1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2005-2008, Sam Leffler <sam@errno.com> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice unmodified, this list of conditions, and the following 12 * disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#include <sys/param.h> 30#include <sys/errno.h> 31#include <sys/eventhandler.h> 32#include <sys/fcntl.h> 33#include <sys/firmware.h> 34#include <sys/kernel.h> 35#include <sys/linker.h> 36#include <sys/lock.h> 37#include <sys/malloc.h> 38#include <sys/module.h> 39#include <sys/mutex.h> 40#include <sys/namei.h> 41#include <sys/priv.h> 42#include <sys/proc.h> 43#include <sys/queue.h> 44#include <sys/sbuf.h> 45#include <sys/sysctl.h> 46#include <sys/systm.h> 47#include <sys/taskqueue.h> 48 49#include <sys/filedesc.h> 50#include <sys/vnode.h> 51 52/* 53 * Loadable firmware support. See sys/sys/firmware.h and firmware(9) 54 * form more details on the subsystem. 55 * 56 * 'struct firmware' is the user-visible part of the firmware table. 57 * Additional internal information is stored in a 'struct priv_fw', 58 * which embeds the public firmware structure. 59 */ 60 61/* 62 * fw.name != NULL when an image is registered; file != NULL for 63 * autoloaded images whose handling has not been completed. 64 * 65 * The state of a slot evolves as follows: 66 * firmware_register --> fw.name = image_name 67 * (autoloaded image) --> file = module reference 68 * firmware_unregister --> fw.name = NULL 69 * (unloadentry complete) --> file = NULL 70 * 71 * In order for the above to work, the 'file' field must remain 72 * unchanged in firmware_unregister(). 73 * 74 * Images residing in the same module are linked to each other 75 * through the 'parent' argument of firmware_register(). 76 * One image (typically, one with the same name as the module to let 77 * the autoloading mechanism work) is considered the parent image for 78 * all other images in the same module. Children affect the refcount 79 * on the parent image preventing improper unloading of the image itself. 80 */ 81 82struct priv_fw { 83 int refcnt; /* reference count */ 84 LIST_ENTRY(priv_fw) link; /* table linkage */ 85 86 /* 87 * parent entry, see above. Set on firmware_register(), 88 * cleared on firmware_unregister(). 89 */ 90 struct priv_fw *parent; 91 92 int flags; 93#define FW_BINARY 0x080 /* Firmware directly loaded, file == NULL */ 94#define FW_UNLOAD 0x100 /* record FIRMWARE_UNLOAD requests */ 95 96 /* 97 * 'file' is private info managed by the autoload/unload code. 98 * Set at the end of firmware_get(), cleared only in the 99 * firmware_unload_task, so the latter can depend on its value even 100 * while the lock is not held. 101 */ 102 linker_file_t file; /* module file, if autoloaded */ 103 104 /* 105 * 'fw' is the externally visible image information. 106 * We do not make it the first field in priv_fw, to avoid the 107 * temptation of casting pointers to each other. 108 * Use PRIV_FW(fw) to get a pointer to the cointainer of fw. 109 * Beware, PRIV_FW does not work for a NULL pointer. 110 */ 111 struct firmware fw; /* externally visible information */ 112}; 113 114/* 115 * PRIV_FW returns the pointer to the container of struct firmware *x. 116 * Cast to intptr_t to override the 'const' attribute of x 117 */ 118#define PRIV_FW(x) ((struct priv_fw *) \ 119 ((intptr_t)(x) - offsetof(struct priv_fw, fw)) ) 120 121/* 122 * Global firmware image registry. 123 */ 124static LIST_HEAD(, priv_fw) firmware_table; 125 126/* 127 * Firmware module operations are handled in a separate task as they 128 * might sleep and they require directory context to do i/o. We also 129 * use this when loading binaries directly. 130 */ 131static struct taskqueue *firmware_tq; 132static struct task firmware_unload_task; 133 134/* 135 * This mutex protects accesses to the firmware table. 136 */ 137static struct mtx firmware_mtx; 138MTX_SYSINIT(firmware, &firmware_mtx, "firmware table", MTX_DEF); 139 140static MALLOC_DEFINE(M_FIRMWARE, "firmware", "device firmware images"); 141 142static uint64_t firmware_max_size = 8u << 20; /* Default to 8MB cap */ 143SYSCTL_U64(_debug, OID_AUTO, firmware_max_size, 144 CTLFLAG_RWTUN, &firmware_max_size, 0, 145 "Max size permitted for a firmware file."); 146 147/* 148 * Helper function to lookup a name. 149 * As a side effect, it sets the pointer to a free slot, if any. 150 * This way we can concentrate most of the registry scanning in 151 * this function, which makes it easier to replace the registry 152 * with some other data structure. 153 */ 154static struct priv_fw * 155lookup(const char *name) 156{ 157 struct priv_fw *fp; 158 159 mtx_assert(&firmware_mtx, MA_OWNED); 160 161 LIST_FOREACH(fp, &firmware_table, link) { 162 if (fp->fw.name != NULL && strcasecmp(name, fp->fw.name) == 0) 163 break; 164 165 /* 166 * If the name looks like an absolute path, also try to match 167 * the last part of the string to the requested firmware if it 168 * matches the trailing components. This allows us to load 169 * /boot/firmware/abc/bca2233_fw.bin and match it against 170 * requests for bca2233_fw.bin or abc/bca2233_fw.bin. 171 */ 172 if (*fp->fw.name == '/' && strlen(fp->fw.name) > strlen(name)) { 173 const char *p = fp->fw.name + strlen(fp->fw.name) - strlen(name); 174 if (p[-1] == '/' && strcasecmp(name, p) == 0) 175 break; 176 } 177 } 178 return (fp); 179} 180 181/* 182 * Register a firmware image with the specified name. The 183 * image name must not already be registered. If this is a 184 * subimage then parent refers to a previously registered 185 * image that this should be associated with. 186 */ 187const struct firmware * 188firmware_register(const char *imagename, const void *data, size_t datasize, 189 unsigned int version, const struct firmware *parent) 190{ 191 struct priv_fw *frp; 192 char *name; 193 194 mtx_lock(&firmware_mtx); 195 frp = lookup(imagename); 196 if (frp != NULL) { 197 mtx_unlock(&firmware_mtx); 198 printf("%s: image %s already registered!\n", 199 __func__, imagename); 200 return (NULL); 201 } 202 mtx_unlock(&firmware_mtx); 203 204 frp = malloc(sizeof(*frp), M_FIRMWARE, M_WAITOK | M_ZERO); 205 name = strdup(imagename, M_FIRMWARE); 206 207 mtx_lock(&firmware_mtx); 208 if (lookup(imagename) != NULL) { 209 /* We lost a race. */ 210 mtx_unlock(&firmware_mtx); 211 free(name, M_FIRMWARE); 212 free(frp, M_FIRMWARE); 213 return (NULL); 214 } 215 frp->fw.name = name; 216 frp->fw.data = data; 217 frp->fw.datasize = datasize; 218 frp->fw.version = version; 219 if (parent != NULL) 220 frp->parent = PRIV_FW(parent); 221 LIST_INSERT_HEAD(&firmware_table, frp, link); 222 mtx_unlock(&firmware_mtx); 223 if (bootverbose) 224 printf("firmware: '%s' version %u: %zu bytes loaded at %p\n", 225 imagename, version, datasize, data); 226 return (&frp->fw); 227} 228 229/* 230 * Unregister/remove a firmware image. If there are outstanding 231 * references an error is returned and the image is not removed 232 * from the registry. 233 */ 234int 235firmware_unregister(const char *imagename) 236{ 237 struct priv_fw *fp; 238 int err; 239 240 mtx_lock(&firmware_mtx); 241 fp = lookup(imagename); 242 if (fp == NULL) { 243 /* 244 * It is ok for the lookup to fail; this can happen 245 * when a module is unloaded on last reference and the 246 * module unload handler unregister's each of its 247 * firmware images. 248 */ 249 err = 0; 250 } else if (fp->refcnt != 0) { /* cannot unregister */ 251 err = EBUSY; 252 } else { 253 LIST_REMOVE(fp, link); 254 free(__DECONST(char *, fp->fw.name), M_FIRMWARE); 255 free(fp, M_FIRMWARE); 256 err = 0; 257 } 258 mtx_unlock(&firmware_mtx); 259 return (err); 260} 261 262struct fw_loadimage { 263 const char *imagename; 264 uint32_t flags; 265}; 266 267static const char *fw_path = "/boot/firmware/"; 268 269static void 270try_binary_file(const char *imagename, uint32_t flags) 271{ 272 struct nameidata nd; 273 struct thread *td = curthread; 274 struct ucred *cred = td ? td->td_ucred : NULL; 275 struct sbuf *sb; 276 struct priv_fw *fp; 277 const char *fn; 278 struct vattr vattr; 279 void *data = NULL; 280 const struct firmware *fw; 281 int oflags; 282 size_t resid; 283 int error; 284 bool warn = flags & FIRMWARE_GET_NOWARN; 285 286 /* 287 * XXX TODO: Loop over some path instead of a single element path. 288 * and fetch this path from the 'firmware_path' kenv the loader sets. 289 */ 290 sb = sbuf_new_auto(); 291 sbuf_printf(sb, "%s%s", fw_path, imagename); 292 sbuf_finish(sb); 293 fn = sbuf_data(sb); 294 if (bootverbose) 295 printf("Trying to load binary firmware from %s\n", fn); 296 297 NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, fn); 298 oflags = FREAD; 299 error = vn_open(&nd, &oflags, 0, NULL); 300 if (error) 301 goto err; 302 NDFREE_PNBUF(&nd); 303 if (nd.ni_vp->v_type != VREG) 304 goto err2; 305 error = VOP_GETATTR(nd.ni_vp, &vattr, cred); 306 if (error) 307 goto err2; 308 309 /* 310 * Limit this to something sane, 8MB by default. 311 */ 312 if (vattr.va_size > firmware_max_size) { 313 printf("Firmware %s is too big: %lld bytes, %ld bytes max.\n", 314 fn, (long long)vattr.va_size, (long)firmware_max_size); 315 goto err2; 316 } 317 data = malloc(vattr.va_size, M_FIRMWARE, M_WAITOK); 318 error = vn_rdwr(UIO_READ, nd.ni_vp, (caddr_t)data, vattr.va_size, 0, 319 UIO_SYSSPACE, IO_NODELOCKED, cred, NOCRED, &resid, td); 320 /* XXX make data read only? */ 321 VOP_UNLOCK(nd.ni_vp); 322 vn_close(nd.ni_vp, FREAD, cred, td); 323 nd.ni_vp = NULL; 324 if (error != 0 || resid != 0) 325 goto err; 326 fw = firmware_register(fn, data, vattr.va_size, 0, NULL); 327 if (fw == NULL) 328 goto err; 329 fp = PRIV_FW(fw); 330 fp->flags |= FW_BINARY; 331 if (bootverbose) 332 printf("%s: Loaded binary firmware using %s\n", imagename, fn); 333 sbuf_delete(sb); 334 return; 335 336err2: /* cleanup in vn_open through vn_close */ 337 VOP_UNLOCK(nd.ni_vp); 338 vn_close(nd.ni_vp, FREAD, cred, td); 339err: 340 free(data, M_FIRMWARE); 341 if (bootverbose || warn) 342 printf("%s: could not load binary firmware %s either\n", imagename, fn); 343 sbuf_delete(sb); 344} 345 346static void 347loadimage(void *arg, int npending __unused) 348{ 349 struct fw_loadimage *fwli = arg; 350 struct priv_fw *fp; 351 linker_file_t result; 352 int error; 353 354 error = linker_reference_module(fwli->imagename, NULL, &result); 355 if (error != 0) { 356 if (bootverbose || (fwli->flags & FIRMWARE_GET_NOWARN) == 0) 357 printf("%s: could not load firmware image, error %d\n", 358 fwli->imagename, error); 359 try_binary_file(fwli->imagename, fwli->flags); 360 mtx_lock(&firmware_mtx); 361 goto done; 362 } 363 364 mtx_lock(&firmware_mtx); 365 fp = lookup(fwli->imagename); 366 if (fp == NULL || fp->file != NULL) { 367 mtx_unlock(&firmware_mtx); 368 if (fp == NULL) 369 printf("%s: firmware image loaded, " 370 "but did not register\n", fwli->imagename); 371 (void) linker_release_module(fwli->imagename, NULL, NULL); 372 mtx_lock(&firmware_mtx); 373 goto done; 374 } 375 fp->file = result; /* record the module identity */ 376done: 377 wakeup_one(arg); 378 mtx_unlock(&firmware_mtx); 379} 380 381/* 382 * Lookup and potentially load the specified firmware image. 383 * If the firmware is not found in the registry, try to load a kernel 384 * module named as the image name. 385 * If the firmware is located, a reference is returned. The caller must 386 * release this reference for the image to be eligible for removal/unload. 387 */ 388const struct firmware * 389firmware_get_flags(const char *imagename, uint32_t flags) 390{ 391 struct task fwload_task; 392 struct thread *td; 393 struct priv_fw *fp; 394 395 mtx_lock(&firmware_mtx); 396 fp = lookup(imagename); 397 if (fp != NULL) 398 goto found; 399 /* 400 * Image not present, try to load the module holding it. 401 */ 402 td = curthread; 403 if (priv_check(td, PRIV_FIRMWARE_LOAD) != 0 || 404 securelevel_gt(td->td_ucred, 0) != 0) { 405 mtx_unlock(&firmware_mtx); 406 printf("%s: insufficient privileges to " 407 "load firmware image %s\n", __func__, imagename); 408 return NULL; 409 } 410 /* 411 * Defer load to a thread with known context. linker_reference_module 412 * may do filesystem i/o which requires root & current dirs, etc. 413 * Also we must not hold any mtx's over this call which is problematic. 414 */ 415 if (!cold) { 416 struct fw_loadimage fwli; 417 418 fwli.imagename = imagename; 419 fwli.flags = flags; 420 TASK_INIT(&fwload_task, 0, loadimage, (void *)&fwli); 421 taskqueue_enqueue(firmware_tq, &fwload_task); 422 PHOLD(curproc); 423 msleep((void *)&fwli, &firmware_mtx, 0, "fwload", 0); 424 PRELE(curproc); 425 } 426 /* 427 * After attempting to load the module, see if the image is registered. 428 */ 429 fp = lookup(imagename); 430 if (fp == NULL) { 431 mtx_unlock(&firmware_mtx); 432 return NULL; 433 } 434found: /* common exit point on success */ 435 if (fp->refcnt == 0 && fp->parent != NULL) 436 fp->parent->refcnt++; 437 fp->refcnt++; 438 mtx_unlock(&firmware_mtx); 439 return &fp->fw; 440} 441 442const struct firmware * 443firmware_get(const char *imagename) 444{ 445 446 return (firmware_get_flags(imagename, 0)); 447} 448 449/* 450 * Release a reference to a firmware image returned by firmware_get. 451 * The caller may specify, with the FIRMWARE_UNLOAD flag, its desire 452 * to release the resource, but the flag is only advisory. 453 * 454 * If this is the last reference to the firmware image, and this is an 455 * autoloaded module, wake up the firmware_unload_task to figure out 456 * what to do with the associated module. 457 */ 458void 459firmware_put(const struct firmware *p, int flags) 460{ 461 struct priv_fw *fp = PRIV_FW(p); 462 463 mtx_lock(&firmware_mtx); 464 fp->refcnt--; 465 if (fp->refcnt == 0) { 466 if (fp->parent != NULL) 467 fp->parent->refcnt--; 468 if (flags & FIRMWARE_UNLOAD) 469 fp->flags |= FW_UNLOAD; 470 if (fp->file) 471 taskqueue_enqueue(firmware_tq, &firmware_unload_task); 472 } 473 mtx_unlock(&firmware_mtx); 474} 475 476/* 477 * Setup directory state for the firmware_tq thread so we can do i/o. 478 */ 479static void 480set_rootvnode(void *arg, int npending) 481{ 482 483 pwd_ensure_dirs(); 484 free(arg, M_TEMP); 485} 486 487/* 488 * Event handler called on mounting of /; bounce a task 489 * into the task queue thread to setup it's directories. 490 */ 491static void 492firmware_mountroot(void *arg) 493{ 494 struct task *setroot_task; 495 496 setroot_task = malloc(sizeof(struct task), M_TEMP, M_NOWAIT); 497 if (setroot_task != NULL) { 498 TASK_INIT(setroot_task, 0, set_rootvnode, setroot_task); 499 taskqueue_enqueue(firmware_tq, setroot_task); 500 } else 501 printf("%s: no memory for task!\n", __func__); 502} 503EVENTHANDLER_DEFINE(mountroot, firmware_mountroot, NULL, 0); 504 505/* 506 * The body of the task in charge of unloading autoloaded modules 507 * that are not needed anymore. 508 * Images can be cross-linked so we may need to make multiple passes, 509 * but the time we spend in the loop is bounded because we clear entries 510 * as we touch them. 511 */ 512static void 513unloadentry(void *unused1, int unused2) 514{ 515 struct priv_fw *fp, *tmp; 516 517 mtx_lock(&firmware_mtx); 518restart: 519 LIST_FOREACH_SAFE(fp, &firmware_table, link, tmp) { 520 if (((fp->flags & FW_BINARY) == 0 && fp->file == NULL) || 521 fp->refcnt != 0 || (fp->flags & FW_UNLOAD) == 0) 522 continue; 523 524 /* 525 * If we directly loaded the firmware, then we just need to 526 * remove the entry from the list and free the entry and go to 527 * the next one. There's no need for the indirection of the kld 528 * module case, we free memory and go to the next one. 529 */ 530 if ((fp->flags & FW_BINARY) != 0) { 531 LIST_REMOVE(fp, link); 532 free(__DECONST(char *, fp->fw.data), M_FIRMWARE); 533 free(__DECONST(char *, fp->fw.name), M_FIRMWARE); 534 free(fp, M_FIRMWARE); 535 continue; 536 } 537 538 /* 539 * Found an entry. This is the kld case, so we have a more 540 * complex dance. Now: 541 * 1. make sure we scan the table again 542 * 2. clear FW_UNLOAD so we don't try this entry again. 543 * 3. release the lock while trying to unload the module. 544 */ 545 fp->flags &= ~FW_UNLOAD; /* do not try again */ 546 547 /* 548 * We rely on the module to call firmware_unregister() 549 * on unload to actually free the entry. 550 */ 551 mtx_unlock(&firmware_mtx); 552 (void)linker_release_module(NULL, NULL, fp->file); 553 mtx_lock(&firmware_mtx); 554 555 /* 556 * When we dropped the lock, another thread could have 557 * removed an element, so we must restart the scan. 558 */ 559 goto restart; 560 } 561 mtx_unlock(&firmware_mtx); 562} 563 564/* 565 * Find all the binary firmware that was loaded in the boot loader via load -t 566 * firmware foo. There is only one firmware per file, it's the whole file, and 567 * there's no meaningful version passed in, so pass 0 for that. If version is 568 * needed by the consumer (and not just arbitrarily defined), the .ko version 569 * must be used instead. 570 */ 571static void 572firmware_binary_files(void) 573{ 574 caddr_t file; 575 char *name; 576 const char *type; 577 const void *addr; 578 size_t size; 579 unsigned int version = 0; 580 const struct firmware *fw; 581 struct priv_fw *fp; 582 583 file = 0; 584 for (;;) { 585 file = preload_search_next_name(file); 586 if (file == 0) 587 break; 588 type = (const char *)preload_search_info(file, MODINFO_TYPE); 589 if (type == NULL || strcmp(type, "firmware") != 0) 590 continue; 591 name = preload_search_info(file, MODINFO_NAME); 592 addr = preload_fetch_addr(file); 593 size = preload_fetch_size(file); 594 fw = firmware_register(name, addr, size, version, NULL); 595 fp = PRIV_FW(fw); 596 fp->refcnt++; /* Hold an extra reference so we never unload */ 597 } 598} 599 600/* 601 * Module glue. 602 */ 603static int 604firmware_modevent(module_t mod, int type, void *unused) 605{ 606 struct priv_fw *fp; 607 int err; 608 609 err = 0; 610 switch (type) { 611 case MOD_LOAD: 612 TASK_INIT(&firmware_unload_task, 0, unloadentry, NULL); 613 firmware_tq = taskqueue_create("taskqueue_firmware", M_WAITOK, 614 taskqueue_thread_enqueue, &firmware_tq); 615 /* NB: use our own loop routine that sets up context */ 616 (void) taskqueue_start_threads(&firmware_tq, 1, PWAIT, 617 "firmware taskq"); 618 firmware_binary_files(); 619 if (rootvnode != NULL) { 620 /* 621 * Root is already mounted so we won't get an event; 622 * simulate one here. 623 */ 624 firmware_mountroot(NULL); 625 } 626 break; 627 628 case MOD_UNLOAD: 629 /* request all autoloaded modules to be released */ 630 mtx_lock(&firmware_mtx); 631 LIST_FOREACH(fp, &firmware_table, link) 632 fp->flags |= FW_UNLOAD; 633 mtx_unlock(&firmware_mtx); 634 taskqueue_enqueue(firmware_tq, &firmware_unload_task); 635 taskqueue_drain(firmware_tq, &firmware_unload_task); 636 637 LIST_FOREACH(fp, &firmware_table, link) { 638 if (fp->fw.name != NULL) { 639 printf("%s: image %s still active, %d refs\n", 640 __func__, fp->fw.name, fp->refcnt); 641 err = EINVAL; 642 } 643 } 644 if (err == 0) 645 taskqueue_free(firmware_tq); 646 break; 647 648 default: 649 err = EOPNOTSUPP; 650 break; 651 } 652 return (err); 653} 654 655static moduledata_t firmware_mod = { 656 "firmware", 657 firmware_modevent, 658 NULL 659}; 660DECLARE_MODULE(firmware, firmware_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST); 661MODULE_VERSION(firmware, 1); 662