sahara.c 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /* Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. */
  3. #include <linux/devcoredump.h>
  4. #include <linux/firmware.h>
  5. #include <linux/limits.h>
  6. #include <linux/mhi.h>
  7. #include <linux/minmax.h>
  8. #include <linux/mod_devicetable.h>
  9. #include <linux/overflow.h>
  10. #include <linux/types.h>
  11. #include <linux/vmalloc.h>
  12. #include <linux/workqueue.h>
  13. #include "sahara.h"
  14. #define SAHARA_HELLO_CMD 0x1 /* Min protocol version 1.0 */
  15. #define SAHARA_HELLO_RESP_CMD 0x2 /* Min protocol version 1.0 */
  16. #define SAHARA_READ_DATA_CMD 0x3 /* Min protocol version 1.0 */
  17. #define SAHARA_END_OF_IMAGE_CMD 0x4 /* Min protocol version 1.0 */
  18. #define SAHARA_DONE_CMD 0x5 /* Min protocol version 1.0 */
  19. #define SAHARA_DONE_RESP_CMD 0x6 /* Min protocol version 1.0 */
  20. #define SAHARA_RESET_CMD 0x7 /* Min protocol version 1.0 */
  21. #define SAHARA_RESET_RESP_CMD 0x8 /* Min protocol version 1.0 */
  22. #define SAHARA_MEM_DEBUG_CMD 0x9 /* Min protocol version 2.0 */
  23. #define SAHARA_MEM_READ_CMD 0xa /* Min protocol version 2.0 */
  24. #define SAHARA_CMD_READY_CMD 0xb /* Min protocol version 2.1 */
  25. #define SAHARA_SWITCH_MODE_CMD 0xc /* Min protocol version 2.1 */
  26. #define SAHARA_EXECUTE_CMD 0xd /* Min protocol version 2.1 */
  27. #define SAHARA_EXECUTE_RESP_CMD 0xe /* Min protocol version 2.1 */
  28. #define SAHARA_EXECUTE_DATA_CMD 0xf /* Min protocol version 2.1 */
  29. #define SAHARA_MEM_DEBUG64_CMD 0x10 /* Min protocol version 2.5 */
  30. #define SAHARA_MEM_READ64_CMD 0x11 /* Min protocol version 2.5 */
  31. #define SAHARA_READ_DATA64_CMD 0x12 /* Min protocol version 2.8 */
  32. #define SAHARA_RESET_STATE_CMD 0x13 /* Min protocol version 2.9 */
  33. #define SAHARA_WRITE_DATA_CMD 0x14 /* Min protocol version 3.0 */
  34. #define SAHARA_PACKET_MAX_SIZE 0xffffU /* MHI_MAX_MTU */
  35. #define SAHARA_TRANSFER_MAX_SIZE 0x80000
  36. #define SAHARA_READ_MAX_SIZE 0xfff0U /* Avoid unaligned requests */
  37. #define SAHARA_NUM_TX_BUF DIV_ROUND_UP(SAHARA_TRANSFER_MAX_SIZE,\
  38. SAHARA_PACKET_MAX_SIZE)
  39. #define SAHARA_IMAGE_ID_NONE U32_MAX
  40. #define SAHARA_VERSION 2
  41. #define SAHARA_SUCCESS 0
  42. #define SAHARA_TABLE_ENTRY_STR_LEN 20
  43. #define SAHARA_MODE_IMAGE_TX_PENDING 0x0
  44. #define SAHARA_MODE_IMAGE_TX_COMPLETE 0x1
  45. #define SAHARA_MODE_MEMORY_DEBUG 0x2
  46. #define SAHARA_MODE_COMMAND 0x3
  47. #define SAHARA_HELLO_LENGTH 0x30
  48. #define SAHARA_READ_DATA_LENGTH 0x14
  49. #define SAHARA_END_OF_IMAGE_LENGTH 0x10
  50. #define SAHARA_DONE_LENGTH 0x8
  51. #define SAHARA_RESET_LENGTH 0x8
  52. #define SAHARA_MEM_DEBUG64_LENGTH 0x18
  53. #define SAHARA_MEM_READ64_LENGTH 0x18
  54. struct sahara_packet {
  55. __le32 cmd;
  56. __le32 length;
  57. union {
  58. struct {
  59. __le32 version;
  60. __le32 version_compat;
  61. __le32 max_length;
  62. __le32 mode;
  63. } hello;
  64. struct {
  65. __le32 version;
  66. __le32 version_compat;
  67. __le32 status;
  68. __le32 mode;
  69. } hello_resp;
  70. struct {
  71. __le32 image;
  72. __le32 offset;
  73. __le32 length;
  74. } read_data;
  75. struct {
  76. __le32 image;
  77. __le32 status;
  78. } end_of_image;
  79. struct {
  80. __le64 table_address;
  81. __le64 table_length;
  82. } memory_debug64;
  83. struct {
  84. __le64 memory_address;
  85. __le64 memory_length;
  86. } memory_read64;
  87. };
  88. };
  89. struct sahara_debug_table_entry64 {
  90. __le64 type;
  91. __le64 address;
  92. __le64 length;
  93. char description[SAHARA_TABLE_ENTRY_STR_LEN];
  94. char filename[SAHARA_TABLE_ENTRY_STR_LEN];
  95. };
  96. struct sahara_dump_table_entry {
  97. u64 type;
  98. u64 address;
  99. u64 length;
  100. char description[SAHARA_TABLE_ENTRY_STR_LEN];
  101. char filename[SAHARA_TABLE_ENTRY_STR_LEN];
  102. };
  103. #define SAHARA_DUMP_V1_MAGIC 0x1234567890abcdef
  104. #define SAHARA_DUMP_V1_VER 1
  105. struct sahara_memory_dump_meta_v1 {
  106. u64 magic;
  107. u64 version;
  108. u64 dump_size;
  109. u64 table_size;
  110. };
  111. /*
  112. * Layout of crashdump provided to user via devcoredump
  113. * +------------------------------------------+
  114. * | Crashdump Meta structure |
  115. * | type: struct sahara_memory_dump_meta_v1 |
  116. * +------------------------------------------+
  117. * | Crashdump Table |
  118. * | type: array of struct |
  119. * | sahara_dump_table_entry |
  120. * | |
  121. * | |
  122. * +------------------------------------------+
  123. * | Crashdump |
  124. * | |
  125. * | |
  126. * | |
  127. * | |
  128. * | |
  129. * +------------------------------------------+
  130. *
  131. * First is the metadata header. Userspace can use the magic number to verify
  132. * the content type, and then check the version for the rest of the format.
  133. * New versions should keep the magic number location/value, and version
  134. * location, but increment the version value.
  135. *
  136. * For v1, the metadata lists the size of the entire dump (header + table +
  137. * dump) and the size of the table. Then the dump image table, which describes
  138. * the contents of the dump. Finally all the images are listed in order, with
  139. * no deadspace in between. Userspace can use the sizes listed in the image
  140. * table to reconstruct the individual images.
  141. */
  142. struct sahara_context {
  143. struct sahara_packet *tx[SAHARA_NUM_TX_BUF];
  144. struct sahara_packet *rx;
  145. struct work_struct fw_work;
  146. struct work_struct dump_work;
  147. struct work_struct read_data_work;
  148. struct mhi_device *mhi_dev;
  149. const char * const *image_table;
  150. u32 table_size;
  151. u32 active_image_id;
  152. const struct firmware *firmware;
  153. u64 dump_table_address;
  154. u64 dump_table_length;
  155. size_t rx_size;
  156. size_t rx_size_requested;
  157. void *mem_dump;
  158. size_t mem_dump_sz;
  159. struct sahara_dump_table_entry *dump_image;
  160. u64 dump_image_offset;
  161. void *mem_dump_freespace;
  162. u64 dump_images_left;
  163. u32 read_data_offset;
  164. u32 read_data_length;
  165. bool is_mem_dump_mode;
  166. bool non_streaming;
  167. };
  168. static const char * const aic100_image_table[] = {
  169. [1] = "qcom/aic100/fw1.bin",
  170. [2] = "qcom/aic100/fw2.bin",
  171. [4] = "qcom/aic100/fw4.bin",
  172. [5] = "qcom/aic100/fw5.bin",
  173. [6] = "qcom/aic100/fw6.bin",
  174. [8] = "qcom/aic100/fw8.bin",
  175. [9] = "qcom/aic100/fw9.bin",
  176. [10] = "qcom/aic100/fw10.bin",
  177. };
  178. static const char * const aic200_image_table[] = {
  179. [5] = "qcom/aic200/uefi.elf",
  180. [12] = "qcom/aic200/aic200-nsp.bin",
  181. [23] = "qcom/aic200/aop.mbn",
  182. [32] = "qcom/aic200/tz.mbn",
  183. [33] = "qcom/aic200/hypvm.mbn",
  184. [38] = "qcom/aic200/xbl_config.elf",
  185. [39] = "qcom/aic200/aic200_abl.elf",
  186. [40] = "qcom/aic200/apdp.mbn",
  187. [41] = "qcom/aic200/devcfg.mbn",
  188. [42] = "qcom/aic200/sec.elf",
  189. [43] = "qcom/aic200/aic200-hlos.elf",
  190. [49] = "qcom/aic200/shrm.elf",
  191. [50] = "qcom/aic200/cpucp.elf",
  192. [51] = "qcom/aic200/aop_devcfg.mbn",
  193. [54] = "qcom/aic200/qupv3fw.elf",
  194. [57] = "qcom/aic200/cpucp_dtbs.elf",
  195. [62] = "qcom/aic200/uefi_dtbs.elf",
  196. [63] = "qcom/aic200/xbl_ac_config.mbn",
  197. [64] = "qcom/aic200/tz_ac_config.mbn",
  198. [65] = "qcom/aic200/hyp_ac_config.mbn",
  199. [66] = "qcom/aic200/pdp.elf",
  200. [67] = "qcom/aic200/pdp_cdb.elf",
  201. [68] = "qcom/aic200/sdi.mbn",
  202. [69] = "qcom/aic200/dcd.mbn",
  203. [73] = "qcom/aic200/gearvm.mbn",
  204. [74] = "qcom/aic200/sti.bin",
  205. [76] = "qcom/aic200/tz_qti_config.mbn",
  206. [78] = "qcom/aic200/pvs.bin",
  207. };
  208. static bool is_streaming(struct sahara_context *context)
  209. {
  210. return !context->non_streaming;
  211. }
  212. static int sahara_find_image(struct sahara_context *context, u32 image_id)
  213. {
  214. int ret;
  215. if (image_id == context->active_image_id)
  216. return 0;
  217. if (context->active_image_id != SAHARA_IMAGE_ID_NONE) {
  218. dev_err(&context->mhi_dev->dev, "image id %d is not valid as %d is active\n",
  219. image_id, context->active_image_id);
  220. return -EINVAL;
  221. }
  222. if (image_id >= context->table_size || !context->image_table[image_id]) {
  223. dev_err(&context->mhi_dev->dev, "request for unknown image: %d\n", image_id);
  224. return -EINVAL;
  225. }
  226. /*
  227. * This image might be optional. The device may continue without it.
  228. * Only the device knows. Suppress error messages that could suggest an
  229. * a problem when we were actually able to continue.
  230. */
  231. ret = firmware_request_nowarn(&context->firmware,
  232. context->image_table[image_id],
  233. &context->mhi_dev->dev);
  234. if (ret) {
  235. dev_dbg(&context->mhi_dev->dev, "request for image id %d / file %s failed %d\n",
  236. image_id, context->image_table[image_id], ret);
  237. return ret;
  238. }
  239. context->active_image_id = image_id;
  240. return 0;
  241. }
  242. static void sahara_release_image(struct sahara_context *context)
  243. {
  244. if (context->active_image_id != SAHARA_IMAGE_ID_NONE)
  245. release_firmware(context->firmware);
  246. context->active_image_id = SAHARA_IMAGE_ID_NONE;
  247. }
  248. static void sahara_send_reset(struct sahara_context *context)
  249. {
  250. int ret;
  251. context->is_mem_dump_mode = false;
  252. context->read_data_offset = 0;
  253. context->read_data_length = 0;
  254. context->tx[0]->cmd = cpu_to_le32(SAHARA_RESET_CMD);
  255. context->tx[0]->length = cpu_to_le32(SAHARA_RESET_LENGTH);
  256. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE, context->tx[0],
  257. SAHARA_RESET_LENGTH, MHI_EOT);
  258. if (ret)
  259. dev_err(&context->mhi_dev->dev, "Unable to send reset response %d\n", ret);
  260. }
  261. static void sahara_hello(struct sahara_context *context)
  262. {
  263. int ret;
  264. dev_dbg(&context->mhi_dev->dev,
  265. "HELLO cmd received. length:%d version:%d version_compat:%d max_length:%d mode:%d\n",
  266. le32_to_cpu(context->rx->length),
  267. le32_to_cpu(context->rx->hello.version),
  268. le32_to_cpu(context->rx->hello.version_compat),
  269. le32_to_cpu(context->rx->hello.max_length),
  270. le32_to_cpu(context->rx->hello.mode));
  271. if (le32_to_cpu(context->rx->length) != SAHARA_HELLO_LENGTH) {
  272. dev_err(&context->mhi_dev->dev, "Malformed hello packet - length %d\n",
  273. le32_to_cpu(context->rx->length));
  274. return;
  275. }
  276. if (le32_to_cpu(context->rx->hello.version) != SAHARA_VERSION) {
  277. dev_err(&context->mhi_dev->dev, "Unsupported hello packet - version %d\n",
  278. le32_to_cpu(context->rx->hello.version));
  279. return;
  280. }
  281. if (le32_to_cpu(context->rx->hello.mode) != SAHARA_MODE_IMAGE_TX_PENDING &&
  282. le32_to_cpu(context->rx->hello.mode) != SAHARA_MODE_IMAGE_TX_COMPLETE &&
  283. le32_to_cpu(context->rx->hello.mode) != SAHARA_MODE_MEMORY_DEBUG) {
  284. dev_err(&context->mhi_dev->dev, "Unsupported hello packet - mode %d\n",
  285. le32_to_cpu(context->rx->hello.mode));
  286. return;
  287. }
  288. context->tx[0]->cmd = cpu_to_le32(SAHARA_HELLO_RESP_CMD);
  289. context->tx[0]->length = cpu_to_le32(SAHARA_HELLO_LENGTH);
  290. context->tx[0]->hello_resp.version = cpu_to_le32(SAHARA_VERSION);
  291. context->tx[0]->hello_resp.version_compat = cpu_to_le32(SAHARA_VERSION);
  292. context->tx[0]->hello_resp.status = cpu_to_le32(SAHARA_SUCCESS);
  293. context->tx[0]->hello_resp.mode = context->rx->hello_resp.mode;
  294. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE, context->tx[0],
  295. SAHARA_HELLO_LENGTH, MHI_EOT);
  296. if (ret)
  297. dev_err(&context->mhi_dev->dev, "Unable to send hello response %d\n", ret);
  298. }
  299. static int read_data_helper(struct sahara_context *context, int buf_index)
  300. {
  301. enum mhi_flags mhi_flag;
  302. u32 pkt_data_len;
  303. int ret;
  304. pkt_data_len = min(context->read_data_length, SAHARA_PACKET_MAX_SIZE);
  305. memcpy(context->tx[buf_index],
  306. &context->firmware->data[context->read_data_offset],
  307. pkt_data_len);
  308. context->read_data_offset += pkt_data_len;
  309. context->read_data_length -= pkt_data_len;
  310. if (is_streaming(context) || !context->read_data_length)
  311. mhi_flag = MHI_EOT;
  312. else
  313. mhi_flag = MHI_CHAIN;
  314. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE,
  315. context->tx[buf_index], pkt_data_len, mhi_flag);
  316. if (ret) {
  317. dev_err(&context->mhi_dev->dev, "Unable to send read_data response %d\n", ret);
  318. return ret;
  319. }
  320. return 0;
  321. }
  322. static void sahara_read_data(struct sahara_context *context)
  323. {
  324. u32 image_id, data_offset, data_len;
  325. int ret;
  326. int i;
  327. dev_dbg(&context->mhi_dev->dev,
  328. "READ_DATA cmd received. length:%d image:%d offset:%d data_length:%d\n",
  329. le32_to_cpu(context->rx->length),
  330. le32_to_cpu(context->rx->read_data.image),
  331. le32_to_cpu(context->rx->read_data.offset),
  332. le32_to_cpu(context->rx->read_data.length));
  333. if (le32_to_cpu(context->rx->length) != SAHARA_READ_DATA_LENGTH) {
  334. dev_err(&context->mhi_dev->dev, "Malformed read_data packet - length %d\n",
  335. le32_to_cpu(context->rx->length));
  336. return;
  337. }
  338. image_id = le32_to_cpu(context->rx->read_data.image);
  339. data_offset = le32_to_cpu(context->rx->read_data.offset);
  340. data_len = le32_to_cpu(context->rx->read_data.length);
  341. ret = sahara_find_image(context, image_id);
  342. if (ret) {
  343. sahara_send_reset(context);
  344. return;
  345. }
  346. /*
  347. * Image is released when the device is done with it via
  348. * SAHARA_END_OF_IMAGE_CMD. sahara_send_reset() will either cause the
  349. * device to retry the operation with a modification, or decide to be
  350. * done with the image and trigger SAHARA_END_OF_IMAGE_CMD.
  351. * release_image() is called from SAHARA_END_OF_IMAGE_CMD. processing
  352. * and is not needed here on error.
  353. */
  354. if (context->non_streaming && data_len > SAHARA_TRANSFER_MAX_SIZE) {
  355. dev_err(&context->mhi_dev->dev, "Malformed read_data packet - data len %d exceeds max xfer size %d\n",
  356. data_len, SAHARA_TRANSFER_MAX_SIZE);
  357. sahara_send_reset(context);
  358. return;
  359. }
  360. if (data_offset >= context->firmware->size) {
  361. dev_err(&context->mhi_dev->dev, "Malformed read_data packet - data offset %d exceeds file size %zu\n",
  362. data_offset, context->firmware->size);
  363. sahara_send_reset(context);
  364. return;
  365. }
  366. if (size_add(data_offset, data_len) > context->firmware->size) {
  367. dev_err(&context->mhi_dev->dev, "Malformed read_data packet - data offset %d and length %d exceeds file size %zu\n",
  368. data_offset, data_len, context->firmware->size);
  369. sahara_send_reset(context);
  370. return;
  371. }
  372. context->read_data_offset = data_offset;
  373. context->read_data_length = data_len;
  374. if (is_streaming(context)) {
  375. schedule_work(&context->read_data_work);
  376. return;
  377. }
  378. for (i = 0; i < SAHARA_NUM_TX_BUF && context->read_data_length; ++i) {
  379. ret = read_data_helper(context, i);
  380. if (ret)
  381. break;
  382. }
  383. }
  384. static void sahara_end_of_image(struct sahara_context *context)
  385. {
  386. int ret;
  387. dev_dbg(&context->mhi_dev->dev,
  388. "END_OF_IMAGE cmd received. length:%d image:%d status:%d\n",
  389. le32_to_cpu(context->rx->length),
  390. le32_to_cpu(context->rx->end_of_image.image),
  391. le32_to_cpu(context->rx->end_of_image.status));
  392. if (le32_to_cpu(context->rx->length) != SAHARA_END_OF_IMAGE_LENGTH) {
  393. dev_err(&context->mhi_dev->dev, "Malformed end_of_image packet - length %d\n",
  394. le32_to_cpu(context->rx->length));
  395. return;
  396. }
  397. if (context->active_image_id != SAHARA_IMAGE_ID_NONE &&
  398. le32_to_cpu(context->rx->end_of_image.image) != context->active_image_id) {
  399. dev_err(&context->mhi_dev->dev, "Malformed end_of_image packet - image %d is not the active image\n",
  400. le32_to_cpu(context->rx->end_of_image.image));
  401. return;
  402. }
  403. sahara_release_image(context);
  404. if (le32_to_cpu(context->rx->end_of_image.status))
  405. return;
  406. context->tx[0]->cmd = cpu_to_le32(SAHARA_DONE_CMD);
  407. context->tx[0]->length = cpu_to_le32(SAHARA_DONE_LENGTH);
  408. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE, context->tx[0],
  409. SAHARA_DONE_LENGTH, MHI_EOT);
  410. if (ret)
  411. dev_dbg(&context->mhi_dev->dev, "Unable to send done response %d\n", ret);
  412. }
  413. static void sahara_memory_debug64(struct sahara_context *context)
  414. {
  415. int ret;
  416. dev_dbg(&context->mhi_dev->dev,
  417. "MEMORY DEBUG64 cmd received. length:%d table_address:%#llx table_length:%#llx\n",
  418. le32_to_cpu(context->rx->length),
  419. le64_to_cpu(context->rx->memory_debug64.table_address),
  420. le64_to_cpu(context->rx->memory_debug64.table_length));
  421. if (le32_to_cpu(context->rx->length) != SAHARA_MEM_DEBUG64_LENGTH) {
  422. dev_err(&context->mhi_dev->dev, "Malformed memory debug64 packet - length %d\n",
  423. le32_to_cpu(context->rx->length));
  424. return;
  425. }
  426. context->dump_table_address = le64_to_cpu(context->rx->memory_debug64.table_address);
  427. context->dump_table_length = le64_to_cpu(context->rx->memory_debug64.table_length);
  428. if (context->dump_table_length % sizeof(struct sahara_debug_table_entry64) != 0 ||
  429. !context->dump_table_length) {
  430. dev_err(&context->mhi_dev->dev, "Malformed memory debug64 packet - table length %lld\n",
  431. context->dump_table_length);
  432. return;
  433. }
  434. /*
  435. * From this point, the protocol flips. We make memory_read requests to
  436. * the device, and the device responds with the raw data. If the device
  437. * has an error, it will send an End of Image command. First we need to
  438. * request the memory dump table so that we know where all the pieces
  439. * of the dump are that we can consume.
  440. */
  441. context->is_mem_dump_mode = true;
  442. /*
  443. * Assume that the table is smaller than our MTU so that we can read it
  444. * in one shot. The spec does not put an upper limit on the table, but
  445. * no known device will exceed this.
  446. */
  447. if (context->dump_table_length > SAHARA_PACKET_MAX_SIZE) {
  448. dev_err(&context->mhi_dev->dev, "Memory dump table length %lld exceeds supported size. Discarding dump\n",
  449. context->dump_table_length);
  450. sahara_send_reset(context);
  451. return;
  452. }
  453. context->tx[0]->cmd = cpu_to_le32(SAHARA_MEM_READ64_CMD);
  454. context->tx[0]->length = cpu_to_le32(SAHARA_MEM_READ64_LENGTH);
  455. context->tx[0]->memory_read64.memory_address = cpu_to_le64(context->dump_table_address);
  456. context->tx[0]->memory_read64.memory_length = cpu_to_le64(context->dump_table_length);
  457. context->rx_size_requested = context->dump_table_length;
  458. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE, context->tx[0],
  459. SAHARA_MEM_READ64_LENGTH, MHI_EOT);
  460. if (ret)
  461. dev_err(&context->mhi_dev->dev, "Unable to send read for dump table %d\n", ret);
  462. }
  463. static void sahara_processing(struct work_struct *work)
  464. {
  465. struct sahara_context *context = container_of(work, struct sahara_context, fw_work);
  466. int ret;
  467. switch (le32_to_cpu(context->rx->cmd)) {
  468. case SAHARA_HELLO_CMD:
  469. sahara_hello(context);
  470. break;
  471. case SAHARA_READ_DATA_CMD:
  472. sahara_read_data(context);
  473. break;
  474. case SAHARA_END_OF_IMAGE_CMD:
  475. sahara_end_of_image(context);
  476. break;
  477. case SAHARA_DONE_RESP_CMD:
  478. /* Intentional do nothing as we don't need to exit an app */
  479. break;
  480. case SAHARA_RESET_RESP_CMD:
  481. /* Intentional do nothing as we don't need to exit an app */
  482. break;
  483. case SAHARA_MEM_DEBUG64_CMD:
  484. sahara_memory_debug64(context);
  485. break;
  486. default:
  487. dev_err(&context->mhi_dev->dev, "Unknown command %d\n",
  488. le32_to_cpu(context->rx->cmd));
  489. break;
  490. }
  491. ret = mhi_queue_buf(context->mhi_dev, DMA_FROM_DEVICE, context->rx,
  492. SAHARA_PACKET_MAX_SIZE, MHI_EOT);
  493. if (ret)
  494. dev_err(&context->mhi_dev->dev, "Unable to requeue rx buf %d\n", ret);
  495. }
  496. static void sahara_parse_dump_table(struct sahara_context *context)
  497. {
  498. struct sahara_dump_table_entry *image_out_table;
  499. struct sahara_debug_table_entry64 *dev_table;
  500. struct sahara_memory_dump_meta_v1 *dump_meta;
  501. u64 table_nents;
  502. u64 dump_length;
  503. u64 mul_bytes;
  504. int ret;
  505. u64 i;
  506. table_nents = context->dump_table_length / sizeof(*dev_table);
  507. context->dump_images_left = table_nents;
  508. dump_length = 0;
  509. dev_table = (struct sahara_debug_table_entry64 *)(context->rx);
  510. for (i = 0; i < table_nents; ++i) {
  511. /* Do not trust the device, ensure the strings are terminated */
  512. dev_table[i].description[SAHARA_TABLE_ENTRY_STR_LEN - 1] = 0;
  513. dev_table[i].filename[SAHARA_TABLE_ENTRY_STR_LEN - 1] = 0;
  514. if (check_add_overflow(dump_length,
  515. le64_to_cpu(dev_table[i].length),
  516. &dump_length)) {
  517. /* Discard the dump */
  518. sahara_send_reset(context);
  519. return;
  520. }
  521. dev_dbg(&context->mhi_dev->dev,
  522. "Memory dump table entry %lld type: %lld address: %#llx length: %#llx description: \"%s\" filename \"%s\"\n",
  523. i,
  524. le64_to_cpu(dev_table[i].type),
  525. le64_to_cpu(dev_table[i].address),
  526. le64_to_cpu(dev_table[i].length),
  527. dev_table[i].description,
  528. dev_table[i].filename);
  529. }
  530. if (check_add_overflow(dump_length, (u64)sizeof(*dump_meta), &dump_length)) {
  531. /* Discard the dump */
  532. sahara_send_reset(context);
  533. return;
  534. }
  535. if (check_mul_overflow((u64)sizeof(*image_out_table), table_nents, &mul_bytes)) {
  536. /* Discard the dump */
  537. sahara_send_reset(context);
  538. return;
  539. }
  540. if (check_add_overflow(dump_length, mul_bytes, &dump_length)) {
  541. /* Discard the dump */
  542. sahara_send_reset(context);
  543. return;
  544. }
  545. context->mem_dump_sz = dump_length;
  546. context->mem_dump = vzalloc(dump_length);
  547. if (!context->mem_dump) {
  548. /* Discard the dump */
  549. sahara_send_reset(context);
  550. return;
  551. }
  552. /* Populate the dump metadata and table for userspace */
  553. dump_meta = context->mem_dump;
  554. dump_meta->magic = SAHARA_DUMP_V1_MAGIC;
  555. dump_meta->version = SAHARA_DUMP_V1_VER;
  556. dump_meta->dump_size = dump_length;
  557. dump_meta->table_size = context->dump_table_length;
  558. image_out_table = context->mem_dump + sizeof(*dump_meta);
  559. for (i = 0; i < table_nents; ++i) {
  560. image_out_table[i].type = le64_to_cpu(dev_table[i].type);
  561. image_out_table[i].address = le64_to_cpu(dev_table[i].address);
  562. image_out_table[i].length = le64_to_cpu(dev_table[i].length);
  563. strscpy(image_out_table[i].description, dev_table[i].description,
  564. SAHARA_TABLE_ENTRY_STR_LEN);
  565. strscpy(image_out_table[i].filename,
  566. dev_table[i].filename,
  567. SAHARA_TABLE_ENTRY_STR_LEN);
  568. }
  569. context->mem_dump_freespace = &image_out_table[i];
  570. /* Done parsing the table, switch to image dump mode */
  571. context->dump_table_length = 0;
  572. /* Request the first chunk of the first image */
  573. context->dump_image = &image_out_table[0];
  574. dump_length = min_t(u64, context->dump_image->length, SAHARA_READ_MAX_SIZE);
  575. /* Avoid requesting EOI sized data so that we can identify errors */
  576. if (dump_length == SAHARA_END_OF_IMAGE_LENGTH)
  577. dump_length = SAHARA_END_OF_IMAGE_LENGTH / 2;
  578. context->dump_image_offset = dump_length;
  579. context->tx[0]->cmd = cpu_to_le32(SAHARA_MEM_READ64_CMD);
  580. context->tx[0]->length = cpu_to_le32(SAHARA_MEM_READ64_LENGTH);
  581. context->tx[0]->memory_read64.memory_address = cpu_to_le64(context->dump_image->address);
  582. context->tx[0]->memory_read64.memory_length = cpu_to_le64(dump_length);
  583. context->rx_size_requested = dump_length;
  584. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE, context->tx[0],
  585. SAHARA_MEM_READ64_LENGTH, MHI_EOT);
  586. if (ret)
  587. dev_err(&context->mhi_dev->dev, "Unable to send read for dump content %d\n", ret);
  588. }
  589. static void sahara_parse_dump_image(struct sahara_context *context)
  590. {
  591. u64 dump_length;
  592. int ret;
  593. memcpy(context->mem_dump_freespace, context->rx, context->rx_size);
  594. context->mem_dump_freespace += context->rx_size;
  595. if (context->dump_image_offset >= context->dump_image->length) {
  596. /* Need to move to next image */
  597. context->dump_image++;
  598. context->dump_images_left--;
  599. context->dump_image_offset = 0;
  600. if (!context->dump_images_left) {
  601. /* Dump done */
  602. dev_coredumpv(context->mhi_dev->mhi_cntrl->cntrl_dev,
  603. context->mem_dump,
  604. context->mem_dump_sz,
  605. GFP_KERNEL);
  606. context->mem_dump = NULL;
  607. sahara_send_reset(context);
  608. return;
  609. }
  610. }
  611. /* Get next image chunk */
  612. dump_length = context->dump_image->length - context->dump_image_offset;
  613. dump_length = min_t(u64, dump_length, SAHARA_READ_MAX_SIZE);
  614. /* Avoid requesting EOI sized data so that we can identify errors */
  615. if (dump_length == SAHARA_END_OF_IMAGE_LENGTH)
  616. dump_length = SAHARA_END_OF_IMAGE_LENGTH / 2;
  617. context->tx[0]->cmd = cpu_to_le32(SAHARA_MEM_READ64_CMD);
  618. context->tx[0]->length = cpu_to_le32(SAHARA_MEM_READ64_LENGTH);
  619. context->tx[0]->memory_read64.memory_address =
  620. cpu_to_le64(context->dump_image->address + context->dump_image_offset);
  621. context->tx[0]->memory_read64.memory_length = cpu_to_le64(dump_length);
  622. context->dump_image_offset += dump_length;
  623. context->rx_size_requested = dump_length;
  624. ret = mhi_queue_buf(context->mhi_dev, DMA_TO_DEVICE, context->tx[0],
  625. SAHARA_MEM_READ64_LENGTH, MHI_EOT);
  626. if (ret)
  627. dev_err(&context->mhi_dev->dev,
  628. "Unable to send read for dump content %d\n", ret);
  629. }
  630. static void sahara_dump_processing(struct work_struct *work)
  631. {
  632. struct sahara_context *context = container_of(work, struct sahara_context, dump_work);
  633. int ret;
  634. /*
  635. * We should get the expected raw data, but if the device has an error
  636. * it is supposed to send EOI with an error code.
  637. */
  638. if (context->rx_size != context->rx_size_requested &&
  639. context->rx_size != SAHARA_END_OF_IMAGE_LENGTH) {
  640. dev_err(&context->mhi_dev->dev,
  641. "Unexpected response to read_data. Expected size: %#zx got: %#zx\n",
  642. context->rx_size_requested,
  643. context->rx_size);
  644. goto error;
  645. }
  646. if (context->rx_size == SAHARA_END_OF_IMAGE_LENGTH &&
  647. le32_to_cpu(context->rx->cmd) == SAHARA_END_OF_IMAGE_CMD) {
  648. dev_err(&context->mhi_dev->dev,
  649. "Unexpected EOI response to read_data. Status: %d\n",
  650. le32_to_cpu(context->rx->end_of_image.status));
  651. goto error;
  652. }
  653. if (context->rx_size == SAHARA_END_OF_IMAGE_LENGTH &&
  654. le32_to_cpu(context->rx->cmd) != SAHARA_END_OF_IMAGE_CMD) {
  655. dev_err(&context->mhi_dev->dev,
  656. "Invalid EOI response to read_data. CMD: %d\n",
  657. le32_to_cpu(context->rx->cmd));
  658. goto error;
  659. }
  660. /*
  661. * Need to know if we received the dump table, or part of a dump image.
  662. * Since we get raw data, we cannot tell from the data itself. Instead,
  663. * we use the stored dump_table_length, which we zero after we read and
  664. * process the entire table.
  665. */
  666. if (context->dump_table_length)
  667. sahara_parse_dump_table(context);
  668. else
  669. sahara_parse_dump_image(context);
  670. ret = mhi_queue_buf(context->mhi_dev, DMA_FROM_DEVICE, context->rx,
  671. SAHARA_PACKET_MAX_SIZE, MHI_EOT);
  672. if (ret)
  673. dev_err(&context->mhi_dev->dev, "Unable to requeue rx buf %d\n", ret);
  674. return;
  675. error:
  676. vfree(context->mem_dump);
  677. context->mem_dump = NULL;
  678. sahara_send_reset(context);
  679. }
  680. static void sahara_read_data_processing(struct work_struct *work)
  681. {
  682. struct sahara_context *context = container_of(work, struct sahara_context, read_data_work);
  683. read_data_helper(context, 0);
  684. }
  685. static int sahara_mhi_probe(struct mhi_device *mhi_dev, const struct mhi_device_id *id)
  686. {
  687. struct sahara_context *context;
  688. int ret;
  689. int i;
  690. context = devm_kzalloc(&mhi_dev->dev, sizeof(*context), GFP_KERNEL);
  691. if (!context)
  692. return -ENOMEM;
  693. context->rx = devm_kzalloc(&mhi_dev->dev, SAHARA_PACKET_MAX_SIZE, GFP_KERNEL);
  694. if (!context->rx)
  695. return -ENOMEM;
  696. if (!strcmp(mhi_dev->mhi_cntrl->name, "AIC200")) {
  697. context->image_table = aic200_image_table;
  698. context->table_size = ARRAY_SIZE(aic200_image_table);
  699. } else {
  700. context->image_table = aic100_image_table;
  701. context->table_size = ARRAY_SIZE(aic100_image_table);
  702. context->non_streaming = true;
  703. }
  704. /*
  705. * There are two firmware implementations for READ_DATA handling.
  706. * The older "SBL" implementation defines a Sahara transfer size, and
  707. * expects that the response is a single transport transfer. If the
  708. * FW wants to transfer a file that is larger than the transfer size,
  709. * the FW will issue multiple READ_DATA commands. For this
  710. * implementation, we need to allocate enough buffers to contain the
  711. * entire Sahara transfer size.
  712. *
  713. * The newer "XBL" implementation does not define a maximum transfer
  714. * size and instead expects the data to be streamed over using the
  715. * transport level MTU. The FW will issue a single READ_DATA command
  716. * of whatever size, and consume multiple transport level transfers
  717. * until the expected amount of data is consumed. For this
  718. * implementation we only need a single buffer of the transport MTU
  719. * but we'll need to be able to use it multiple times for a single
  720. * READ_DATA request.
  721. *
  722. * AIC100 is the SBL implementation and defines SAHARA_TRANSFER_MAX_SIZE
  723. * and we need 9x SAHARA_PACKET_MAX_SIZE to cover that. We can use
  724. * MHI_CHAIN to link multiple buffers into a single transfer but the
  725. * remote side will not consume the buffers until it sees an EOT, thus
  726. * we need to allocate enough buffers to put in the tx fifo to cover an
  727. * entire READ_DATA request of the max size.
  728. *
  729. * AIC200 is the XBL implementation, and so a single buffer will work.
  730. */
  731. for (i = 0; i < SAHARA_NUM_TX_BUF; ++i) {
  732. context->tx[i] = devm_kzalloc(&mhi_dev->dev,
  733. SAHARA_PACKET_MAX_SIZE,
  734. GFP_KERNEL);
  735. if (!context->tx[i])
  736. return -ENOMEM;
  737. if (is_streaming(context))
  738. break;
  739. }
  740. context->mhi_dev = mhi_dev;
  741. INIT_WORK(&context->fw_work, sahara_processing);
  742. INIT_WORK(&context->dump_work, sahara_dump_processing);
  743. INIT_WORK(&context->read_data_work, sahara_read_data_processing);
  744. context->active_image_id = SAHARA_IMAGE_ID_NONE;
  745. dev_set_drvdata(&mhi_dev->dev, context);
  746. ret = mhi_prepare_for_transfer(mhi_dev);
  747. if (ret)
  748. return ret;
  749. ret = mhi_queue_buf(mhi_dev, DMA_FROM_DEVICE, context->rx, SAHARA_PACKET_MAX_SIZE, MHI_EOT);
  750. if (ret) {
  751. mhi_unprepare_from_transfer(mhi_dev);
  752. return ret;
  753. }
  754. return 0;
  755. }
  756. static void sahara_mhi_remove(struct mhi_device *mhi_dev)
  757. {
  758. struct sahara_context *context = dev_get_drvdata(&mhi_dev->dev);
  759. cancel_work_sync(&context->fw_work);
  760. cancel_work_sync(&context->dump_work);
  761. vfree(context->mem_dump);
  762. sahara_release_image(context);
  763. mhi_unprepare_from_transfer(mhi_dev);
  764. }
  765. static void sahara_mhi_ul_xfer_cb(struct mhi_device *mhi_dev, struct mhi_result *mhi_result)
  766. {
  767. struct sahara_context *context = dev_get_drvdata(&mhi_dev->dev);
  768. if (!mhi_result->transaction_status && context->read_data_length && is_streaming(context))
  769. schedule_work(&context->read_data_work);
  770. }
  771. static void sahara_mhi_dl_xfer_cb(struct mhi_device *mhi_dev, struct mhi_result *mhi_result)
  772. {
  773. struct sahara_context *context = dev_get_drvdata(&mhi_dev->dev);
  774. if (!mhi_result->transaction_status) {
  775. context->rx_size = mhi_result->bytes_xferd;
  776. if (context->is_mem_dump_mode)
  777. schedule_work(&context->dump_work);
  778. else
  779. schedule_work(&context->fw_work);
  780. }
  781. }
  782. static const struct mhi_device_id sahara_mhi_match_table[] = {
  783. { .chan = "QAIC_SAHARA", },
  784. {},
  785. };
  786. static struct mhi_driver sahara_mhi_driver = {
  787. .id_table = sahara_mhi_match_table,
  788. .remove = sahara_mhi_remove,
  789. .probe = sahara_mhi_probe,
  790. .ul_xfer_cb = sahara_mhi_ul_xfer_cb,
  791. .dl_xfer_cb = sahara_mhi_dl_xfer_cb,
  792. .driver = {
  793. .name = "sahara",
  794. },
  795. };
  796. int sahara_register(void)
  797. {
  798. return mhi_driver_register(&sahara_mhi_driver);
  799. }
  800. void sahara_unregister(void)
  801. {
  802. mhi_driver_unregister(&sahara_mhi_driver);
  803. }