Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Original
implementation permits manipulation of InformationBufferOffset to
exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
within a 32byte offset as the devices packet filter. The packet filter
value may be next retrieved using gen_ndis_query_resp so it is possible
to extract specific memory regions two bytes a time.
The rndis_query_response was not modified as neither the buffer offset
nor length passed to gen_ndis_query_resp is used.
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Commit fbce985e28 to fix CVE-2022-2347
blocks DFU usb requests.
The verification of the transfer direction was done by an equality
but it is a bit mask.
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
As DM_ETH is required for all network drivers, it's now safe to remove
the non-DM_ETH support code fro usb_ether itself.
Signed-off-by: Tom Rini <trini@konsulko.com>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS namespace do
not easily transition to Kconfig. In many cases they likely should come
from the device tree instead. Move these out of CONFIG namespace and in
to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS_SDRAM
namespace do not easily transition to Kconfig. In many cases they likely
should come from the device tree instead. Move these out of CONFIG
namespace and in to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop support for quickly deprecated DT property "snps,ref-clock-period-ns"
to prevent its proliferation.
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
GUCTL.REFCLKPER can only account for clock frequencies with integer
periods. To address this, program REFCLK_FLADJ with the relative error
caused by period truncation. The formula given in the register reference
has been rearranged to allow calculation based on rate (instead of
period), and to allow for fixed-point arithmetic.
Additionally, calculate a value for 240MHZDECR. This configures a
simulated 240Mhz clock using a counter with one fractional bit (PLS1).
This register is programmed only for versions >= 2.50a, since this is
the check also used by commit db2be4e9e30c ("usb: dwc3: Add frame length
adjustment quirk").
[ marek: Ported from Linux kernel commit
596c87856e08d ("usb: dwc3: Program GFLADJ") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Instead of using a special property to determine the reference clock
period, use the rate of the reference clock. When we have a legacy
snps,ref-clock-period-ns property and no reference clock, use it
instead. Fractional clocks are not currently supported, and will be
dealt with in the next commit.
[ marek: Ported from Linux kernel commit
5114c3ee24875 ("usb: dwc3: Calculate REFCLKPER based on reference clock") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Set reference clock period when it differs from dwc3 default hardware
set.
We could calculate clock period based on reference clock frequency. But
this information is not always available. This is the case of PCI bus
attached USB host. For that reason we use a custom property.
Tested (USB2 only) on IPQ6010 SoC based board with 24 MHz reference
clock while hardware default is 19.2 MHz.
[ baruch: rewrite commit message; drop GFLADJ code; remove 'quirk-' from
property name; mention tested hardware ]
[ marek: Ported from Linux kernel commit
7bee318838890 ("usb: dwc3: reference clock period configuration") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Balaji Prakash J <bjagadee@codeaurora.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Cache ref_clk clock pointer in struct dwc3 . This is a preparatory
patch for subsequent backports from Linux kernel which configure
GFLADJ register content based on the ref_clk rate and therefore need
access to the ref_clk pointer.
It is possible to extract the clock pointer from existing clk_bulk
list of already claimed clock, no need to call clk_get*() again.
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
The "generic_bus_%x_dev_%x" string which is printed into this buffer
can be up to 34 characters long ("generic_bus_12345678_dev_12345678").
The buffer would be clipped by snprintf() if both %x were at maximum
range. Make sure the buffer is long enough to cover such possibility.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Invoking lseek() may result in an error. Handle it.
Addresses-Coverity-ID: 376212 ("Error handling issues (CHECKED_RETURN)")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify that
the transfer direction. Fixing the length and transfer
direction.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Unlike the other 64-bit mvebu SoCs the AlleyCat5 uses the older ehci
block from the 32-bit SoCs. Adapt the ehci-marvell.c driver to cope with
the fact that the ac5 does not have the mbus infrastructure the 32-bit
SoCs have and ensure USB_EHCI_IS_TDI is selected.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
The struct is only used to overlay the MMIO region, so the behavior is
the same. This obsoletes the Kconfig option for the number of ports.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Add test coverage for blk_write() as well.
The blk_erase() is not tested for now as the USB stor interface does not
support erase.
Signed-off-by: Simon Glass <sjg@chromium.org>
The code checks the return value from uclass_first_device as well as
that the device exists but it passes on the return value which may be
zero if there are no gadget devices. Just check that a device was
returned and return -ENODEV otherwise.
Also remove the dev variable which is not really used for anything.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Fix typo that was caused by the same feature being split in to 2 different
configuration options. Replace CONFIG_USBNET_DEVADDR with
CONFIG_USBNET_DEV_ADDR
Signed-off-by: Ignacio Zamora <nachopitt@gmail.com>
When host issues "fastboot reboot fastboot", it's expected that the
board drops the USB connection before resetting.
On some boards, such as Khadas VIM3L and SEI610, this is not the case.
We observe the following error:
$ fastboot reboot fastboot
Rebooting into fastboot OKAY [ 0.004s]
fastboot: error: Failed to boot into userspace fastboot; one or more components might be unbootable.
This does not happen when we use the RST button on the board.
It can be reproduced in linux with:
# echo b > /proc/sysrq-trigger
In this case, we hit a undefined hardware behavior, where D+ and D-
are in an unknown state. Therefore the host can't detect usb
disconnection.
Make sure we always call usb_gadget_release() when a "fastboot reboot"
command is issued.
Note: usb_gadget_release() should be called before g_dnl_unregister()
because g_dnl_unregister() triggers a complete() call on each
endpoint (thus calling do_reset()).
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Remove unused ehci_{setup,shutdown}_phy() helpers now replaced by
generic_{setup,shutdown}_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Replace ehci_setup_phy() and ehci_shutdown_phy () by respectively
generic_setup_phy() and generic_shutdown_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Replace ohci_setup_phy() and ohci_shutdown_phy () by respectively
generic_setup_phy() and generic_shutdown_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Take the USB_ETHER ifdef block apart and make use of obj-$(VAR) instead
to include the source files in build. The duplicate CI_UDC entry is now
removed, the USB_DEVICE ifdef is now reduced to core.o ep.o addition,
the ether.o can be conditionally compiled in using USB_ETHER.
No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).
Signed-off-by: Alison Huffman <alisn@google.com>
Move this code out of the helper function so we can (later) add it as part
of the shared emulation code. Set a default value of 0 for buff_used since
that is what we use when there is an error.
Signed-off-by: Simon Glass <sjg@chromium.org>
In preparation for sharing the emulation code between two drivers, move
some of the fields into a new struct. Use a separate header file so it
can be used by various drivers.
Signed-off-by: Simon Glass <sjg@chromium.org>
This has the same name as a field in our local private struct, which is
confusing. Change the name to xfer_len instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
This driver is not used by any system and is long unmaintained, drop it.
There is a DWC2 OTG driver which is maintained, see CONFIG_USB_GADGET_DWC2_OTG .
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Globally replace all occurances of WATCHDOG_RESET() with schedule(),
which handles the HW_WATCHDOG functionality and the cyclic
infrastructure.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Tom Rini <trini@konsulko.com> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
The host will report such error message if the fastboot device work in
full-speed mode: "Duplicate descriptor for config 1 interface 0
altsetting 0, skipping"
Fastboot device ack both full and high speed interface descriptors when
work in full-speed mode, that's will cause this issue.
Fix it.
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
Reviewed-by: John Keeping <john@metanate.com>
This converts the following to Kconfig:
CONFIG_FSL_NGPIXIS
CONFIG_SYS_FSL_QMAN_V3
CONFIG_SYS_FSL_RAID_ENGINE
CONFIG_SYS_FSL_RMU
CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
CONFIG_SYS_FSL_SRIO_LIODN
CONFIG_SYS_FSL_TBCLK_DIV
CONFIG_SYS_FSL_USB1_PHY_ENABLE
CONFIG_SYS_FSL_USB2_PHY_ENABLE
CONFIG_SYS_FSL_USB_DUAL_PHY_ENABLE
CONFIG_SYS_FSL_USB_INTERNAL_UTMI_PHY
Signed-off-by: Tom Rini <trini@konsulko.com>
The imx6q arm2 board support has been removed from U-Boot
as it did not get converted to DM.
Remove the MX6Q_ARM2 related ifdefery in the driver.
Signed-off-by: Fabio Estevam <festevam@denx.de>
SPL on mvebu loads proper U-Boot from custom Marvell kwbimage format and
therefore support for other binary formats is not required to be present in
SPL. Boot source of proper U-Boot is defined by compile time options and
therefore it is not required to enable all possible and unused peripherals
in SPL by default.
This change decrease size of SPL binaries.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Now that the PHY driver will not try to drive VBUS if it is already
driven by an external supply, there is no need to check the VBUS voltage
before powering on the PHY.
Signed-off-by: Samuel Holland <samuel@sholland.org>
ISP1760/61/63 are a family of usb controllers, here the main
goal is to support the ISP1763 hcd part found in the MPS3 FPGA
board form Arm. This is based on the kernel driver and ported
to u-boot.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Move urb code from musb only use to a more common scope, so other
drivers in the future can use the handling of urb in usb.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
When usb PHY initialization is done, the PHY need to be reset.
Signed-off-by: T Karthik Reddy <t.karthik.reddy@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@amd.com>
With the last platform for this architecture removed, remove the rest of
the architecture support as well.
Cc: Marek Vasut <marex@denx.de>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
At this point, the only user of ohci-hcd that also uses PCI is using DM,
so we can drop CONFIG_PCI_OHCI* usage. No platforms set either of
CONFIG_SYS_USB_OHCI_BOARD_INIT or CONFIG_SYS_USB_OHCI_CPU_INIT so those
hooks can be removed as well.
Signed-off-by: Tom Rini <trini@konsulko.com>
This converts the following to Kconfig:
CONFIG_SYS_OHCI_SWAP_REG_ACCESS
CONFIG_SYS_USB_OHCI_CPU_INIT
CONFIG_SYS_USB_OHCI_MAX_ROOT_PORTS
CONFIG_SYS_USB_OHCI_SLOT_NAME
CONFIG_USB_ATMEL
CONFIG_USB_ATMEL_CLK_SEL_PLLB
CONFIG_USB_ATMEL_CLK_SEL_UPLL
CONFIG_USB_OHCI_LPC32XX
CONFIG_USB_OHCI_NEW
Signed-off-by: Tom Rini <trini@konsulko.com>
Commit 81755b8c20 ("usb: host: ehci-generic: Make resets and clocks
optional") improved the error check to cover the reset property being
optional. However this was using the wrong error variable for the
check, so would now never fail.
Use the correct error variable for checking the result of
reset_get_bulk(), to actually report genuine errors.
Fixes: 81755b8c20 ("usb: host: ehci-generic: Make resets and clocks optional")
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Add rk3066a/rk3188 support to rockchip_usb2_phy.c
They don't have completely identical usb phy registers,
so separate comapatible strings and data.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Product id of rk3066 usb otg is 0x300a.
Signed-off-by: Paweł Jarosz <paweljarosz3691@gmail.com>
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
sandbox_flash_bulk uses priv->read_len to determine if priv->buff contains
the response data (such as from SCSI_INQUIRY). However, if priv->fd=-1 in
handle_read, then priv->read_len is not set even though we are going to
PHASE_DATA. This causes sandbox_flash_bulk to try and read len bytes from
priv->buff, which likely goes past the end of the buffer. Fix this by always
setting priv->read_len even if we aren't going to read anything.
Fixes: f4f715360c ("dm: usb: sandbox: Add an emulator for USB flash devices")
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Replace reference to the correct name STMicroelectronics
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The generic EHCI binding does not *require* resets and clocks
properties, and indeed for instance the Allwinner A20 SoCs does not
need or define any resets in its DT.
Don't easily give up if clk_get_bulk() or reset_get_bulk() return an
error, but check if that is due to the DT simply having no entries for
either of them.
This fixes USB operation on all boards with an Allwinner A10 or A20 SoC,
which were reporting an error after commit ba96176ab7:
=======================
Bus usb@1c14000: ehci_generic usb@1c14000: Failed to get resets (err=-2)
probe failed, error -2
=======================
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This is used to avoid the ports status of IPPC being brought in kernel
stage, it may cause ports error especially when the xhci controller is
a component of dual-role controller.
Reported-by: Yun-Chien Yu <yun-chien.yu@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Move legacy spi_get_bus_and_cs() code to _spi_get_bus_and_cs().
Add new spi_get_bus_and_cs() implementation which rely on DT
for speed and mode and don't need any drv_name nor dev_name
parameters. This will prepare the ground for next patch.
Update all callers to use _spi_get_bus_and_cs() to keep the
same behavior.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Behun <marek.behun@nic.cz>
Cc: Jagan Teki <jagan@amarulasolutions.com>
Cc: Vignesh R <vigneshr@ti.com>
Cc: Joe Hershberger <joe.hershberger@ni.com>
Cc: Ramon Fried <rfried.dev@gmail.com>
Cc: Lukasz Majewski <lukma@denx.de>
Cc: Marek Vasut <marex@denx.de>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Cc: Stefan Roese <sr@denx.de>
Cc: "Pali Rohár" <pali@kernel.org>
Cc: Konstantin Porotchkin <kostap@marvell.com>
Cc: Igal Liberman <igall@marvell.com>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Pratyush Yadav <p.yadav@ti.com>
Cc: Sean Anderson <seanga2@gmail.com>
Cc: Anji J <anji.jagarlmudi@nxp.com>
Cc: Biwen Li <biwen.li@nxp.com>
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Cc: Chaitanya Sakinam <chaitanya.sakinam@nxp.com>
Missing nodes may also be signaled via -ENODATA. We need to check for
that to prevent failing in non-usb3 setups.
Furthermore, dev.phy must be NULL'ed in case usb3-phy was not found.
Fixes: 142d50fbce ("usb: dwc3: Add support for usb3-phy PHY configuration")
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When the device tree indicates support for role switching through
the "usb-role-switch" property, take the "role-switch-default-mode"
property into account when deciding which role to put the
controller into.
This makes USB devices work on Apple M1 systems where the device
tree may include a "dr_mode" property that is set to "otg", but
where we need to put the controller into "host" mode to see
devices connected to the type-C ports.
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Since commit 16cc5ad0b4 ("power: regulator: add dummy helper")
regulator dummy helper are always available even if DM_REGULATOR
is not set.
DM_REGULATOR flag is no more needed to protect no DM core,
remove it.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add a mask parameter to control the lookup of the PCI region from which
the mapping can be made.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Evolve dm_pci_map_bar() to include an offset and length parameter. These
allow a portion of the memory to be mapped and range checks to be
applied.
Passing both the offset and length as zero results in the previous
behaviour and this is used to migrate the previous callers.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.
Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
When copying the string in copy_to_unicode(), check for the null
terminator in each position, not just at the start, to avoid reading
beyond the end of the string.
Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a bootdev driver for USB host. It can use the distro boot mechanism to
locate a file, or any other available bootmeth.
Signed-off-by: Simon Glass <sjg@chromium.org>
