2017-11-07 17:30:07 +01:00
// SPDX-License-Identifier: GPL-2.0
2005-04-16 15:20:36 -07:00
/*
* firmware_class . c - Multi purpose firmware loading support
*
2007-06-04 18:45:44 +02:00
* Copyright ( c ) 2003 Manuel Estrada Sainz
2005-04-16 15:20:36 -07:00
*
* Please see Documentation / firmware_class / for more information .
*
*/
2017-07-20 13:13:40 -07:00
# define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2006-01-11 12:17:46 -08:00
# include <linux/capability.h>
2005-04-16 15:20:36 -07:00
# include <linux/device.h>
# include <linux/module.h>
# include <linux/init.h>
# include <linux/timer.h>
# include <linux/vmalloc.h>
# include <linux/interrupt.h>
# include <linux/bitops.h>
2006-05-23 23:22:38 +02:00
# include <linux/mutex.h>
2012-03-28 23:31:00 +02:00
# include <linux/workqueue.h>
2009-04-09 22:04:07 -07:00
# include <linux/highmem.h>
2005-04-16 15:20:36 -07:00
# include <linux/firmware.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 17:04:11 +09:00
# include <linux/slab.h>
2012-03-28 23:31:00 +02:00
# include <linux/sched.h>
2012-10-03 15:58:32 -07:00
# include <linux/file.h>
2012-08-04 12:01:21 +08:00
# include <linux/list.h>
2015-11-19 12:39:22 -05:00
# include <linux/fs.h>
2012-08-04 12:01:27 +08:00
# include <linux/async.h>
# include <linux/pm.h>
2012-08-04 12:01:29 +08:00
# include <linux/suspend.h>
2012-08-20 19:04:16 +08:00
# include <linux/syscore_ops.h>
2013-05-22 18:28:38 +02:00
# include <linux/reboot.h>
2014-02-25 13:06:00 -08:00
# include <linux/security.h>
2012-08-04 12:01:27 +08:00
2012-10-03 15:58:32 -07:00
# include <generated/utsrelease.h>
2012-08-04 12:01:27 +08:00
# include "base.h"
2018-03-10 06:14:49 -08:00
# include "firmware_loader.h"
# include "firmware_fallback.h"
2005-04-16 15:20:36 -07:00
2007-06-04 18:45:44 +02:00
MODULE_AUTHOR ( " Manuel Estrada Sainz " ) ;
2005-04-16 15:20:36 -07:00
MODULE_DESCRIPTION ( " Multi purpose firmware loading support " ) ;
MODULE_LICENSE ( " GPL " ) ;
2017-11-20 10:23:50 -08:00
struct firmware_cache {
/* firmware_buf instance will be added into the below list */
spinlock_t lock ;
struct list_head head ;
int state ;
# ifdef CONFIG_PM_SLEEP
/*
* Names of firmware images which have been cached successfully
* will be added into the below list so that device uncache
* helper can trace which firmware images have been cached
* before .
*/
spinlock_t name_lock ;
struct list_head fw_names ;
struct delayed_work work ;
struct notifier_block pm_notify ;
# endif
} ;
struct fw_cache_entry {
struct list_head list ;
const char * name ;
} ;
struct fw_name_devm {
unsigned long magic ;
const char * name ;
} ;
2017-11-20 10:23:55 -08:00
static inline struct fw_priv * to_fw_priv ( struct kref * ref )
{
return container_of ( ref , struct fw_priv , ref ) ;
}
2017-11-20 10:23:50 -08:00
# define FW_LOADER_NO_CACHE 0
# define FW_LOADER_START_CACHE 1
/* fw_lock could be moved to 'struct fw_sysfs' but since it is just
* guarding for corner cases a global lock should be OK */
2018-03-10 06:14:49 -08:00
DEFINE_MUTEX ( fw_lock ) ;
2017-11-20 10:23:50 -08:00
static struct firmware_cache fw_cache ;
2010-03-13 23:49:18 -08:00
/* Builtin firmware support */
# ifdef CONFIG_FW_LOADER
extern struct builtin_fw __start_builtin_fw [ ] ;
extern struct builtin_fw __end_builtin_fw [ ] ;
2017-11-20 10:23:56 -08:00
static void fw_copy_to_prealloc_buf ( struct firmware * fw ,
void * buf , size_t size )
{
if ( ! buf | | size < fw - > size )
return ;
memcpy ( buf , fw - > data , fw - > size ) ;
}
2016-08-02 14:04:28 -07:00
static bool fw_get_builtin_firmware ( struct firmware * fw , const char * name ,
void * buf , size_t size )
2010-03-13 23:49:18 -08:00
{
struct builtin_fw * b_fw ;
for ( b_fw = __start_builtin_fw ; b_fw ! = __end_builtin_fw ; b_fw + + ) {
if ( strcmp ( name , b_fw - > name ) = = 0 ) {
fw - > size = b_fw - > size ;
fw - > data = b_fw - > data ;
2017-11-20 10:23:56 -08:00
fw_copy_to_prealloc_buf ( fw , buf , size ) ;
2016-08-02 14:04:28 -07:00
2010-03-13 23:49:18 -08:00
return true ;
}
}
return false ;
}
static bool fw_is_builtin_firmware ( const struct firmware * fw )
{
struct builtin_fw * b_fw ;
for ( b_fw = __start_builtin_fw ; b_fw ! = __end_builtin_fw ; b_fw + + )
if ( fw - > data = = b_fw - > data )
return true ;
return false ;
}
# else /* Module case - no builtin firmware support */
2016-08-02 14:04:28 -07:00
static inline bool fw_get_builtin_firmware ( struct firmware * fw ,
const char * name , void * buf ,
size_t size )
2010-03-13 23:49:18 -08:00
{
return false ;
}
static inline bool fw_is_builtin_firmware ( const struct firmware * fw )
{
return false ;
}
# endif
2017-11-20 10:23:53 -08:00
static void fw_state_init ( struct fw_priv * fw_priv )
2016-11-17 11:00:48 +01:00
{
2017-11-20 10:23:53 -08:00
struct fw_state * fw_st = & fw_priv - > fw_st ;
firmware: fix batched requests - wake all waiters
The firmware cache mechanism serves two purposes, the secondary purpose is
not well documented nor understood. This fixes a regression with the
secondary purpose of the firmware cache mechanism: batched requests on
successful lookups. Without this fix *any* time a batched request is
triggered, secondary requests for which the batched request mechanism
was designed for will seem to last forver and seem to never return.
This issue is present for all kernel builds possible, and a hard reset
is required.
The firmware cache is used for:
1) Addressing races with file lookups during the suspend/resume cycle
by keeping firmware in memory during the suspend/resume cycle
2) Batched requests for the same file rely only on work from the first file
lookup, which keeps the firmware in memory until the last
release_firmware() is called
Batched requests *only* take effect if secondary requests come in prior to
the first user calling release_firmware(). The devres name used for the
internal firmware cache is used as a hint other pending requests are
ongoing, the firmware buffer data is kept in memory until the last user of
the buffer calls release_firmware(), therefore serializing requests and
delaying the release until all requests are done.
Batched requests wait for a wakup or signal so we can rely on the first file
fetch to write to the pending secondary requests. Commit 5b029624948d
("firmware: do not use fw_lock for fw_state protection") ported the firmware
API to use swait, and in doing so failed to convert complete_all() to
swake_up_all() -- it used swake_up(), loosing the ability for *some* batched
requests to take effect.
We *could* fix this by just using swake_up_all() *but* swait is now known
to be very special use case, so its best to just move away from it. So we
just go back to using completions as before commit 5b029624948d ("firmware:
do not use fw_lock for fw_state protection") given this was using
complete_all().
Without this fix it has been reported plugging in two Intel 6260 Wifi cards
on a system will end up enumerating the two devices only 50% of the time
[0]. The ported swake_up() should have actually handled the case with two
devices, however, *if more than two cards are used* the swake_up() would
not have sufficed. This change is only part of the required fixes for
batched requests. Another fix is provided in the next patch.
This particular change should fix the cases where more than three requests
with the same firmware name is used, otherwise batched requests will wait
for MAX_SCHEDULE_TIMEOUT and just timeout eventually.
Below is a summary of tests triggering batched requests on different
kernel builds.
Before this patch:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL FAIL
request_firmware_direct() FAIL FAIL
request_firmware_nowait(uevent=true) FAIL FAIL
request_firmware_nowait(uevent=false) FAIL FAIL
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL FAIL
request_firmware_direct() FAIL FAIL
request_firmware_nowait(uevent=true) FAIL FAIL
request_firmware_nowait(uevent=false) FAIL FAIL
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL FAIL
request_firmware_direct() FAIL FAIL
request_firmware_nowait(uevent=true) FAIL FAIL
request_firmware_nowait(uevent=false) FAIL FAIL
============================================================================
After this patch:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
[0] https://bugzilla.kernel.org/show_bug.cgi?id=195477
CC: <stable@vger.kernel.org> [4.10+]
Cc: Ming Lei <ming.lei@redhat.com>
Fixes: 5b029624948d ("firmware: do not use fw_lock for fw_state protection")
Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-20 13:13:09 -07:00
init_completion ( & fw_st - > completion ) ;
2016-11-17 11:00:48 +01:00
fw_st - > status = FW_STATUS_UNKNOWN ;
}
2017-11-20 10:23:53 -08:00
static inline int fw_state_wait ( struct fw_priv * fw_priv )
{
return __fw_state_wait_common ( fw_priv , MAX_SCHEDULE_TIMEOUT ) ;
}
2016-11-17 11:00:48 +01:00
2012-08-20 19:04:16 +08:00
static int fw_cache_piggyback_on_request ( const char * name ) ;
2017-11-20 10:23:48 -08:00
static struct fw_priv * __allocate_fw_priv ( const char * fw_name ,
struct firmware_cache * fwc ,
void * dbuf , size_t size )
2012-08-04 12:01:21 +08:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * fw_priv ;
2012-08-04 12:01:21 +08:00
2017-11-20 10:23:48 -08:00
fw_priv = kzalloc ( sizeof ( * fw_priv ) , GFP_ATOMIC ) ;
if ( ! fw_priv )
2015-05-12 14:49:43 -07:00
return NULL ;
2017-11-20 10:23:49 -08:00
fw_priv - > fw_name = kstrdup_const ( fw_name , GFP_ATOMIC ) ;
if ( ! fw_priv - > fw_name ) {
2017-11-20 10:23:48 -08:00
kfree ( fw_priv ) ;
2015-05-12 14:49:43 -07:00
return NULL ;
}
2012-08-04 12:01:21 +08:00
2017-11-20 10:23:48 -08:00
kref_init ( & fw_priv - > ref ) ;
fw_priv - > fwc = fwc ;
fw_priv - > data = dbuf ;
fw_priv - > allocated_size = size ;
2017-11-20 10:23:53 -08:00
fw_state_init ( fw_priv ) ;
2013-05-22 18:28:38 +02:00
# ifdef CONFIG_FW_LOADER_USER_HELPER
2017-11-20 10:23:48 -08:00
INIT_LIST_HEAD ( & fw_priv - > pending_list ) ;
2013-05-22 18:28:38 +02:00
# endif
2012-08-04 12:01:21 +08:00
2017-11-20 10:23:48 -08:00
pr_debug ( " %s: fw-%s fw_priv=%p \n " , __func__ , fw_name , fw_priv ) ;
2012-08-04 12:01:21 +08:00
2017-11-20 10:23:48 -08:00
return fw_priv ;
2012-08-04 12:01:21 +08:00
}
2017-11-20 10:23:48 -08:00
static struct fw_priv * __lookup_fw_priv ( const char * fw_name )
2012-08-04 12:01:22 +08:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * tmp ;
2012-08-04 12:01:22 +08:00
struct firmware_cache * fwc = & fw_cache ;
list_for_each_entry ( tmp , & fwc - > head , list )
2017-11-20 10:23:49 -08:00
if ( ! strcmp ( tmp - > fw_name , fw_name ) )
2012-08-04 12:01:22 +08:00
return tmp ;
return NULL ;
}
2017-07-20 13:13:41 -07:00
/* Returns 1 for batching firmware requests with the same name */
2017-11-20 10:23:48 -08:00
static int alloc_lookup_fw_priv ( const char * fw_name ,
struct firmware_cache * fwc ,
struct fw_priv * * fw_priv , void * dbuf ,
size_t size )
2012-08-04 12:01:21 +08:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * tmp ;
2012-08-04 12:01:21 +08:00
spin_lock ( & fwc - > lock ) ;
2017-11-20 10:23:48 -08:00
tmp = __lookup_fw_priv ( fw_name ) ;
2012-08-04 12:01:22 +08:00
if ( tmp ) {
kref_get ( & tmp - > ref ) ;
spin_unlock ( & fwc - > lock ) ;
2017-11-20 10:23:48 -08:00
* fw_priv = tmp ;
pr_debug ( " batched request - sharing the same struct fw_priv and lookup for multiple requests \n " ) ;
2012-08-04 12:01:22 +08:00
return 1 ;
}
2017-11-20 10:23:48 -08:00
tmp = __allocate_fw_priv ( fw_name , fwc , dbuf , size ) ;
2012-08-04 12:01:21 +08:00
if ( tmp )
list_add ( & tmp - > list , & fwc - > head ) ;
spin_unlock ( & fwc - > lock ) ;
2017-11-20 10:23:48 -08:00
* fw_priv = tmp ;
2012-08-04 12:01:21 +08:00
return tmp ? 0 : - ENOMEM ;
}
2017-11-20 10:23:48 -08:00
static void __free_fw_priv ( struct kref * ref )
2014-01-04 14:20:36 +01:00
__releases ( & fwc - > lock )
2012-08-04 12:01:21 +08:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * fw_priv = to_fw_priv ( ref ) ;
struct firmware_cache * fwc = fw_priv - > fwc ;
2012-08-04 12:01:21 +08:00
2017-11-20 10:23:48 -08:00
pr_debug ( " %s: fw-%s fw_priv=%p data=%p size=%u \n " ,
2017-11-20 10:23:49 -08:00
__func__ , fw_priv - > fw_name , fw_priv , fw_priv - > data ,
2017-11-20 10:23:48 -08:00
( unsigned int ) fw_priv - > size ) ;
2012-08-04 12:01:21 +08:00
2017-11-20 10:23:48 -08:00
list_del ( & fw_priv - > list ) ;
2012-08-04 12:01:21 +08:00
spin_unlock ( & fwc - > lock ) ;
2013-01-31 11:13:55 +01:00
# ifdef CONFIG_FW_LOADER_USER_HELPER
2017-11-20 10:23:48 -08:00
if ( fw_priv - > is_paged_buf ) {
2013-01-31 11:13:55 +01:00
int i ;
2017-11-20 10:23:48 -08:00
vunmap ( fw_priv - > data ) ;
for ( i = 0 ; i < fw_priv - > nr_pages ; i + + )
__free_page ( fw_priv - > pages [ i ] ) ;
vfree ( fw_priv - > pages ) ;
2012-10-09 12:01:03 +08:00
} else
2013-01-31 11:13:55 +01:00
# endif
2017-11-20 10:23:48 -08:00
if ( ! fw_priv - > allocated_size )
vfree ( fw_priv - > data ) ;
2017-11-20 10:23:49 -08:00
kfree_const ( fw_priv - > fw_name ) ;
2017-11-20 10:23:48 -08:00
kfree ( fw_priv ) ;
2012-08-04 12:01:21 +08:00
}
2017-11-20 10:23:48 -08:00
static void free_fw_priv ( struct fw_priv * fw_priv )
2012-08-04 12:01:21 +08:00
{
2017-11-20 10:23:48 -08:00
struct firmware_cache * fwc = fw_priv - > fwc ;
2012-11-10 01:27:22 +08:00
spin_lock ( & fwc - > lock ) ;
2017-11-20 10:23:48 -08:00
if ( ! kref_put ( & fw_priv - > ref , __free_fw_priv ) )
2012-11-10 01:27:22 +08:00
spin_unlock ( & fwc - > lock ) ;
2012-08-04 12:01:21 +08:00
}
2012-10-09 12:01:03 +08:00
/* direct firmware loading support */
2012-11-03 17:47:58 +08:00
static char fw_path_para [ 256 ] ;
static const char * const fw_path [ ] = {
fw_path_para ,
2012-10-09 12:01:03 +08:00
" /lib/firmware/updates/ " UTS_RELEASE ,
" /lib/firmware/updates " ,
" /lib/firmware/ " UTS_RELEASE ,
" /lib/firmware "
} ;
2012-11-03 17:47:58 +08:00
/*
* Typical usage is that passing ' firmware_class . path = $ CUSTOMIZED_PATH '
* from kernel command line because firmware_class is generally built in
* kernel instead of module .
*/
module_param_string ( path , fw_path_para , sizeof ( fw_path_para ) , 0644 ) ;
MODULE_PARM_DESC ( path , " customized firmware image search path with a higher priority than default path " ) ;
2016-08-02 14:04:28 -07:00
static int
2017-11-20 10:23:48 -08:00
fw_get_filesystem_firmware ( struct device * device , struct fw_priv * fw_priv )
2012-10-09 12:01:03 +08:00
{
2015-11-19 12:39:22 -05:00
loff_t size ;
2015-05-12 14:49:41 -07:00
int i , len ;
2013-09-06 15:36:08 -04:00
int rc = - ENOENT ;
2015-05-12 14:49:40 -07:00
char * path ;
2016-08-02 14:04:28 -07:00
enum kernel_read_file_id id = READING_FIRMWARE ;
size_t msize = INT_MAX ;
/* Already populated data member means we're loading into a buffer */
2017-11-20 10:23:48 -08:00
if ( fw_priv - > data ) {
2016-08-02 14:04:28 -07:00
id = READING_FIRMWARE_PREALLOC_BUFFER ;
2017-11-20 10:23:48 -08:00
msize = fw_priv - > allocated_size ;
2016-08-02 14:04:28 -07:00
}
2015-05-12 14:49:40 -07:00
path = __getname ( ) ;
if ( ! path )
return - ENOMEM ;
2012-10-09 12:01:03 +08:00
for ( i = 0 ; i < ARRAY_SIZE ( fw_path ) ; i + + ) {
2012-11-03 17:47:58 +08:00
/* skip the unset customized path */
if ( ! fw_path [ i ] [ 0 ] )
continue ;
2015-05-12 14:49:41 -07:00
len = snprintf ( path , PATH_MAX , " %s/%s " ,
2017-11-20 10:23:49 -08:00
fw_path [ i ] , fw_priv - > fw_name ) ;
2015-05-12 14:49:41 -07:00
if ( len > = PATH_MAX ) {
rc = - ENAMETOOLONG ;
break ;
}
2012-10-09 12:01:03 +08:00
2017-11-20 10:23:48 -08:00
fw_priv - > size = 0 ;
rc = kernel_read_file_from_path ( path , & fw_priv - > data , & size ,
msize , id ) ;
2016-02-04 13:15:02 -08:00
if ( rc ) {
2016-02-28 21:57:55 +01:00
if ( rc = = - ENOENT )
dev_dbg ( device , " loading %s failed with error %d \n " ,
path , rc ) ;
else
dev_warn ( device , " loading %s failed with error %d \n " ,
path , rc ) ;
2016-02-04 13:15:02 -08:00
continue ;
}
2017-11-20 10:23:49 -08:00
dev_dbg ( device , " direct-loading %s \n " , fw_priv - > fw_name ) ;
2017-11-20 10:23:48 -08:00
fw_priv - > size = size ;
2017-11-20 10:23:53 -08:00
fw_state_done ( fw_priv ) ;
2016-02-04 13:15:02 -08:00
break ;
2013-01-31 11:13:54 +01:00
}
2016-02-04 13:15:02 -08:00
__putname ( path ) ;
2013-01-31 11:13:54 +01:00
2013-09-06 15:36:08 -04:00
return rc ;
2012-10-09 12:01:03 +08:00
}
2013-01-31 11:13:55 +01:00
/* firmware holds the ownership of pages */
static void firmware_free_data ( const struct firmware * fw )
{
/* Loaded directly? */
if ( ! fw - > priv ) {
vfree ( fw - > data ) ;
return ;
}
2017-11-20 10:23:48 -08:00
free_fw_priv ( fw - > priv ) ;
2013-01-31 11:13:55 +01:00
}
2013-01-31 11:13:56 +01:00
/* store the pages buffer info firmware from buf */
2017-11-20 10:23:48 -08:00
static void fw_set_page_data ( struct fw_priv * fw_priv , struct firmware * fw )
2013-01-31 11:13:56 +01:00
{
2017-11-20 10:23:48 -08:00
fw - > priv = fw_priv ;
2013-01-31 11:13:56 +01:00
# ifdef CONFIG_FW_LOADER_USER_HELPER
2017-11-20 10:23:48 -08:00
fw - > pages = fw_priv - > pages ;
2013-01-31 11:13:56 +01:00
# endif
2017-11-20 10:23:48 -08:00
fw - > size = fw_priv - > size ;
fw - > data = fw_priv - > data ;
2013-01-31 11:13:56 +01:00
2017-11-20 10:23:48 -08:00
pr_debug ( " %s: fw-%s fw_priv=%p data=%p size=%u \n " ,
2017-11-20 10:23:49 -08:00
__func__ , fw_priv - > fw_name , fw_priv , fw_priv - > data ,
2017-11-20 10:23:48 -08:00
( unsigned int ) fw_priv - > size ) ;
2013-01-31 11:13:56 +01:00
}
# ifdef CONFIG_PM_SLEEP
static void fw_name_devm_release ( struct device * dev , void * res )
{
struct fw_name_devm * fwn = res ;
if ( fwn - > magic = = ( unsigned long ) & fw_cache )
pr_debug ( " %s: fw_name-%s devm-%p released \n " ,
__func__ , fwn - > name , res ) ;
2015-05-12 14:49:43 -07:00
kfree_const ( fwn - > name ) ;
2013-01-31 11:13:56 +01:00
}
static int fw_devm_match ( struct device * dev , void * res ,
void * match_data )
{
struct fw_name_devm * fwn = res ;
return ( fwn - > magic = = ( unsigned long ) & fw_cache ) & &
! strcmp ( fwn - > name , match_data ) ;
}
static struct fw_name_devm * fw_find_devm_name ( struct device * dev ,
const char * name )
{
struct fw_name_devm * fwn ;
fwn = devres_find ( dev , fw_name_devm_release ,
fw_devm_match , ( void * ) name ) ;
return fwn ;
}
/* add firmware name into devres list */
static int fw_add_devm_name ( struct device * dev , const char * name )
{
struct fw_name_devm * fwn ;
fwn = fw_find_devm_name ( dev , name ) ;
if ( fwn )
return 1 ;
2015-05-12 14:49:43 -07:00
fwn = devres_alloc ( fw_name_devm_release , sizeof ( struct fw_name_devm ) ,
GFP_KERNEL ) ;
2013-01-31 11:13:56 +01:00
if ( ! fwn )
return - ENOMEM ;
2015-05-12 14:49:43 -07:00
fwn - > name = kstrdup_const ( name , GFP_KERNEL ) ;
if ( ! fwn - > name ) {
2015-07-29 23:26:28 +03:00
devres_free ( fwn ) ;
2015-05-12 14:49:43 -07:00
return - ENOMEM ;
}
2013-01-31 11:13:56 +01:00
fwn - > magic = ( unsigned long ) & fw_cache ;
devres_add ( dev , fwn ) ;
return 0 ;
}
# else
static int fw_add_devm_name ( struct device * dev , const char * name )
{
return 0 ;
}
# endif
2018-03-10 06:14:49 -08:00
int assign_fw ( struct firmware * fw , struct device * device ,
unsigned int opt_flags )
2017-05-02 01:31:06 -07:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * fw_priv = fw - > priv ;
2017-05-02 01:31:06 -07:00
mutex_lock ( & fw_lock ) ;
2017-11-20 10:23:53 -08:00
if ( ! fw_priv - > size | | fw_state_is_aborted ( fw_priv ) ) {
2017-05-02 01:31:06 -07:00
mutex_unlock ( & fw_lock ) ;
return - ENOENT ;
}
/*
* add firmware name into devres list so that we can auto cache
* and uncache firmware for device .
*
* device may has been deleted already , but the problem
* should be fixed in devres or driver core .
*/
/* don't cache firmware handled without uevent */
if ( device & & ( opt_flags & FW_OPT_UEVENT ) & &
! ( opt_flags & FW_OPT_NOCACHE ) )
2017-11-20 10:23:49 -08:00
fw_add_devm_name ( device , fw_priv - > fw_name ) ;
2017-05-02 01:31:06 -07:00
/*
* After caching firmware image is started , let it piggyback
* on request firmware .
*/
if ( ! ( opt_flags & FW_OPT_NOCACHE ) & &
2017-11-20 10:23:48 -08:00
fw_priv - > fwc - > state = = FW_LOADER_START_CACHE ) {
2017-11-20 10:23:49 -08:00
if ( fw_cache_piggyback_on_request ( fw_priv - > fw_name ) )
2017-11-20 10:23:48 -08:00
kref_get ( & fw_priv - > ref ) ;
2017-05-02 01:31:06 -07:00
}
/* pass the pages buffer to driver at the last minute */
2017-11-20 10:23:48 -08:00
fw_set_page_data ( fw_priv , fw ) ;
2017-05-02 01:31:06 -07:00
mutex_unlock ( & fw_lock ) ;
return 0 ;
}
2013-01-31 11:13:56 +01:00
2013-01-31 11:13:54 +01:00
/* prepare firmware and firmware_buf structs;
* return 0 if a firmware is already assigned , 1 if need to load one ,
* or a negative error code
*/
static int
_request_firmware_prepare ( struct firmware * * firmware_p , const char * name ,
2016-08-02 14:04:28 -07:00
struct device * device , void * dbuf , size_t size )
2005-04-16 15:20:36 -07:00
{
struct firmware * firmware ;
2017-11-20 10:23:48 -08:00
struct fw_priv * fw_priv ;
2012-08-04 12:01:21 +08:00
int ret ;
2005-04-16 15:20:36 -07:00
2005-09-13 01:25:01 -07:00
* firmware_p = firmware = kzalloc ( sizeof ( * firmware ) , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ! firmware ) {
2008-10-15 22:04:20 -07:00
dev_err ( device , " %s: kmalloc(struct firmware) failed \n " ,
__func__ ) ;
2013-01-31 11:13:54 +01:00
return - ENOMEM ;
2005-04-16 15:20:36 -07:00
}
2016-08-02 14:04:28 -07:00
if ( fw_get_builtin_firmware ( firmware , name , dbuf , size ) ) {
2015-04-29 16:30:43 -07:00
dev_dbg ( device , " using built-in %s \n " , name ) ;
2013-01-31 11:13:54 +01:00
return 0 ; /* assigned */
2008-05-23 13:52:42 +01:00
}
2017-11-20 10:23:48 -08:00
ret = alloc_lookup_fw_priv ( name , & fw_cache , & fw_priv , dbuf , size ) ;
2013-01-31 11:13:54 +01:00
/*
2017-11-20 10:23:48 -08:00
* bind with ' priv ' now to avoid warning in failure path
2013-01-31 11:13:54 +01:00
* of requesting firmware .
*/
2017-11-20 10:23:48 -08:00
firmware - > priv = fw_priv ;
2013-01-31 11:13:54 +01:00
if ( ret > 0 ) {
2017-11-20 10:23:53 -08:00
ret = fw_state_wait ( fw_priv ) ;
2013-01-31 11:13:54 +01:00
if ( ! ret ) {
2017-11-20 10:23:48 -08:00
fw_set_page_data ( fw_priv , firmware ) ;
2013-01-31 11:13:54 +01:00
return 0 ; /* assigned */
}
2012-03-28 23:30:43 +02:00
}
2012-03-28 23:29:55 +02:00
2013-01-31 11:13:54 +01:00
if ( ret < 0 )
return ret ;
return 1 ; /* need to load */
}
firmware: fix batched requests - send wake up on failure on direct lookups
Fix batched requests from waiting forever on failure.
The firmware API batched requests feature has been broken since the API call
request_firmware_direct() was introduced on commit bba3a87e982ad ("firmware:
Introduce request_firmware_direct()"), added on v3.14 *iff* the firmware
being requested was not present in *certain kernel builds* [0].
When no firmware is found the worker which goes on to finish never informs
waiters queued up of this, so any batched request will stall in what seems
to be forever (MAX_SCHEDULE_TIMEOUT). Sadly, a reboot will also stall, as
the reboot notifier was only designed to kill custom fallback workers. The
issue seems to the user as a type of soft lockup, what *actually* happens
underneath the hood is a wait call which never completes as we failed to
issue a completion on error.
For device drivers with optional firmware schemes (ie, Intel iwlwifi, or
Netronome -- even though it uses request_firmware() and not
request_firmware_direct()), this could mean that when you boot a system with
multiple cards the firmware will seem to never load on the system, or that
the card is just not responsive even the driver initialization. Due to
differences in scheduling possible this should not always trigger --
one would need to to ensure that multiple requests are in place at the
right time for this to work, also release_firmware() must not be called
prior to any other incoming request. The complexity may not be worth
supporting batched requests in the future given the wait mechanism is
only used also for the fallback mechanism. We'll keep it for now and
just fix it.
Its reported that at least with the Intel WiFi cards on one system this
issue was creeping up 50% of the boots [0].
Before this commit batched requests testing revealed:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
Ater this commit batched testing results:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
[0] https://bugzilla.kernel.org/show_bug.cgi?id=195477
Cc: stable <stable@vger.kernel.org> # v3.14
Fixes: bba3a87e982ad ("firmware: Introduce request_firmware_direct()"
Reported-by: Nicolas <nbroeking@me.com>
Reported-by: John Ewalt <jewalt@lgsinnovations.com>
Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-20 13:13:10 -07:00
/*
* Batched requests need only one wake , we need to do this step last due to the
* fallback mechanism . The buf is protected with kref_get ( ) , and it won ' t be
* released until the last user calls release_firmware ( ) .
*
* Failed batched requests are possible as well , in such cases we just share
2017-11-20 10:23:48 -08:00
* the struct fw_priv and won ' t release it until all requests are woken
firmware: fix batched requests - send wake up on failure on direct lookups
Fix batched requests from waiting forever on failure.
The firmware API batched requests feature has been broken since the API call
request_firmware_direct() was introduced on commit bba3a87e982ad ("firmware:
Introduce request_firmware_direct()"), added on v3.14 *iff* the firmware
being requested was not present in *certain kernel builds* [0].
When no firmware is found the worker which goes on to finish never informs
waiters queued up of this, so any batched request will stall in what seems
to be forever (MAX_SCHEDULE_TIMEOUT). Sadly, a reboot will also stall, as
the reboot notifier was only designed to kill custom fallback workers. The
issue seems to the user as a type of soft lockup, what *actually* happens
underneath the hood is a wait call which never completes as we failed to
issue a completion on error.
For device drivers with optional firmware schemes (ie, Intel iwlwifi, or
Netronome -- even though it uses request_firmware() and not
request_firmware_direct()), this could mean that when you boot a system with
multiple cards the firmware will seem to never load on the system, or that
the card is just not responsive even the driver initialization. Due to
differences in scheduling possible this should not always trigger --
one would need to to ensure that multiple requests are in place at the
right time for this to work, also release_firmware() must not be called
prior to any other incoming request. The complexity may not be worth
supporting batched requests in the future given the wait mechanism is
only used also for the fallback mechanism. We'll keep it for now and
just fix it.
Its reported that at least with the Intel WiFi cards on one system this
issue was creeping up 50% of the boots [0].
Before this commit batched requests testing revealed:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
Ater this commit batched testing results:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
[0] https://bugzilla.kernel.org/show_bug.cgi?id=195477
Cc: stable <stable@vger.kernel.org> # v3.14
Fixes: bba3a87e982ad ("firmware: Introduce request_firmware_direct()"
Reported-by: Nicolas <nbroeking@me.com>
Reported-by: John Ewalt <jewalt@lgsinnovations.com>
Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-20 13:13:10 -07:00
* and have gone through this same path .
*/
static void fw_abort_batch_reqs ( struct firmware * fw )
{
2017-11-20 10:23:48 -08:00
struct fw_priv * fw_priv ;
firmware: fix batched requests - send wake up on failure on direct lookups
Fix batched requests from waiting forever on failure.
The firmware API batched requests feature has been broken since the API call
request_firmware_direct() was introduced on commit bba3a87e982ad ("firmware:
Introduce request_firmware_direct()"), added on v3.14 *iff* the firmware
being requested was not present in *certain kernel builds* [0].
When no firmware is found the worker which goes on to finish never informs
waiters queued up of this, so any batched request will stall in what seems
to be forever (MAX_SCHEDULE_TIMEOUT). Sadly, a reboot will also stall, as
the reboot notifier was only designed to kill custom fallback workers. The
issue seems to the user as a type of soft lockup, what *actually* happens
underneath the hood is a wait call which never completes as we failed to
issue a completion on error.
For device drivers with optional firmware schemes (ie, Intel iwlwifi, or
Netronome -- even though it uses request_firmware() and not
request_firmware_direct()), this could mean that when you boot a system with
multiple cards the firmware will seem to never load on the system, or that
the card is just not responsive even the driver initialization. Due to
differences in scheduling possible this should not always trigger --
one would need to to ensure that multiple requests are in place at the
right time for this to work, also release_firmware() must not be called
prior to any other incoming request. The complexity may not be worth
supporting batched requests in the future given the wait mechanism is
only used also for the fallback mechanism. We'll keep it for now and
just fix it.
Its reported that at least with the Intel WiFi cards on one system this
issue was creeping up 50% of the boots [0].
Before this commit batched requests testing revealed:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
Ater this commit batched testing results:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
[0] https://bugzilla.kernel.org/show_bug.cgi?id=195477
Cc: stable <stable@vger.kernel.org> # v3.14
Fixes: bba3a87e982ad ("firmware: Introduce request_firmware_direct()"
Reported-by: Nicolas <nbroeking@me.com>
Reported-by: John Ewalt <jewalt@lgsinnovations.com>
Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-20 13:13:10 -07:00
/* Loaded directly? */
if ( ! fw | | ! fw - > priv )
return ;
2017-11-20 10:23:48 -08:00
fw_priv = fw - > priv ;
2017-11-20 10:23:53 -08:00
if ( ! fw_state_is_aborted ( fw_priv ) )
fw_state_aborted ( fw_priv ) ;
firmware: fix batched requests - send wake up on failure on direct lookups
Fix batched requests from waiting forever on failure.
The firmware API batched requests feature has been broken since the API call
request_firmware_direct() was introduced on commit bba3a87e982ad ("firmware:
Introduce request_firmware_direct()"), added on v3.14 *iff* the firmware
being requested was not present in *certain kernel builds* [0].
When no firmware is found the worker which goes on to finish never informs
waiters queued up of this, so any batched request will stall in what seems
to be forever (MAX_SCHEDULE_TIMEOUT). Sadly, a reboot will also stall, as
the reboot notifier was only designed to kill custom fallback workers. The
issue seems to the user as a type of soft lockup, what *actually* happens
underneath the hood is a wait call which never completes as we failed to
issue a completion on error.
For device drivers with optional firmware schemes (ie, Intel iwlwifi, or
Netronome -- even though it uses request_firmware() and not
request_firmware_direct()), this could mean that when you boot a system with
multiple cards the firmware will seem to never load on the system, or that
the card is just not responsive even the driver initialization. Due to
differences in scheduling possible this should not always trigger --
one would need to to ensure that multiple requests are in place at the
right time for this to work, also release_firmware() must not be called
prior to any other incoming request. The complexity may not be worth
supporting batched requests in the future given the wait mechanism is
only used also for the fallback mechanism. We'll keep it for now and
just fix it.
Its reported that at least with the Intel WiFi cards on one system this
issue was creeping up 50% of the boots [0].
Before this commit batched requests testing revealed:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
Ater this commit batched testing results:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
[0] https://bugzilla.kernel.org/show_bug.cgi?id=195477
Cc: stable <stable@vger.kernel.org> # v3.14
Fixes: bba3a87e982ad ("firmware: Introduce request_firmware_direct()"
Reported-by: Nicolas <nbroeking@me.com>
Reported-by: John Ewalt <jewalt@lgsinnovations.com>
Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-20 13:13:10 -07:00
}
2013-01-31 11:13:54 +01:00
/* called from request_firmware() and request_firmware_work_func() */
static int
_request_firmware ( const struct firmware * * firmware_p , const char * name ,
2016-08-02 14:04:28 -07:00
struct device * device , void * buf , size_t size ,
unsigned int opt_flags )
2013-01-31 11:13:54 +01:00
{
2015-12-09 14:50:28 -08:00
struct firmware * fw = NULL ;
2013-01-31 11:13:54 +01:00
int ret ;
if ( ! firmware_p )
return - EINVAL ;
2015-12-09 14:50:28 -08:00
if ( ! name | | name [ 0 ] = = ' \0 ' ) {
ret = - EINVAL ;
goto out ;
}
2014-09-18 11:25:37 -07:00
2016-08-02 14:04:28 -07:00
ret = _request_firmware_prepare ( & fw , name , device , buf , size ) ;
2013-01-31 11:13:54 +01:00
if ( ret < = 0 ) /* error or already assigned */
goto out ;
2013-09-06 15:36:08 -04:00
ret = fw_get_filesystem_firmware ( device , fw - > priv ) ;
if ( ret ) {
2014-07-02 09:55:05 -07:00
if ( ! ( opt_flags & FW_OPT_NO_WARN ) )
2013-12-02 15:38:16 +01:00
dev_warn ( device ,
2014-07-02 09:55:05 -07:00
" Direct firmware load for %s failed with error %d \n " ,
name , ret ) ;
2017-11-20 10:23:57 -08:00
ret = fw_sysfs_fallback ( fw , name , device , opt_flags , ret ) ;
2017-05-02 01:31:07 -07:00
} else
2017-11-20 10:23:48 -08:00
ret = assign_fw ( fw , device , opt_flags ) ;
2013-01-31 11:13:54 +01:00
out :
if ( ret < 0 ) {
firmware: fix batched requests - send wake up on failure on direct lookups
Fix batched requests from waiting forever on failure.
The firmware API batched requests feature has been broken since the API call
request_firmware_direct() was introduced on commit bba3a87e982ad ("firmware:
Introduce request_firmware_direct()"), added on v3.14 *iff* the firmware
being requested was not present in *certain kernel builds* [0].
When no firmware is found the worker which goes on to finish never informs
waiters queued up of this, so any batched request will stall in what seems
to be forever (MAX_SCHEDULE_TIMEOUT). Sadly, a reboot will also stall, as
the reboot notifier was only designed to kill custom fallback workers. The
issue seems to the user as a type of soft lockup, what *actually* happens
underneath the hood is a wait call which never completes as we failed to
issue a completion on error.
For device drivers with optional firmware schemes (ie, Intel iwlwifi, or
Netronome -- even though it uses request_firmware() and not
request_firmware_direct()), this could mean that when you boot a system with
multiple cards the firmware will seem to never load on the system, or that
the card is just not responsive even the driver initialization. Due to
differences in scheduling possible this should not always trigger --
one would need to to ensure that multiple requests are in place at the
right time for this to work, also release_firmware() must not be called
prior to any other incoming request. The complexity may not be worth
supporting batched requests in the future given the wait mechanism is
only used also for the fallback mechanism. We'll keep it for now and
just fix it.
Its reported that at least with the Intel WiFi cards on one system this
issue was creeping up 50% of the boots [0].
Before this commit batched requests testing revealed:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() FAIL OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) FAIL OK
request_firmware_nowait(uevent=false) FAIL OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() FAIL OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
Ater this commit batched testing results:
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=y
Most common Linux distribution setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=n
CONFIG_FW_LOADER_USER_HELPER=n
Only possible if CONFIG_DELL_RBU=n and CONFIG_LEDS_LP55XX_COMMON=n, rare.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
CONFIG_FW_LOADER_USER_HELPER=y
Google Android setup.
API-type no-firmware-found firmware-found
----------------------------------------------------------------------
request_firmware() OK OK
request_firmware_direct() OK OK
request_firmware_nowait(uevent=true) OK OK
request_firmware_nowait(uevent=false) OK OK
============================================================================
[0] https://bugzilla.kernel.org/show_bug.cgi?id=195477
Cc: stable <stable@vger.kernel.org> # v3.14
Fixes: bba3a87e982ad ("firmware: Introduce request_firmware_direct()"
Reported-by: Nicolas <nbroeking@me.com>
Reported-by: John Ewalt <jewalt@lgsinnovations.com>
Reported-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-20 13:13:10 -07:00
fw_abort_batch_reqs ( fw ) ;
2013-01-31 11:13:54 +01:00
release_firmware ( fw ) ;
fw = NULL ;
}
* firmware_p = fw ;
return ret ;
}
2005-09-06 15:17:13 -07:00
/**
2005-11-16 09:00:00 +01:00
* request_firmware : - send firmware request and wait for it
2005-10-30 15:03:01 -08:00
* @ firmware_p : pointer to firmware image
* @ name : name of firmware file
* @ device : device for which firmware is being loaded
*
* @ firmware_p will be used to return a firmware image by the name
2005-09-06 15:17:13 -07:00
* of @ name for device @ device .
*
* Should be called from user context where sleeping is allowed .
*
2005-11-16 09:00:00 +01:00
* @ name will be used as $ FIRMWARE in the uevent environment and
2005-09-06 15:17:13 -07:00
* should be distinctive enough not to be confused with any other
* firmware image for this or any other device .
2012-08-04 12:01:23 +08:00
*
* Caller must hold the reference count of @ device .
2012-11-03 17:48:16 +08:00
*
* The function can be called safely inside device ' s suspend and
* resume callback .
2005-09-06 15:17:13 -07:00
* */
int
request_firmware ( const struct firmware * * firmware_p , const char * name ,
2015-03-08 12:41:15 +02:00
struct device * device )
2005-09-06 15:17:13 -07:00
{
2013-06-06 20:01:48 +08:00
int ret ;
/* Need to pin this module until return */
__module_get ( THIS_MODULE ) ;
2016-08-02 14:04:28 -07:00
ret = _request_firmware ( firmware_p , name , device , NULL , 0 ,
2017-11-20 10:23:58 -08:00
FW_OPT_UEVENT ) ;
2013-06-06 20:01:48 +08:00
module_put ( THIS_MODULE ) ;
return ret ;
2005-09-06 15:17:13 -07:00
}
2013-05-23 22:17:18 +02:00
EXPORT_SYMBOL ( request_firmware ) ;
2005-09-06 15:17:13 -07:00
2013-12-02 15:38:16 +01:00
/**
2014-12-03 22:46:37 +01:00
* request_firmware_direct : - load firmware directly without usermode helper
2013-12-02 15:38:16 +01:00
* @ firmware_p : pointer to firmware image
* @ name : name of firmware file
* @ device : device for which firmware is being loaded
*
* This function works pretty much like request_firmware ( ) , but this doesn ' t
* fall back to usermode helper even if the firmware couldn ' t be loaded
* directly from fs . Hence it ' s useful for loading optional firmwares , which
* aren ' t always present , without extra long timeouts of udev .
* */
int request_firmware_direct ( const struct firmware * * firmware_p ,
const char * name , struct device * device )
{
int ret ;
2015-03-08 12:41:15 +02:00
2013-12-02 15:38:16 +01:00
__module_get ( THIS_MODULE ) ;
2016-08-02 14:04:28 -07:00
ret = _request_firmware ( firmware_p , name , device , NULL , 0 ,
2017-11-20 10:23:58 -08:00
FW_OPT_UEVENT | FW_OPT_NO_WARN |
FW_OPT_NOFALLBACK ) ;
2013-12-02 15:38:16 +01:00
module_put ( THIS_MODULE ) ;
return ret ;
}
EXPORT_SYMBOL_GPL ( request_firmware_direct ) ;
2016-08-02 14:04:28 -07:00
/**
* request_firmware_into_buf - load firmware into a previously allocated buffer
* @ firmware_p : pointer to firmware image
* @ name : name of firmware file
* @ device : device for which firmware is being loaded and DMA region allocated
* @ buf : address of buffer to load firmware into
* @ size : size of buffer
*
* This function works pretty much like request_firmware ( ) , but it doesn ' t
* allocate a buffer to hold the firmware data . Instead , the firmware
* is loaded directly into the buffer pointed to by @ buf and the @ firmware_p
* data member is pointed at @ buf .
*
* This function doesn ' t cache firmware either .
*/
int
request_firmware_into_buf ( const struct firmware * * firmware_p , const char * name ,
struct device * device , void * buf , size_t size )
{
int ret ;
__module_get ( THIS_MODULE ) ;
ret = _request_firmware ( firmware_p , name , device , buf , size ,
2017-11-20 10:23:58 -08:00
FW_OPT_UEVENT | FW_OPT_NOCACHE ) ;
2016-08-02 14:04:28 -07:00
module_put ( THIS_MODULE ) ;
return ret ;
}
EXPORT_SYMBOL ( request_firmware_into_buf ) ;
2005-04-16 15:20:36 -07:00
/**
* release_firmware : - release the resource associated with a firmware image
2005-10-30 15:03:01 -08:00
* @ fw : firmware resource to release
2005-04-16 15:20:36 -07:00
* */
2010-03-13 23:49:18 -08:00
void release_firmware ( const struct firmware * fw )
2005-04-16 15:20:36 -07:00
{
if ( fw ) {
2010-03-13 23:49:18 -08:00
if ( ! fw_is_builtin_firmware ( fw ) )
firmware_free_data ( fw ) ;
2005-04-16 15:20:36 -07:00
kfree ( fw ) ;
}
}
2013-05-23 22:17:18 +02:00
EXPORT_SYMBOL ( release_firmware ) ;
2005-04-16 15:20:36 -07:00
/* Async support */
struct firmware_work {
struct work_struct work ;
struct module * module ;
const char * name ;
struct device * device ;
void * context ;
void ( * cont ) ( const struct firmware * fw , void * context ) ;
2013-12-02 15:38:18 +01:00
unsigned int opt_flags ;
2005-04-16 15:20:36 -07:00
} ;
2012-03-28 23:31:00 +02:00
static void request_firmware_work_func ( struct work_struct * work )
2005-04-16 15:20:36 -07:00
{
2012-03-28 23:31:00 +02:00
struct firmware_work * fw_work ;
2005-04-16 15:20:36 -07:00
const struct firmware * fw ;
2010-06-04 00:54:43 -07:00
2012-03-28 23:31:00 +02:00
fw_work = container_of ( work , struct firmware_work , work ) ;
2012-03-28 23:29:55 +02:00
2016-08-02 14:04:28 -07:00
_request_firmware ( & fw , fw_work - > name , fw_work - > device , NULL , 0 ,
2013-12-02 15:38:18 +01:00
fw_work - > opt_flags ) ;
2009-10-29 12:36:02 +01:00
fw_work - > cont ( fw , fw_work - > context ) ;
2013-01-31 11:13:54 +01:00
put_device ( fw_work - > device ) ; /* taken in request_firmware_nowait() */
2009-10-29 12:36:02 +01:00
2005-04-16 15:20:36 -07:00
module_put ( fw_work - > module ) ;
firmware: fix possible use after free on name on asynchronous request
Asynchronous firmware loading copies the pointer to the
name passed as an argument only to be scheduled later and
used. This behaviour works well for synchronous calling
but in asynchronous mode there's a chance the caller could
immediately free the passed string after making the
asynchronous call. This could trigger a use after free
having the kernel look on disk for arbitrary file names.
In order to force-test the issue you can use a test-driver
designed to illustrate this issue on github [0], use the
next-20150505-fix-use-after-free branch.
With this patch applied you get:
[ 283.512445] firmware name: test_module_stuff.bin
[ 287.514020] firmware name: test_module_stuff.bin
[ 287.532489] firmware found
Without this patch applied you can end up with something such as:
[ 135.624216] firmware name: \xffffff80BJ
[ 135.624249] platform fake-dev.0: Direct firmware load for \xffffff80Bi failed with error -2
[ 135.624252] No firmware found
[ 135.624252] firmware found
Unfortunatley in the worst and most common case however you
can typically crash your system with a page fault by trying to
free something which you cannot, and/or a NULL pointer
dereference [1].
The fix and issue using schedule_work() for asynchronous
runs is generalized in the following SmPL grammar patch,
when applied to next-20150505 only the firmware_class
code is affected. This grammar patch can and should further
be generalized to vet for for other kernel asynchronous
mechanisms.
@ calls_schedule_work @
type T;
T *priv_work;
identifier func, work_func;
identifier work;
identifier priv_name, name;
expression gfp;
@@
func(..., const char *name, ...)
{
...
priv_work = kzalloc(sizeof(T), gfp);
...
- priv_work->priv_name = name;
+ priv_work->priv_name = kstrdup_const(name, gfp);
...
(... when any
if (...)
{
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
) ... when any
INIT_WORK(&priv_work->work, work_func);
...
schedule_work(&priv_work->work);
...
}
@ the_work_func depends on calls_schedule_work @
type calls_schedule_work.T;
T *priv_work;
identifier calls_schedule_work.work_func;
identifier calls_schedule_work.priv_name;
identifier calls_schedule_work.work;
identifier some_work;
@@
work_func(...)
{
...
priv_work = container_of(some_work, T, work);
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
[0] https://github.com/mcgrof/fake-firmware-test.git
[1] The following kernel ring buffer splat:
firmware name: test_module_stuff.bin
firmware name:
firmware found
general protection fault: 0000 [#1] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
Workqueue: events request_firmware_work_func
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff814a586c>] [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP: 0000:ffff8800c7f97d78 EFLAGS: 00010286
RAX: ffffffff81ae3700 RBX: ffffffff816d1181 RCX: 0000000000000006
RDX: 0001ee850ff68500 RSI: 0000000000000246 RDI: c35d5f415e415d41
RBP: ffff8800c7f97d88 R08: 000000000000000a R09: 0000000000000000
R10: 0000000000000358 R11: ffff8800c7f97a7e R12: ffff8800c7ec1e80
R13: ffff88021e2d4cc0 R14: ffff88021e2dff00 R15: 00000000000000c0
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000034b8cd8 CR3: 000000021073c000 CR4: 00000000001407e0
Stack:
ffffffff816d1181 ffff8800c7ec1e80 ffff8800c7f97da8 ffffffff814a58f8
000000000000000a ffffffff816d1181 ffff8800c7f97dc8 ffffffffa047002c
ffff88021e2dff00 ffff8802116ac1c0 ffff8800c7f97df8 ffffffff814a65fe
Call Trace:
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: c7 c6 dd ad a3 81 48 c7 c7 20 97 ce 81 31 c0 e8 0b b2 ed ff e9 78 ff ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <4c> 8b 67 38 48 89 fb 4c 89 e7 e8 85 f7 22 00 f0 83 2b 01 74 0f
RIP [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP <ffff8800c7f97d78>
---[ end trace 4e62c56a58d0eac1 ]---
BUG: unable to handle kernel paging request at ffffffffffffffd8
IP: [<ffffffff81093ee0>] kthread_data+0x10/0x20
PGD 1c13067 PUD 1c15067 PMD 0
Oops: 0000 [#2] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G D O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff81092ee0>] [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP: 0018:ffff8800c7f97b18 EFLAGS: 00010096
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 000000000000000d
RDX: 0000000000000003 RSI: 0000000000000003 RDI: ffff8800c7f8e290
RBP: ffff8800c7f97b18 R08: 000000000000bc00 R09: 0000000000007e76
R10: 0000000000000001 R11: 000000000000002f R12: ffff8800c7f8e290
R13: 00000000000154c0 R14: 0000000000000003 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000210675000 CR4: 00000000001407e0
Stack:
ffff8800c7f97b38 ffffffff8108dcd5 ffff8800c7f97b38 ffff88021e2d54c0
ffff8800c7f97b88 ffffffff816d1500 ffff880213d42368 ffff8800c7f8e290
ffff8800c7f97b88 ffff8800c7f97fd8 ffff8800c7f8e710 0000000000000246
Call Trace:
[<ffffffff8108dcd5>] wq_worker_sleeping+0x15/0xa0
[<ffffffff816d1500>] __schedule+0x6e0/0x940
[<ffffffff816d1797>] schedule+0x37/0x90
[<ffffffff810779bc>] do_exit+0x6bc/0xb40
[<ffffffff8101898f>] oops_end+0x9f/0xe0
[<ffffffff81018efb>] die+0x4b/0x70
[<ffffffff81015622>] do_general_protection+0xe2/0x170
[<ffffffff816d74e8>] general_protection+0x28/0x30
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a586c>] ? fw_free_buf+0xc/0x40
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: 00 48 89 e5 5d 48 8b 40 c8 48 c1 e8 02 83 e0 01 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 87 30 05 00 00 55 48 89 e5 <48> 8b 40 d8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
RIP [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP <ffff8800c7f97b18>
CR2: ffffffffffffffd8
---[ end trace 4e62c56a58d0eac2 ]---
Fixing recursive fault but reboot is needed!
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: David Howells <dhowells@redhat.com>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Kyle McMartin <kyle@kernel.org>
Generated-by: Coccinelle SmPL
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-12 14:49:42 -07:00
kfree_const ( fw_work - > name ) ;
2005-04-16 15:20:36 -07:00
kfree ( fw_work ) ;
}
/**
2010-02-14 14:18:53 +00:00
* request_firmware_nowait - asynchronous version of request_firmware
2005-10-30 15:03:01 -08:00
* @ module : module requesting the firmware
2005-11-16 09:00:00 +01:00
* @ uevent : sends uevent to copy the firmware image if this flag
2005-10-30 15:03:01 -08:00
* is non - zero else the firmware copy must be done manually .
* @ name : name of firmware file
* @ device : device for which firmware is being loaded
2009-10-29 12:36:02 +01:00
* @ gfp : allocation flags
2005-10-30 15:03:01 -08:00
* @ context : will be passed over to @ cont , and
* @ fw may be % NULL if firmware request fails .
* @ cont : function will be called asynchronously when the firmware
* request is over .
2005-04-16 15:20:36 -07:00
*
2012-08-04 12:01:23 +08:00
* Caller must hold the reference count of @ device .
*
2012-08-04 12:01:24 +08:00
* Asynchronous variant of request_firmware ( ) for user contexts :
* - sleep for as small periods as possible since it may
2016-11-25 15:59:47 +01:00
* increase kernel boot time of built - in device drivers
* requesting firmware in their - > probe ( ) methods , if
* @ gfp is GFP_KERNEL .
2012-08-04 12:01:24 +08:00
*
* - can ' t sleep at all if @ gfp is GFP_ATOMIC .
2005-04-16 15:20:36 -07:00
* */
int
request_firmware_nowait (
2011-01-26 18:33:32 +08:00
struct module * module , bool uevent ,
2009-10-29 12:36:02 +01:00
const char * name , struct device * device , gfp_t gfp , void * context ,
2005-04-16 15:20:36 -07:00
void ( * cont ) ( const struct firmware * fw , void * context ) )
{
2010-06-04 00:54:43 -07:00
struct firmware_work * fw_work ;
2005-04-16 15:20:36 -07:00
2015-03-08 12:41:15 +02:00
fw_work = kzalloc ( sizeof ( struct firmware_work ) , gfp ) ;
2005-04-16 15:20:36 -07:00
if ( ! fw_work )
return - ENOMEM ;
2010-06-04 00:54:43 -07:00
fw_work - > module = module ;
firmware: fix possible use after free on name on asynchronous request
Asynchronous firmware loading copies the pointer to the
name passed as an argument only to be scheduled later and
used. This behaviour works well for synchronous calling
but in asynchronous mode there's a chance the caller could
immediately free the passed string after making the
asynchronous call. This could trigger a use after free
having the kernel look on disk for arbitrary file names.
In order to force-test the issue you can use a test-driver
designed to illustrate this issue on github [0], use the
next-20150505-fix-use-after-free branch.
With this patch applied you get:
[ 283.512445] firmware name: test_module_stuff.bin
[ 287.514020] firmware name: test_module_stuff.bin
[ 287.532489] firmware found
Without this patch applied you can end up with something such as:
[ 135.624216] firmware name: \xffffff80BJ
[ 135.624249] platform fake-dev.0: Direct firmware load for \xffffff80Bi failed with error -2
[ 135.624252] No firmware found
[ 135.624252] firmware found
Unfortunatley in the worst and most common case however you
can typically crash your system with a page fault by trying to
free something which you cannot, and/or a NULL pointer
dereference [1].
The fix and issue using schedule_work() for asynchronous
runs is generalized in the following SmPL grammar patch,
when applied to next-20150505 only the firmware_class
code is affected. This grammar patch can and should further
be generalized to vet for for other kernel asynchronous
mechanisms.
@ calls_schedule_work @
type T;
T *priv_work;
identifier func, work_func;
identifier work;
identifier priv_name, name;
expression gfp;
@@
func(..., const char *name, ...)
{
...
priv_work = kzalloc(sizeof(T), gfp);
...
- priv_work->priv_name = name;
+ priv_work->priv_name = kstrdup_const(name, gfp);
...
(... when any
if (...)
{
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
) ... when any
INIT_WORK(&priv_work->work, work_func);
...
schedule_work(&priv_work->work);
...
}
@ the_work_func depends on calls_schedule_work @
type calls_schedule_work.T;
T *priv_work;
identifier calls_schedule_work.work_func;
identifier calls_schedule_work.priv_name;
identifier calls_schedule_work.work;
identifier some_work;
@@
work_func(...)
{
...
priv_work = container_of(some_work, T, work);
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
[0] https://github.com/mcgrof/fake-firmware-test.git
[1] The following kernel ring buffer splat:
firmware name: test_module_stuff.bin
firmware name:
firmware found
general protection fault: 0000 [#1] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
Workqueue: events request_firmware_work_func
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff814a586c>] [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP: 0000:ffff8800c7f97d78 EFLAGS: 00010286
RAX: ffffffff81ae3700 RBX: ffffffff816d1181 RCX: 0000000000000006
RDX: 0001ee850ff68500 RSI: 0000000000000246 RDI: c35d5f415e415d41
RBP: ffff8800c7f97d88 R08: 000000000000000a R09: 0000000000000000
R10: 0000000000000358 R11: ffff8800c7f97a7e R12: ffff8800c7ec1e80
R13: ffff88021e2d4cc0 R14: ffff88021e2dff00 R15: 00000000000000c0
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000034b8cd8 CR3: 000000021073c000 CR4: 00000000001407e0
Stack:
ffffffff816d1181 ffff8800c7ec1e80 ffff8800c7f97da8 ffffffff814a58f8
000000000000000a ffffffff816d1181 ffff8800c7f97dc8 ffffffffa047002c
ffff88021e2dff00 ffff8802116ac1c0 ffff8800c7f97df8 ffffffff814a65fe
Call Trace:
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: c7 c6 dd ad a3 81 48 c7 c7 20 97 ce 81 31 c0 e8 0b b2 ed ff e9 78 ff ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <4c> 8b 67 38 48 89 fb 4c 89 e7 e8 85 f7 22 00 f0 83 2b 01 74 0f
RIP [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP <ffff8800c7f97d78>
---[ end trace 4e62c56a58d0eac1 ]---
BUG: unable to handle kernel paging request at ffffffffffffffd8
IP: [<ffffffff81093ee0>] kthread_data+0x10/0x20
PGD 1c13067 PUD 1c15067 PMD 0
Oops: 0000 [#2] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G D O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff81092ee0>] [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP: 0018:ffff8800c7f97b18 EFLAGS: 00010096
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 000000000000000d
RDX: 0000000000000003 RSI: 0000000000000003 RDI: ffff8800c7f8e290
RBP: ffff8800c7f97b18 R08: 000000000000bc00 R09: 0000000000007e76
R10: 0000000000000001 R11: 000000000000002f R12: ffff8800c7f8e290
R13: 00000000000154c0 R14: 0000000000000003 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000210675000 CR4: 00000000001407e0
Stack:
ffff8800c7f97b38 ffffffff8108dcd5 ffff8800c7f97b38 ffff88021e2d54c0
ffff8800c7f97b88 ffffffff816d1500 ffff880213d42368 ffff8800c7f8e290
ffff8800c7f97b88 ffff8800c7f97fd8 ffff8800c7f8e710 0000000000000246
Call Trace:
[<ffffffff8108dcd5>] wq_worker_sleeping+0x15/0xa0
[<ffffffff816d1500>] __schedule+0x6e0/0x940
[<ffffffff816d1797>] schedule+0x37/0x90
[<ffffffff810779bc>] do_exit+0x6bc/0xb40
[<ffffffff8101898f>] oops_end+0x9f/0xe0
[<ffffffff81018efb>] die+0x4b/0x70
[<ffffffff81015622>] do_general_protection+0xe2/0x170
[<ffffffff816d74e8>] general_protection+0x28/0x30
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a586c>] ? fw_free_buf+0xc/0x40
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: 00 48 89 e5 5d 48 8b 40 c8 48 c1 e8 02 83 e0 01 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 87 30 05 00 00 55 48 89 e5 <48> 8b 40 d8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
RIP [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP <ffff8800c7f97b18>
CR2: ffffffffffffffd8
---[ end trace 4e62c56a58d0eac2 ]---
Fixing recursive fault but reboot is needed!
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: David Howells <dhowells@redhat.com>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Kyle McMartin <kyle@kernel.org>
Generated-by: Coccinelle SmPL
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-12 14:49:42 -07:00
fw_work - > name = kstrdup_const ( name , gfp ) ;
2015-05-28 17:46:42 -07:00
if ( ! fw_work - > name ) {
kfree ( fw_work ) ;
firmware: fix possible use after free on name on asynchronous request
Asynchronous firmware loading copies the pointer to the
name passed as an argument only to be scheduled later and
used. This behaviour works well for synchronous calling
but in asynchronous mode there's a chance the caller could
immediately free the passed string after making the
asynchronous call. This could trigger a use after free
having the kernel look on disk for arbitrary file names.
In order to force-test the issue you can use a test-driver
designed to illustrate this issue on github [0], use the
next-20150505-fix-use-after-free branch.
With this patch applied you get:
[ 283.512445] firmware name: test_module_stuff.bin
[ 287.514020] firmware name: test_module_stuff.bin
[ 287.532489] firmware found
Without this patch applied you can end up with something such as:
[ 135.624216] firmware name: \xffffff80BJ
[ 135.624249] platform fake-dev.0: Direct firmware load for \xffffff80Bi failed with error -2
[ 135.624252] No firmware found
[ 135.624252] firmware found
Unfortunatley in the worst and most common case however you
can typically crash your system with a page fault by trying to
free something which you cannot, and/or a NULL pointer
dereference [1].
The fix and issue using schedule_work() for asynchronous
runs is generalized in the following SmPL grammar patch,
when applied to next-20150505 only the firmware_class
code is affected. This grammar patch can and should further
be generalized to vet for for other kernel asynchronous
mechanisms.
@ calls_schedule_work @
type T;
T *priv_work;
identifier func, work_func;
identifier work;
identifier priv_name, name;
expression gfp;
@@
func(..., const char *name, ...)
{
...
priv_work = kzalloc(sizeof(T), gfp);
...
- priv_work->priv_name = name;
+ priv_work->priv_name = kstrdup_const(name, gfp);
...
(... when any
if (...)
{
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
) ... when any
INIT_WORK(&priv_work->work, work_func);
...
schedule_work(&priv_work->work);
...
}
@ the_work_func depends on calls_schedule_work @
type calls_schedule_work.T;
T *priv_work;
identifier calls_schedule_work.work_func;
identifier calls_schedule_work.priv_name;
identifier calls_schedule_work.work;
identifier some_work;
@@
work_func(...)
{
...
priv_work = container_of(some_work, T, work);
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
[0] https://github.com/mcgrof/fake-firmware-test.git
[1] The following kernel ring buffer splat:
firmware name: test_module_stuff.bin
firmware name:
firmware found
general protection fault: 0000 [#1] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
Workqueue: events request_firmware_work_func
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff814a586c>] [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP: 0000:ffff8800c7f97d78 EFLAGS: 00010286
RAX: ffffffff81ae3700 RBX: ffffffff816d1181 RCX: 0000000000000006
RDX: 0001ee850ff68500 RSI: 0000000000000246 RDI: c35d5f415e415d41
RBP: ffff8800c7f97d88 R08: 000000000000000a R09: 0000000000000000
R10: 0000000000000358 R11: ffff8800c7f97a7e R12: ffff8800c7ec1e80
R13: ffff88021e2d4cc0 R14: ffff88021e2dff00 R15: 00000000000000c0
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000034b8cd8 CR3: 000000021073c000 CR4: 00000000001407e0
Stack:
ffffffff816d1181 ffff8800c7ec1e80 ffff8800c7f97da8 ffffffff814a58f8
000000000000000a ffffffff816d1181 ffff8800c7f97dc8 ffffffffa047002c
ffff88021e2dff00 ffff8802116ac1c0 ffff8800c7f97df8 ffffffff814a65fe
Call Trace:
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: c7 c6 dd ad a3 81 48 c7 c7 20 97 ce 81 31 c0 e8 0b b2 ed ff e9 78 ff ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <4c> 8b 67 38 48 89 fb 4c 89 e7 e8 85 f7 22 00 f0 83 2b 01 74 0f
RIP [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP <ffff8800c7f97d78>
---[ end trace 4e62c56a58d0eac1 ]---
BUG: unable to handle kernel paging request at ffffffffffffffd8
IP: [<ffffffff81093ee0>] kthread_data+0x10/0x20
PGD 1c13067 PUD 1c15067 PMD 0
Oops: 0000 [#2] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G D O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff81092ee0>] [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP: 0018:ffff8800c7f97b18 EFLAGS: 00010096
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 000000000000000d
RDX: 0000000000000003 RSI: 0000000000000003 RDI: ffff8800c7f8e290
RBP: ffff8800c7f97b18 R08: 000000000000bc00 R09: 0000000000007e76
R10: 0000000000000001 R11: 000000000000002f R12: ffff8800c7f8e290
R13: 00000000000154c0 R14: 0000000000000003 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000210675000 CR4: 00000000001407e0
Stack:
ffff8800c7f97b38 ffffffff8108dcd5 ffff8800c7f97b38 ffff88021e2d54c0
ffff8800c7f97b88 ffffffff816d1500 ffff880213d42368 ffff8800c7f8e290
ffff8800c7f97b88 ffff8800c7f97fd8 ffff8800c7f8e710 0000000000000246
Call Trace:
[<ffffffff8108dcd5>] wq_worker_sleeping+0x15/0xa0
[<ffffffff816d1500>] __schedule+0x6e0/0x940
[<ffffffff816d1797>] schedule+0x37/0x90
[<ffffffff810779bc>] do_exit+0x6bc/0xb40
[<ffffffff8101898f>] oops_end+0x9f/0xe0
[<ffffffff81018efb>] die+0x4b/0x70
[<ffffffff81015622>] do_general_protection+0xe2/0x170
[<ffffffff816d74e8>] general_protection+0x28/0x30
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a586c>] ? fw_free_buf+0xc/0x40
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: 00 48 89 e5 5d 48 8b 40 c8 48 c1 e8 02 83 e0 01 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 87 30 05 00 00 55 48 89 e5 <48> 8b 40 d8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
RIP [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP <ffff8800c7f97b18>
CR2: ffffffffffffffd8
---[ end trace 4e62c56a58d0eac2 ]---
Fixing recursive fault but reboot is needed!
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: David Howells <dhowells@redhat.com>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Kyle McMartin <kyle@kernel.org>
Generated-by: Coccinelle SmPL
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-12 14:49:42 -07:00
return - ENOMEM ;
2015-05-28 17:46:42 -07:00
}
2010-06-04 00:54:43 -07:00
fw_work - > device = device ;
fw_work - > context = context ;
fw_work - > cont = cont ;
2017-11-20 10:23:58 -08:00
fw_work - > opt_flags = FW_OPT_NOWAIT |
firmware loader: allow disabling of udev as firmware loader
[The patch was originally proposed by Tom Gundersen, and rewritten
afterwards by me; most of changelogs below borrowed from Tom's
original patch -- tiwai]
Currently (at least) the dell-rbu driver selects FW_LOADER_USER_HELPER,
which means that distros can't really stop loading firmware through
udev without breaking other users (though some have).
Ideally we would remove/disable the udev firmware helper in both the
kernel and in udev, but if we were to disable it in udev and not the
kernel, the result would be (seemingly) hung kernels as no one would
be around to cancel firmware requests.
This patch allows udev firmware loading to be disabled while still
allowing non-udev firmware loading, as done by the dell-rbu driver, to
continue working. This is achieved by only using the fallback
mechanism when the uevent is suppressed.
The patch renames the user-selectable Kconfig from FW_LOADER_USER_HELPER
to FW_LOADER_USER_HELPER_FALLBACK, and the former is reverse-selected
by the latter or the drivers that need userhelper like dell-rbu.
Also, the "default y" is removed together with this change, since it's
been deprecated in udev upstream, thus rather better to disable it
nowadays.
Tested with
FW_LOADER_USER_HELPER=n
LATTICE_ECP3_CONFIG=y
DELL_RBU=y
and udev without the firmware loading support, but I don't have the
hardware to test the lattice/dell drivers, so additional testing would
be appreciated.
Reviewed-by: Tom Gundersen <teg@jklm.no>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Abhay Salunke <Abhay_Salunke@dell.com>
Cc: Stefan Roese <sr@denx.de>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kay Sievers <kay@vrfy.org>
Tested-by: Balaji Singh <B_B_Singh@DELL.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-04 17:48:15 +02:00
( uevent ? FW_OPT_UEVENT : FW_OPT_USERHELPER ) ;
2010-06-04 00:54:43 -07:00
2005-04-16 15:20:36 -07:00
if ( ! try_module_get ( module ) ) {
firmware: fix possible use after free on name on asynchronous request
Asynchronous firmware loading copies the pointer to the
name passed as an argument only to be scheduled later and
used. This behaviour works well for synchronous calling
but in asynchronous mode there's a chance the caller could
immediately free the passed string after making the
asynchronous call. This could trigger a use after free
having the kernel look on disk for arbitrary file names.
In order to force-test the issue you can use a test-driver
designed to illustrate this issue on github [0], use the
next-20150505-fix-use-after-free branch.
With this patch applied you get:
[ 283.512445] firmware name: test_module_stuff.bin
[ 287.514020] firmware name: test_module_stuff.bin
[ 287.532489] firmware found
Without this patch applied you can end up with something such as:
[ 135.624216] firmware name: \xffffff80BJ
[ 135.624249] platform fake-dev.0: Direct firmware load for \xffffff80Bi failed with error -2
[ 135.624252] No firmware found
[ 135.624252] firmware found
Unfortunatley in the worst and most common case however you
can typically crash your system with a page fault by trying to
free something which you cannot, and/or a NULL pointer
dereference [1].
The fix and issue using schedule_work() for asynchronous
runs is generalized in the following SmPL grammar patch,
when applied to next-20150505 only the firmware_class
code is affected. This grammar patch can and should further
be generalized to vet for for other kernel asynchronous
mechanisms.
@ calls_schedule_work @
type T;
T *priv_work;
identifier func, work_func;
identifier work;
identifier priv_name, name;
expression gfp;
@@
func(..., const char *name, ...)
{
...
priv_work = kzalloc(sizeof(T), gfp);
...
- priv_work->priv_name = name;
+ priv_work->priv_name = kstrdup_const(name, gfp);
...
(... when any
if (...)
{
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
) ... when any
INIT_WORK(&priv_work->work, work_func);
...
schedule_work(&priv_work->work);
...
}
@ the_work_func depends on calls_schedule_work @
type calls_schedule_work.T;
T *priv_work;
identifier calls_schedule_work.work_func;
identifier calls_schedule_work.priv_name;
identifier calls_schedule_work.work;
identifier some_work;
@@
work_func(...)
{
...
priv_work = container_of(some_work, T, work);
...
+ kfree_const(priv_work->priv_name);
kfree(priv_work);
...
}
[0] https://github.com/mcgrof/fake-firmware-test.git
[1] The following kernel ring buffer splat:
firmware name: test_module_stuff.bin
firmware name:
firmware found
general protection fault: 0000 [#1] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
Workqueue: events request_firmware_work_func
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff814a586c>] [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP: 0000:ffff8800c7f97d78 EFLAGS: 00010286
RAX: ffffffff81ae3700 RBX: ffffffff816d1181 RCX: 0000000000000006
RDX: 0001ee850ff68500 RSI: 0000000000000246 RDI: c35d5f415e415d41
RBP: ffff8800c7f97d88 R08: 000000000000000a R09: 0000000000000000
R10: 0000000000000358 R11: ffff8800c7f97a7e R12: ffff8800c7ec1e80
R13: ffff88021e2d4cc0 R14: ffff88021e2dff00 R15: 00000000000000c0
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000034b8cd8 CR3: 000000021073c000 CR4: 00000000001407e0
Stack:
ffffffff816d1181 ffff8800c7ec1e80 ffff8800c7f97da8 ffffffff814a58f8
000000000000000a ffffffff816d1181 ffff8800c7f97dc8 ffffffffa047002c
ffff88021e2dff00 ffff8802116ac1c0 ffff8800c7f97df8 ffffffff814a65fe
Call Trace:
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: c7 c6 dd ad a3 81 48 c7 c7 20 97 ce 81 31 c0 e8 0b b2 ed ff e9 78 ff ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <4c> 8b 67 38 48 89 fb 4c 89 e7 e8 85 f7 22 00 f0 83 2b 01 74 0f
RIP [<ffffffff814a586c>] fw_free_buf+0xc/0x40
RSP <ffff8800c7f97d78>
---[ end trace 4e62c56a58d0eac1 ]---
BUG: unable to handle kernel paging request at ffffffffffffffd8
IP: [<ffffffff81093ee0>] kthread_data+0x10/0x20
PGD 1c13067 PUD 1c15067 PMD 0
Oops: 0000 [#2] SMP
Modules linked in: test(O) <...etc-it-does-not-matter>
drm sr_mod cdrom xhci_pci xhci_hcd rtsx_pci mfd_core video button sg
CPU: 3 PID: 87 Comm: kworker/3:2 Tainted: G D O 4.0.0-00010-g22b5bb0-dirty #176
Hardware name: LENOVO 20AW000LUS/20AW000LUS, BIOS GLET43WW (1.18 ) 12/04/2013
task: ffff8800c7f8e290 ti: ffff8800c7f94000 task.ti: ffff8800c7f94000
RIP: 0010:[<ffffffff81092ee0>] [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP: 0018:ffff8800c7f97b18 EFLAGS: 00010096
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 000000000000000d
RDX: 0000000000000003 RSI: 0000000000000003 RDI: ffff8800c7f8e290
RBP: ffff8800c7f97b18 R08: 000000000000bc00 R09: 0000000000007e76
R10: 0000000000000001 R11: 000000000000002f R12: ffff8800c7f8e290
R13: 00000000000154c0 R14: 0000000000000003 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000210675000 CR4: 00000000001407e0
Stack:
ffff8800c7f97b38 ffffffff8108dcd5 ffff8800c7f97b38 ffff88021e2d54c0
ffff8800c7f97b88 ffffffff816d1500 ffff880213d42368 ffff8800c7f8e290
ffff8800c7f97b88 ffff8800c7f97fd8 ffff8800c7f8e710 0000000000000246
Call Trace:
[<ffffffff8108dcd5>] wq_worker_sleeping+0x15/0xa0
[<ffffffff816d1500>] __schedule+0x6e0/0x940
[<ffffffff816d1797>] schedule+0x37/0x90
[<ffffffff810779bc>] do_exit+0x6bc/0xb40
[<ffffffff8101898f>] oops_end+0x9f/0xe0
[<ffffffff81018efb>] die+0x4b/0x70
[<ffffffff81015622>] do_general_protection+0xe2/0x170
[<ffffffff816d74e8>] general_protection+0x28/0x30
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a586c>] ? fw_free_buf+0xc/0x40
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff814a58f8>] release_firmware+0x58/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffffa047002c>] test_mod_cb+0x2c/0x43 [test]
[<ffffffff814a65fe>] request_firmware_work_func+0x5e/0x80
[<ffffffff816d1181>] ? __schedule+0x361/0x940
[<ffffffff8108d23a>] process_one_work+0x14a/0x3f0
[<ffffffff8108d911>] worker_thread+0x121/0x460
[<ffffffff8108d7f0>] ? rescuer_thread+0x310/0x310
[<ffffffff810928f9>] kthread+0xc9/0xe0
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
[<ffffffff816d52d8>] ret_from_fork+0x58/0x90
[<ffffffff81092830>] ? kthread_create_on_node+0x180/0x180
Code: 00 48 89 e5 5d 48 8b 40 c8 48 c1 e8 02 83 e0 01 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 87 30 05 00 00 55 48 89 e5 <48> 8b 40 d8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
RIP [<ffffffff81092ee0>] kthread_data+0x10/0x20
RSP <ffff8800c7f97b18>
CR2: ffffffffffffffd8
---[ end trace 4e62c56a58d0eac2 ]---
Fixing recursive fault but reboot is needed!
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: David Howells <dhowells@redhat.com>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Kyle McMartin <kyle@kernel.org>
Generated-by: Coccinelle SmPL
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-12 14:49:42 -07:00
kfree_const ( fw_work - > name ) ;
2005-04-16 15:20:36 -07:00
kfree ( fw_work ) ;
return - EFAULT ;
}
2012-08-04 12:01:23 +08:00
get_device ( fw_work - > device ) ;
2012-03-28 23:31:00 +02:00
INIT_WORK ( & fw_work - > work , request_firmware_work_func ) ;
schedule_work ( & fw_work - > work ) ;
2005-04-16 15:20:36 -07:00
return 0 ;
}
2013-05-23 22:17:18 +02:00
EXPORT_SYMBOL ( request_firmware_nowait ) ;
2005-04-16 15:20:36 -07:00
2013-06-20 12:30:16 +08:00
# ifdef CONFIG_PM_SLEEP
static ASYNC_DOMAIN_EXCLUSIVE ( fw_cache_domain ) ;
2012-08-04 12:01:22 +08:00
/**
* cache_firmware - cache one firmware image in kernel memory space
* @ fw_name : the firmware image name
*
* Cache firmware in kernel memory so that drivers can use it when
* system isn ' t ready for them to request firmware image from userspace .
* Once it returns successfully , driver can use request_firmware or its
* nowait version to get the cached firmware without any interacting
* with userspace
*
* Return 0 if the firmware image has been cached successfully
* Return ! 0 otherwise
*
*/
2013-06-06 20:01:47 +08:00
static int cache_firmware ( const char * fw_name )
2012-08-04 12:01:22 +08:00
{
int ret ;
const struct firmware * fw ;
pr_debug ( " %s: %s \n " , __func__ , fw_name ) ;
ret = request_firmware ( & fw , fw_name , NULL ) ;
if ( ! ret )
kfree ( fw ) ;
pr_debug ( " %s: %s ret=%d \n " , __func__ , fw_name , ret ) ;
return ret ;
}
2017-11-20 10:23:48 -08:00
static struct fw_priv * lookup_fw_priv ( const char * fw_name )
2013-06-26 09:28:17 +08:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * tmp ;
2013-06-26 09:28:17 +08:00
struct firmware_cache * fwc = & fw_cache ;
spin_lock ( & fwc - > lock ) ;
2017-11-20 10:23:48 -08:00
tmp = __lookup_fw_priv ( fw_name ) ;
2013-06-26 09:28:17 +08:00
spin_unlock ( & fwc - > lock ) ;
return tmp ;
}
2012-08-04 12:01:22 +08:00
/**
* uncache_firmware - remove one cached firmware image
* @ fw_name : the firmware image name
*
* Uncache one firmware image which has been cached successfully
* before .
*
* Return 0 if the firmware cache has been removed successfully
* Return ! 0 otherwise
*
*/
2013-06-06 20:01:47 +08:00
static int uncache_firmware ( const char * fw_name )
2012-08-04 12:01:22 +08:00
{
2017-11-20 10:23:48 -08:00
struct fw_priv * fw_priv ;
2012-08-04 12:01:22 +08:00
struct firmware fw ;
pr_debug ( " %s: %s \n " , __func__ , fw_name ) ;
2016-08-02 14:04:28 -07:00
if ( fw_get_builtin_firmware ( & fw , fw_name , NULL , 0 ) )
2012-08-04 12:01:22 +08:00
return 0 ;
2017-11-20 10:23:48 -08:00
fw_priv = lookup_fw_priv ( fw_name ) ;
if ( fw_priv ) {
free_fw_priv ( fw_priv ) ;
2012-08-04 12:01:22 +08:00
return 0 ;
}
return - EINVAL ;
}
2012-08-04 12:01:27 +08:00
static struct fw_cache_entry * alloc_fw_cache_entry ( const char * name )
{
struct fw_cache_entry * fce ;
2015-05-12 14:49:43 -07:00
fce = kzalloc ( sizeof ( * fce ) , GFP_ATOMIC ) ;
2012-08-04 12:01:27 +08:00
if ( ! fce )
goto exit ;
2015-05-12 14:49:43 -07:00
fce - > name = kstrdup_const ( name , GFP_ATOMIC ) ;
if ( ! fce - > name ) {
kfree ( fce ) ;
fce = NULL ;
goto exit ;
}
2012-08-04 12:01:27 +08:00
exit :
return fce ;
}
2012-10-09 12:01:01 +08:00
static int __fw_entry_found ( const char * name )
2012-08-20 19:04:16 +08:00
{
struct firmware_cache * fwc = & fw_cache ;
struct fw_cache_entry * fce ;
list_for_each_entry ( fce , & fwc - > fw_names , list ) {
if ( ! strcmp ( fce - > name , name ) )
2012-10-09 12:01:01 +08:00
return 1 ;
2012-08-20 19:04:16 +08:00
}
2012-10-09 12:01:01 +08:00
return 0 ;
}
static int fw_cache_piggyback_on_request ( const char * name )
{
struct firmware_cache * fwc = & fw_cache ;
struct fw_cache_entry * fce ;
int ret = 0 ;
spin_lock ( & fwc - > name_lock ) ;
if ( __fw_entry_found ( name ) )
goto found ;
2012-08-20 19:04:16 +08:00
fce = alloc_fw_cache_entry ( name ) ;
if ( fce ) {
ret = 1 ;
list_add ( & fce - > list , & fwc - > fw_names ) ;
pr_debug ( " %s: fw: %s \n " , __func__ , name ) ;
}
found :
spin_unlock ( & fwc - > name_lock ) ;
return ret ;
}
2012-08-04 12:01:27 +08:00
static void free_fw_cache_entry ( struct fw_cache_entry * fce )
{
2015-05-12 14:49:43 -07:00
kfree_const ( fce - > name ) ;
2012-08-04 12:01:27 +08:00
kfree ( fce ) ;
}
static void __async_dev_cache_fw_image ( void * fw_entry ,
async_cookie_t cookie )
{
struct fw_cache_entry * fce = fw_entry ;
struct firmware_cache * fwc = & fw_cache ;
int ret ;
ret = cache_firmware ( fce - > name ) ;
2012-08-20 19:04:16 +08:00
if ( ret ) {
spin_lock ( & fwc - > name_lock ) ;
list_del ( & fce - > list ) ;
spin_unlock ( & fwc - > name_lock ) ;
2012-08-04 12:01:27 +08:00
2012-08-20 19:04:16 +08:00
free_fw_cache_entry ( fce ) ;
}
2012-08-04 12:01:27 +08:00
}
/* called with dev->devres_lock held */
static void dev_create_fw_entry ( struct device * dev , void * res ,
void * data )
{
struct fw_name_devm * fwn = res ;
const char * fw_name = fwn - > name ;
struct list_head * head = data ;
struct fw_cache_entry * fce ;
fce = alloc_fw_cache_entry ( fw_name ) ;
if ( fce )
list_add ( & fce - > list , head ) ;
}
static int devm_name_match ( struct device * dev , void * res ,
void * match_data )
{
struct fw_name_devm * fwn = res ;
return ( fwn - > magic = = ( unsigned long ) match_data ) ;
}
2012-08-17 22:07:00 +08:00
static void dev_cache_fw_image ( struct device * dev , void * data )
2012-08-04 12:01:27 +08:00
{
LIST_HEAD ( todo ) ;
struct fw_cache_entry * fce ;
struct fw_cache_entry * fce_next ;
struct firmware_cache * fwc = & fw_cache ;
devres_for_each_res ( dev , fw_name_devm_release ,
devm_name_match , & fw_cache ,
dev_create_fw_entry , & todo ) ;
list_for_each_entry_safe ( fce , fce_next , & todo , list ) {
list_del ( & fce - > list ) ;
spin_lock ( & fwc - > name_lock ) ;
2012-10-09 12:01:01 +08:00
/* only one cache entry for one firmware */
if ( ! __fw_entry_found ( fce - > name ) ) {
list_add ( & fce - > list , & fwc - > fw_names ) ;
} else {
free_fw_cache_entry ( fce ) ;
fce = NULL ;
}
2012-08-04 12:01:27 +08:00
spin_unlock ( & fwc - > name_lock ) ;
2012-10-09 12:01:01 +08:00
if ( fce )
2012-10-09 12:01:04 +08:00
async_schedule_domain ( __async_dev_cache_fw_image ,
( void * ) fce ,
& fw_cache_domain ) ;
2012-08-04 12:01:27 +08:00
}
}
static void __device_uncache_fw_images ( void )
{
struct firmware_cache * fwc = & fw_cache ;
struct fw_cache_entry * fce ;
spin_lock ( & fwc - > name_lock ) ;
while ( ! list_empty ( & fwc - > fw_names ) ) {
fce = list_entry ( fwc - > fw_names . next ,
struct fw_cache_entry , list ) ;
list_del ( & fce - > list ) ;
spin_unlock ( & fwc - > name_lock ) ;
uncache_firmware ( fce - > name ) ;
free_fw_cache_entry ( fce ) ;
spin_lock ( & fwc - > name_lock ) ;
}
spin_unlock ( & fwc - > name_lock ) ;
}
/**
* device_cache_fw_images - cache devices ' firmware
*
* If one device called request_firmware or its nowait version
* successfully before , the firmware names are recored into the
* device ' s devres link list , so device_cache_fw_images can call
* cache_firmware ( ) to cache these firmwares for the device ,
* then the device driver can load its firmwares easily at
* time when system is not ready to complete loading firmware .
*/
static void device_cache_fw_images ( void )
{
struct firmware_cache * fwc = & fw_cache ;
DEFINE_WAIT ( wait ) ;
pr_debug ( " %s \n " , __func__ ) ;
2012-10-09 12:01:01 +08:00
/* cancel uncache work */
cancel_delayed_work_sync ( & fwc - > work ) ;
2018-03-10 06:14:47 -08:00
fw_fallback_set_cache_timeout ( ) ;
2012-08-04 12:01:28 +08:00
2012-08-20 19:04:16 +08:00
mutex_lock ( & fw_lock ) ;
fwc - > state = FW_LOADER_START_CACHE ;
2012-08-17 22:07:00 +08:00
dpm_for_each_dev ( NULL , dev_cache_fw_image ) ;
2012-08-20 19:04:16 +08:00
mutex_unlock ( & fw_lock ) ;
2012-08-04 12:01:27 +08:00
/* wait for completion of caching firmware for all devices */
2012-10-09 12:01:04 +08:00
async_synchronize_full_domain ( & fw_cache_domain ) ;
2012-08-04 12:01:28 +08:00
2018-03-10 06:14:47 -08:00
fw_fallback_set_default_timeout ( ) ;
2012-08-04 12:01:27 +08:00
}
/**
* device_uncache_fw_images - uncache devices ' firmware
*
* uncache all firmwares which have been cached successfully
* by device_uncache_fw_images earlier
*/
static void device_uncache_fw_images ( void )
{
pr_debug ( " %s \n " , __func__ ) ;
__device_uncache_fw_images ( ) ;
}
static void device_uncache_fw_images_work ( struct work_struct * work )
{
device_uncache_fw_images ( ) ;
}
/**
* device_uncache_fw_images_delay - uncache devices firmwares
* @ delay : number of milliseconds to delay uncache device firmwares
*
* uncache all devices ' s firmwares which has been cached successfully
* by device_cache_fw_images after @ delay milliseconds .
*/
static void device_uncache_fw_images_delay ( unsigned long delay )
{
2014-01-31 15:44:58 -08:00
queue_delayed_work ( system_power_efficient_wq , & fw_cache . work ,
msecs_to_jiffies ( delay ) ) ;
2012-08-04 12:01:27 +08:00
}
2012-08-04 12:01:29 +08:00
static int fw_pm_notify ( struct notifier_block * notify_block ,
unsigned long mode , void * unused )
{
switch ( mode ) {
case PM_HIBERNATION_PREPARE :
case PM_SUSPEND_PREPARE :
2014-02-18 17:52:08 -08:00
case PM_RESTORE_PREPARE :
2017-05-02 01:31:03 -07:00
/*
* kill pending fallback requests with a custom fallback
* to avoid stalling suspend .
*/
kill_pending_fw_fallback_reqs ( true ) ;
2012-08-04 12:01:29 +08:00
device_cache_fw_images ( ) ;
break ;
case PM_POST_SUSPEND :
case PM_POST_HIBERNATION :
case PM_POST_RESTORE :
2012-08-20 19:04:16 +08:00
/*
* In case that system sleep failed and syscore_suspend is
* not called .
*/
mutex_lock ( & fw_lock ) ;
fw_cache . state = FW_LOADER_NO_CACHE ;
mutex_unlock ( & fw_lock ) ;
2012-08-04 12:01:29 +08:00
device_uncache_fw_images_delay ( 10 * MSEC_PER_SEC ) ;
break ;
}
return 0 ;
}
2012-08-20 19:04:16 +08:00
/* stop caching firmware once syscore_suspend is reached */
static int fw_suspend ( void )
{
fw_cache . state = FW_LOADER_NO_CACHE ;
return 0 ;
}
static struct syscore_ops fw_syscore_ops = {
. suspend = fw_suspend ,
} ;
2017-11-20 09:45:31 -08:00
2017-11-20 09:45:32 -08:00
static int __init register_fw_pm_ops ( void )
{
int ret ;
spin_lock_init ( & fw_cache . name_lock ) ;
INIT_LIST_HEAD ( & fw_cache . fw_names ) ;
INIT_DELAYED_WORK ( & fw_cache . work ,
device_uncache_fw_images_work ) ;
fw_cache . pm_notify . notifier_call = fw_pm_notify ;
ret = register_pm_notifier ( & fw_cache . pm_notify ) ;
if ( ret )
return ret ;
register_syscore_ops ( & fw_syscore_ops ) ;
return ret ;
}
2017-11-20 09:45:31 -08:00
static inline void unregister_fw_pm_ops ( void )
{
unregister_syscore_ops ( & fw_syscore_ops ) ;
unregister_pm_notifier ( & fw_cache . pm_notify ) ;
}
2012-09-08 17:32:30 +08:00
# else
static int fw_cache_piggyback_on_request ( const char * name )
{
return 0 ;
}
2017-11-20 09:45:32 -08:00
static inline int register_fw_pm_ops ( void )
{
return 0 ;
}
2017-11-20 09:45:31 -08:00
static inline void unregister_fw_pm_ops ( void )
{
}
2012-09-08 17:32:30 +08:00
# endif
2012-08-20 19:04:16 +08:00
2012-08-04 12:01:27 +08:00
static void __init fw_cache_init ( void )
{
spin_lock_init ( & fw_cache . lock ) ;
INIT_LIST_HEAD ( & fw_cache . head ) ;
2012-09-08 17:32:30 +08:00
fw_cache . state = FW_LOADER_NO_CACHE ;
2012-08-04 12:01:27 +08:00
}
2017-05-02 01:31:04 -07:00
static int fw_shutdown_notify ( struct notifier_block * unused1 ,
unsigned long unused2 , void * unused3 )
{
/*
* Kill all pending fallback requests to avoid both stalling shutdown ,
* and avoid a deadlock with the usermode_lock .
*/
kill_pending_fw_fallback_reqs ( false ) ;
return NOTIFY_DONE ;
}
static struct notifier_block fw_shutdown_nb = {
. notifier_call = fw_shutdown_notify ,
} ;
2010-03-13 23:49:13 -08:00
static int __init firmware_class_init ( void )
2005-04-16 15:20:36 -07:00
{
2017-11-20 09:45:32 -08:00
int ret ;
/* No need to unfold these on exit */
2012-08-04 12:01:21 +08:00
fw_cache_init ( ) ;
2017-11-20 09:45:32 -08:00
ret = register_fw_pm_ops ( ) ;
if ( ret )
return ret ;
2017-11-20 09:45:34 -08:00
ret = register_reboot_notifier ( & fw_shutdown_nb ) ;
if ( ret )
goto out ;
2017-11-20 09:45:33 -08:00
return register_sysfs_loader ( ) ;
2017-11-20 09:45:34 -08:00
out :
unregister_fw_pm_ops ( ) ;
return ret ;
2005-04-16 15:20:36 -07:00
}
2010-03-13 23:49:13 -08:00
static void __exit firmware_class_exit ( void )
2005-04-16 15:20:36 -07:00
{
2017-11-20 09:45:31 -08:00
unregister_fw_pm_ops ( ) ;
2013-05-22 18:28:38 +02:00
unregister_reboot_notifier ( & fw_shutdown_nb ) ;
2017-11-20 09:45:33 -08:00
unregister_sysfs_loader ( ) ;
2005-04-16 15:20:36 -07:00
}
2006-09-27 01:50:52 -07:00
fs_initcall ( firmware_class_init ) ;
2005-04-16 15:20:36 -07:00
module_exit ( firmware_class_exit ) ;