1// SPDX-License-Identifier: GPL-2.0-only
2
3/* Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. */
4
5#include <linux/devcoredump.h>
6#include <linux/firmware.h>
7#include <linux/limits.h>
8#include <linux/mhi.h>
9#include <linux/minmax.h>
10#include <linux/mod_devicetable.h>
11#include <linux/overflow.h>
12#include <linux/types.h>
13#include <linux/vmalloc.h>
14#include <linux/workqueue.h>
15
16#include "sahara.h"
17
18#define SAHARA_HELLO_CMD 0x1 /* Min protocol version 1.0 */
19#define SAHARA_HELLO_RESP_CMD 0x2 /* Min protocol version 1.0 */
20#define SAHARA_READ_DATA_CMD 0x3 /* Min protocol version 1.0 */
21#define SAHARA_END_OF_IMAGE_CMD 0x4 /* Min protocol version 1.0 */
22#define SAHARA_DONE_CMD 0x5 /* Min protocol version 1.0 */
23#define SAHARA_DONE_RESP_CMD 0x6 /* Min protocol version 1.0 */
24#define SAHARA_RESET_CMD 0x7 /* Min protocol version 1.0 */
25#define SAHARA_RESET_RESP_CMD 0x8 /* Min protocol version 1.0 */
26#define SAHARA_MEM_DEBUG_CMD 0x9 /* Min protocol version 2.0 */
27#define SAHARA_MEM_READ_CMD 0xa /* Min protocol version 2.0 */
28#define SAHARA_CMD_READY_CMD 0xb /* Min protocol version 2.1 */
29#define SAHARA_SWITCH_MODE_CMD 0xc /* Min protocol version 2.1 */
30#define SAHARA_EXECUTE_CMD 0xd /* Min protocol version 2.1 */
31#define SAHARA_EXECUTE_RESP_CMD 0xe /* Min protocol version 2.1 */
32#define SAHARA_EXECUTE_DATA_CMD 0xf /* Min protocol version 2.1 */
33#define SAHARA_MEM_DEBUG64_CMD 0x10 /* Min protocol version 2.5 */
34#define SAHARA_MEM_READ64_CMD 0x11 /* Min protocol version 2.5 */
35#define SAHARA_READ_DATA64_CMD 0x12 /* Min protocol version 2.8 */
36#define SAHARA_RESET_STATE_CMD 0x13 /* Min protocol version 2.9 */
37#define SAHARA_WRITE_DATA_CMD 0x14 /* Min protocol version 3.0 */
38
39#define SAHARA_PACKET_MAX_SIZE 0xffffU /* MHI_MAX_MTU */
40#define SAHARA_TRANSFER_MAX_SIZE 0x80000
41#define SAHARA_READ_MAX_SIZE 0xfff0U /* Avoid unaligned requests */
42#define SAHARA_NUM_TX_BUF DIV_ROUND_UP(SAHARA_TRANSFER_MAX_SIZE,\
43 SAHARA_PACKET_MAX_SIZE)
44#define SAHARA_IMAGE_ID_NONE U32_MAX
45
46#define SAHARA_VERSION 2
47#define SAHARA_SUCCESS 0
48#define SAHARA_TABLE_ENTRY_STR_LEN 20
49
50#define SAHARA_MODE_IMAGE_TX_PENDING 0x0
51#define SAHARA_MODE_IMAGE_TX_COMPLETE 0x1
52#define SAHARA_MODE_MEMORY_DEBUG 0x2
53#define SAHARA_MODE_COMMAND 0x3
54
55#define SAHARA_HELLO_LENGTH 0x30
56#define SAHARA_READ_DATA_LENGTH 0x14
57#define SAHARA_END_OF_IMAGE_LENGTH 0x10
58#define SAHARA_DONE_LENGTH 0x8
59#define SAHARA_RESET_LENGTH 0x8
60#define SAHARA_MEM_DEBUG64_LENGTH 0x18
61#define SAHARA_MEM_READ64_LENGTH 0x18
62
63struct sahara_packet {
64 __le32 cmd;
65 __le32 length;
66
67 union {
68 struct {
69 __le32 version;
70 __le32 version_compat;
71 __le32 max_length;
72 __le32 mode;
73 } hello;
74 struct {
75 __le32 version;
76 __le32 version_compat;
77 __le32 status;
78 __le32 mode;
79 } hello_resp;
80 struct {
81 __le32 image;
82 __le32 offset;
83 __le32 length;
84 } read_data;
85 struct {
86 __le32 image;
87 __le32 status;
88 } end_of_image;
89 struct {
90 __le64 table_address;
91 __le64 table_length;
92 } memory_debug64;
93 struct {
94 __le64 memory_address;
95 __le64 memory_length;
96 } memory_read64;
97 };
98};
99
100struct sahara_debug_table_entry64 {
101 __le64 type;
102 __le64 address;
103 __le64 length;
104 char description[SAHARA_TABLE_ENTRY_STR_LEN];
105 char filename[SAHARA_TABLE_ENTRY_STR_LEN];
106};
107
108struct sahara_dump_table_entry {
109 u64 type;
110 u64 address;
111 u64 length;
112 char description[SAHARA_TABLE_ENTRY_STR_LEN];
113 char filename[SAHARA_TABLE_ENTRY_STR_LEN];
114};
115
116#define SAHARA_DUMP_V1_MAGIC 0x1234567890abcdef
117#define SAHARA_DUMP_V1_VER 1
118struct sahara_memory_dump_meta_v1 {
119 u64 magic;
120 u64 version;
121 u64 dump_size;
122 u64 table_size;
123};
124
125/*
126 * Layout of crashdump provided to user via devcoredump
127 * +------------------------------------------+
128 * | Crashdump Meta structure |
129 * | type: struct sahara_memory_dump_meta_v1 |
130 * +------------------------------------------+
131 * | Crashdump Table |
132 * | type: array of struct |
133 * | sahara_dump_table_entry |
134 * | |
135 * | |
136 * +------------------------------------------+
137 * | Crashdump |
138 * | |
139 * | |
140 * | |
141 * | |
142 * | |
143 * +------------------------------------------+
144 *
145 * First is the metadata header. Userspace can use the magic number to verify
146 * the content type, and then check the version for the rest of the format.
147 * New versions should keep the magic number location/value, and version
148 * location, but increment the version value.
149 *
150 * For v1, the metadata lists the size of the entire dump (header + table +
151 * dump) and the size of the table. Then the dump image table, which describes
152 * the contents of the dump. Finally all the images are listed in order, with
153 * no deadspace in between. Userspace can use the sizes listed in the image
154 * table to reconstruct the individual images.
155 */
156
157struct sahara_context {
158 struct sahara_packet *tx[SAHARA_NUM_TX_BUF];
159 struct sahara_packet *rx;
160 struct work_struct fw_work;
161 struct work_struct dump_work;
162 struct work_struct read_data_work;
163 struct mhi_device *mhi_dev;
164 const char * const *image_table;
165 u32 table_size;
166 u32 active_image_id;
167 const struct firmware *firmware;
168 u64 dump_table_address;
169 u64 dump_table_length;
170 size_t rx_size;
171 size_t rx_size_requested;
172 void *mem_dump;
173 size_t mem_dump_sz;
174 struct sahara_dump_table_entry *dump_image;
175 u64 dump_image_offset;
176 void *mem_dump_freespace;
177 u64 dump_images_left;
178 u32 read_data_offset;
179 u32 read_data_length;
180 bool is_mem_dump_mode;
181 bool non_streaming;
182};
183
184static const char * const aic100_image_table[] = {
185 [1] = "qcom/aic100/fw1.bin",
186 [2] = "qcom/aic100/fw2.bin",
187 [4] = "qcom/aic100/fw4.bin",
188 [5] = "qcom/aic100/fw5.bin",
189 [6] = "qcom/aic100/fw6.bin",
190 [8] = "qcom/aic100/fw8.bin",
191 [9] = "qcom/aic100/fw9.bin",
192 [10] = "qcom/aic100/fw10.bin",
193};
194
195static const char * const aic200_image_table[] = {
196 [5] = "qcom/aic200/uefi.elf",
197 [12] = "qcom/aic200/aic200-nsp.bin",
198 [23] = "qcom/aic200/aop.mbn",
199 [32] = "qcom/aic200/tz.mbn",
200 [33] = "qcom/aic200/hypvm.mbn",
201 [38] = "qcom/aic200/xbl_config.elf",
202 [39] = "qcom/aic200/aic200_abl.elf",
203 [40] = "qcom/aic200/apdp.mbn",
204 [41] = "qcom/aic200/devcfg.mbn",
205 [42] = "qcom/aic200/sec.elf",
206 [43] = "qcom/aic200/aic200-hlos.elf",
207 [49] = "qcom/aic200/shrm.elf",
208 [50] = "qcom/aic200/cpucp.elf",
209 [51] = "qcom/aic200/aop_devcfg.mbn",
210 [54] = "qcom/aic200/qupv3fw.elf",
211 [57] = "qcom/aic200/cpucp_dtbs.elf",
212 [62] = "qcom/aic200/uefi_dtbs.elf",
213 [63] = "qcom/aic200/xbl_ac_config.mbn",
214 [64] = "qcom/aic200/tz_ac_config.mbn",
215 [65] = "qcom/aic200/hyp_ac_config.mbn",
216 [66] = "qcom/aic200/pdp.elf",
217 [67] = "qcom/aic200/pdp_cdb.elf",
218 [68] = "qcom/aic200/sdi.mbn",
219 [69] = "qcom/aic200/dcd.mbn",
220 [73] = "qcom/aic200/gearvm.mbn",
221 [74] = "qcom/aic200/sti.bin",
222 [76] = "qcom/aic200/tz_qti_config.mbn",
223 [78] = "qcom/aic200/pvs.bin",
224};
225
226static bool is_streaming(struct sahara_context *context)
227{
228 return !context->non_streaming;
229}
230
231static int sahara_find_image(struct sahara_context *context, u32 image_id)
232{
233 int ret;
234
235 if (image_id == context->active_image_id)
236 return 0;
237
238 if (context->active_image_id != SAHARA_IMAGE_ID_NONE) {
239 dev_err(&context->mhi_dev->dev, "image id %d is not valid as %d is active\n",
240 image_id, context->active_image_id);
241 return -EINVAL;
242 }
243
244 if (image_id >= context->table_size || !context->image_table[image_id]) {
245 dev_err(&context->mhi_dev->dev, "request for unknown image: %d\n", image_id);
246 return -EINVAL;
247 }
248
249 /*
250 * This image might be optional. The device may continue without it.
251 * Only the device knows. Suppress error messages that could suggest an
252 * a problem when we were actually able to continue.
253 */
254 ret = firmware_request_nowarn(fw: &context->firmware,
255 name: context->image_table[image_id],
256 device: &context->mhi_dev->dev);
257 if (ret) {
258 dev_dbg(&context->mhi_dev->dev, "request for image id %d / file %s failed %d\n",
259 image_id, context->image_table[image_id], ret);
260 return ret;
261 }
262
263 context->active_image_id = image_id;
264
265 return 0;
266}
267
268static void sahara_release_image(struct sahara_context *context)
269{
270 if (context->active_image_id != SAHARA_IMAGE_ID_NONE)
271 release_firmware(fw: context->firmware);
272 context->active_image_id = SAHARA_IMAGE_ID_NONE;
273}
274
275static void sahara_send_reset(struct sahara_context *context)
276{
277 int ret;
278
279 context->is_mem_dump_mode = false;
280 context->read_data_offset = 0;
281 context->read_data_length = 0;
282
283 context->tx[0]->cmd = cpu_to_le32(SAHARA_RESET_CMD);
284 context->tx[0]->length = cpu_to_le32(SAHARA_RESET_LENGTH);
285
286 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE, buf: context->tx[0],
287 SAHARA_RESET_LENGTH, mflags: MHI_EOT);
288 if (ret)
289 dev_err(&context->mhi_dev->dev, "Unable to send reset response %d\n", ret);
290}
291
292static void sahara_hello(struct sahara_context *context)
293{
294 int ret;
295
296 dev_dbg(&context->mhi_dev->dev,
297 "HELLO cmd received. length:%d version:%d version_compat:%d max_length:%d mode:%d\n",
298 le32_to_cpu(context->rx->length),
299 le32_to_cpu(context->rx->hello.version),
300 le32_to_cpu(context->rx->hello.version_compat),
301 le32_to_cpu(context->rx->hello.max_length),
302 le32_to_cpu(context->rx->hello.mode));
303
304 if (le32_to_cpu(context->rx->length) != SAHARA_HELLO_LENGTH) {
305 dev_err(&context->mhi_dev->dev, "Malformed hello packet - length %d\n",
306 le32_to_cpu(context->rx->length));
307 return;
308 }
309 if (le32_to_cpu(context->rx->hello.version) != SAHARA_VERSION) {
310 dev_err(&context->mhi_dev->dev, "Unsupported hello packet - version %d\n",
311 le32_to_cpu(context->rx->hello.version));
312 return;
313 }
314
315 if (le32_to_cpu(context->rx->hello.mode) != SAHARA_MODE_IMAGE_TX_PENDING &&
316 le32_to_cpu(context->rx->hello.mode) != SAHARA_MODE_IMAGE_TX_COMPLETE &&
317 le32_to_cpu(context->rx->hello.mode) != SAHARA_MODE_MEMORY_DEBUG) {
318 dev_err(&context->mhi_dev->dev, "Unsupported hello packet - mode %d\n",
319 le32_to_cpu(context->rx->hello.mode));
320 return;
321 }
322
323 context->tx[0]->cmd = cpu_to_le32(SAHARA_HELLO_RESP_CMD);
324 context->tx[0]->length = cpu_to_le32(SAHARA_HELLO_LENGTH);
325 context->tx[0]->hello_resp.version = cpu_to_le32(SAHARA_VERSION);
326 context->tx[0]->hello_resp.version_compat = cpu_to_le32(SAHARA_VERSION);
327 context->tx[0]->hello_resp.status = cpu_to_le32(SAHARA_SUCCESS);
328 context->tx[0]->hello_resp.mode = context->rx->hello_resp.mode;
329
330 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE, buf: context->tx[0],
331 SAHARA_HELLO_LENGTH, mflags: MHI_EOT);
332 if (ret)
333 dev_err(&context->mhi_dev->dev, "Unable to send hello response %d\n", ret);
334}
335
336static int read_data_helper(struct sahara_context *context, int buf_index)
337{
338 enum mhi_flags mhi_flag;
339 u32 pkt_data_len;
340 int ret;
341
342 pkt_data_len = min(context->read_data_length, SAHARA_PACKET_MAX_SIZE);
343
344 memcpy(context->tx[buf_index],
345 &context->firmware->data[context->read_data_offset],
346 pkt_data_len);
347
348 context->read_data_offset += pkt_data_len;
349 context->read_data_length -= pkt_data_len;
350
351 if (is_streaming(context) || !context->read_data_length)
352 mhi_flag = MHI_EOT;
353 else
354 mhi_flag = MHI_CHAIN;
355
356 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE,
357 buf: context->tx[buf_index], len: pkt_data_len, mflags: mhi_flag);
358 if (ret) {
359 dev_err(&context->mhi_dev->dev, "Unable to send read_data response %d\n", ret);
360 return ret;
361 }
362
363 return 0;
364}
365
366static void sahara_read_data(struct sahara_context *context)
367{
368 u32 image_id, data_offset, data_len;
369 int ret;
370 int i;
371
372 dev_dbg(&context->mhi_dev->dev,
373 "READ_DATA cmd received. length:%d image:%d offset:%d data_length:%d\n",
374 le32_to_cpu(context->rx->length),
375 le32_to_cpu(context->rx->read_data.image),
376 le32_to_cpu(context->rx->read_data.offset),
377 le32_to_cpu(context->rx->read_data.length));
378
379 if (le32_to_cpu(context->rx->length) != SAHARA_READ_DATA_LENGTH) {
380 dev_err(&context->mhi_dev->dev, "Malformed read_data packet - length %d\n",
381 le32_to_cpu(context->rx->length));
382 return;
383 }
384
385 image_id = le32_to_cpu(context->rx->read_data.image);
386 data_offset = le32_to_cpu(context->rx->read_data.offset);
387 data_len = le32_to_cpu(context->rx->read_data.length);
388
389 ret = sahara_find_image(context, image_id);
390 if (ret) {
391 sahara_send_reset(context);
392 return;
393 }
394
395 /*
396 * Image is released when the device is done with it via
397 * SAHARA_END_OF_IMAGE_CMD. sahara_send_reset() will either cause the
398 * device to retry the operation with a modification, or decide to be
399 * done with the image and trigger SAHARA_END_OF_IMAGE_CMD.
400 * release_image() is called from SAHARA_END_OF_IMAGE_CMD. processing
401 * and is not needed here on error.
402 */
403
404 if (context->non_streaming && data_len > SAHARA_TRANSFER_MAX_SIZE) {
405 dev_err(&context->mhi_dev->dev, "Malformed read_data packet - data len %d exceeds max xfer size %d\n",
406 data_len, SAHARA_TRANSFER_MAX_SIZE);
407 sahara_send_reset(context);
408 return;
409 }
410
411 if (data_offset >= context->firmware->size) {
412 dev_err(&context->mhi_dev->dev, "Malformed read_data packet - data offset %d exceeds file size %zu\n",
413 data_offset, context->firmware->size);
414 sahara_send_reset(context);
415 return;
416 }
417
418 if (size_add(addend1: data_offset, addend2: data_len) > context->firmware->size) {
419 dev_err(&context->mhi_dev->dev, "Malformed read_data packet - data offset %d and length %d exceeds file size %zu\n",
420 data_offset, data_len, context->firmware->size);
421 sahara_send_reset(context);
422 return;
423 }
424
425 context->read_data_offset = data_offset;
426 context->read_data_length = data_len;
427
428 if (is_streaming(context)) {
429 schedule_work(work: &context->read_data_work);
430 return;
431 }
432
433 for (i = 0; i < SAHARA_NUM_TX_BUF && context->read_data_length; ++i) {
434 ret = read_data_helper(context, buf_index: i);
435 if (ret)
436 break;
437 }
438}
439
440static void sahara_end_of_image(struct sahara_context *context)
441{
442 int ret;
443
444 dev_dbg(&context->mhi_dev->dev,
445 "END_OF_IMAGE cmd received. length:%d image:%d status:%d\n",
446 le32_to_cpu(context->rx->length),
447 le32_to_cpu(context->rx->end_of_image.image),
448 le32_to_cpu(context->rx->end_of_image.status));
449
450 if (le32_to_cpu(context->rx->length) != SAHARA_END_OF_IMAGE_LENGTH) {
451 dev_err(&context->mhi_dev->dev, "Malformed end_of_image packet - length %d\n",
452 le32_to_cpu(context->rx->length));
453 return;
454 }
455
456 if (context->active_image_id != SAHARA_IMAGE_ID_NONE &&
457 le32_to_cpu(context->rx->end_of_image.image) != context->active_image_id) {
458 dev_err(&context->mhi_dev->dev, "Malformed end_of_image packet - image %d is not the active image\n",
459 le32_to_cpu(context->rx->end_of_image.image));
460 return;
461 }
462
463 sahara_release_image(context);
464
465 if (le32_to_cpu(context->rx->end_of_image.status))
466 return;
467
468 context->tx[0]->cmd = cpu_to_le32(SAHARA_DONE_CMD);
469 context->tx[0]->length = cpu_to_le32(SAHARA_DONE_LENGTH);
470
471 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE, buf: context->tx[0],
472 SAHARA_DONE_LENGTH, mflags: MHI_EOT);
473 if (ret)
474 dev_dbg(&context->mhi_dev->dev, "Unable to send done response %d\n", ret);
475}
476
477static void sahara_memory_debug64(struct sahara_context *context)
478{
479 int ret;
480
481 dev_dbg(&context->mhi_dev->dev,
482 "MEMORY DEBUG64 cmd received. length:%d table_address:%#llx table_length:%#llx\n",
483 le32_to_cpu(context->rx->length),
484 le64_to_cpu(context->rx->memory_debug64.table_address),
485 le64_to_cpu(context->rx->memory_debug64.table_length));
486
487 if (le32_to_cpu(context->rx->length) != SAHARA_MEM_DEBUG64_LENGTH) {
488 dev_err(&context->mhi_dev->dev, "Malformed memory debug64 packet - length %d\n",
489 le32_to_cpu(context->rx->length));
490 return;
491 }
492
493 context->dump_table_address = le64_to_cpu(context->rx->memory_debug64.table_address);
494 context->dump_table_length = le64_to_cpu(context->rx->memory_debug64.table_length);
495
496 if (context->dump_table_length % sizeof(struct sahara_debug_table_entry64) != 0 ||
497 !context->dump_table_length) {
498 dev_err(&context->mhi_dev->dev, "Malformed memory debug64 packet - table length %lld\n",
499 context->dump_table_length);
500 return;
501 }
502
503 /*
504 * From this point, the protocol flips. We make memory_read requests to
505 * the device, and the device responds with the raw data. If the device
506 * has an error, it will send an End of Image command. First we need to
507 * request the memory dump table so that we know where all the pieces
508 * of the dump are that we can consume.
509 */
510
511 context->is_mem_dump_mode = true;
512
513 /*
514 * Assume that the table is smaller than our MTU so that we can read it
515 * in one shot. The spec does not put an upper limit on the table, but
516 * no known device will exceed this.
517 */
518 if (context->dump_table_length > SAHARA_PACKET_MAX_SIZE) {
519 dev_err(&context->mhi_dev->dev, "Memory dump table length %lld exceeds supported size. Discarding dump\n",
520 context->dump_table_length);
521 sahara_send_reset(context);
522 return;
523 }
524
525 context->tx[0]->cmd = cpu_to_le32(SAHARA_MEM_READ64_CMD);
526 context->tx[0]->length = cpu_to_le32(SAHARA_MEM_READ64_LENGTH);
527 context->tx[0]->memory_read64.memory_address = cpu_to_le64(context->dump_table_address);
528 context->tx[0]->memory_read64.memory_length = cpu_to_le64(context->dump_table_length);
529
530 context->rx_size_requested = context->dump_table_length;
531
532 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE, buf: context->tx[0],
533 SAHARA_MEM_READ64_LENGTH, mflags: MHI_EOT);
534 if (ret)
535 dev_err(&context->mhi_dev->dev, "Unable to send read for dump table %d\n", ret);
536}
537
538static void sahara_processing(struct work_struct *work)
539{
540 struct sahara_context *context = container_of(work, struct sahara_context, fw_work);
541 int ret;
542
543 switch (le32_to_cpu(context->rx->cmd)) {
544 case SAHARA_HELLO_CMD:
545 sahara_hello(context);
546 break;
547 case SAHARA_READ_DATA_CMD:
548 sahara_read_data(context);
549 break;
550 case SAHARA_END_OF_IMAGE_CMD:
551 sahara_end_of_image(context);
552 break;
553 case SAHARA_DONE_RESP_CMD:
554 /* Intentional do nothing as we don't need to exit an app */
555 break;
556 case SAHARA_RESET_RESP_CMD:
557 /* Intentional do nothing as we don't need to exit an app */
558 break;
559 case SAHARA_MEM_DEBUG64_CMD:
560 sahara_memory_debug64(context);
561 break;
562 default:
563 dev_err(&context->mhi_dev->dev, "Unknown command %d\n",
564 le32_to_cpu(context->rx->cmd));
565 break;
566 }
567
568 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_FROM_DEVICE, buf: context->rx,
569 SAHARA_PACKET_MAX_SIZE, mflags: MHI_EOT);
570 if (ret)
571 dev_err(&context->mhi_dev->dev, "Unable to requeue rx buf %d\n", ret);
572}
573
574static void sahara_parse_dump_table(struct sahara_context *context)
575{
576 struct sahara_dump_table_entry *image_out_table;
577 struct sahara_debug_table_entry64 *dev_table;
578 struct sahara_memory_dump_meta_v1 *dump_meta;
579 u64 table_nents;
580 u64 dump_length;
581 u64 mul_bytes;
582 int ret;
583 u64 i;
584
585 table_nents = context->dump_table_length / sizeof(*dev_table);
586 context->dump_images_left = table_nents;
587 dump_length = 0;
588
589 dev_table = (struct sahara_debug_table_entry64 *)(context->rx);
590 for (i = 0; i < table_nents; ++i) {
591 /* Do not trust the device, ensure the strings are terminated */
592 dev_table[i].description[SAHARA_TABLE_ENTRY_STR_LEN - 1] = 0;
593 dev_table[i].filename[SAHARA_TABLE_ENTRY_STR_LEN - 1] = 0;
594
595 if (check_add_overflow(dump_length,
596 le64_to_cpu(dev_table[i].length),
597 &dump_length)) {
598 /* Discard the dump */
599 sahara_send_reset(context);
600 return;
601 }
602
603 dev_dbg(&context->mhi_dev->dev,
604 "Memory dump table entry %lld type: %lld address: %#llx length: %#llx description: \"%s\" filename \"%s\"\n",
605 i,
606 le64_to_cpu(dev_table[i].type),
607 le64_to_cpu(dev_table[i].address),
608 le64_to_cpu(dev_table[i].length),
609 dev_table[i].description,
610 dev_table[i].filename);
611 }
612
613 if (check_add_overflow(dump_length, (u64)sizeof(*dump_meta), &dump_length)) {
614 /* Discard the dump */
615 sahara_send_reset(context);
616 return;
617 }
618 if (check_mul_overflow((u64)sizeof(*image_out_table), table_nents, &mul_bytes)) {
619 /* Discard the dump */
620 sahara_send_reset(context);
621 return;
622 }
623 if (check_add_overflow(dump_length, mul_bytes, &dump_length)) {
624 /* Discard the dump */
625 sahara_send_reset(context);
626 return;
627 }
628
629 context->mem_dump_sz = dump_length;
630 context->mem_dump = vzalloc(dump_length);
631 if (!context->mem_dump) {
632 /* Discard the dump */
633 sahara_send_reset(context);
634 return;
635 }
636
637 /* Populate the dump metadata and table for userspace */
638 dump_meta = context->mem_dump;
639 dump_meta->magic = SAHARA_DUMP_V1_MAGIC;
640 dump_meta->version = SAHARA_DUMP_V1_VER;
641 dump_meta->dump_size = dump_length;
642 dump_meta->table_size = context->dump_table_length;
643
644 image_out_table = context->mem_dump + sizeof(*dump_meta);
645 for (i = 0; i < table_nents; ++i) {
646 image_out_table[i].type = le64_to_cpu(dev_table[i].type);
647 image_out_table[i].address = le64_to_cpu(dev_table[i].address);
648 image_out_table[i].length = le64_to_cpu(dev_table[i].length);
649 strscpy(image_out_table[i].description, dev_table[i].description,
650 SAHARA_TABLE_ENTRY_STR_LEN);
651 strscpy(image_out_table[i].filename,
652 dev_table[i].filename,
653 SAHARA_TABLE_ENTRY_STR_LEN);
654 }
655
656 context->mem_dump_freespace = &image_out_table[i];
657
658 /* Done parsing the table, switch to image dump mode */
659 context->dump_table_length = 0;
660
661 /* Request the first chunk of the first image */
662 context->dump_image = &image_out_table[0];
663 dump_length = min_t(u64, context->dump_image->length, SAHARA_READ_MAX_SIZE);
664 /* Avoid requesting EOI sized data so that we can identify errors */
665 if (dump_length == SAHARA_END_OF_IMAGE_LENGTH)
666 dump_length = SAHARA_END_OF_IMAGE_LENGTH / 2;
667
668 context->dump_image_offset = dump_length;
669
670 context->tx[0]->cmd = cpu_to_le32(SAHARA_MEM_READ64_CMD);
671 context->tx[0]->length = cpu_to_le32(SAHARA_MEM_READ64_LENGTH);
672 context->tx[0]->memory_read64.memory_address = cpu_to_le64(context->dump_image->address);
673 context->tx[0]->memory_read64.memory_length = cpu_to_le64(dump_length);
674
675 context->rx_size_requested = dump_length;
676
677 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE, buf: context->tx[0],
678 SAHARA_MEM_READ64_LENGTH, mflags: MHI_EOT);
679 if (ret)
680 dev_err(&context->mhi_dev->dev, "Unable to send read for dump content %d\n", ret);
681}
682
683static void sahara_parse_dump_image(struct sahara_context *context)
684{
685 u64 dump_length;
686 int ret;
687
688 memcpy(context->mem_dump_freespace, context->rx, context->rx_size);
689 context->mem_dump_freespace += context->rx_size;
690
691 if (context->dump_image_offset >= context->dump_image->length) {
692 /* Need to move to next image */
693 context->dump_image++;
694 context->dump_images_left--;
695 context->dump_image_offset = 0;
696
697 if (!context->dump_images_left) {
698 /* Dump done */
699 dev_coredumpv(dev: context->mhi_dev->mhi_cntrl->cntrl_dev,
700 data: context->mem_dump,
701 datalen: context->mem_dump_sz,
702 GFP_KERNEL);
703 context->mem_dump = NULL;
704 sahara_send_reset(context);
705 return;
706 }
707 }
708
709 /* Get next image chunk */
710 dump_length = context->dump_image->length - context->dump_image_offset;
711 dump_length = min_t(u64, dump_length, SAHARA_READ_MAX_SIZE);
712 /* Avoid requesting EOI sized data so that we can identify errors */
713 if (dump_length == SAHARA_END_OF_IMAGE_LENGTH)
714 dump_length = SAHARA_END_OF_IMAGE_LENGTH / 2;
715
716 context->tx[0]->cmd = cpu_to_le32(SAHARA_MEM_READ64_CMD);
717 context->tx[0]->length = cpu_to_le32(SAHARA_MEM_READ64_LENGTH);
718 context->tx[0]->memory_read64.memory_address =
719 cpu_to_le64(context->dump_image->address + context->dump_image_offset);
720 context->tx[0]->memory_read64.memory_length = cpu_to_le64(dump_length);
721
722 context->dump_image_offset += dump_length;
723 context->rx_size_requested = dump_length;
724
725 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_TO_DEVICE, buf: context->tx[0],
726 SAHARA_MEM_READ64_LENGTH, mflags: MHI_EOT);
727 if (ret)
728 dev_err(&context->mhi_dev->dev,
729 "Unable to send read for dump content %d\n", ret);
730}
731
732static void sahara_dump_processing(struct work_struct *work)
733{
734 struct sahara_context *context = container_of(work, struct sahara_context, dump_work);
735 int ret;
736
737 /*
738 * We should get the expected raw data, but if the device has an error
739 * it is supposed to send EOI with an error code.
740 */
741 if (context->rx_size != context->rx_size_requested &&
742 context->rx_size != SAHARA_END_OF_IMAGE_LENGTH) {
743 dev_err(&context->mhi_dev->dev,
744 "Unexpected response to read_data. Expected size: %#zx got: %#zx\n",
745 context->rx_size_requested,
746 context->rx_size);
747 goto error;
748 }
749
750 if (context->rx_size == SAHARA_END_OF_IMAGE_LENGTH &&
751 le32_to_cpu(context->rx->cmd) == SAHARA_END_OF_IMAGE_CMD) {
752 dev_err(&context->mhi_dev->dev,
753 "Unexpected EOI response to read_data. Status: %d\n",
754 le32_to_cpu(context->rx->end_of_image.status));
755 goto error;
756 }
757
758 if (context->rx_size == SAHARA_END_OF_IMAGE_LENGTH &&
759 le32_to_cpu(context->rx->cmd) != SAHARA_END_OF_IMAGE_CMD) {
760 dev_err(&context->mhi_dev->dev,
761 "Invalid EOI response to read_data. CMD: %d\n",
762 le32_to_cpu(context->rx->cmd));
763 goto error;
764 }
765
766 /*
767 * Need to know if we received the dump table, or part of a dump image.
768 * Since we get raw data, we cannot tell from the data itself. Instead,
769 * we use the stored dump_table_length, which we zero after we read and
770 * process the entire table.
771 */
772 if (context->dump_table_length)
773 sahara_parse_dump_table(context);
774 else
775 sahara_parse_dump_image(context);
776
777 ret = mhi_queue_buf(mhi_dev: context->mhi_dev, dir: DMA_FROM_DEVICE, buf: context->rx,
778 SAHARA_PACKET_MAX_SIZE, mflags: MHI_EOT);
779 if (ret)
780 dev_err(&context->mhi_dev->dev, "Unable to requeue rx buf %d\n", ret);
781
782 return;
783
784error:
785 vfree(addr: context->mem_dump);
786 context->mem_dump = NULL;
787 sahara_send_reset(context);
788}
789
790static void sahara_read_data_processing(struct work_struct *work)
791{
792 struct sahara_context *context = container_of(work, struct sahara_context, read_data_work);
793
794 read_data_helper(context, buf_index: 0);
795}
796
797static int sahara_mhi_probe(struct mhi_device *mhi_dev, const struct mhi_device_id *id)
798{
799 struct sahara_context *context;
800 int ret;
801 int i;
802
803 context = devm_kzalloc(dev: &mhi_dev->dev, size: sizeof(*context), GFP_KERNEL);
804 if (!context)
805 return -ENOMEM;
806
807 context->rx = devm_kzalloc(dev: &mhi_dev->dev, SAHARA_PACKET_MAX_SIZE, GFP_KERNEL);
808 if (!context->rx)
809 return -ENOMEM;
810
811 if (!strcmp(mhi_dev->mhi_cntrl->name, "AIC200")) {
812 context->image_table = aic200_image_table;
813 context->table_size = ARRAY_SIZE(aic200_image_table);
814 } else {
815 context->image_table = aic100_image_table;
816 context->table_size = ARRAY_SIZE(aic100_image_table);
817 context->non_streaming = true;
818 }
819
820 /*
821 * There are two firmware implementations for READ_DATA handling.
822 * The older "SBL" implementation defines a Sahara transfer size, and
823 * expects that the response is a single transport transfer. If the
824 * FW wants to transfer a file that is larger than the transfer size,
825 * the FW will issue multiple READ_DATA commands. For this
826 * implementation, we need to allocate enough buffers to contain the
827 * entire Sahara transfer size.
828 *
829 * The newer "XBL" implementation does not define a maximum transfer
830 * size and instead expects the data to be streamed over using the
831 * transport level MTU. The FW will issue a single READ_DATA command
832 * of whatever size, and consume multiple transport level transfers
833 * until the expected amount of data is consumed. For this
834 * implementation we only need a single buffer of the transport MTU
835 * but we'll need to be able to use it multiple times for a single
836 * READ_DATA request.
837 *
838 * AIC100 is the SBL implementation and defines SAHARA_TRANSFER_MAX_SIZE
839 * and we need 9x SAHARA_PACKET_MAX_SIZE to cover that. We can use
840 * MHI_CHAIN to link multiple buffers into a single transfer but the
841 * remote side will not consume the buffers until it sees an EOT, thus
842 * we need to allocate enough buffers to put in the tx fifo to cover an
843 * entire READ_DATA request of the max size.
844 *
845 * AIC200 is the XBL implementation, and so a single buffer will work.
846 */
847 for (i = 0; i < SAHARA_NUM_TX_BUF; ++i) {
848 context->tx[i] = devm_kzalloc(dev: &mhi_dev->dev,
849 SAHARA_PACKET_MAX_SIZE,
850 GFP_KERNEL);
851 if (!context->tx[i])
852 return -ENOMEM;
853 if (is_streaming(context))
854 break;
855 }
856
857 context->mhi_dev = mhi_dev;
858 INIT_WORK(&context->fw_work, sahara_processing);
859 INIT_WORK(&context->dump_work, sahara_dump_processing);
860 INIT_WORK(&context->read_data_work, sahara_read_data_processing);
861
862 context->active_image_id = SAHARA_IMAGE_ID_NONE;
863 dev_set_drvdata(dev: &mhi_dev->dev, data: context);
864
865 ret = mhi_prepare_for_transfer(mhi_dev);
866 if (ret)
867 return ret;
868
869 ret = mhi_queue_buf(mhi_dev, dir: DMA_FROM_DEVICE, buf: context->rx, SAHARA_PACKET_MAX_SIZE, mflags: MHI_EOT);
870 if (ret) {
871 mhi_unprepare_from_transfer(mhi_dev);
872 return ret;
873 }
874
875 return 0;
876}
877
878static void sahara_mhi_remove(struct mhi_device *mhi_dev)
879{
880 struct sahara_context *context = dev_get_drvdata(dev: &mhi_dev->dev);
881
882 cancel_work_sync(work: &context->fw_work);
883 cancel_work_sync(work: &context->dump_work);
884 vfree(addr: context->mem_dump);
885 sahara_release_image(context);
886 mhi_unprepare_from_transfer(mhi_dev);
887}
888
889static void sahara_mhi_ul_xfer_cb(struct mhi_device *mhi_dev, struct mhi_result *mhi_result)
890{
891 struct sahara_context *context = dev_get_drvdata(dev: &mhi_dev->dev);
892
893 if (!mhi_result->transaction_status && context->read_data_length && is_streaming(context))
894 schedule_work(work: &context->read_data_work);
895}
896
897static void sahara_mhi_dl_xfer_cb(struct mhi_device *mhi_dev, struct mhi_result *mhi_result)
898{
899 struct sahara_context *context = dev_get_drvdata(dev: &mhi_dev->dev);
900
901 if (!mhi_result->transaction_status) {
902 context->rx_size = mhi_result->bytes_xferd;
903 if (context->is_mem_dump_mode)
904 schedule_work(work: &context->dump_work);
905 else
906 schedule_work(work: &context->fw_work);
907 }
908
909}
910
911static const struct mhi_device_id sahara_mhi_match_table[] = {
912 { .chan = "QAIC_SAHARA", },
913 {},
914};
915
916static struct mhi_driver sahara_mhi_driver = {
917 .id_table = sahara_mhi_match_table,
918 .remove = sahara_mhi_remove,
919 .probe = sahara_mhi_probe,
920 .ul_xfer_cb = sahara_mhi_ul_xfer_cb,
921 .dl_xfer_cb = sahara_mhi_dl_xfer_cb,
922 .driver = {
923 .name = "sahara",
924 },
925};
926
927int sahara_register(void)
928{
929 return mhi_driver_register(&sahara_mhi_driver);
930}
931
932void sahara_unregister(void)
933{
934 mhi_driver_unregister(mhi_drv: &sahara_mhi_driver);
935}
936

source code of linux/drivers/accel/qaic/sahara.c