【前言】
Android系统为了保证各商业公司的利益,允许在系统中使用不开源的固件。因此我们可以看到比如用于音频处理的、用于键盘支持的等等大量固件。既然这么多模块要用到固件,那么我们也有必要来了解一下固件在崩溃后的自恢复过程。这篇博文是基于 Intel x86 平台写的,所分析的固件是 Intel 平台的一款音频 DSP 固件,使用 uevent 机制来收发固件恢复消息。所以如果读者使用的其它平台或其它固件,在内容上也许会有所出入,但这不影响我们的分析思路。
【填充并发送uevent消息】
在设备检测到固件崩溃之后,会调用恢复函数。在我使用的平台下,这对应的是 sst_do_recovery() 函数。在这个函数中,主要完成 填充uevent消息、dump固件崩溃信息、重置Intel平台音频配置、清除内存中旧的固件信息、发送uevent消息 这5件事。代码如下:
-
void sst_do_recovery(struct intel_sst_drv *sst)
-
{
-
char iram_event[IRAM_EVENT_SIZE_MAX], dram_event[DRAM_EVENT_SIZE_MAX];
-
char ddr_imr_event[DDR_EVENT_SIZE_MAX], event_type[EVENT_TYPE_SIZE_MAX];
-
char *envp[NUM_EVENT_MAX];
-
int env_offset = 0;
-
-
pr_err("Audio: Intel SST engine encountered an unrecoverable error\n");
-
snprintf(event_type, sizeof(event_type), "EVENT_TYPE=SST_CRASHED"); // 填充uevent消息
-
envp[env_offset++] = event_type;
-
snprintf(iram_event, sizeof(iram_event), "IRAM_DUMP_SIZE=%d", // 填充uevent消息
-
sst->dump_buf.iram_buf.size);
-
envp[env_offset++] = iram_event;
-
snprintf(dram_event, sizeof(dram_event), "DRAM_DUMP_SIZE=%d", // 填充uevent消息
-
sst->dump_buf.dram_buf.size);
-
envp[env_offset++] = dram_event;
-
-
if (sst->ddr != NULL) {
-
snprintf(ddr_imr_event, sizeof(ddr_imr_event),
-
"DDR_IMR_DUMP_SIZE=%d DDR_IMR_ADDRESS=%p", (sst->ddr_end - sst->ddr_base), sst->ddr);
-
envp[env_offset++] = ddr_imr_event;
-
}
-
envp[env_offset] = NULL;
-
kobject_uevent_env(&sst->dev->kobj, KOBJ_CHANGE, envp); // 发送uevent消息向上层报告固件已崩溃
-
pr_err("SST Crash Uevent Sent!!\n");
-
-
/*
-
* setting firmware state as RESET so that the firmware will get
-
* redownloaded on next request.This is because firmare not responding
-
* for 1 sec is equalant to some unrecoverable error of FW.
-
*/
-
pr_err("Audio: trying to reset the dsp now\n");
-
mutex_lock(&sst->sst_lock);
-
sst->sst_state = SST_RECOVERY; // 将Intel平台的当前状态置为“恢复中”
-
mutex_unlock(&sst->sst_lock);
-
-
dump_stack(); // dump信息
-
dump_sst_shim(sst); // dump信息
-
-
mutex_lock(&sst->sst_lock);
-
sst_stall_lpe_n_wait(sst);
-
mutex_unlock(&sst->sst_lock);
-
-
/* dump mailbox and sram */
-
pr_debug("Audio: Dumping Mailbox IA to LPE...\n");
-
dump_buffer_fromio(sst->ipc_mailbox, NUM_DWORDS); // dump信息
-
pr_debug("Audio: Dumping Mailbox LPE to IA...\n");
-
dump_buffer_fromio((sst->ipc_mailbox + sst->mailbox_recv_offset), // dump信息
-
NUM_DWORDS);
-
pr_debug("Audio: Dumping SRAM CHECKPOINT...\n");
-
dump_buffer_fromio((sst->mailbox +
-
sst->pdata->debugfs_data->checkpoint_offset),
-
DUMP_SRAM_CHECKPOINT_DWORDS);
-
-
if (sst_drv_ctx->ops->set_bypass) {
-
mutex_lock(&sst->sst_lock);
-
sst_drv_ctx->ops->set_bypass(true);
-
dump_ram_area(sst, &(sst->dump_buf), SST_IRAM); // dump信息
-
dump_ram_area(sst, &(sst->dump_buf), SST_DRAM); // dump信息
-
sst_drv_ctx->ops->set_bypass(false);
-
mutex_unlock(&sst->sst_lock);
-
}
-
-
/* Send IPC to SCU to power gate and reset the LPE */
-
sst_send_scu_reset_ipc(sst); // 重置Intel平台配置
-
-
pr_err("reset the pvt id from val %d\n", sst_drv_ctx->pvt_id);
-
spin_lock(&sst_drv_ctx->block_lock);
-
sst_drv_ctx->pvt_id = 0;
-
spin_unlock(&sst_drv_ctx->block_lock);
-
sst_dump_ipc_dispatch_lists(sst_drv_ctx); // dump信息
-
sst_dump_rx_lists(sst_drv_ctx); // dump信息
-
-
if (sst_drv_ctx->fw_in_mem) {
-
pr_err("Clearing the cached FW copy...\n");
-
kfree(sst_drv_ctx->fw_in_mem); // 清除内存中旧的固件内容
-
sst_drv_ctx->fw_in_mem = NULL; // 清除内存中旧的固件内容
-
sst_memcpy_free_resources(); // 清除内存中旧的固件内容
-
kfree(sst_drv_ctx->fw_sg_list.src); // 清除内存中旧的固件内容
-
kfree(sst_drv_ctx->fw_sg_list.dst); // 清除内存中旧的固件内容
-
sst_drv_ctx->fw_sg_list.list_len = 0; // 清除内存中旧的固件内容
-
}
-
-
mutex_lock(&sst->sst_lock);
-
sst->sst_state = SST_RESET; // 将Intel平台的当前状态置为“正在重置”
-
sst_stream_recovery(sst); // 重置Intel平台音频配置
-
mutex_unlock(&sst->sst_lock);
-
-
/* Delay is to ensure that the stream is closed before
-
* powering on DAPM widget
-
*/
-
usleep_range(STREAM_CLOSE_DELAY_MIN, STREAM_CLOSE_DELAY_MAX);
-
-
env_offset = 0;
-
snprintf(event_type, sizeof(event_type), "EVENT_TYPE=SST_RECOVERY"); // 填充uevent消息
-
envp[env_offset++] = event_type;
-
envp[env_offset] = NULL;
-
kobject_uevent_env(&sst->dev->kobj, KOBJ_CHANGE, envp); // 发送uevent消息通知上层开始重载固件
-
pr_err("SST Recovery Uevent Sent!!\n");
-
-
}
【接收并处理uevent消息】
在 Android 系统中,底层发送的 uevent 消息在上层由 ueventd 进行接收和处理。ueventd 是 Android 系统启动后就运行的一个服务进程,它通过 while死循环 不断检查系统是否接收到新的 uevent 消息,如果有就调用 handle_device_fd() 函数进行处理。我们可以在 system/core/init/ueventd.cpp 中找到 ueventd 的主函数。代码如下:
-
int ueventd_main(int argc, char **argv)
-
{
-
/*
-
* init sets the umask to 077 for forked processes. We need to
-
* create files with exact permissions, without modification by
-
* the umask.
-
*/
-
umask(000);
-
-
/* Prevent fire-and-forget children from becoming zombies.
-
* If we should need to wait() for some children in the future
-
* (as opposed to none right now), double-forking here instead
-
* of ignoring SIGCHLD may be the better solution.
-
*/
-
signal(SIGCHLD, SIG_IGN);
-
-
open_devnull_stdio();
-
klog_init();
-
klog_set_level(KLOG_NOTICE_LEVEL);
-
-
NOTICE("ueventd started!\n");
-
-
selinux_callback cb;
-
cb.func_log = selinux_klog_callback;
-
selinux_set_callback(SELINUX_CB_LOG, cb);
-
-
std::string hardware = property_get("ro.hardware");
-
-
ueventd_parse_config_file("/ueventd.rc");
-
ueventd_parse_config_file(android::base::StringPrintf("/ueventd.%s.rc", hardware.c_str()).c_str());
-
-
device_init();
-
-
pollfd ufd;
-
ufd.events = POLLIN;
-
ufd.fd = get_device_fd();
-
-
while (true) { // 使用死循环,不断查询是否有新的消息需要处理
-
ufd.revents = 0;
-
int nr = poll(&ufd, 1, -1);
-
if (nr <= 0) {
-
continue;
-
}
-
if (ufd.revents & POLLIN) {
-
handle_device_fd(); // 如果检查到有待处理的消息,在这里进行处理
-
}
-
}
-
-
return 0;
-
}
handle_device_fd()函数主要负责解析 uevent 消息,然后将解析出的消息分别传递给 handle_device_event() 函数和 handle_firmware_event() 函数。后2者会分别检查 uevent 消息是否是 device 类型或 firmware 类型,并且在满足检验条件的情况下进行相应操作。这些函数都可以在 /system/core/init/devices.cpp 文件中找到,代码如下:
-
void handle_device_fd()
-
{
-
char msg[UEVENT_MSG_LEN+2];
-
int n;
-
while ((n = uevent_kernel_multicast_recv(device_fd, msg, UEVENT_MSG_LEN)) > 0) {
-
if(n >= UEVENT_MSG_LEN) /* overflow -- discard */
-
continue;
-
-
msg[n] = '\0';
-
msg[n+1] = '\0';
-
-
struct uevent uevent;
-
parse_event(msg, &uevent); // 从消息中解析出uevent事件,保存在uevent结构体变量中
-
-
if (selinux_status_updated() > 0) {
-
struct selabel_handle *sehandle2;
-
sehandle2 = selinux_android_file_context_handle();
-
if (sehandle2) {
-
selabel_close(sehandle);
-
sehandle = sehandle2;
-
}
-
}
-
-
handle_device_event(&uevent);
-
handle_firmware_event(&uevent); // 检查是否需要处理固件uevent事件
-
}
-
}
因为我们是分析固件崩溃后重载的过程,所以来看看 handle_firmware_event() 函数。这个函数的内容比较简洁,在检查传递来的 uevent 消息属于 firmware 子系统和 add 操作后,创建一个子线程并调用 process_firmware_event() 函数对 uevent 消息进行最终的处理。代码如下:
-
static void handle_firmware_event(struct uevent *uevent)
-
{
-
pid_t pid;
-
-
if(strcmp(uevent->subsystem, "firmware")) // 固件uevent事件所属的子系统参数值必须要是"firmware"
-
return;
-
-
if(strcmp(uevent->action, "add")) // 固件uevent事件所属的动作参数值必须要是"add"
-
return;
-
-
/* we fork, to avoid making large memory allocations in init proper */
-
pid = fork();
-
if (!pid) {
-
process_firmware_event(uevent); // 开始处理固件事件
-
_exit(EXIT_SUCCESS);
-
} else if (pid < 0) {
-
ERROR("could not fork to process firmware event: %s\n", strerror(errno));
-
}
-
}
不出意外地,在 proces_firmware_event() 函数中进行了读写文件节点和加载固件的操作。代码如下:
-
static void process_firmware_event(struct uevent *uevent)
-
{
-
char *root, *loading, *data;
-
int l, loading_fd, data_fd, fw_fd;
-
size_t i;
-
int booting = is_booting();
-
-
INFO("firmware: loading '%s' for '%s'\n",
-
uevent->firmware, uevent->path);
-
-
l = asprintf(&root, SYSFS_PREFIX"%s/", uevent->path);
-
if (l == -1)
-
return;
-
-
l = asprintf(&loading, "%sloading", root); // 获取loading文件的路径
-
if (l == -1)
-
goto root_free_out;
-
-
l = asprintf(&data, "%sdata", root); // 获取data文件的路径
-
if (l == -1)
-
goto loading_free_out;
-
-
loading_fd = open(loading, O_WRONLY|O_CLOEXEC); // 打开loading文件
-
if(loading_fd < 0)
-
goto data_free_out;
-
-
data_fd = open(data, O_WRONLY|O_CLOEXEC); // 打开data文件
-
if(data_fd < 0)
-
goto loading_close_out;
-
-
try_loading_again:
-
for (i = 0; i < ARRAY_SIZE(firmware_dirs); i++) {
-
char *file = NULL;
-
l = asprintf(&file, "%s/%s", firmware_dirs[i], uevent->firmware); // 获取固件文件路径
-
if (l == -1)
-
goto data_free_out;
-
fw_fd = open(file, O_RDONLY|O_CLOEXEC); // 打开固件文件
-
free(file);
-
if (fw_fd >= 0) {
-
if(!load_firmware(fw_fd, loading_fd, data_fd)) // 加载固件
-
INFO("firmware: copy success { '%s', '%s' }\n", root, uevent->firmware);
-
else
-
INFO("firmware: copy failure { '%s', '%s' }\n", root, uevent->firmware);
-
break;
-
}
-
}
-
if (fw_fd < 0) {
-
if (booting) {
-
/* If we're not fully booted, we may be missing
-
* filesystems needed for firmware, wait and retry.
-
*/
-
usleep(100000); // 如果固件加载失败,并且系统仍处于启动过程中,那么等待100ms后尝试重新加载固件
-
booting = is_booting();
-
goto try_loading_again; // 重新加载固件
-
}
-
INFO("firmware: could not open '%s': %s\n", uevent->firmware, strerror(errno));
-
write(loading_fd, "-1", 2);
-
goto data_close_out;
-
}
-
-
close(fw_fd);
-
data_close_out:
-
close(data_fd);
-
loading_close_out:
-
close(loading_fd);
-
data_free_out:
-
free(data);
-
loading_free_out:
-
free(loading);
-
root_free_out:
-
free(root);
-
}
阅读(4030) | 评论(0) | 转发(0) |