To quote the author:
Make the virtio ring code resilient against corruption of the buffers
shared with the device.
It follows the example of Linux by keeping a private copy of the
descriptors and metadata for state tracking and only ever writing to the
descriptors that are shared with the device. I was able to test these
hardening steps in the sandbox by simulating device writes to the
queues.
Add a regression test for virtio-rng reading beyond the end of its
buffer if the virtio device provides an invalid length.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.
Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Once the virtio-rng driver has been bound, probe it to trigger the pre
and post child probe hooks of the virtio uclass driver. Check the status
of the virtio device to confirm it reached the expected state.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The virtio-rng driver is extremely simple, making it suitable for
testing more of the virtio uclass logic. Have the sandbox driver bind
the virtio-rng driver rather than the virtio-blk driver so it can be
used in tests.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Virtio tests that find a child device require the virtio device driver
to be included in the build so it can probe. The sandbox virtio
transport driver currently reports a virtio-blk device so make sure the
corresponding driver is built before running tests that need it.
Signed-off-by: Andrew Scull <ascull@google.com>
The virtqueue is passed to virtio_notify() so move the virtqueue
deletion to the end of the test when it's no longer needed. This wasn't
causing any problems because the sandbox virtio transport driver doesn't
do anything for notifications, but it could cause problems if things
change and it was a bad example.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The virtio sandbox transport was setting the device features value to
the bit index rather than shifting a bit to the right index. Fix this
using the bit manipulation macros.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The virtio ring is the basis of virtio communication. Test its basic
functionality and its resilience against corruption from the device.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When the device returns used buffers, it should refer to the descriptor
that is the head of the descriptor chain for that buffer. Confirm this
to be the case by tracking the head of descriptor chains that have been
made available to the device.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The shared descriptors should only be written by the guest driver,
however, the device is still able to overwrite and corrupt them.
Maintain a private shadow copy of the descriptors for the driver to
use for state tracking, removing the need to read from the shared
descriptors.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Move the logic for attaching a descriptor to its own function.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The variables `total_sg` and `descs_used` have the same value. Replace
the few uses of `total_sg` with `descs_used` to simplify the situation.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
This patch adds a driver for configuration of the Microchip USB251xB/xBi
USB 2.0 hub controller series with USB 2.0 upstream connectivity, SMBus
configuration interface and two to four USB 2.0 downstream ports.
This is ported from Linux as of Linux kernel commit
5c2b9c61ae5d8 ("usb: usb251xb: add boost-up property support")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Simon Glass <sjg@chromium.org>
This is used to avoid the ports status of IPPC being brought in kernel
stage, it may cause ports error especially when the xhci controller is
a component of dual-role controller.
Reported-by: Yun-Chien Yu <yun-chien.yu@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Allow to compile assembler files in SPL build which calls WATCHDOG_RESET
function when watchdog is disabled in SPL and enabled in U-Boot proper.
This issue was fixed in past by commit 7fbd42f5af ("watchdog: Handle SPL
build with watchdog disabled") for C source files, but not for assembler
source files.
Currently the only assembler source file which calls WATCHDOG_RESET is
arch/powerpc/lib/ticks.S, so this patch affects and fixes powerpc SPL
builds.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
CONFIG_VAL(DEBUG_UART_BASE) expands to CONFIG_DEBUG_UART_BASE or
CONFIG_SPL_DEBUG_UART_BASE or CONFIG_TPL_DEBUG_UART_BASE and allows boards
to set different values for SPL, TPL and U-Boot Proper.
For ns16550 driver this support is there since commit d293759d55
("serial: ns16550: Add support for SPL_DEBUG_UART_BASE").
Signed-off-by: Pali Rohár <pali@kernel.org>
Skip missing setup data (which is valid) rather than failing with an
error.
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Reported-by: Andrew Walbran <qwandor@google.com>
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
GZIP option can be manually de-selected when UBIFS is enabled. This cause
following compile error because ubifs calls gzip functions.
/tmp/ccxVrh2c.ltrans1.ltrans.o: in function `gzip_decompress.lto_priv.566':
<artificial>:(.text+0x768): undefined reference to `zunzip'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1813: u-boot] Error 1
So add missing dependency on GZIP.
Signed-off-by: Pali Rohár <pali@kernel.org>
rootwait=1 is not a valid kernel boot parameters. According
to the documenation is only rootwait
rootwait [KNL] Wait (indefinitely) for root device to show up.
Useful for devices that are detected asynchronously
(e.g. USB and MMC devices).
Fix:
Unknown kernel command line parameters "rootwait=1", will be passed to user space.
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
The bi_enetaddr field in struct bd_info is write-only; nothing ever
reads back the value.
Moreover, the value we write is more or less random, and certainly not
something one can rely on: If the board has a writable environment and
the mac address has been stored there, we fetch that value. But if the
board doesn't, this code runs before initr_net() -> eth_initialize(),
and thus before the code in eth-uclass which fetches MAC addresses
from eeprom, fuses or whatnot and populates the (run-time) environment
with those values.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Tom Rini <trini@konsulko.com>
Linux determines its console based on several sources:
1. the console command line parameter
2. device tree (e.g. /chosen/stdout-path)
3. various other board- and arch-specific sources
If the console parameter specifies a real console (e.g. ttyS0) then that is
used as /dev/console. However, if it does not specify a real console (e.g.
ttyDoesntExist) then *nothing* will be used as /dev/console.
Reading/writing it will return ENODEV. Additionally, no other source will
be used as a console source.
Linux commit ab4af56ae250 ("printk/console: Allow to disable console output
by using console="" or console=null") recently changed the semantics of the
parameter. Previously, specifying console="" would be treated like
specifying some other bad console. This commit changed things so that it
added /dev/ttynull as a console (if available). However, it also allows
for other console sources. If the device tree specifies a console (such as
if U-Boot and Linux share a device tree), then it will be used in addition
to /dev/ttynull. This can result in a non-silent console.
To avoid this, explicitly set ttynull as the console. This will disable
other console sources. If CONFIG_NULL_TTY is disabled, then this will have
the same behavior as in the past (no output, and writing /dev/console
returns ENODEV).
[1] and [2] have additional background on this kernel change.
[1] https://lore.kernel.org/all/20201006025935.GA597@jagdpanzerIV.localdomain/
[2] https://lore.kernel.org/all/20201111135450.11214-1-pmladek@suse.com/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Add a check for calloc() failing to allocate the requested memory.
Make decode_regions() return an error code.
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Stefan Roese <sr@denx.de>
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Asking if the alias we found actually points at the device tree node
we passed in (in the guise of its offset from blob) can be done simply
by asking if the fdt_path_offset() of the alias' path is identical to
offset.
In fact, the current method suffers from the possibility of false
negatives: dtc does not necessarily emit a phandle property for a node
just because it is referenced in /aliases; it only emits a phandle
property for a node if it is referenced in <angle brackets>
somewhere. So if both the node we passed in and the alias node we're
considering don't have phandles, fdt_get_phandle() returns 0 for both.
Since the proper check is so simple, there's no reason to hide that
behind a config option (and if one really wanted that, it should be
called something else because there's no need to involve phandle in
the check).
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Acked-by: Aswath Govindraju <a-govindraju@ti.com>
CONFIG_MMC only initializes drivers for devices in UCLASS_MMC, we need
to initialize drivers for devices of type IF_TYPE_MMC in UCLASS_BLK as
well because they are the child devices of devices in UCLASS_MMC. This
is required for feature RPMB since it will access eMMC in optee-os.
Signed-off-by: Judy Wang <wangjudy@microsoft.com>
[trini: Add my SoB line and adjust Judy's name in git, having emailed
off-list]
Signed-off-by: Tom Rini <trini@konsulko.com>
ARM semihosting provides no provisions for determining if there is
pending input. The only way to determine if there is console input is to
do a read (and block until the user types something). For this reason,
we always return true for tstc (since you will always get input if you
try). However, this behavior can cause problems for code which expects
tstc to eventually be empty. In query_console_serial, there is the
following construct:
/* empty input buffer */
while (tstc())
getchar();
with the current implementation, this effectively turns into an infinite
loop. To avoid this, fake tstc by returning false half of the time. This
is generally OK because the other common construct looks like
do {
if (tstc())
process(getchar());
} while (!timeout());
so it's fine if we only read a new character every other loop. This will
break things like CYGACC_COMM_IF_GETC_TIMEOUT, but that could be
reworked to test on the timeout instead of calling tstc again (and
ymodem over semihosted serial is not that useful in the first place).
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Replace in the function of_machine_is_compatible(), the used API
fdt_node_check_compatible() by ofnode_device_is_compatible()
to support a live tree.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This adds support for signing images in auto-generated FITs. To do this,
we need to add a signature node. The algorithm name property already has
its own option, but we need one for the key name hint. We could have
gone the -G route and added an explicit name for the public key (like
what is done for the private key). However, many places assume the
public key can be constructed from the key dir and hint, and I don't
want to do the refactoring necessary.
As a consequence of this, it is now easier to add public keys to an
existing image without signing something. This could be done all along,
but now you don't have to create an its just to do it. Ideally, we
wouldn't create a FIT at the end. This could be done by calling
fit_image_setup_sig/info.crypto->add_verify_data directly.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Document -G and the secondary image types which can be used with -R.
Also reword the documentation of -s for clarity.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Static events do not currently work post-relocation for boards that enable
CONFIG_NEEDS_MANUAL_RELOC. Relocate event handler pointers for all event
spies to fix this.
Tested on Microblaze.
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
The whole event_register() function is wrapped in EVENT_DYNAMIC #ifdef
checks, so the inner check is not needed:
#if CONFIG_IS_ENABLED(EVENT_DYNAMIC)
...
int event_register(...)
{
...
if (!CONFIG_IS_ENABLED(EVENT_DYNAMIC))
return -ENOSYS;
}
#endif
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
Set correct type for 3rd argument of ofnode_get_addr_size_index_notrans()
function. It expects fdt_size_t * and not fdt_addr_t *.
When these two types do not have same size then U-Boot throw compile
warning:
drivers/mtd/mtdpart.c: In function ‘add_mtd_partitions_of’:
drivers/mtd/mtdpart.c:906:57: warning: passing argument 3 of ‘ofnode_get_addr_size_index_notrans’ from incompatible pointer type [-Wincompatible-pointer-types]
offset = ofnode_get_addr_size_index_notrans(child, 0, &size);
^~~~~
In file included from include/dm/device.h:13,
from include/linux/mtd/mtd.h:26,
from include/ubi_uboot.h:28,
from drivers/mtd/mtdpart.c:27:
include/dm/ofnode.h:530:25: note: expected ‘fdt_size_t *’ {aka ‘long long unsigned int *’} but argument is of type ‘fdt_addr_t *’ {aka ‘long unsigned int *’}
fdt_size_t *size);
~~~~~~~~~~~~^~~~
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Marek Behún <marek.behun@nic.cz>
Add a make command to compile binary files as C data through bin2c with
$(call,bin2c,<data_name_prefix>)
Note that this requires BUILD_BIN2C=y.
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Setting sblk = NULL has no effect on the caller.
We want to set *sblk = NULL if an error occurrs to avoid usage after free.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
After returning if ret <= 0 we know that ret > 0. No need to check it.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <anand.jain>
While our copy of zlib is missing upstream commit 263b1a05b04e ("Allow
deflatePrime() to insert bits in the middle of a stream.") we do have
Z_FIXED support, and so the majority of the code changes in 5c44459c3b28
("Fix a bug that can crash deflate on some input when using Z_FIXED.")
apply here directly and cleanly. As this has been assigned a CVE, lets
go and apply these changes.
Link: 5c44459c3b
Reported-by: "Gan, Yau Wai" <yau.wai.gan@intel.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
We have many cases of SPL (or TPL or VPL) drivers that don't depend on
SPL_MISC (and so on) but rather just MISC.
Cc: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
The actual support was added in commit fec8c900c8 ("power: regulator:
Add support for regulator-force-boot-off"), update the docs to include
this.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Migrate dm command to use U_BOOT_CMD_WITH_SUBCMDS() helper macro, to reduce
duplicated code. We can also drop the CONFIG_NEEDS_MANUAL_RELOC exception,
as the command list is updated post relocation in board_r.c initcall
initr_manual_reloc_cmdtable().
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
CONFIG_DM_EVENT without CONFIG_EVENT is non-functional.
Let CONFIG_DM_EVENT depend on CONFIG_EVENT.
Remove superfluous stub in include/event.h.
Fixes: 5b896ed585 ("event: Add events for device probe/remove")
Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
- Bring in a number of series of patches that migrate all remaining
CONFIG_SPL symbols to Kconfig, remove some dead code that this
uncovered and then start to tighten the dependencies in Kconfig now
that everything is migrated and these relationships can be clearly
expressed.
- In a few places, add missing "depends on" that can be implied from the
option name (i.e. SPL_DM_xxx depends on SPL_DM).
- Make less use of "if SPL_xxx ... endif" clauses as most of the time
this reads better as depends on. In the case of UBI however, move it
all to a sub-menu.
- Rework SPL_NO_CPU_SUPPORT as it's very specific to the
non-SPL_FRAMEWORK implementation used on those platforms, and a
tangent to how CONFIG_SPL_START_S_PATH was used.
Signed-off-by: Tom Rini <trini@konsulko.com>
- Move all PowerPC (and some shared with Layerscape) options to
common/spl/Kconfig.nxp
- Move all other TPL related options to common/spl/Kconfig.tpl
- Move all VPL related options to common/spl/Kconfig.vpl
This makes the whole of common/spl/Kconfig slightly more readable.
Signed-off-by: Tom Rini <trini@konsulko.com>