			break;
		}
		/* 0 without a load in progress: report it and abort */
		/* fallthrough */
	default:
		dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
		/* fallthrough */
	case -1:
		fw_load_abort(fw_sysfs);
		break;
	}
out:
	mutex_unlock(&fw_lock);
	return written;
}
325 
/*
 * 'loading' control file, mode 0644.
 * NOTE(review): unlike firmware_data_write(), the store handler makes no
 * capable() check of its own, so access control for starting, concluding or
 * aborting a load rests on the file mode - confirm that is intended.
 */
static DEVICE_ATTR(loading, 0644, firmware_loading_show, firmware_loading_store);
327 
/*
 * Copy @count bytes between @buffer and the contiguous firmware buffer
 * fw_priv->data at @offset; @read selects the direction (true: out of the
 * firmware buffer, false: into it).
 *
 * No bounds are checked here. The callers in this file validate @offset and
 * @count against the buffer before calling.
 */
static void firmware_rw_data(struct fw_priv *fw_priv, char *buffer,
			   loff_t offset, size_t count, bool read)
{
	if (!read) {
		memcpy(fw_priv->data + offset, buffer, count);
		return;
	}

	memcpy(buffer, fw_priv->data + offset, count);
}
336 
/*
 * Copy @count bytes between @buffer and the paged firmware buffer starting
 * at byte @offset, one page-sized chunk at a time; @read selects the
 * direction (true: out of the pages, false: into them). Each page is mapped
 * with kmap() only for the duration of its copy.
 *
 * The page index derived from @offset is not checked against the page
 * array; callers must ensure the whole range is backed by allocated pages.
 */
static void firmware_rw(struct fw_priv *fw_priv, char *buffer,
			loff_t offset, size_t count, bool read)
{
	while (count) {
		int page_nr = offset >> PAGE_SHIFT;
		int page_ofs = offset & (PAGE_SIZE-1);
		/* never cross a page boundary in one copy */
		int page_cnt = min_t(size_t, PAGE_SIZE - page_ofs, count);
		struct page *page = fw_priv->pages[page_nr];
		void *page_data = kmap(page);

		if (read)
			memcpy(buffer, page_data + page_ofs, page_cnt);
		else
			memcpy(page_data + page_ofs, buffer, page_cnt);

		kunmap(page);

		count -= page_cnt;
		offset += page_cnt;
		buffer += page_cnt;
	}
}
359 
/*
 * Read handler for the binary 'data' file: returns what has been written to
 * the firmware buffer so far.
 *
 * Runs under fw_lock. The request is refused with -ENODEV when no fw_priv is
 * attached or the load is already done. A read starting beyond the current
 * size returns 0, and @count is clamped so the copy never goes past
 * fw_priv->size.
 */
static ssize_t firmware_data_read(struct file *filp, struct kobject *kobj,
				  struct bin_attribute *bin_attr,
				  char *buffer, loff_t offset, size_t count)
{
	struct fw_sysfs *fw_sysfs = to_fw_sysfs(kobj_to_dev(kobj));
	struct fw_priv *fw_priv;
	ssize_t ret_count = -ENODEV;

	mutex_lock(&fw_lock);
	fw_priv = fw_sysfs->fw_priv;
	if (!fw_priv || fw_sysfs_done(fw_priv))
		goto out;

	ret_count = 0;
	if (offset > fw_priv->size)
		goto out;

	/* clamp to the bytes actually present */
	if (count > fw_priv->size - offset)
		count = fw_priv->size - offset;
	ret_count = count;

	/* contiguous buffer when data is set, page array otherwise */
	if (fw_priv->data)
		firmware_rw_data(fw_priv, buffer, offset, count, true);
	else
		firmware_rw(fw_priv, buffer, offset, count, true);

out:
	mutex_unlock(&fw_lock);
	return ret_count;
}
393 
/*
 * Make sure the paged buffer of @fw_sysfs can hold at least @min_size bytes.
 *
 * The page pointer array is grown (to the needed size, or double the current
 * size if that is larger) when it is too small, then pages are allocated
 * until nr_pages covers @min_size. On any allocation failure the load is
 * aborted and -ENOMEM returned; pages allocated so far stay recorded in
 * fw_priv.
 *
 * @min_size is an int: the caller is responsible for passing a value that
 * fits, since a truncated or negative size makes this function allocate
 * fewer pages than the caller expects.
 *
 * Return: 0 on success, -ENOMEM on allocation failure.
 */
static int fw_realloc_pages(struct fw_sysfs *fw_sysfs, int min_size)
{
	struct fw_priv *fw_priv = fw_sysfs->fw_priv;
	int pages_needed = PAGE_ALIGN(min_size) >> PAGE_SHIFT;

	/* If the array of pages is too small, grow it... */
	if (pages_needed > fw_priv->page_array_size) {
		int new_array_size = max(pages_needed,
					 fw_priv->page_array_size * 2);
		struct page **new_pages =
			vmalloc(new_array_size * sizeof(void *));

		if (!new_pages) {
			fw_load_abort(fw_sysfs);
			return -ENOMEM;
		}

		/* carry over the existing entries, zero the new tail */
		memcpy(new_pages, fw_priv->pages,
		       fw_priv->page_array_size * sizeof(void *));
		memset(&new_pages[fw_priv->page_array_size], 0, sizeof(void *) *
		       (new_array_size - fw_priv->page_array_size));
		vfree(fw_priv->pages);
		fw_priv->pages = new_pages;
		fw_priv->page_array_size = new_array_size;
	}

	/* ...then back every slot up to pages_needed with a real page */
	for (; fw_priv->nr_pages < pages_needed; fw_priv->nr_pages++) {
		struct page *page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM);

		fw_priv->pages[fw_priv->nr_pages] = page;
		if (!page) {
			fw_load_abort(fw_sysfs);
			return -ENOMEM;
		}
	}

	return 0;
}
431 
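/**
 * firmware_data_write - write method for firmware
 * @filp: open sysfs file
 * @kobj: kobject for the device
 * @bin_attr: bin_attr structure
 * @buffer: buffer being written
 * @offset: buffer offset for write in total data store area
 * @count: buffer size
 *
 *	Data written to the 'data' attribute will be later handed to
 *	the driver as a firmware image.
 *
 *	The writer must hold CAP_SYS_RAWIO. With a preallocated buffer the
 *	write has to fit within allocated_size; with a paged buffer the pages
 *	are grown on demand, and the end of the write must be representable
 *	in the int that fw_realloc_pages() takes.
 *
 *	Return: @count on success; -EPERM without the capability, -ENODEV
 *	when no load is attached or it is already done, -ENOMEM when the
 *	write does not fit the preallocated buffer or pages cannot be
 *	allocated, -EFBIG when the write ends beyond what the paged buffer
 *	can address.
 **/
static ssize_t firmware_data_write(struct file *filp, struct kobject *kobj,
				   struct bin_attribute *bin_attr,
				   char *buffer, loff_t offset, size_t count)
{
	struct device *dev = kobj_to_dev(kobj);
	struct fw_sysfs *fw_sysfs = to_fw_sysfs(dev);
	struct fw_priv *fw_priv;
	ssize_t retval;

	if (!capable(CAP_SYS_RAWIO))
		return -EPERM;

	mutex_lock(&fw_lock);
	fw_priv = fw_sysfs->fw_priv;
	if (!fw_priv || fw_sysfs_done(fw_priv)) {
		retval = -ENODEV;
		goto out;
	}

	if (fw_priv->data) {
		if (offset + count > fw_priv->allocated_size) {
			retval = -ENOMEM;
			goto out;
		}
		firmware_rw_data(fw_priv, buffer, offset, count, false);
		retval = count;
	} else {
		/*
		 * fw_realloc_pages() takes the end of the write as an int
		 * and page-aligns it. The 'data' attribute has size 0, so
		 * the offset is not bounded by a file size before it gets
		 * here; an end offset that does not fit would be truncated,
		 * too few pages would be allocated, and firmware_rw() would
		 * then index past the page array. Refuse such writes.
		 */
		if (offset < 0 || count > INT_MAX ||
		    offset > (loff_t)INT_MAX - (loff_t)PAGE_SIZE -
			     (loff_t)count) {
			retval = -EFBIG;
			goto out;
		}

		retval = fw_realloc_pages(fw_sysfs, offset + count);
		if (retval)
			goto out;

		retval = count;
		firmware_rw(fw_priv, buffer, offset, count, false);
	}

	/* the image size is the furthest byte written so far */
	fw_priv->size = max_t(size_t, offset + count, fw_priv->size);
out:
	mutex_unlock(&fw_lock);
	return retval;
}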
484 
/*
 * Binary 'data' file through which userspace supplies the firmware image.
 * Mode 0644; the write handler additionally requires CAP_SYS_RAWIO.
 * NOTE(review): .size is 0, which presumably means sysfs does not bound
 * read/write offsets against a fixed file size, leaving range checks to the
 * handlers - verify.
 */
static struct bin_attribute firmware_attr_data = {
	.attr = { .name = "data", .mode = 0644 },
	.size = 0,
	.read = firmware_data_read,
	.write = firmware_data_write,
};

/* Plain attributes of each fallback device: the 'loading' control file. */
static struct attribute *fw_dev_attrs[] = {
	&dev_attr_loading.attr,
	NULL
};

/* Binary attributes of each fallback device: the 'data' file. */
static struct bin_attribute *fw_dev_bin_attrs[] = {
	&firmware_attr_data,
	NULL
};

/* Group tying 'loading' and 'data' together. */
static const struct attribute_group fw_dev_attr_group = {
	.attrs = fw_dev_attrs,
	.bin_attrs = fw_dev_bin_attrs,
};

/* NULL-terminated group list installed on each device by fw_create_instance(). */
static const struct attribute_group *fw_dev_attr_groups[] = {
	&fw_dev_attr_group,
	NULL
};
511 
/*
 * Allocate and initialise the fw_sysfs for one fallback request.
 *
 * The embedded device is initialised (not yet added), named after @fw_name,
 * parented to @device and attached to the firmware class with the
 * 'loading'/'data' attribute groups. fw_priv is left NULL for the caller to
 * fill in. The return value of dev_set_name() is not checked.
 *
 * Return: the new fw_sysfs, or ERR_PTR(-ENOMEM) when allocation fails.
 */
static struct fw_sysfs *
fw_create_instance(struct firmware *firmware, const char *fw_name,
		   struct device *device, unsigned int opt_flags)
{
	struct fw_sysfs *fw_sysfs = kzalloc(sizeof(*fw_sysfs), GFP_KERNEL);
	struct device *f_dev;

	if (!fw_sysfs)
		return ERR_PTR(-ENOMEM);

	fw_sysfs->nowait = !!(opt_flags & FW_OPT_NOWAIT);
	fw_sysfs->fw = firmware;

	f_dev = &fw_sysfs->dev;
	device_initialize(f_dev);
	dev_set_name(f_dev, "%s", fw_name);
	f_dev->parent = device;
	f_dev->class = &firmware_class;
	f_dev->groups = fw_dev_attr_groups;

	return fw_sysfs;
}
537 
/**
 * fw_load_sysfs_fallback - load a firmware via the sysfs fallback mechanism
 * @fw_sysfs: firmware sysfs information for the firmware to load
 * @opt_flags: flags of options, FW_OPT_*
 * @timeout: timeout to wait for the load
 *
 * In charge of constructing a sysfs fallback interface for firmware loading.
 *
 * Adds the fallback device, queues the request on the pending list,
 * optionally emits the KOBJ_ADD uevent, then waits for userspace to finish
 * or abort the load. The device reference is dropped with put_device() on
 * every path, so the caller must not use @fw_sysfs after this returns.
 *
 * Return: 0 on success; the device_add() error; -EINTR or -EAGAIN when the
 * load ended up aborted; -ENOMEM when a paged buffer has no mapped data
 * after the wait.
 **/
static int fw_load_sysfs_fallback(struct fw_sysfs *fw_sysfs,
				  unsigned int opt_flags, long timeout)
{
	int retval = 0;
	struct device *f_dev = &fw_sysfs->dev;
	struct fw_priv *fw_priv = fw_sysfs->fw_priv;

	/* fall back on userspace loading */
	/* no preallocated buffer: userspace writes go to a page array */
	if (!fw_priv->data)
		fw_priv->is_paged_buf = true;

	/* keep device_add() quiet; the uevent is sent explicitly below */
	dev_set_uevent_suppress(f_dev, true);

	retval = device_add(f_dev);
	if (retval) {
		dev_err(f_dev, "%s: device_register failed\n", __func__);
		goto err_put_dev;
	}

	/*
	 * NOTE(review): fw_priv may be shared by several requests (see the
	 * comment in firmware_loading_store()); its state is not checked
	 * before it is queued here - confirm an already aborted fw_priv
	 * cannot be added to the pending list.
	 */
	mutex_lock(&fw_lock);
	list_add(&fw_priv->pending_list, &pending_fw_head);
	mutex_unlock(&fw_lock);

	if (opt_flags & FW_OPT_UEVENT) {
		fw_priv->need_uevent = true;
		dev_set_uevent_suppress(f_dev, false);
		dev_dbg(f_dev, "firmware: requesting %s\n", fw_priv->fw_name);
		kobject_uevent(&fw_sysfs->dev.kobj, KOBJ_ADD);
	} else {
		/* no uevent was sent: the configured timeout is not applied */
		timeout = MAX_JIFFY_OFFSET;
	}

	retval = fw_sysfs_wait_timeout(fw_priv, timeout);
	if (retval < 0) {
		mutex_lock(&fw_lock);
		fw_load_abort(fw_sysfs);
		mutex_unlock(&fw_lock);
	}

	/* translate the final state into the error reported to the caller */
	if (fw_state_is_aborted(fw_priv)) {
		if (retval == -ERESTARTSYS)
			retval = -EINTR;
		else
			retval = -EAGAIN;
	} else if (fw_priv->is_paged_buf && !fw_priv->data)
		retval = -ENOMEM;

	device_del(f_dev);
err_put_dev:
	put_device(f_dev);
	return retval;
}
598 
/*
 * Run one firmware request through the sysfs fallback.
 *
 * Takes the usermodehelper read lock first: asynchronous requests
 * (FW_OPT_NOWAIT) wait for it for up to the loading timeout and continue
 * with whatever time remains, synchronous ones only try once and warn on
 * failure. The lock is released again before returning on every path that
 * acquired it.
 *
 * fw_load_sysfs_fallback() drops the device reference of the fw_sysfs
 * created here, so fw_sysfs is not touched after that call.
 *
 * Return: 0 on success, -EBUSY when waiting for the lock timed out, or the
 * error from the lock, instance creation, the fallback load or assign_fw().
 */
static int fw_load_from_user_helper(struct firmware *firmware,
				    const char *name, struct device *device,
				    unsigned int opt_flags)
{
	long timeout = firmware_loading_timeout();
	struct fw_sysfs *fw_sysfs;
	int ret;

	if (!(opt_flags & FW_OPT_NOWAIT)) {
		ret = usermodehelper_read_trylock();
		if (WARN_ON(ret)) {
			dev_err(device, "firmware: %s will not be loaded\n",
				name);
			return ret;
		}
	} else {
		timeout = usermodehelper_read_lock_wait(timeout);
		if (!timeout) {
			dev_dbg(device, "firmware: %s loading timed out\n",
				name);
			return -EBUSY;
		}
	}

	fw_sysfs = fw_create_instance(firmware, name, device, opt_flags);
	if (IS_ERR(fw_sysfs)) {
		ret = PTR_ERR(fw_sysfs);
	} else {
		fw_sysfs->fw_priv = firmware->priv;
		ret = fw_load_sysfs_fallback(fw_sysfs, opt_flags, timeout);
		if (ret == 0)
			ret = assign_fw(firmware, device, opt_flags);
	}

	usermodehelper_read_unlock();

	return ret;
}
641 
/*
 * The fallback is used when it is forced globally through
 * fw_fallback_config.force_sysfs_fallback, or when the request itself
 * carries FW_OPT_USERHELPER.
 */
static bool fw_force_sysfs_fallback(unsigned int opt_flags)
{
	return fw_fallback_config.force_sysfs_fallback ||
	       (opt_flags & FW_OPT_USERHELPER);
}
650 
/*
 * Decide whether this request may use the sysfs fallback at all.
 *
 * The global ignore_sysfs_fallback knob wins over everything (logged once),
 * then a per-request FW_OPT_NOFALLBACK; only after both does the
 * force/FW_OPT_USERHELPER policy apply.
 */
static bool fw_run_sysfs_fallback(unsigned int opt_flags)
{
	if (fw_fallback_config.ignore_sysfs_fallback) {
		pr_info_once("Ignoring firmware sysfs fallback due to debugfs knob\n");
		return false;
	}

	return (opt_flags & FW_OPT_NOFALLBACK) ?
		false : fw_force_sysfs_fallback(opt_flags);
}
663 
/*
 * Entry point of the sysfs fallback.
 *
 * @ret is the result the caller already has; it is handed back unchanged
 * when the fallback is not to be used for this request. Otherwise a warning
 * is logged and the result of the userspace-assisted load is returned.
 */
int fw_sysfs_fallback(struct firmware *fw, const char *name,
		      struct device *device,
		      unsigned int opt_flags,
		      int ret)
{
	if (fw_run_sysfs_fallback(opt_flags)) {
		dev_warn(device, "Falling back to user helper\n");
		return fw_load_from_user_helper(fw, name, device, opt_flags);
	}

	return ret;
}
675