Sam Protsenko [Thu, 8 Aug 2024 03:14:16 +0000 (22:14 -0500)]
mmc: dw_mmc: Add support for 64-bit IDMAC
Some DW MMC blocks (e.g. those on modern Exynos chips) support 64-bit
DMA addressing mode. 64-bit DW MMC variants differ from their 32-bit
counterparts:
- the register layout is a bit different (because there are additional
IDMAC registers present for storing upper part of 64-bit addresses)
- DMA descriptor structure is bigger and different from 32-bit one
Introduce all necessary changes to enable support for 64-bit DMA capable
DW MMC blocks. Next changes were made:
1. Check which DMA address mode is supported in current IP-core
version. HCON register (bit 27) indicates whether it's 32-bit or
64-bit addressing. Add boolean .dma_64bit_address field to struct
dwmci_host and store the result there. dwmci_init_dma() function is
introduced for doing so, which is called on driver's init.
2. Add 64-bit DMA descriptor (struct dwmci_idmac64) and use it in
dwmci_prepare_desc() in case if .dma_64bit_address field is true.
A new dwmci_set_idma_desc64() function was added for populating that
descriptor.
3. Add registers for 64-bit DMA capable blocks. To make the access to
IDMAC registers universal between 32-bit / 64-bit cases, a new
struct dwmci_idmac_regs (and corresponding host->regs field) was
introduced, which abstracts the hardware by being set to
appropriate offset constants on init. All direct calls to IDMAC
registers were correspondingly replaced by accessing host->regs.
4. Allocate and use 64-bit DMA descriptors buffer in case when IDMAC
is 64-bit capable. Extract all the code (except for the IDMAC
descriptors buffer allocation) from dwmci_send_cmd() to
dwmci_send_cmd_common(), so that it's possible to keep IDMAC
buffer (either 32-bit or 64-bit) on stack during send_cmd routine.
The insights for this implementation were taken from Linux kernel DW MMC
driver.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
Prepare for adding 64-bit IDMAC descriptors by renaming current 32-bit
descriptor and its fields accordingly. While at it, make use of
virt_to_phys() to make it more obvious in which places the physical
addresses have to be used.
No functional change.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
Sam Protsenko [Thu, 8 Aug 2024 03:14:12 +0000 (22:14 -0500)]
mmc: dw_mmc: Extract FIFO data transfer into a separate routine
FIFO data transfer is implemented as quite a massive chunk of code.
Extract it into a dedicated function to make dwmci_data_transfer()
easier to read and reduce the indentation level of the code.
No functional change.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
Sam Protsenko [Thu, 8 Aug 2024 03:14:11 +0000 (22:14 -0500)]
mmc: dw_mmc: Extract divider update to a separate function
Extract the clock divider update into dwmci_update_div() function. It's
a procedure recommended in TRM, so it's better to keep it in a dedicated
function to make the code clearer.
While at it also extract the clock control code into a separate routine
to avoid code duplication in dwmci_setup_bus().
No functional change.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
Sam Protsenko [Thu, 8 Aug 2024 03:14:09 +0000 (22:14 -0500)]
mmc: dw_mmc: Extract waiting for data busy into a separate routine
Waiting for data busy is a logically separate operation and should be
implemented as a separate routine. Follow Linux kernel example and
extract it from dwmci_send_cmd(). This way it doesn't clutter
dwmci_send_cmd() function, and can be reused later in other cases.
No functional change.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
ext4: Fix integer overflow in ext4fs_read_symlink()
While zalloc() takes a size_t type, adding 1 to the le32 variable
will overflow.
A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
and as consequence zalloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
squashfs: Fix heap corruption in sqfs_search_dir()
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
squashfs: Fix stack overflow while symlink resolving
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
squashfs: Fix integer overflow in sqfs_inode_size()
A carefully crafted squashfs filesystem can exhibit an extremly large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.
Fix by using __builtin_add_overflow() to detect the overflow.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
squashfs: Fix integer overflow in sqfs_resolve_symlink()
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
dlmalloc: Make sure allocation size is within malloc area
Since U-Boot does not support memory overcommit we can
enforce that the allocation size is within the malloc area.
This is a simple and efficient hardening measure to mitigate
further integer overflows in dlmalloc.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
Make sure that the new break is within mem_malloc_start
and mem_malloc_end before making progress.
ulong new = old + increment; can overflow for extremely large
increment values and memset() can get wrongly called.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
req is of type size_t, casting it to long opens the door
for an integer overflow.
Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
cause and overflow such that request2size() returns MINSIZE.
Fix by removing the cast.
The origin of the cast is unclear, it's in u-boot and ppcboot since ever
and predates the CVS history.
Doug Lea's original dlmalloc implementation also doesn't have it.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
by LONG_MIN/LONG_MAX.
So, use the long type, also to match the rest of the Linux ecosystem.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
bootstage: Fix out-of-bounds read in reloc_bootstage()
bootstage_get_size() returns the total size of the data structure
including associated records.
When copying from gd->bootstage, only the allocation size of gd->bootstage
must be used. Otherwise too much memory is copied.
This bug caused no harm so far because gd->new_bootstage is always
large enough and reading beyond the allocation length of gd->bootstage
caused no problem due to the U-Boot memory layout.
Fix by using the correct size and perform the initial copy directly
in bootstage_relocate() to have the whole relocation process in the
same function.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
Evaluate the filesystem incompat and ro_compat bit fields to judge
whether the filesystem can be read or written.
For the read side only a scary warning is shown so far.
I'd love to abort mounting too, but I fear this will break some setups
where the driver works by chance.
Signed-off-by: Richard Weinberger <richard@nod.at>
Do not load and flush segments whose program header type is not
PT_LOAD to avoid crash happen.
bootelf will load all program headers and then flush cache.
Since PT_GNU_STACK start address is 0x0, crash happens when
it flushes PT_GNU_STACK area for target that memory cannot be
accessed from address 0x0.
crash call stack:
====================================================================
bootelf -p
|-> do_bootelf (cmd/elf.c)
|-> load_elf_image_phdr (lib/elf.c) /* Load each program header */
|-> for (i = 0; i < ehdr->e_phnum; ++i) { /* e_phnum is 2 */
|-> flush_cache(start=0, size=0) (arch/arm/lib/cache.c) (*1)
|-> flush_dcache_range(start=0, 0); (arch/arm/cpu/armv8/cache_v8.c)
|-> __asm_flush_dcache_range(start=0, 0) (arch/arm/cpu/armv8/cache.S)
|-> /* clean & invalidate data or unified cache */
|-> dc civac, x0 <<== crash happen x0:start=0
====================================================================
*1 Here the p_paddr and p_filesz of the GNU_STACK program are 0.
hello_world elf image program headers
====================================================================
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000080ff0000 0x0000000080ff0000
0x0000000000010390 0x0000000000010390 R E 0x10000
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
Sean Anderson [Sat, 10 Aug 2024 13:59:37 +0000 (09:59 -0400)]
pinmux: generic: Use ENOENT instead of ENOSYS
ENOSYS should only be used when a subsystem is completely absent.
Convert its use in pinctrl-generic to ENOENT, which better reflects the
error condition (that a function/group/pin is missing).
Signed-off-by: Sean Anderson <seanga2@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Ravi Minnikanti [Sun, 11 Aug 2024 18:44:15 +0000 (11:44 -0700)]
env: remove vars that are not in default env
current env_set_default_vars() doesn't delete
var that are not in the imported env. hashtable
removes vars that are not in the imported
env but present in the current env only if H_NOCLEAR
flag is not set.
This change is to avoid passing H_NOCLEAR flag if
specific vars are passed to env_set_default_vars()
Without this change:
Marvell>> env default boot_mode
Marvell>>
With the change:
Marvell>> env default boot_mode
WARNING: 'boot_mode' not in imported env, deleting it!
Signed-off-by: Ravi Minnikanti <rminnikanti@marvell.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Yasuharu Shibata [Wed, 14 Aug 2024 12:41:07 +0000 (21:41 +0900)]
sandbox: fix wget test failure after fixing wget issue
After applying the following patch, wget test on sandbox failed[1].
Commit: cab7867cff ("net: wget: Support retransmission a dropped packet")
Here are two reasons why the test is failed and how to fix it:
1. tcp_ack is calculated by the wrong value.
tcp_ack needs to be calculated by the received TCP payload size.
2. wget command may have a problem that HTTP response from server
must be divided into more than two packets.
In this commit, HTTP response is divided into two packets.
In addition, I fixed the HTTP response returned at the correct timing.
cmd: led: fix led command usage for the LED_SW_BLINK enabled case
CONFIG_LED_BLINK and CONFIG_LED_SW_BLINK can be defined independently.
Led blinking works if any (or both) of them is enabled. Unfortunately
the led command help does not display blinking option if only
CONFIG_LED_SW_BLINK is enabled. This is definitely wrong.
This patch fix an issue.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> Reviewed-by: Simon Glass <sjg@chromium.org> Acked-by: Alexander Dahl <ada@thorsis.com>
spi: soft_spi: Parse cs-gpios only if num-chipselects is not <0>
Some boards don't have chipselect lines for leds so cs-gpios is not
specified in the dts leading to probing error. Fix it by making
behavior similar to the one in Linux, parse num-chipselects and
if it is zero, ignore cs-gpios.
Signed-off-by: Michael Polyntsov <michael.polyntsov@iopsys.eu> Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
- Convert tqma6q_mba6 to watchdog DM to fix reset.
- Convert tqma6q_mba6 to PMIC and I2C DM.
- Convert tqma6q_mba6 to OF_UPSTREAM.
- Do not print the board name twice on tqma6.
- Enable CMD_ERASEENV for imx8mm/mp Phytec boards.
- Add imx8ulp binman support.
- Fix imx8 build when CONFIG_IMX_BOOTAUX is set.
Fabio Estevam [Fri, 9 Aug 2024 15:25:48 +0000 (12:25 -0300)]
imx6-tqma6: Convert to OF_UPSTREAM
Instead of using the local imx6-tqma6 devicetree copies from U-Boot,
convert the imx6-tqma6 target to OF_UPSTREAM so that the upstream
kernel devicetrees can be used instead.
Gary Bisson [Mon, 5 Aug 2024 21:25:10 +0000 (23:25 +0200)]
mach-imx: Add i.MX 8ULP binman support
- Re-use i.MX 93 Makefile target as similar boot process
- Create imx8ulp-u-boot.dtsi for binman image architecture
- Create both SPL and U-Boot containers configuration
Key differences between the 93 and 8ULP SPL container are:
- No LPDDR training library needed for 8ULP
- 8ULP requires a uPower binary (RISC-V core) for power management
- 8ULP also requires a M33 binary to work properly
Signed-off-by: Gary Bisson <bisson.gary@gmail.com> Reviewed-by: Peng Fan <peng.fan@nxp.com>
Gary Bisson [Mon, 5 Aug 2024 21:25:08 +0000 (23:25 +0200)]
tools: imx8image: add upower image support
Part of the upower management was included in a previous commit [1].
This patch only adds the bits required to properly parse a config file
that would include the binary as follows:
IMAGE PWR upower.bin
Gary Bisson [Mon, 5 Aug 2024 21:25:07 +0000 (23:25 +0200)]
tools: imx8image: fix soc variable for ULP
Currently the ULP token sets the soc as IMX9, making it impossible to
differentiate the two families of processors.
However, since the 8ULP requires specific binaries like upower which do
not exist in 93, they need to be separated.
Fixes: 6ec65c8558f (tools: image: support i.MX93) Signed-off-by: Gary Bisson <bisson.gary@gmail.com> Reviewed-by: Peng Fan <peng.fan@nxp.com>
Simon Glass [Sun, 11 Aug 2024 14:50:34 +0000 (08:50 -0600)]
armv8: ls2085a: Drop CMD_DATE
These boards use pre-driver model code and it is several years since the
migration deadline. Disable the 'date' command so that this old code can
be removed.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heiko Schocher <hs@denx.de>
Simon Glass [Sun, 11 Aug 2024 14:50:33 +0000 (08:50 -0600)]
mips: malta: Drop CMD_DATE
These boards use pre-driver model code and it is several years since the
migration deadline. Disable the 'date' command so that this old code can
be removed.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heiko Schocher <hs@denx.de>
Tom Rini [Mon, 12 Aug 2024 13:58:24 +0000 (07:58 -0600)]
Merge tag 'u-boot-rockchip-20240812' of https://source.denx.de/u-boot/custodians/u-boot-rockchip
Please pull the updates for rockchip platform:
- Add board support:
RK3566: Radxa ROCK 3 Model C
Radxa ZERO 3W/3E
Xunlong Orange Pi 3B
RK3568J: Radxa ROCK 3B
RK3308B: Radxa ROCK S0
RK3588: Radxa ROCK 5 ITX
FriendlyElec CM3588 NAS board
- dw-mmc: allow 4-bit mode;
- dts and config updates;
Tom Rini [Mon, 12 Aug 2024 13:57:34 +0000 (07:57 -0600)]
Merge tag 'efi-2024-10-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request efi-2024-10-rc3
UEFI:
* efi_loader: use list_count_nodes() in efi_protocols_per_handle()
* efi_loader: correct description of efi_get_distro_fdt_name
* boot: set correct block device name in set_efi_bootdev()
* configs: enable efidebug and EFI http boot on QEMU aarch64
Other:
* Makefile: don't use CFLAGS for environment text file
FUKAUMI Naoki [Tue, 6 Aug 2024 03:47:59 +0000 (12:47 +0900)]
configs: rockchip: enable "ums" command for Radxa ROCK 5B
USB Type-C port is configured as "peripheral" port. so enable "ums"
command to use as USB Mass Storage device.
("rockusb" command is already enabled and working)
Signed-off-by: FUKAUMI Naoki <naoki@radxa.com> Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Heiko Stuebner [Fri, 2 Aug 2024 21:00:28 +0000 (23:00 +0200)]
board: rockchip: Add Radxa ROCK 5 ITX
The Rock 5 ITX is a board in ITX form factor using the RK3588 SoC
It can be powered either by 12V, ATX power-supply or PoE.
Notable peripherals are the 4 SATA ports, M.2 M-Key slot, M.2 E-key slot,
2*2.5Gb PCIe-connected Ethernet NICs.
Display options are 2*HDMI, DP via USB-c, eDP + 2*DSI via PCB connectors.
USB ports are 4*USB3 + 2*USB2 on the back panel and 2-port front-panel
connector.
Schematics for the board can be found on
- https://dl.radxa.com/rock5/5itx/radxa_rock_5_itx_X1100_schematic.pdf
- https://dl.radxa.com/rock5/5itx/v1110/radxa_rock_5itx_v1110_schematic.pdf
The naming scheme with the dashes follows Dragan's comment on the mainline
devicetree commit:
"the name of this board deviates from the standard Radxa naming scheme,
which is something like "ROCK <number><letter>" thus, "rock-5a" is
fine, but it should be "rock-5-itx", simply because there's a space
between "5" and "ITX" in "ROCK 5 ITX"
Signed-off-by: Heiko Stuebner <heiko@sntech.de> Reviewed-by: Kever Yang <kever.yang@rock-chips.com> Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Makefile: don't use CFLAGS for environment text file
We use KCPPFLAGS to let the user set flags when invoking the C precompiler.
These should also be used when generating the environment text file.
Reported-by: Dave Jones <dave.jones@canonical.com> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Simon Glass <sjg@chromium.org>
configs: enable efidebug and EFI http boot on QEMU aarch64
EFI HTTP is a useful option to have by default and is working reliably on
QEMU. Let's enable it by default, since we have no size limitations.
While at it enable 'efidebug' as well, which is currently needed to
configure the EFI HTTP boot options.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Simon Glass <sjg@chromium.org>
Alexander Dahl [Wed, 3 Jul 2024 10:12:58 +0000 (12:12 +0200)]
fs: ubifs: Add volume mounted check
Safety guard in the U-Boot filesystem glue code, because these functions
are called from different parts of the codebase. For generic filesystem
handling this should have been checked in blk_get_device_part_str()
already. Commands from cmd/ubifs.c should also check this before
calling those functions, but you never know?!
Alexander Dahl [Wed, 3 Jul 2024 10:12:57 +0000 (12:12 +0200)]
fs: ubifs: Make k(z)alloc/kfree symmetric
Although kfree() is in fact only a slim wrapper to free() in U-Boot, use
kfree() here, because those structs where allocated with kalloc() or
kzalloc().
Alexander Dahl [Wed, 3 Jul 2024 10:12:56 +0000 (12:12 +0200)]
fs: ubifs: Set pointers to NULL after free
Global superblock pointer 'ubifs_sb' and volume pointer 'ubi' of type
struct ubi_volume_desc in private member sb->s_fs_info of type struct
ubifs_info, can be allocated and freed at runtime, and allocated and
freed again, depending which console or script commands are run. In
some cases ubifs_sb is even tested to determine if the filesystem is
mounted. Reset those pointers to NULL after free to clearly mark them
as not valid. This avoids potential double free on invalid pointers.
(The ubifs_sb pointer was already reset, but that statement was moved
now to directly after the free() to make it easier to understand.)
Alexander Dahl [Wed, 3 Jul 2024 10:12:55 +0000 (12:12 +0200)]
fs: ubifs: Fix memleak and double free in u-boot wrapper functions
When mounting ubifs e.g. through command 'ubifsmount' one global static
superblock 'ubifs_sb' is used _and_ the requested volume is opened (like
in Linux). The pointer returned by 'ubifs_open_volume()' is stored in
that superblock struct and freed later on cmd 'ubifsumount' or another
call to 'ubifsmount' with a different volume, through ubifs_umount() and
ubi_close_volume().
In ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() the volume
was opened again, which is technically no problem with regard to
refcounting, but here the still valid pointer in sb was overwritten,
leading to a memory leak. Even worse, when using one of those
functions and calling ubifsumount later, ubi_close_volume() was called
again but now on an already freed pointer, leading to a double free.
This actually crashed with different invalid memory accesses on a board
using the old distro boot and a rather long script handling RAUC
updates.
Example:
> ubi part UBI
> ubifsmount ubi0:boot
> test -e ubi ubi0:boot /boot.scr.uimg
> ubifsumount
The ubifs specific commands 'ubifsls' and 'ubifsload' check for a
mounted volume by themselves, for the generic fs variants 'ls', 'load',
(and 'size', and 'test -e') this is covered by special ubifs handling in
fs_set_blk_dev() and deeper down blk_get_device_part_str() then. So for
ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() we can be
sure the volume is opened and the necessary struct pointer in sb is
valid, so it is not needed to open volume again.
Fixes: 9eefe2a2b37 ("UBIFS: Implement read-only UBIFS support in U-Boot") Fixes: 29cc5bcadfc ("ubifs: Add functions for generic fs use") Signed-off-by: Alexander Dahl <ada@thorsis.com>
Tom Rini [Fri, 9 Aug 2024 22:03:21 +0000 (16:03 -0600)]
Merge patch series "Universal Payload initial series"
Simon Glass <sjg@chromium.org> says:
Universal Payload (UPL) is an Industry Standard for firmware
components[1]. UPL is designed to improve interoperability within the
firmware industry, allowing mixing and matching of projects with less
friction and fewer project-specific implementations. UPL is
cross-platform, supporting ARM, x86 and RISC-V initially.
This series provides some initial support for this, targeting 0.9.1 and
sandbox only.
Features still to come include:
- Support for architectures
- FIT validation
- Handoff validation
- Interoperability tests
Simon Glass [Wed, 7 Aug 2024 22:47:39 +0000 (16:47 -0600)]
upl: Add an end-to-end test
Now that sandbox_vpl supports UPL, add a test that checks that the
payload can be loaded by SPL and the handoff information passed through
to U-Boot proper.
projects / thirdparty / u-boot.git / log
