Avoid beyond bounds copy while caching ACL
[zen-stable.git] / drivers / firmware / dell_rbu.c
blob2f452f1f7c8a09c2f5cd1cdfcf07aa3751b808e0
1 /*
2 * dell_rbu.c
3 * Bios Update driver for Dell systems
4 * Author: Dell Inc
5 * Abhay Salunke <abhay_salunke@dell.com>
7 * Copyright (C) 2005 Dell Inc.
9 * Remote BIOS Update (rbu) driver is used for updating DELL BIOS by
10 * creating entries in the /sys file systems on Linux 2.6 and higher
11 * kernels. The driver supports two mechanism to update the BIOS namely
12 * contiguous and packetized. Both these methods still require having some
13 * application to set the CMOS bit indicating the BIOS to update itself
14 * after a reboot.
16 * Contiguous method:
17 * This driver writes the incoming data in a monolithic image by allocating
18 * contiguous physical pages large enough to accommodate the incoming BIOS
19 * image size.
21 * Packetized method:
22 * The driver writes the incoming packet image by allocating a new packet
23 * on every time the packet data is written. This driver requires an
24 * application to break the BIOS image in to fixed sized packet chunks.
26 * See Documentation/dell_rbu.txt for more info.
28 * This program is free software; you can redistribute it and/or modify
29 * it under the terms of the GNU General Public License v2.0 as published by
30 * the Free Software Foundation
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
37 #include <linux/init.h>
38 #include <linux/module.h>
39 #include <linux/slab.h>
40 #include <linux/string.h>
41 #include <linux/errno.h>
42 #include <linux/blkdev.h>
43 #include <linux/platform_device.h>
44 #include <linux/spinlock.h>
45 #include <linux/moduleparam.h>
46 #include <linux/firmware.h>
47 #include <linux/dma-mapping.h>
49 MODULE_AUTHOR("Abhay Salunke <abhay_salunke@dell.com>");
50 MODULE_DESCRIPTION("Driver for updating BIOS image on DELL systems");
51 MODULE_LICENSE("GPL");
52 MODULE_VERSION("3.2");
54 #define BIOS_SCAN_LIMIT 0xffffffff
55 #define MAX_IMAGE_LENGTH 16
56 static struct _rbu_data {
57 void *image_update_buffer;
58 unsigned long image_update_buffer_size;
59 unsigned long bios_image_size;
60 int image_update_ordernum;
61 int dma_alloc;
62 spinlock_t lock;
63 unsigned long packet_read_count;
64 unsigned long num_packets;
65 unsigned long packetsize;
66 unsigned long imagesize;
67 int entry_created;
68 } rbu_data;
70 static char image_type[MAX_IMAGE_LENGTH + 1] = "mono";
71 module_param_string(image_type, image_type, sizeof (image_type), 0);
72 MODULE_PARM_DESC(image_type,
73 "BIOS image type. choose- mono or packet or init");
75 static unsigned long allocation_floor = 0x100000;
76 module_param(allocation_floor, ulong, 0644);
77 MODULE_PARM_DESC(allocation_floor,
78 "Minimum address for allocations when using Packet mode");
80 struct packet_data {
81 struct list_head list;
82 size_t length;
83 void *data;
84 int ordernum;
87 static struct packet_data packet_data_head;
89 static struct platform_device *rbu_device;
90 static int context;
91 static dma_addr_t dell_rbu_dmaaddr;
93 static void init_packet_head(void)
95 INIT_LIST_HEAD(&packet_data_head.list);
96 rbu_data.packet_read_count = 0;
97 rbu_data.num_packets = 0;
98 rbu_data.packetsize = 0;
99 rbu_data.imagesize = 0;
102 static int create_packet(void *data, size_t length)
104 struct packet_data *newpacket;
105 int ordernum = 0;
106 int retval = 0;
107 unsigned int packet_array_size = 0;
108 void **invalid_addr_packet_array = NULL;
109 void *packet_data_temp_buf = NULL;
110 unsigned int idx = 0;
112 pr_debug("create_packet: entry \n");
114 if (!rbu_data.packetsize) {
115 pr_debug("create_packet: packetsize not specified\n");
116 retval = -EINVAL;
117 goto out_noalloc;
120 spin_unlock(&rbu_data.lock);
122 newpacket = kzalloc(sizeof (struct packet_data), GFP_KERNEL);
124 if (!newpacket) {
125 printk(KERN_WARNING
126 "dell_rbu:%s: failed to allocate new "
127 "packet\n", __func__);
128 retval = -ENOMEM;
129 spin_lock(&rbu_data.lock);
130 goto out_noalloc;
133 ordernum = get_order(length);
136 * BIOS errata mean we cannot allocate packets below 1MB or they will
137 * be overwritten by BIOS.
139 * array to temporarily hold packets
140 * that are below the allocation floor
142 * NOTE: very simplistic because we only need the floor to be at 1MB
143 * due to BIOS errata. This shouldn't be used for higher floors
144 * or you will run out of mem trying to allocate the array.
146 packet_array_size = max(
147 (unsigned int)(allocation_floor / rbu_data.packetsize),
148 (unsigned int)1);
149 invalid_addr_packet_array = kzalloc(packet_array_size * sizeof(void*),
150 GFP_KERNEL);
152 if (!invalid_addr_packet_array) {
153 printk(KERN_WARNING
154 "dell_rbu:%s: failed to allocate "
155 "invalid_addr_packet_array \n",
156 __func__);
157 retval = -ENOMEM;
158 spin_lock(&rbu_data.lock);
159 goto out_alloc_packet;
162 while (!packet_data_temp_buf) {
163 packet_data_temp_buf = (unsigned char *)
164 __get_free_pages(GFP_KERNEL, ordernum);
165 if (!packet_data_temp_buf) {
166 printk(KERN_WARNING
167 "dell_rbu:%s: failed to allocate new "
168 "packet\n", __func__);
169 retval = -ENOMEM;
170 spin_lock(&rbu_data.lock);
171 goto out_alloc_packet_array;
174 if ((unsigned long)virt_to_phys(packet_data_temp_buf)
175 < allocation_floor) {
176 pr_debug("packet 0x%lx below floor at 0x%lx.\n",
177 (unsigned long)virt_to_phys(
178 packet_data_temp_buf),
179 allocation_floor);
180 invalid_addr_packet_array[idx++] = packet_data_temp_buf;
181 packet_data_temp_buf = NULL;
184 spin_lock(&rbu_data.lock);
186 newpacket->data = packet_data_temp_buf;
188 pr_debug("create_packet: newpacket at physical addr %lx\n",
189 (unsigned long)virt_to_phys(newpacket->data));
191 /* packets may not have fixed size */
192 newpacket->length = length;
193 newpacket->ordernum = ordernum;
194 ++rbu_data.num_packets;
196 /* initialize the newly created packet headers */
197 INIT_LIST_HEAD(&newpacket->list);
198 list_add_tail(&newpacket->list, &packet_data_head.list);
200 memcpy(newpacket->data, data, length);
202 pr_debug("create_packet: exit \n");
204 out_alloc_packet_array:
205 /* always free packet array */
206 for (;idx>0;idx--) {
207 pr_debug("freeing unused packet below floor 0x%lx.\n",
208 (unsigned long)virt_to_phys(
209 invalid_addr_packet_array[idx-1]));
210 free_pages((unsigned long)invalid_addr_packet_array[idx-1],
211 ordernum);
213 kfree(invalid_addr_packet_array);
215 out_alloc_packet:
216 /* if error, free data */
217 if (retval)
218 kfree(newpacket);
220 out_noalloc:
221 return retval;
224 static int packetize_data(const u8 *data, size_t length)
226 int rc = 0;
227 int done = 0;
228 int packet_length;
229 u8 *temp;
230 u8 *end = (u8 *) data + length;
231 pr_debug("packetize_data: data length %zd\n", length);
232 if (!rbu_data.packetsize) {
233 printk(KERN_WARNING
234 "dell_rbu: packetsize not specified\n");
235 return -EIO;
238 temp = (u8 *) data;
240 /* packetize the hunk */
241 while (!done) {
242 if ((temp + rbu_data.packetsize) < end)
243 packet_length = rbu_data.packetsize;
244 else {
245 /* this is the last packet */
246 packet_length = end - temp;
247 done = 1;
250 if ((rc = create_packet(temp, packet_length)))
251 return rc;
253 pr_debug("%p:%td\n", temp, (end - temp));
254 temp += packet_length;
257 rbu_data.imagesize = length;
259 return rc;
262 static int do_packet_read(char *data, struct list_head *ptemp_list,
263 int length, int bytes_read, int *list_read_count)
265 void *ptemp_buf;
266 struct packet_data *newpacket = NULL;
267 int bytes_copied = 0;
268 int j = 0;
270 newpacket = list_entry(ptemp_list, struct packet_data, list);
271 *list_read_count += newpacket->length;
273 if (*list_read_count > bytes_read) {
274 /* point to the start of unread data */
275 j = newpacket->length - (*list_read_count - bytes_read);
276 /* point to the offset in the packet buffer */
277 ptemp_buf = (u8 *) newpacket->data + j;
279 * check if there is enough room in
280 * * the incoming buffer
282 if (length > (*list_read_count - bytes_read))
284 * copy what ever is there in this
285 * packet and move on
287 bytes_copied = (*list_read_count - bytes_read);
288 else
289 /* copy the remaining */
290 bytes_copied = length;
291 memcpy(data, ptemp_buf, bytes_copied);
293 return bytes_copied;
296 static int packet_read_list(char *data, size_t * pread_length)
298 struct list_head *ptemp_list;
299 int temp_count = 0;
300 int bytes_copied = 0;
301 int bytes_read = 0;
302 int remaining_bytes = 0;
303 char *pdest = data;
305 /* check if we have any packets */
306 if (0 == rbu_data.num_packets)
307 return -ENOMEM;
309 remaining_bytes = *pread_length;
310 bytes_read = rbu_data.packet_read_count;
312 ptemp_list = (&packet_data_head.list)->next;
313 while (!list_empty(ptemp_list)) {
314 bytes_copied = do_packet_read(pdest, ptemp_list,
315 remaining_bytes, bytes_read, &temp_count);
316 remaining_bytes -= bytes_copied;
317 bytes_read += bytes_copied;
318 pdest += bytes_copied;
320 * check if we reached end of buffer before reaching the
321 * last packet
323 if (remaining_bytes == 0)
324 break;
326 ptemp_list = ptemp_list->next;
328 /*finally set the bytes read */
329 *pread_length = bytes_read - rbu_data.packet_read_count;
330 rbu_data.packet_read_count = bytes_read;
331 return 0;
334 static void packet_empty_list(void)
336 struct list_head *ptemp_list;
337 struct list_head *pnext_list;
338 struct packet_data *newpacket;
340 ptemp_list = (&packet_data_head.list)->next;
341 while (!list_empty(ptemp_list)) {
342 newpacket =
343 list_entry(ptemp_list, struct packet_data, list);
344 pnext_list = ptemp_list->next;
345 list_del(ptemp_list);
346 ptemp_list = pnext_list;
348 * zero out the RBU packet memory before freeing
349 * to make sure there are no stale RBU packets left in memory
351 memset(newpacket->data, 0, rbu_data.packetsize);
352 free_pages((unsigned long) newpacket->data,
353 newpacket->ordernum);
354 kfree(newpacket);
356 rbu_data.packet_read_count = 0;
357 rbu_data.num_packets = 0;
358 rbu_data.imagesize = 0;
362 * img_update_free: Frees the buffer allocated for storing BIOS image
363 * Always called with lock held and returned with lock held
365 static void img_update_free(void)
367 if (!rbu_data.image_update_buffer)
368 return;
370 * zero out this buffer before freeing it to get rid of any stale
371 * BIOS image copied in memory.
373 memset(rbu_data.image_update_buffer, 0,
374 rbu_data.image_update_buffer_size);
375 if (rbu_data.dma_alloc == 1)
376 dma_free_coherent(NULL, rbu_data.bios_image_size,
377 rbu_data.image_update_buffer, dell_rbu_dmaaddr);
378 else
379 free_pages((unsigned long) rbu_data.image_update_buffer,
380 rbu_data.image_update_ordernum);
383 * Re-initialize the rbu_data variables after a free
385 rbu_data.image_update_ordernum = -1;
386 rbu_data.image_update_buffer = NULL;
387 rbu_data.image_update_buffer_size = 0;
388 rbu_data.bios_image_size = 0;
389 rbu_data.dma_alloc = 0;
393 * img_update_realloc: This function allocates the contiguous pages to
394 * accommodate the requested size of data. The memory address and size
395 * values are stored globally and on every call to this function the new
396 * size is checked to see if more data is required than the existing size.
397 * If true the previous memory is freed and new allocation is done to
398 * accommodate the new size. If the incoming size is less then than the
399 * already allocated size, then that memory is reused. This function is
400 * called with lock held and returns with lock held.
402 static int img_update_realloc(unsigned long size)
404 unsigned char *image_update_buffer = NULL;
405 unsigned long rc;
406 unsigned long img_buf_phys_addr;
407 int ordernum;
408 int dma_alloc = 0;
411 * check if the buffer of sufficient size has been
412 * already allocated
414 if (rbu_data.image_update_buffer_size >= size) {
416 * check for corruption
418 if ((size != 0) && (rbu_data.image_update_buffer == NULL)) {
419 printk(KERN_ERR "dell_rbu:%s: corruption "
420 "check failed\n", __func__);
421 return -EINVAL;
424 * we have a valid pre-allocated buffer with
425 * sufficient size
427 return 0;
431 * free any previously allocated buffer
433 img_update_free();
435 spin_unlock(&rbu_data.lock);
437 ordernum = get_order(size);
438 image_update_buffer =
439 (unsigned char *) __get_free_pages(GFP_KERNEL, ordernum);
441 img_buf_phys_addr =
442 (unsigned long) virt_to_phys(image_update_buffer);
444 if (img_buf_phys_addr > BIOS_SCAN_LIMIT) {
445 free_pages((unsigned long) image_update_buffer, ordernum);
446 ordernum = -1;
447 image_update_buffer = dma_alloc_coherent(NULL, size,
448 &dell_rbu_dmaaddr, GFP_KERNEL);
449 dma_alloc = 1;
452 spin_lock(&rbu_data.lock);
454 if (image_update_buffer != NULL) {
455 rbu_data.image_update_buffer = image_update_buffer;
456 rbu_data.image_update_buffer_size = size;
457 rbu_data.bios_image_size =
458 rbu_data.image_update_buffer_size;
459 rbu_data.image_update_ordernum = ordernum;
460 rbu_data.dma_alloc = dma_alloc;
461 rc = 0;
462 } else {
463 pr_debug("Not enough memory for image update:"
464 "size = %ld\n", size);
465 rc = -ENOMEM;
468 return rc;
471 static ssize_t read_packet_data(char *buffer, loff_t pos, size_t count)
473 int retval;
474 size_t bytes_left;
475 size_t data_length;
476 char *ptempBuf = buffer;
478 /* check to see if we have something to return */
479 if (rbu_data.num_packets == 0) {
480 pr_debug("read_packet_data: no packets written\n");
481 retval = -ENOMEM;
482 goto read_rbu_data_exit;
485 if (pos > rbu_data.imagesize) {
486 retval = 0;
487 printk(KERN_WARNING "dell_rbu:read_packet_data: "
488 "data underrun\n");
489 goto read_rbu_data_exit;
492 bytes_left = rbu_data.imagesize - pos;
493 data_length = min(bytes_left, count);
495 if ((retval = packet_read_list(ptempBuf, &data_length)) < 0)
496 goto read_rbu_data_exit;
498 if ((pos + count) > rbu_data.imagesize) {
499 rbu_data.packet_read_count = 0;
500 /* this was the last copy */
501 retval = bytes_left;
502 } else
503 retval = count;
505 read_rbu_data_exit:
506 return retval;
509 static ssize_t read_rbu_mono_data(char *buffer, loff_t pos, size_t count)
511 /* check to see if we have something to return */
512 if ((rbu_data.image_update_buffer == NULL) ||
513 (rbu_data.bios_image_size == 0)) {
514 pr_debug("read_rbu_data_mono: image_update_buffer %p ,"
515 "bios_image_size %lu\n",
516 rbu_data.image_update_buffer,
517 rbu_data.bios_image_size);
518 return -ENOMEM;
521 return memory_read_from_buffer(buffer, count, &pos,
522 rbu_data.image_update_buffer, rbu_data.bios_image_size);
525 static ssize_t read_rbu_data(struct file *filp, struct kobject *kobj,
526 struct bin_attribute *bin_attr,
527 char *buffer, loff_t pos, size_t count)
529 ssize_t ret_count = 0;
531 spin_lock(&rbu_data.lock);
533 if (!strcmp(image_type, "mono"))
534 ret_count = read_rbu_mono_data(buffer, pos, count);
535 else if (!strcmp(image_type, "packet"))
536 ret_count = read_packet_data(buffer, pos, count);
537 else
538 pr_debug("read_rbu_data: invalid image type specified\n");
540 spin_unlock(&rbu_data.lock);
541 return ret_count;
544 static void callbackfn_rbu(const struct firmware *fw, void *context)
546 rbu_data.entry_created = 0;
548 if (!fw)
549 return;
551 if (!fw->size)
552 goto out;
554 spin_lock(&rbu_data.lock);
555 if (!strcmp(image_type, "mono")) {
556 if (!img_update_realloc(fw->size))
557 memcpy(rbu_data.image_update_buffer,
558 fw->data, fw->size);
559 } else if (!strcmp(image_type, "packet")) {
561 * we need to free previous packets if a
562 * new hunk of packets needs to be downloaded
564 packet_empty_list();
565 if (packetize_data(fw->data, fw->size))
566 /* Incase something goes wrong when we are
567 * in middle of packetizing the data, we
568 * need to free up whatever packets might
569 * have been created before we quit.
571 packet_empty_list();
572 } else
573 pr_debug("invalid image type specified.\n");
574 spin_unlock(&rbu_data.lock);
575 out:
576 release_firmware(fw);
579 static ssize_t read_rbu_image_type(struct file *filp, struct kobject *kobj,
580 struct bin_attribute *bin_attr,
581 char *buffer, loff_t pos, size_t count)
583 int size = 0;
584 if (!pos)
585 size = scnprintf(buffer, count, "%s\n", image_type);
586 return size;
589 static ssize_t write_rbu_image_type(struct file *filp, struct kobject *kobj,
590 struct bin_attribute *bin_attr,
591 char *buffer, loff_t pos, size_t count)
593 int rc = count;
594 int req_firm_rc = 0;
595 int i;
596 spin_lock(&rbu_data.lock);
598 * Find the first newline or space
600 for (i = 0; i < count; ++i)
601 if (buffer[i] == '\n' || buffer[i] == ' ') {
602 buffer[i] = '\0';
603 break;
605 if (i == count)
606 buffer[count] = '\0';
608 if (strstr(buffer, "mono"))
609 strcpy(image_type, "mono");
610 else if (strstr(buffer, "packet"))
611 strcpy(image_type, "packet");
612 else if (strstr(buffer, "init")) {
614 * If due to the user error the driver gets in a bad
615 * state where even though it is loaded , the
616 * /sys/class/firmware/dell_rbu entries are missing.
617 * to cover this situation the user can recreate entries
618 * by writing init to image_type.
620 if (!rbu_data.entry_created) {
621 spin_unlock(&rbu_data.lock);
622 req_firm_rc = request_firmware_nowait(THIS_MODULE,
623 FW_ACTION_NOHOTPLUG, "dell_rbu",
624 &rbu_device->dev, GFP_KERNEL, &context,
625 callbackfn_rbu);
626 if (req_firm_rc) {
627 printk(KERN_ERR
628 "dell_rbu:%s request_firmware_nowait"
629 " failed %d\n", __func__, rc);
630 rc = -EIO;
631 } else
632 rbu_data.entry_created = 1;
634 spin_lock(&rbu_data.lock);
636 } else {
637 printk(KERN_WARNING "dell_rbu: image_type is invalid\n");
638 spin_unlock(&rbu_data.lock);
639 return -EINVAL;
642 /* we must free all previous allocations */
643 packet_empty_list();
644 img_update_free();
645 spin_unlock(&rbu_data.lock);
647 return rc;
650 static ssize_t read_rbu_packet_size(struct file *filp, struct kobject *kobj,
651 struct bin_attribute *bin_attr,
652 char *buffer, loff_t pos, size_t count)
654 int size = 0;
655 if (!pos) {
656 spin_lock(&rbu_data.lock);
657 size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
658 spin_unlock(&rbu_data.lock);
660 return size;
663 static ssize_t write_rbu_packet_size(struct file *filp, struct kobject *kobj,
664 struct bin_attribute *bin_attr,
665 char *buffer, loff_t pos, size_t count)
667 unsigned long temp;
668 spin_lock(&rbu_data.lock);
669 packet_empty_list();
670 sscanf(buffer, "%lu", &temp);
671 if (temp < 0xffffffff)
672 rbu_data.packetsize = temp;
674 spin_unlock(&rbu_data.lock);
675 return count;
678 static struct bin_attribute rbu_data_attr = {
679 .attr = {.name = "data", .mode = 0444},
680 .read = read_rbu_data,
683 static struct bin_attribute rbu_image_type_attr = {
684 .attr = {.name = "image_type", .mode = 0644},
685 .read = read_rbu_image_type,
686 .write = write_rbu_image_type,
689 static struct bin_attribute rbu_packet_size_attr = {
690 .attr = {.name = "packet_size", .mode = 0644},
691 .read = read_rbu_packet_size,
692 .write = write_rbu_packet_size,
695 static int __init dcdrbu_init(void)
697 int rc;
698 spin_lock_init(&rbu_data.lock);
700 init_packet_head();
701 rbu_device = platform_device_register_simple("dell_rbu", -1, NULL, 0);
702 if (IS_ERR(rbu_device)) {
703 printk(KERN_ERR
704 "dell_rbu:%s:platform_device_register_simple "
705 "failed\n", __func__);
706 return PTR_ERR(rbu_device);
709 rc = sysfs_create_bin_file(&rbu_device->dev.kobj, &rbu_data_attr);
710 if (rc)
711 goto out_devreg;
712 rc = sysfs_create_bin_file(&rbu_device->dev.kobj, &rbu_image_type_attr);
713 if (rc)
714 goto out_data;
715 rc = sysfs_create_bin_file(&rbu_device->dev.kobj,
716 &rbu_packet_size_attr);
717 if (rc)
718 goto out_imtype;
720 rbu_data.entry_created = 0;
721 return 0;
723 out_imtype:
724 sysfs_remove_bin_file(&rbu_device->dev.kobj, &rbu_image_type_attr);
725 out_data:
726 sysfs_remove_bin_file(&rbu_device->dev.kobj, &rbu_data_attr);
727 out_devreg:
728 platform_device_unregister(rbu_device);
729 return rc;
732 static __exit void dcdrbu_exit(void)
734 spin_lock(&rbu_data.lock);
735 packet_empty_list();
736 img_update_free();
737 spin_unlock(&rbu_data.lock);
738 platform_device_unregister(rbu_device);
741 module_exit(dcdrbu_exit);
742 module_init(dcdrbu_init);
744 /* vim:noet:ts=8:sw=8