Commit graph

34 commits

Author SHA1 Message Date
Venkatesh Yadav Abbarapu
fbce985e28 usb: gadget: dfu: Fix the unchecked length field
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify that
the transfer direction. Fixing the length and transfer
direction.

CVE-2022-2347

Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
2022-11-21 09:23:00 -05:00
Patrick Delaunay
86b6a38863 dfu: handle short frame result of UPLOAD in state_dfu_idle
In DFU v1.1 specification [1] the DFU_UPLOAD (Short Frame)
is handled only in dfuUPLOADIDLE state:

- Figure A.1 Interface state transition diagram

- the state description in chapter A.2

A.2.3 State 2 dfuIDLE
  on Receipt of the DFU_UPLOAD request,and bitCanUpload = 1
  the Next State is dfuUPLOADIDLE

A.2.10 State 9 dfuUPLOAD-IDLE
  When the length of the data transferred by the device in response
  to a DFU_UPLOAD request is less than wLength. (Short frame)
  the Next State is dfuIDLE

In current code, when an UPLOAD is completely performed after the first
request (for example with wLength=200 and data read = 9), the DFU state
stay at dfuUPLOADIDLE until receiving a DFU_UPLOAD or a DFU_ABORT request
even it is unnecessary as the previous DFU_UPLOAD request already reached
the EOF.

This patch proposes to finish the DFU uploading (don't go to dfuUPLOADIDLE)
and completes the control-read operation (go to DFU_STATE_dfuIDLE) when
the first UPLOAD response has a short frame as an end of file (EOF)
indicator even if it is not explicitly allowed in the DFU specification
but this seems logical.

[1] https://www.usb.org/sites/default/files/DFU_1.1.pdf

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
2022-01-28 10:21:51 -05:00
Simon Glass
f7ae49fc4f common: Drop log.h from common header
Move this header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 21:19:18 -04:00
Andy Shevchenko
53d9bd4a56 dfu: Reset timeout in case of DFU request
In case dfu command is being executed with timeout option,
the timer may expire in the middle of DFU operation. If there
is DFU request coming, we may simple reset timeout value
to prevent aborting of ongoing DFU operation.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Tested-by: Ferry Toth <ftoth@exalondelft.nl>
2020-03-01 21:58:54 +01:00
Simon Glass
7b51b576d6 env: Move env_get() to env.h
Move env_get() over to the new header file.

Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
2019-08-11 16:43:41 -04:00
Ralph Siemsen
fe876984a4 usb: gadget: f_dfu.c: fix memory leak
dfu_prepare_function() allocates N+1 descriptor header structures,
the last one being the "DFU Functional Descriptor".

dfu_unbind() handles de-allocation, but fails to free the final
one (eg. "DFU Functional Descriptor"), leading to memory leak.

Fixed by incrementing counter, as in dfu_prepare_function().

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
2019-08-08 11:35:02 +02:00
Tom Rini
83d290c56f SPDX: Convert all of our single license tags to Linux Kernel style
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-07 09:34:12 -04:00
Simon Glass
00caae6d47 env: Rename getenv/_f() to env_get()
We are now using an env_ prefix for environment functions. Rename these
two functions for consistency. Also add function comments in common.h.

Quite a few places use getenv() in a condition context, provoking a
warning from checkpatch. These are fixed up in this patch also.

Suggested-by: Wolfgang Denk <wd@denx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
2017-08-16 08:30:24 -04:00
Felipe Balbi
9bf9e81358 usb: gadget: f_dfu: set serial number if serial# is valid
With this patch, USB Command Verifier is happy with our DFU
implementation on Chapter 9 tests.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-02-26 13:24:30 +01:00
Felipe Balbi
00e9d69629 usb: gadget: f_dfu: write req->actual bytes
If last packet is short, we shouldn't write req->length bytes to
non-volatile media, we should write only what's available to us, which
is held in req->actual.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2017-02-26 13:24:30 +01:00
Patrick Delaunay
d428776657 usb: gadget: dfu: add result for handle_getstatus()
harmonize result with other handle_XXX() functions: return int for size
remove the define RET_STAT_LEN : no more necessary

Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay73@gmail.com>
2017-02-26 13:24:30 +01:00
Patrick Delaunay
f11bb25245 usb: gadget: dfu: correct size for USB_REQ_DFU_GETSTATE result
return the correct size for DFU_GETSTATE result (1 byte in DFU 1.1 spec)
to avoid issue in USB protocol and the variable "value" is propagated
to req->lenght as all the in the other request with answer
- DFU_GETSTATUS
- DFU_DNLOAD
- DFU_UPLOAD
Then the buffer is correctly treated in USB driver

NB: it was the only request witch directly change "req->actual"

Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay73@gmail.com>
2017-02-26 13:24:30 +01:00
Patrick Delaunay
8987012fe5 usb: gadget: dfu: add functional descriptor in descriptor set
The "DFU descriptor set" must contain the "DFU functional descriptor"
but it is missing today in U-Boot code
(cf: DFU spec 1.1, chapter 4.2 DFU Mode Descriptor Set)
This patch only allocate buffer and copy DFU functional descriptor
after interfaces.

Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay73@gmail.com>
2017-02-26 13:24:30 +01:00
Peng Fan
12ff19dbfd usb: gadget: dfu: discard dead code
Reported by Coverity:
Logically dead code (DEADCODE)
dead_error_line: Execution cannot reach this statement:
(f_dfu->strings + --i).s = ....

If calloc failed, i is still 0 and no need to call free,
so discard the dead code.

Signed-off-by: Peng Fan <van.freenix@gmail.com>
Cc: "Łukasz Majewski" <l.majewski@samsung.com>
Cc: Marek Vasut <marex@denx.de>
2016-05-06 20:06:56 +02:00
Lukasz Majewski
fc18f8d170 dfu: usb: f_dfu: Set deferred call for dfu_flush() function
This patch fixes situation when one would like to write large file into
medium with the file system (fat, ext4, etc).
This change sets file size limitation to the DFU internal buffer size.

Since u-boot is not supporting interrupts and seek on file systems, it
becomes challenging to store large file appropriately.

To reproduce this error - create large file (around 26 MiB) and sent it
to the target board.

Lets examine the flow of USB transactions:

0. DFU uses EP0 with 64B MPS [Max Packet Size]

1. Send file - OUT (PC->target) - dat_26MiB.img is sent with 4096 B transactions

2. Get status - OUT (PC->target) - wait for DFU_STATE_dfuDNLOAD_IDLE (0x05) sent
				   from target board - IN transaction
				   (target->PC)

3. The whole file content is sent to target - OUT (PC->target) with ZLP [Zero
					      Length Packet]

Now the interesting part starts:

4. OUT (PC->target) Setup transaction (request to share DFU state)

5. IN (target->PC) - reply the current DFU state
	- In the UDC driver the req->completion (with dfu_flush) is called
	  after successful IN transfer.
	- The dfu_flush() (called from req->completion callback) saves the
	  whole file at once (u-boot doesn't support seek on fs).
	  Such operation takes considerable time. When the file
	  is large - e.g. 26MiB - this time may be more than 5 seconds.

6. OUT (PC->target) - ZLP, is send in the same time when dfu_flush()
 writes data to eMMC memory.
 The dfu-util application has hard coded timeout on USB transaction
 completion set to 5 seconds (it uses libusb calls).

When the file to store is large (e.g. 26 MiB) the time needed to write it
may excess the dfu-util timeout and following error message will be displayed:
"unable to read DFU status" on the HOST PC console.

This change is supposed to leverage DFU's part responsible for storing files
on file systems. Other DFU operations - i.e. raw/partition write to NAND and
eMMC should work as before.

The only functional change is the error reporting. When dfu_flush() fails
the u-boot prompt will exit with error information and dfu-util application
exits afterwards as well.

Test HW:
- Odroid XU3 (Exynos5433) - test with large file
- Trats (Exynos4210) - test for regression - eMMC, raw,

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Reported-by: Alex Gdalevich <agdalevich@axion-biosystems.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Heiko Schocher <hs@denx.de>
2016-02-24 19:12:32 +01:00
Stefan Roese
1fd81b7c23 usb: gadget: f_dfu: Add get_alt function to pass the USB compliance test
Without this function the USB compliance test (USB 2.0 Command Verifier) will
fail in the "Interface Descriptor Test" with this error message:

FAIL
(1.2.51) A successful GetInterface request must return the alternate setting
set by a prior call to SetInterface.

Lets add this function to read back the value so that the DFU device fully
passes the USB compliance test.

Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Roger Meier <r.meier@siemens.com>
Cc: Samuel Egli <samuel.egli@siemens.com>
Cc: Enrico Leto <enrico.leto@siemens.com>
Acked-by: Heiko Schocher <hs@denx.de>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Marek Vasut <marex@denx.de>
2015-01-18 12:31:00 +01:00
Rob Herring
fe1b28c9f0 usb, g_dnl: generalize DFU detach functions
In order to add detach functions for fastboot, make the DFU detach related
functions common so they can be shared.

Signed-off-by: Rob Herring <robh@kernel.org>
Tested-by: Lukasz Majewski <l.majewski@samsung.com>
[TestHW: Exynos4412-Trats2]
2014-12-18 12:26:05 +01:00
Heiko Schocher
9f3b8ed14c usb: dfu: add fullspeed support for DFU
DFU now can use also fullspeed.

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Liu Bin <b-liu@ti.com>
Cc: Lukas Stockmann <lukas.stockmann@siemens.com>
2014-10-06 14:50:43 +02:00
Lukasz Majewski
b9c99d3246 usb: dfu: thor: gadget: Remove dead code
This code is not used anymore in the current DFU implementation and
can be safely removed.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
2014-10-06 14:50:43 +02:00
Lukasz Majewski
1cc03c5c53 dfu: Provide means to find difference between dfu-util -e and -R
This commit provides distinction between DFU device detach and reset.
The -R behavior is preserved with proper handling of the dfu-util's -e
switch, which detach the DFU device.

By running dfu-util -e; one can force device to finish the execution of
dfu command on target and execute some other scripted commands.

Moreover, some naming has been changed - the dfu_reset() method now is known
as dfu_detach(). New name better reflects the purpose of the code.

It was also necessary to increase the number of usb_gadget_handle_interrupts()
calls since we also must wait for detection of the USB reset event.

Example usage:
1. -e (detach) switch
 dfu-util -a0 -D file1.bin;dfu-util -a3 -D uImage;dfu-util -e

 access to u-boot prompt.

2. -R (reset) switch
 dfu-util -a0 -D file1.bin;dfu-util -R -a3 -D uImage

 target board reset

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Reviewed-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
2014-09-02 14:29:28 +02:00
Stephen Warren
3ee9593fce dfu: add write error handling
Fix calls to dfu_write() and dfu_flush() to detect errors in the I/O
itself. This could happen due to problems with the storage medium, or
simply when trying to write a FAT/ext file that is larger than the buffer
dfu_mmc.c maintains for this purpose.

Signal the error by switching the DFU state/status. This will be picked
up by the DFU client when it sends the next DFU request. Note that errors
can't simply be returned from e.g. dnload_request_complete(), since that
function has no way to pass errors back to the DFU client; a call to
dnload_request_complete() simply means that a USB OUT completed.

This error state/status needs to be cleared when the next DFU client
connects. While there is a DFU_CLRSTATUS request, no DFU client seems to
send this. Hence, clear this when selecting the USB alternate setting on
the USB interface.

Finally, dfu.c relies on a call to dfu_flush() to clear up the internal
state of the write transaction. Now that errors in dfu_write() are
detected, dfu_flush() may no longer be called for every transaction.
Separate out the cleanup code into a new function, and call it whenever
dfu_write() fails, as well as from any call to dfu_flush().

Signed-off-by: Stephen Warren <swarren@nvidia.com>
2014-08-09 11:16:58 -04:00
Heiko Schocher
fc25fa27e5 dfu, nand: add medium specific polltimeout function
add a possibility to add a medium specific polltimeout
function. So it is possible to define different
poll timeouts.

Used on nand medium, for setting the DFU_MANIFEST_POLL_TIMEOUT
only on nand ubi partitions, which is currently the only
usecase.

Change-Id: If1db5f49b32d93fefa7481e8dfe5b7ccc0e65af4
Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <panto@antoniou-consulting.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
2014-05-08 10:38:30 +02:00
Mateusz Zalega
c4d0e85604 USB: gadget: added a saner gadget downloader registration API
Preprocessor definitions and hardcoded implementation selection in
g_dnl core were replaced by a linker list made of (usb_function_name,
bind_callback) pairs.

Signed-off-by: Mateusz Zalega <m.zalega@samsung.com>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
Acked-by: Marek Vasut <marex@denx.de>
2014-05-05 08:21:47 +02:00
Heiko Schocher
001a831986 usb: dfu: introduce dfuMANIFEST state
on nand flash using ubi, after the download of the new image into
the flash, the "rest" of the nand sectors get erased while flushing
the medium. With current u-boot version dfu-util may show:

Starting download: [##################################################] finished!
state(7) = dfuMANIFEST, status(0) = No error condition is present
unable to read DFU status

as get_status is not answered while erasing sectors, if erasing
needs some time.

So do the following changes to prevent this:

- introduce dfuManifest state
  According to dfu specification
  ( http://www.usb.org/developers/devclass_docs/usbdfu10.pdf ) section 7:
  "the device enters the dfuMANIFEST-SYNC state and awaits the solicitation
   of the status report by the host. Upon receipt of the anticipated
   DFU_GETSTATUS, the device enters the dfuMANIFEST state, where it
   completes its reprogramming operations."

- when stepping into dfuManifest state, sending a PollTimeout
  DFU_MANIFEST_POLL_TIMEOUT in ms, to the host, so the host
  (dfu-util) waits the PollTimeout before sending a get_status again.

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <panto@antoniou-consulting.com>
2014-03-23 02:20:09 +01:00
Lukasz Majewski
77b9504288 usb: f_dfu: cosmetic: Code cleanup
Code cleanup for dfu_bind_config function

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
2013-12-18 19:53:19 +01:00
Lukasz Majewski
33fac4a6a2 usb: dfu: f_dfu: Provide infrastructure to adjust DFU's Poll Timeout value
It is necessary to deter the host from sending subsequent DFU_GETSTATUS
request in the case of e.g. writing the buffer to medium.

Here the timeout is increased when we fill up the whole buffer. This delay
allows eMMC memory to perform its internal operations.
Otherwise we end up with HOST's error regarding GET_STATUS receive timeout.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
2013-12-18 19:53:19 +01:00
Lukasz Majewski
6bed7ce569 dfu: Implementation of target reset after communication with dfu-util's -R switch
This patch extends dfu code to support transmission with -R switch
specified at dfu-util.

When -R is specified, the extra USB_REQ_DFU_DETACH request is sent after
successful data transmission. Then dfu resources are released and reset
command is issued.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
2013-07-29 23:01:33 +02:00
Wolfgang Denk
1a4596601f Add GPL-2.0+ SPDX-License-Identifier to source files
Signed-off-by: Wolfgang Denk <wd@denx.de>
[trini: Fixup common/cmd_io.c]
Signed-off-by: Tom Rini <trini@ti.com>
2013-07-24 09:44:38 -04:00
Łukasz Majewski
81c065d2a0 dfu: Update DFU's authorship history
The DFU's state machine original implementation author and copyright were
missing.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
2013-07-10 20:18:57 +02:00
Lukasz Majewski
e059a400ad dfu:function: Fix number of allocated DFU function pointers
This subtle change fix problem with too small amount of allocated
memory to store DFU function pointers.

One needs to allocate extra space for sentinel NULL pointer in this array
of function pointers.

With the previous code, the NULL value overwrites malloc internal data
and afterwards free(f_dfu->function) crashes.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
2013-06-30 18:41:08 +02:00
Heiko Schocher
ad5f977889 usb, dfu gadget: switch to dfu mode in dfu_bind
- set in to_dfu_mode() f_dfu->dfu_state = DFU_STATE_dfuIDLE
  as after every to_dfu_mode call this is done, so move
  this into to_dfu_mode
- switch in dfu_bind() into dfu mode:
  This fixes wrong "dfu-util -l" output, when calling
  "dfu-util -l" after a board reset, without doing a
  download before. See also discussion here:

http://lists.denx.de/pipermail/u-boot/2013-June/157272.html

Signed-off-by: Heiko Schocher <hs@denx.de>
Cc: Lukasz Majewski <l.majewski@samsung.com>
Cc: Pantelis Antoniou <panto@antoniou-consulting.com>
Cc: Tom Rini <trini@ti.com>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Samuel Egli <samuel.egli@siemens.com>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
Tested-by: Lukasz Majewski <l.majewski@samsung.com>
2013-06-30 18:41:07 +02:00
Pantelis Antoniou
80eb1bd02d dfu: Properly zero out timeout value
Zero out timeout value; letting it filled with undefined values
ends up with the dfu host hanging.

Signed-off-by: Pantelis Antoniou <panto@antoniou-consulting.com>
2013-03-16 21:12:01 +01:00
Pantelis Antoniou
66dc452bfe Remove obsolete header file
usbdescriptors.h conflicts with linux/usb/ch9.h
Remove it.

Signed-off-by: Pantelis Antoniou <panto@antoniou-consulting.com>
2012-11-27 09:41:10 -07:00
Lukasz Majewski
b819ddbf56 dfu:usb: DFU USB function (f_dfu) support for g_dnl composite gadget
Support for f_dfu USB function.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
2012-09-01 16:21:50 +02:00