u-boot/drivers/usb/gadget/f_dfu.c
Lukasz Majewski e059a400ad dfu:function: Fix number of allocated DFU function pointers
This subtle change fix problem with too small amount of allocated
memory to store DFU function pointers.

One needs to allocate extra space for sentinel NULL pointer in this array
of function pointers.

With the previous code, the NULL value overwrites malloc internal data
and afterwards free(f_dfu->function) crashes.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
2013-06-30 18:41:08 +02:00

753 lines
17 KiB
C

/*
* f_dfu.c -- Device Firmware Update USB function
*
* Copyright (C) 2012 Samsung Electronics
* authors: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
* Lukasz Majewski <l.majewski@samsung.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <errno.h>
#include <common.h>
#include <malloc.h>
#include <linux/usb/ch9.h>
#include <linux/usb/gadget.h>
#include <linux/usb/composite.h>
#include <dfu.h>
#include "f_dfu.h"
struct f_dfu {
struct usb_function usb_function;
struct usb_descriptor_header **function;
struct usb_string *strings;
/* when configured, we have one config */
u8 config;
u8 altsetting;
enum dfu_state dfu_state;
unsigned int dfu_status;
/* Send/received block number is handy for data integrity check */
int blk_seq_num;
};
typedef int (*dfu_state_fn) (struct f_dfu *,
const struct usb_ctrlrequest *,
struct usb_gadget *,
struct usb_request *);
static inline struct f_dfu *func_to_dfu(struct usb_function *f)
{
return container_of(f, struct f_dfu, usb_function);
}
static const struct dfu_function_descriptor dfu_func = {
.bLength = sizeof dfu_func,
.bDescriptorType = DFU_DT_FUNC,
.bmAttributes = DFU_BIT_WILL_DETACH |
DFU_BIT_MANIFESTATION_TOLERANT |
DFU_BIT_CAN_UPLOAD |
DFU_BIT_CAN_DNLOAD,
.wDetachTimeOut = 0,
.wTransferSize = DFU_USB_BUFSIZ,
.bcdDFUVersion = __constant_cpu_to_le16(0x0110),
};
static struct usb_interface_descriptor dfu_intf_runtime = {
.bLength = sizeof dfu_intf_runtime,
.bDescriptorType = USB_DT_INTERFACE,
.bNumEndpoints = 0,
.bInterfaceClass = USB_CLASS_APP_SPEC,
.bInterfaceSubClass = 1,
.bInterfaceProtocol = 1,
/* .iInterface = DYNAMIC */
};
static struct usb_descriptor_header *dfu_runtime_descs[] = {
(struct usb_descriptor_header *) &dfu_intf_runtime,
NULL,
};
static const struct usb_qualifier_descriptor dev_qualifier = {
.bLength = sizeof dev_qualifier,
.bDescriptorType = USB_DT_DEVICE_QUALIFIER,
.bcdUSB = __constant_cpu_to_le16(0x0200),
.bDeviceClass = USB_CLASS_VENDOR_SPEC,
.bNumConfigurations = 1,
};
static const char dfu_name[] = "Device Firmware Upgrade";
/*
* static strings, in UTF-8
*
* dfu_generic configuration
*/
static struct usb_string strings_dfu_generic[] = {
[0].s = dfu_name,
{ } /* end of list */
};
static struct usb_gadget_strings stringtab_dfu_generic = {
.language = 0x0409, /* en-us */
.strings = strings_dfu_generic,
};
static struct usb_gadget_strings *dfu_generic_strings[] = {
&stringtab_dfu_generic,
NULL,
};
/*
* usb_function specific
*/
static struct usb_gadget_strings stringtab_dfu = {
.language = 0x0409, /* en-us */
/*
* .strings
*
* assigned during initialization,
* depends on number of flash entities
*
*/
};
static struct usb_gadget_strings *dfu_strings[] = {
&stringtab_dfu,
NULL,
};
/*-------------------------------------------------------------------------*/
static void dnload_request_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_dfu *f_dfu = req->context;
dfu_write(dfu_get_entity(f_dfu->altsetting), req->buf,
req->length, f_dfu->blk_seq_num);
if (req->length == 0)
puts("DOWNLOAD ... OK\nCtrl+C to exit ...\n");
}
static void handle_getstatus(struct usb_request *req)
{
struct dfu_status *dstat = (struct dfu_status *)req->buf;
struct f_dfu *f_dfu = req->context;
switch (f_dfu->dfu_state) {
case DFU_STATE_dfuDNLOAD_SYNC:
case DFU_STATE_dfuDNBUSY:
f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_IDLE;
break;
case DFU_STATE_dfuMANIFEST_SYNC:
break;
default:
break;
}
/* send status response */
dstat->bStatus = f_dfu->dfu_status;
dstat->bwPollTimeout[0] = 0;
dstat->bwPollTimeout[1] = 0;
dstat->bwPollTimeout[2] = 0;
dstat->bState = f_dfu->dfu_state;
dstat->iString = 0;
}
static void handle_getstate(struct usb_request *req)
{
struct f_dfu *f_dfu = req->context;
((u8 *)req->buf)[0] = f_dfu->dfu_state;
req->actual = sizeof(u8);
}
static inline void to_dfu_mode(struct f_dfu *f_dfu)
{
f_dfu->usb_function.strings = dfu_strings;
f_dfu->usb_function.hs_descriptors = f_dfu->function;
f_dfu->dfu_state = DFU_STATE_dfuIDLE;
}
static inline void to_runtime_mode(struct f_dfu *f_dfu)
{
f_dfu->usb_function.strings = NULL;
f_dfu->usb_function.hs_descriptors = dfu_runtime_descs;
}
static int handle_upload(struct usb_request *req, u16 len)
{
struct f_dfu *f_dfu = req->context;
return dfu_read(dfu_get_entity(f_dfu->altsetting), req->buf,
req->length, f_dfu->blk_seq_num);
}
static int handle_dnload(struct usb_gadget *gadget, u16 len)
{
struct usb_composite_dev *cdev = get_gadget_data(gadget);
struct usb_request *req = cdev->req;
struct f_dfu *f_dfu = req->context;
if (len == 0)
f_dfu->dfu_state = DFU_STATE_dfuMANIFEST_SYNC;
req->complete = dnload_request_complete;
return len;
}
/*-------------------------------------------------------------------------*/
/* DFU state machine */
static int state_app_idle(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
case USB_REQ_DFU_DETACH:
f_dfu->dfu_state = DFU_STATE_appDETACH;
to_dfu_mode(f_dfu);
value = RET_ZLP;
break;
default:
value = RET_STALL;
break;
}
return value;
}
static int state_app_detach(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
default:
f_dfu->dfu_state = DFU_STATE_appIDLE;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_idle(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 len = le16_to_cpu(ctrl->wLength);
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_DNLOAD:
if (len == 0) {
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
f_dfu->blk_seq_num = w_value;
value = handle_dnload(gadget, len);
break;
case USB_REQ_DFU_UPLOAD:
f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
f_dfu->blk_seq_num = 0;
value = handle_upload(req, len);
break;
case USB_REQ_DFU_ABORT:
/* no zlp? */
value = RET_ZLP;
break;
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
case USB_REQ_DFU_DETACH:
/*
* Proprietary extension: 'detach' from idle mode and
* get back to runtime mode in case of USB Reset. As
* much as I dislike this, we just can't use every USB
* bus reset to switch back to runtime mode, since at
* least the Linux USB stack likes to send a number of
* resets in a row :(
*/
f_dfu->dfu_state =
DFU_STATE_dfuMANIFEST_WAIT_RST;
to_runtime_mode(f_dfu);
f_dfu->dfu_state = DFU_STATE_appIDLE;
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_dnload_sync(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_dnbusy(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 len = le16_to_cpu(ctrl->wLength);
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_DNLOAD:
f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
f_dfu->blk_seq_num = w_value;
value = handle_dnload(gadget, len);
break;
case USB_REQ_DFU_ABORT:
f_dfu->dfu_state = DFU_STATE_dfuIDLE;
value = RET_ZLP;
break;
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_manifest_sync(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_GETSTATUS:
/* We're MainfestationTolerant */
f_dfu->dfu_state = DFU_STATE_dfuIDLE;
handle_getstatus(req);
f_dfu->blk_seq_num = 0;
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_upload_idle(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 len = le16_to_cpu(ctrl->wLength);
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_UPLOAD:
/* state transition if less data then requested */
f_dfu->blk_seq_num = w_value;
value = handle_upload(req, len);
if (value >= 0 && value < len)
f_dfu->dfu_state = DFU_STATE_dfuIDLE;
break;
case USB_REQ_DFU_ABORT:
f_dfu->dfu_state = DFU_STATE_dfuIDLE;
/* no zlp? */
value = RET_ZLP;
break;
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static int state_dfu_error(struct f_dfu *f_dfu,
const struct usb_ctrlrequest *ctrl,
struct usb_gadget *gadget,
struct usb_request *req)
{
int value = 0;
switch (ctrl->bRequest) {
case USB_REQ_DFU_GETSTATUS:
handle_getstatus(req);
value = RET_STAT_LEN;
break;
case USB_REQ_DFU_GETSTATE:
handle_getstate(req);
break;
case USB_REQ_DFU_CLRSTATUS:
f_dfu->dfu_state = DFU_STATE_dfuIDLE;
f_dfu->dfu_status = DFU_STATUS_OK;
/* no zlp? */
value = RET_ZLP;
break;
default:
f_dfu->dfu_state = DFU_STATE_dfuERROR;
value = RET_STALL;
break;
}
return value;
}
static dfu_state_fn dfu_state[] = {
state_app_idle, /* DFU_STATE_appIDLE */
state_app_detach, /* DFU_STATE_appDETACH */
state_dfu_idle, /* DFU_STATE_dfuIDLE */
state_dfu_dnload_sync, /* DFU_STATE_dfuDNLOAD_SYNC */
state_dfu_dnbusy, /* DFU_STATE_dfuDNBUSY */
state_dfu_dnload_idle, /* DFU_STATE_dfuDNLOAD_IDLE */
state_dfu_manifest_sync, /* DFU_STATE_dfuMANIFEST_SYNC */
NULL, /* DFU_STATE_dfuMANIFEST */
NULL, /* DFU_STATE_dfuMANIFEST_WAIT_RST */
state_dfu_upload_idle, /* DFU_STATE_dfuUPLOAD_IDLE */
state_dfu_error /* DFU_STATE_dfuERROR */
};
static int
dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
{
struct usb_gadget *gadget = f->config->cdev->gadget;
struct usb_request *req = f->config->cdev->req;
struct f_dfu *f_dfu = f->config->cdev->req->context;
u16 len = le16_to_cpu(ctrl->wLength);
u16 w_value = le16_to_cpu(ctrl->wValue);
int value = 0;
u8 req_type = ctrl->bRequestType & USB_TYPE_MASK;
debug("w_value: 0x%x len: 0x%x\n", w_value, len);
debug("req_type: 0x%x ctrl->bRequest: 0x%x f_dfu->dfu_state: 0x%x\n",
req_type, ctrl->bRequest, f_dfu->dfu_state);
if (req_type == USB_TYPE_STANDARD) {
if (ctrl->bRequest == USB_REQ_GET_DESCRIPTOR &&
(w_value >> 8) == DFU_DT_FUNC) {
value = min(len, (u16) sizeof(dfu_func));
memcpy(req->buf, &dfu_func, value);
}
} else /* DFU specific request */
value = dfu_state[f_dfu->dfu_state] (f_dfu, ctrl, gadget, req);
if (value >= 0) {
req->length = value;
req->zero = value < len;
value = usb_ep_queue(gadget->ep0, req, 0);
if (value < 0) {
debug("ep_queue --> %d\n", value);
req->status = 0;
}
}
return value;
}
/*-------------------------------------------------------------------------*/
static int
dfu_prepare_strings(struct f_dfu *f_dfu, int n)
{
struct dfu_entity *de = NULL;
int i = 0;
f_dfu->strings = calloc(sizeof(struct usb_string), n + 1);
if (!f_dfu->strings)
goto enomem;
for (i = 0; i < n; ++i) {
de = dfu_get_entity(i);
f_dfu->strings[i].s = de->name;
}
f_dfu->strings[i].id = 0;
f_dfu->strings[i].s = NULL;
return 0;
enomem:
while (i)
f_dfu->strings[--i].s = NULL;
free(f_dfu->strings);
return -ENOMEM;
}
static int dfu_prepare_function(struct f_dfu *f_dfu, int n)
{
struct usb_interface_descriptor *d;
int i = 0;
f_dfu->function = calloc(sizeof(struct usb_descriptor_header *), n + 1);
if (!f_dfu->function)
goto enomem;
for (i = 0; i < n; ++i) {
d = calloc(sizeof(*d), 1);
if (!d)
goto enomem;
d->bLength = sizeof(*d);
d->bDescriptorType = USB_DT_INTERFACE;
d->bAlternateSetting = i;
d->bNumEndpoints = 0;
d->bInterfaceClass = USB_CLASS_APP_SPEC;
d->bInterfaceSubClass = 1;
d->bInterfaceProtocol = 2;
f_dfu->function[i] = (struct usb_descriptor_header *)d;
}
f_dfu->function[i] = NULL;
return 0;
enomem:
while (i) {
free(f_dfu->function[--i]);
f_dfu->function[i] = NULL;
}
free(f_dfu->function);
return -ENOMEM;
}
static int dfu_bind(struct usb_configuration *c, struct usb_function *f)
{
struct usb_composite_dev *cdev = c->cdev;
struct f_dfu *f_dfu = func_to_dfu(f);
int alt_num = dfu_get_alt_number();
int rv, id, i;
id = usb_interface_id(c, f);
if (id < 0)
return id;
dfu_intf_runtime.bInterfaceNumber = id;
f_dfu->dfu_state = DFU_STATE_appIDLE;
f_dfu->dfu_status = DFU_STATUS_OK;
rv = dfu_prepare_function(f_dfu, alt_num);
if (rv)
goto error;
rv = dfu_prepare_strings(f_dfu, alt_num);
if (rv)
goto error;
for (i = 0; i < alt_num; i++) {
id = usb_string_id(cdev);
if (id < 0)
return id;
f_dfu->strings[i].id = id;
((struct usb_interface_descriptor *)f_dfu->function[i])
->iInterface = id;
}
to_dfu_mode(f_dfu);
stringtab_dfu.strings = f_dfu->strings;
cdev->req->context = f_dfu;
error:
return rv;
}
static void dfu_unbind(struct usb_configuration *c, struct usb_function *f)
{
struct f_dfu *f_dfu = func_to_dfu(f);
int alt_num = dfu_get_alt_number();
int i;
if (f_dfu->strings) {
i = alt_num;
while (i)
f_dfu->strings[--i].s = NULL;
free(f_dfu->strings);
}
if (f_dfu->function) {
i = alt_num;
while (i) {
free(f_dfu->function[--i]);
f_dfu->function[i] = NULL;
}
free(f_dfu->function);
}
free(f_dfu);
}
static int dfu_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
{
struct f_dfu *f_dfu = func_to_dfu(f);
debug("%s: intf:%d alt:%d\n", __func__, intf, alt);
f_dfu->altsetting = alt;
return 0;
}
/* TODO: is this really what we need here? */
static void dfu_disable(struct usb_function *f)
{
struct f_dfu *f_dfu = func_to_dfu(f);
if (f_dfu->config == 0)
return;
debug("%s: reset config\n", __func__);
f_dfu->config = 0;
}
static int dfu_bind_config(struct usb_configuration *c)
{
struct f_dfu *f_dfu;
int status;
f_dfu = calloc(sizeof(*f_dfu), 1);
if (!f_dfu)
return -ENOMEM;
f_dfu->usb_function.name = "dfu";
f_dfu->usb_function.hs_descriptors = dfu_runtime_descs;
f_dfu->usb_function.bind = dfu_bind;
f_dfu->usb_function.unbind = dfu_unbind;
f_dfu->usb_function.set_alt = dfu_set_alt;
f_dfu->usb_function.disable = dfu_disable;
f_dfu->usb_function.strings = dfu_generic_strings,
f_dfu->usb_function.setup = dfu_handle,
status = usb_add_function(c, &f_dfu->usb_function);
if (status)
free(f_dfu);
return status;
}
int dfu_add(struct usb_configuration *c)
{
int id;
id = usb_string_id(c->cdev);
if (id < 0)
return id;
strings_dfu_generic[0].id = id;
dfu_intf_runtime.iInterface = id;
debug("%s: cdev: 0x%p gadget:0x%p gadget->ep0: 0x%p\n", __func__,
c->cdev, c->cdev->gadget, c->cdev->gadget->ep0);
return dfu_bind_config(c);
}