The ChipIdea device controller wasn't properly cleaned up when disabled.
So enabling it again left it in a broken state. The problem occurred for
example when the host unbinds the driver and binds it again.
During the first setup, when the out request is queued, the endpoint is
primed (`epprime`). If the endpoint is then disabled, it stayed primed
with the initial buffer. So after the endpoint is re-enabled, the device
controller and device driver were out of sync: the new out request was
in the driver queue head, yet not submitted, but the "complete" function
was still called, since the endpoint was primed with the old buffer.
With the fastboot function this error led to the (rather confusing)
error message "buffer overflow".
Fixed by clearing the primed buffers with the `epflush` (`ENDPTFLUSH`)
register.
Signed-off-by: Simon Holesch <simon@holesch.de>
Reviewed-by: Marek Vasut <marex@denx.de>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Link: https://lore.kernel.org/r/20231120002024.32865-1-simon@holesch.de
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Make sure we have an IMX header before calling spl_load_imx_container,
since if we don't it will fail with -ENOENT. This allows us to fall back to
legacy/raw images if they are also enabled.
This is a functional change, one which likely should have been in place
from the start, but a functional change nonetheless. Previously, all
non-IMX8 images (except FITs without FIT_FULL) would be optimized out if
the only image load method enabled supported IMX8 images. With this change,
support for other image types now has an effect.
There are seven boards with SPL_LOAD_IMX_CONTAINER enabled: three with
SPL_BOOTROM_SUPPORT:
imx93_11x11_evk_ld imx93_11x11_evk imx8ulp_evk
and four with SPL_MMC:
deneb imx8qxp_mek giedi imx8qm_mek
All of these boards also have SPL_RAW_IMAGE_SUPPORT and
SPL_LEGACY_IMAGE_FORMAT enabled as well. However, none have FIT support
enabled. Of the six load methods affected by this patch, only SPL_MMC and
SPL_BOOTROM_SUPPORT are enabled with SPL_LOAD_IMX_CONTAINER.
spl_romapi_load_image_seekable does not support legacy or raw images, so
there is no growth. However, mmc_load_image_raw_sector does support loading
legacy/raw images. Since these images could not have been booted before, I
have disabled support for legacy/raw images on these four boards. This
reduces bloat from around 800 bytes to around 200.
There are no in-tree boards with SPL_LOAD_IMX_CONTAINER and AHAB_BOOT both
enabled, so we do not need to worry about potentially falling back to
legacy images in a secure boot scenario.
Future work could include merging imx_container.h with imx8image.h, since
they appear to define mostly the same structures.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
In the existing implementation, multiple requests queued up on an
endpoint are subject to getting evicted without transmission.
For both control and bulk endpoints, their respective logic found in
usba_control_irq()/usba_ep_irq() guarantees that TX FIFO is empty before
data is sent out, and that request_complete() gets called once the
transaction has been finished. At this point however, if any additional
requests are found on the endpoint queue, they will be processed by
submit_next_request(), which makes no checks against the above
conditions, trashing data on a busy FIFO and neglecting completion
handlers.
Fix the above issues by removing the calls to submit_next_request(),
and thus forcing the pending requests to be processed on the next pass
of the respective endpoint logic. While at it, remove a DBG message, as
that branch becomes part of regular flow.
This restores mass storage mode operation on Microchip ATSAMA5D27 SoC.
Signed-off-by: Artur Rojek <artur@conclusive.pl>
This old patch was marked as deferred. Bring it back to life, to continue
towards the removal of common.h
Move this out of the common header and include it only where needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
The usb_gadget_handle_interrupts() is no longer used anywhere,
replace the remaining uses with dm_usb_gadget_handle_interrupts()
which takes udevice as a parameter.
Some of the UDC drivers currently ignore the index parameter altogether,
those also ignore the udevice and have to be reworked. Other like the
dwc3_uboot_handle_interrupt() had to be switched from index to udevice
look up to avoid breakage.
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com> # on khadas vim3
Signed-off-by: Marek Vasut <marex@denx.de>
Remove legacy functions limited by the dev_array array,
those are no longer used anywhere, all the code uses
plain udevice based access now.
The usb_gadget_handle_interrupts() is doing udevice look up
until all call sites use dm_usb_gadget_handle_interrupts().
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Convert to plain udevice interaction with UDC controller
device, avoid the use of UDC uclass dev_array .
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Convert to plain udevice interaction with UDC controller
device, avoid the use of UDC uclass dev_array .
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Convert to plain udevice interaction with UDC controller
device, avoid the use of UDC uclass dev_array .
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Convert to plain udevice interaction with UDC controller
device, avoid the use of UDC uclass dev_array .
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Convert to plain udevice interaction with UDC controller
device, avoid the use of UDC uclass dev_array .
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com> # on khadas vim3
Signed-off-by: Marek Vasut <marex@denx.de>
Pull the functionality of UDC uclass that operates on plain udevice
and does not use this dev_array array into separate functions and
expose those functions, so that as much code as possible can be
switched over to these functions and the dev_array can be dropped.
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Marek Vasut <marex@denx.de>
It is not a parse error to have a default value of "0" for a "hex" type
entry, instead of "0x0". However, "0" and "0x0" are not treated the
same even by the tools themselves. Correct this by changing the default
value from "0" to "0x0" for all hex type questions that had the
incorrect default. Fix one instance (in two configs) of a default of "0"
being used on a hex question to be "0x0". Remove the cases where a
defconfig had set a value of "0x0" to be used as the default had been
"0".
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Move the ethernet gadget driver registration and removal from ethernet
bind and unbind callbacks into driver DM probe and remove callbacks.
This way, when the driver is bound, which is triggered deliberately
using 'bind' command, the USB ethernet gadget driver is instantiated
and bound to the matching UDC. In reverse, when the driver is unbound,
which is again triggered deliberately using 'unbind' command, the USB
ethernet gadget driver instance is removed.
Effectively, this now behaves like running either 'ums' or 'dfu' or
any other commands utilizing USB gadget functionality.
This also drops use of usb_gadget_release() and moves the use of
usb_gadget_initialize() into usb_ether_init() used only by legacy
platforms that do not use 'bind' command properly yet. Those have
no place in drivers.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Move the driver probe function above the driver structure, so it
can be placed alongside other related functions, like upcoming
remove function. No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Tom Rini <trini@konsulko.com>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
These functions here are only ever called once since drop of non-DM
networking code. Inline them. No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Tom Rini <trini@konsulko.com>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Define SPL_USB_ETH_RNDIS symbol to make it possible to select USB
gadget ethernet support in SPL and U-Boot separately in Kconfig .
Make use of the new symbols in gadget Makefile and move the rndis.o
just below the now merged USB_ETHER symbol in Makefile.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
To avoid piling up all the various Kconfig symbols in one place, i.e.
common/spl/Kconfig, move the USB Kconfig symbols into drivers/usb/ .
This commit moves SPL_USB_GADGET and related symbols. Fix typo and
rename SPL_USB_GADGET to "USB Gadget Support in SPL" .
Update the gadget Makefile to match the symbol changes.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
When building with clang, it notes that sdinfo may be unused
uninitialized in some cases. This appears to be true from reading the
code, and we can simply set the variable to zero to start with and be as
correct as before.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Marek Vasut <marex@denx.de>
The spl_board_prepare_for_boot() should be called before jump_to_image_no_args()
to perform board-specific deinitialization before jumping to the next stage.
This board-specific deinitialization can be very much anything, e.g. disable
dcache in case it was enabled, or such.
Add the missing spl_board_prepare_for_boot() call into f_sdp .
Signed-off-by: Marek Vasut <marex@denx.de>
All Nvidia boards use the same manufacturer, vendor ID and product ID
for the gadgets. Make them the defaults to remove some boilerplate from
the defconfigs.
Inspired by commit e02687bda9 ("sunxi: provide default USB gadget
setup") which did the same for Allwinner boards.
Tested-by: Thierry Reding <treding@nvidia.com> # T30 and T124
Signed-off-by: Maxim Schwalm <maxim.schwalm@gmail.com>
Signed-off-by: Tom <twarren@nvidia.com>
When dropping the unused fotg210 gadget driver a leading 0 was
introduced to the next line, drop it.
Fixes: e9b4678bc7 ("usb: Drop unused fotg210 gadget")
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
This is not used and appears to be associated with the faraday board which
has been removed. Drop the driver and Kconfig options.
Signed-off-by: Simon Glass <sjg@chromium.org>
At this point, the remaining places where we have a symbol that is
defined as CONFIG_... are in fairly odd locations. While as much dead
code has been removed as possible, some of these locations are simply
less obvious at first. In other cases, this code is used, but was
defined in such a way as to have been missed by earlier checks. Perform
a rename of all such remaining symbols to be CFG_... rather than
CONFIG_...
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We should use the cmd/ directory for commands rather than for common code
used elsewhere in U-Boot. Move the common 'source' code into
image-board.c to achieve this.
The image_source_script() function needs to call run_command_list() so
seems to belong better in the command library. Move and rename it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Pullup is used by the usb framework in order to do software-controlled
usb_gadget_connect() and usb_gadget_disconnect().
Implement pullup() for dwc2 using the SOFT_DISCONNECT bit in the dctl
register:
* when pullup is on, clear SOFT_DISCONNECT
* when pullup is off, set SOFT_DISCONNECT
This is especially useful when a gadget disconnection is initiated but
no board_usb_cleanup() is called.
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
The patch fixes the following error when updating a BSH SMM S2 board:
3:72>Start Cmd:FB[-t 8000]: ucmd nand write ${loadaddr} nanddtb ${filesize}
3:72>Okay (0.023s)
3:72>Start Cmd:FB: reboot
3:72>Fail Bulk(R):LIBUSB_ERROR_IO(0s)
The "fastboot reboot" command detaches the USB when it still needs to be
used. So let's detach the USB just before the reset.
CC: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Fixes: 5f7e01e9d5 ("usb: gadget: fastboot: detach usb on reboot commands")
Suggested-by: Michael Trimarchi <michael@amarulasolutions.com>
Co-developed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Much of the fastboot code predates the introduction of Kconfig and
has quite a few #ifdefs in it which is unnecessary now that we can use
IS_ENABLED() et al.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
Tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com> # on vim3l
As discussed previously [1,2], the source command is not safe to use with
verified boot unless there is a key with required = "images" (which has its
own problems). This is because if such a key is absent, signatures are
verified but not required. It is assumed that configuration nodes will
provide the signature. Because the source command does not use
configurations to determine the image to source, effectively no
verification takes place.
To address this, allow specifying configuration nodes. We use the same
syntax as the bootm command (helpfully provided for us by fit_parse_conf).
By default, we first try the default config and then the default image. To
force using a config, # must be present in the command (e.g. `source
$loadaddr#my-conf`). For convenience, the config may be omitted, just like
the address may be (e.g. `source \#`). This also works for images
(`source :` behaves exactly like `source` currently does).
[1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9eeded@prevas.dk/
[2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005fdd@gmail.com/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Two callers of image_source_script specify an image name. However, both
use the deprecated @ syntax, indicating that they have not been updated
in a while. If CONFIG_FIT_SIGNATURE is enabled, we will reject such
names outright. Back in commit 152576a598 ("stm32mp: stm32prog: handle
U-Boot script in flashlayout alternate"), we even renamed one of the
nodes. Instead of hard-coding a script image name, just use the default
image.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
This define is not enabled by the only platform which currently enables
the legacy option of CONFIG_USB_DEVICE. We can drop this code.
Signed-off-by: Tom Rini <trini@konsulko.com>
Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Original
implementation permits manipulation of InformationBufferOffset to
exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
within a 32byte offset as the devices packet filter. The packet filter
value may be next retrieved using gen_ndis_query_resp so it is possible
to extract specific memory regions two bytes a time.
The rndis_query_response was not modified as neither the buffer offset
nor length passed to gen_ndis_query_resp is used.
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Commit fbce985e28 to fix CVE-2022-2347
blocks DFU usb requests.
The verification of the transfer direction was done by an equality
but it is a bit mask.
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify that
the transfer direction. Fixing the length and transfer
direction.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
The code checks the return value from uclass_first_device as well as
that the device exists but it passes on the return value which may be
zero if there are no gadget devices. Just check that a device was
returned and return -ENODEV otherwise.
Also remove the dev variable which is not really used for anything.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Fix typo that was caused by the same feature being split in to 2 different
configuration options. Replace CONFIG_USBNET_DEVADDR with
CONFIG_USBNET_DEV_ADDR
Signed-off-by: Ignacio Zamora <nachopitt@gmail.com>
When host issues "fastboot reboot fastboot", it's expected that the
board drops the USB connection before resetting.
On some boards, such as Khadas VIM3L and SEI610, this is not the case.
We observe the following error:
$ fastboot reboot fastboot
Rebooting into fastboot OKAY [ 0.004s]
fastboot: error: Failed to boot into userspace fastboot; one or more components might be unbootable.
This does not happen when we use the RST button on the board.
It can be reproduced in linux with:
# echo b > /proc/sysrq-trigger
In this case, we hit a undefined hardware behavior, where D+ and D-
are in an unknown state. Therefore the host can't detect usb
disconnection.
Make sure we always call usb_gadget_release() when a "fastboot reboot"
command is issued.
Note: usb_gadget_release() should be called before g_dnl_unregister()
because g_dnl_unregister() triggers a complete() call on each
endpoint (thus calling do_reset()).
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Take the USB_ETHER ifdef block apart and make use of obj-$(VAR) instead
to include the source files in build. The duplicate CI_UDC entry is now
removed, the USB_DEVICE ifdef is now reduced to core.o ep.o addition,
the ether.o can be conditionally compiled in using USB_ETHER.
No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).
Signed-off-by: Alison Huffman <alisn@google.com>
This driver is not used by any system and is long unmaintained, drop it.
There is a DWC2 OTG driver which is maintained, see CONFIG_USB_GADGET_DWC2_OTG .
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
