Commit e2140588dd2f3e619f21d9575281b7c7ea771c09
Committed by
Marek Vasut
Marek Vasut
1 parent
16b61d13ba
Exists in
v2017.01-smarct4x
and in
37 other branches
usb: gadget: fastboot: terminate commands with NULL
Without NULL termination, various commands will read past the end of input. In particular, this was noticed with error() calls in cb_getvar and simple_strtoul() in cb_download. Since the download callback happens elsewhere, the 4k buffer should always be sufficient to handle command arguments. Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>
Showing 1 changed file with 8 additions and 1 deletions Inline Diff
drivers/usb/gadget/f_fastboot.c
| 1 | /* | 1 | /* |
| 2 | * (C) Copyright 2008 - 2009 | 2 | * (C) Copyright 2008 - 2009 |
| 3 | * Windriver, <www.windriver.com> | 3 | * Windriver, <www.windriver.com> |
| 4 | * Tom Rix <Tom.Rix@windriver.com> | 4 | * Tom Rix <Tom.Rix@windriver.com> |
| 5 | * | 5 | * |
| 6 | * Copyright 2011 Sebastian Andrzej Siewior <bigeasy@linutronix.de> | 6 | * Copyright 2011 Sebastian Andrzej Siewior <bigeasy@linutronix.de> |
| 7 | * | 7 | * |
| 8 | * Copyright 2014 Linaro, Ltd. | 8 | * Copyright 2014 Linaro, Ltd. |
| 9 | * Rob Herring <robh@kernel.org> | 9 | * Rob Herring <robh@kernel.org> |
| 10 | * | 10 | * |
| 11 | * SPDX-License-Identifier: GPL-2.0+ | 11 | * SPDX-License-Identifier: GPL-2.0+ |
| 12 | */ | 12 | */ |
| 13 | #include <config.h> | 13 | #include <config.h> |
| 14 | #include <common.h> | 14 | #include <common.h> |
| 15 | #include <errno.h> | 15 | #include <errno.h> |
| 16 | #include <malloc.h> | 16 | #include <malloc.h> |
| 17 | #include <linux/usb/ch9.h> | 17 | #include <linux/usb/ch9.h> |
| 18 | #include <linux/usb/gadget.h> | 18 | #include <linux/usb/gadget.h> |
| 19 | #include <linux/usb/composite.h> | 19 | #include <linux/usb/composite.h> |
| 20 | #include <linux/compiler.h> | 20 | #include <linux/compiler.h> |
| 21 | #include <version.h> | 21 | #include <version.h> |
| 22 | #include <g_dnl.h> | 22 | #include <g_dnl.h> |
| 23 | #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV | 23 | #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV |
| 24 | #include <fb_mmc.h> | 24 | #include <fb_mmc.h> |
| 25 | #endif | 25 | #endif |
| 26 | 26 | ||
| 27 | #define FASTBOOT_VERSION "0.4" | 27 | #define FASTBOOT_VERSION "0.4" |
| 28 | 28 | ||
| 29 | #define FASTBOOT_INTERFACE_CLASS 0xff | 29 | #define FASTBOOT_INTERFACE_CLASS 0xff |
| 30 | #define FASTBOOT_INTERFACE_SUB_CLASS 0x42 | 30 | #define FASTBOOT_INTERFACE_SUB_CLASS 0x42 |
| 31 | #define FASTBOOT_INTERFACE_PROTOCOL 0x03 | 31 | #define FASTBOOT_INTERFACE_PROTOCOL 0x03 |
| 32 | 32 | ||
| 33 | #define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_2_0 (0x0200) | 33 | #define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_2_0 (0x0200) |
| 34 | #define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_1_1 (0x0040) | 34 | #define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_1_1 (0x0040) |
| 35 | #define TX_ENDPOINT_MAXIMUM_PACKET_SIZE (0x0040) | 35 | #define TX_ENDPOINT_MAXIMUM_PACKET_SIZE (0x0040) |
| 36 | 36 | ||
| 37 | /* The 64 defined bytes plus \0 */ | 37 | /* The 64 defined bytes plus \0 */ |
| 38 | #define RESPONSE_LEN (64 + 1) | 38 | #define RESPONSE_LEN (64 + 1) |
| 39 | 39 | ||
| 40 | #define EP_BUFFER_SIZE 4096 | 40 | #define EP_BUFFER_SIZE 4096 |
| 41 | 41 | ||
| 42 | struct f_fastboot { | 42 | struct f_fastboot { |
| 43 | struct usb_function usb_function; | 43 | struct usb_function usb_function; |
| 44 | 44 | ||
| 45 | /* IN/OUT EP's and corresponding requests */ | 45 | /* IN/OUT EP's and corresponding requests */ |
| 46 | struct usb_ep *in_ep, *out_ep; | 46 | struct usb_ep *in_ep, *out_ep; |
| 47 | struct usb_request *in_req, *out_req; | 47 | struct usb_request *in_req, *out_req; |
| 48 | }; | 48 | }; |
| 49 | 49 | ||
| 50 | static inline struct f_fastboot *func_to_fastboot(struct usb_function *f) | 50 | static inline struct f_fastboot *func_to_fastboot(struct usb_function *f) |
| 51 | { | 51 | { |
| 52 | return container_of(f, struct f_fastboot, usb_function); | 52 | return container_of(f, struct f_fastboot, usb_function); |
| 53 | } | 53 | } |
| 54 | 54 | ||
| 55 | static struct f_fastboot *fastboot_func; | 55 | static struct f_fastboot *fastboot_func; |
| 56 | static unsigned int download_size; | 56 | static unsigned int download_size; |
| 57 | static unsigned int download_bytes; | 57 | static unsigned int download_bytes; |
| 58 | 58 | ||
| 59 | static struct usb_endpoint_descriptor fs_ep_in = { | 59 | static struct usb_endpoint_descriptor fs_ep_in = { |
| 60 | .bLength = USB_DT_ENDPOINT_SIZE, | 60 | .bLength = USB_DT_ENDPOINT_SIZE, |
| 61 | .bDescriptorType = USB_DT_ENDPOINT, | 61 | .bDescriptorType = USB_DT_ENDPOINT, |
| 62 | .bEndpointAddress = USB_DIR_IN, | 62 | .bEndpointAddress = USB_DIR_IN, |
| 63 | .bmAttributes = USB_ENDPOINT_XFER_BULK, | 63 | .bmAttributes = USB_ENDPOINT_XFER_BULK, |
| 64 | .wMaxPacketSize = TX_ENDPOINT_MAXIMUM_PACKET_SIZE, | 64 | .wMaxPacketSize = TX_ENDPOINT_MAXIMUM_PACKET_SIZE, |
| 65 | .bInterval = 0x00, | 65 | .bInterval = 0x00, |
| 66 | }; | 66 | }; |
| 67 | 67 | ||
| 68 | static struct usb_endpoint_descriptor fs_ep_out = { | 68 | static struct usb_endpoint_descriptor fs_ep_out = { |
| 69 | .bLength = USB_DT_ENDPOINT_SIZE, | 69 | .bLength = USB_DT_ENDPOINT_SIZE, |
| 70 | .bDescriptorType = USB_DT_ENDPOINT, | 70 | .bDescriptorType = USB_DT_ENDPOINT, |
| 71 | .bEndpointAddress = USB_DIR_OUT, | 71 | .bEndpointAddress = USB_DIR_OUT, |
| 72 | .bmAttributes = USB_ENDPOINT_XFER_BULK, | 72 | .bmAttributes = USB_ENDPOINT_XFER_BULK, |
| 73 | .wMaxPacketSize = RX_ENDPOINT_MAXIMUM_PACKET_SIZE_1_1, | 73 | .wMaxPacketSize = RX_ENDPOINT_MAXIMUM_PACKET_SIZE_1_1, |
| 74 | .bInterval = 0x00, | 74 | .bInterval = 0x00, |
| 75 | }; | 75 | }; |
| 76 | 76 | ||
| 77 | static struct usb_endpoint_descriptor hs_ep_out = { | 77 | static struct usb_endpoint_descriptor hs_ep_out = { |
| 78 | .bLength = USB_DT_ENDPOINT_SIZE, | 78 | .bLength = USB_DT_ENDPOINT_SIZE, |
| 79 | .bDescriptorType = USB_DT_ENDPOINT, | 79 | .bDescriptorType = USB_DT_ENDPOINT, |
| 80 | .bEndpointAddress = USB_DIR_OUT, | 80 | .bEndpointAddress = USB_DIR_OUT, |
| 81 | .bmAttributes = USB_ENDPOINT_XFER_BULK, | 81 | .bmAttributes = USB_ENDPOINT_XFER_BULK, |
| 82 | .wMaxPacketSize = RX_ENDPOINT_MAXIMUM_PACKET_SIZE_2_0, | 82 | .wMaxPacketSize = RX_ENDPOINT_MAXIMUM_PACKET_SIZE_2_0, |
| 83 | .bInterval = 0x00, | 83 | .bInterval = 0x00, |
| 84 | }; | 84 | }; |
| 85 | 85 | ||
| 86 | static struct usb_interface_descriptor interface_desc = { | 86 | static struct usb_interface_descriptor interface_desc = { |
| 87 | .bLength = USB_DT_INTERFACE_SIZE, | 87 | .bLength = USB_DT_INTERFACE_SIZE, |
| 88 | .bDescriptorType = USB_DT_INTERFACE, | 88 | .bDescriptorType = USB_DT_INTERFACE, |
| 89 | .bInterfaceNumber = 0x00, | 89 | .bInterfaceNumber = 0x00, |
| 90 | .bAlternateSetting = 0x00, | 90 | .bAlternateSetting = 0x00, |
| 91 | .bNumEndpoints = 0x02, | 91 | .bNumEndpoints = 0x02, |
| 92 | .bInterfaceClass = FASTBOOT_INTERFACE_CLASS, | 92 | .bInterfaceClass = FASTBOOT_INTERFACE_CLASS, |
| 93 | .bInterfaceSubClass = FASTBOOT_INTERFACE_SUB_CLASS, | 93 | .bInterfaceSubClass = FASTBOOT_INTERFACE_SUB_CLASS, |
| 94 | .bInterfaceProtocol = FASTBOOT_INTERFACE_PROTOCOL, | 94 | .bInterfaceProtocol = FASTBOOT_INTERFACE_PROTOCOL, |
| 95 | }; | 95 | }; |
| 96 | 96 | ||
| 97 | static struct usb_descriptor_header *fb_runtime_descs[] = { | 97 | static struct usb_descriptor_header *fb_runtime_descs[] = { |
| 98 | (struct usb_descriptor_header *)&interface_desc, | 98 | (struct usb_descriptor_header *)&interface_desc, |
| 99 | (struct usb_descriptor_header *)&fs_ep_in, | 99 | (struct usb_descriptor_header *)&fs_ep_in, |
| 100 | (struct usb_descriptor_header *)&hs_ep_out, | 100 | (struct usb_descriptor_header *)&hs_ep_out, |
| 101 | NULL, | 101 | NULL, |
| 102 | }; | 102 | }; |
| 103 | 103 | ||
| 104 | /* | 104 | /* |
| 105 | * static strings, in UTF-8 | 105 | * static strings, in UTF-8 |
| 106 | */ | 106 | */ |
| 107 | static const char fastboot_name[] = "Android Fastboot"; | 107 | static const char fastboot_name[] = "Android Fastboot"; |
| 108 | 108 | ||
| 109 | static struct usb_string fastboot_string_defs[] = { | 109 | static struct usb_string fastboot_string_defs[] = { |
| 110 | [0].s = fastboot_name, | 110 | [0].s = fastboot_name, |
| 111 | { } /* end of list */ | 111 | { } /* end of list */ |
| 112 | }; | 112 | }; |
| 113 | 113 | ||
| 114 | static struct usb_gadget_strings stringtab_fastboot = { | 114 | static struct usb_gadget_strings stringtab_fastboot = { |
| 115 | .language = 0x0409, /* en-us */ | 115 | .language = 0x0409, /* en-us */ |
| 116 | .strings = fastboot_string_defs, | 116 | .strings = fastboot_string_defs, |
| 117 | }; | 117 | }; |
| 118 | 118 | ||
| 119 | static struct usb_gadget_strings *fastboot_strings[] = { | 119 | static struct usb_gadget_strings *fastboot_strings[] = { |
| 120 | &stringtab_fastboot, | 120 | &stringtab_fastboot, |
| 121 | NULL, | 121 | NULL, |
| 122 | }; | 122 | }; |
| 123 | 123 | ||
| 124 | static void rx_handler_command(struct usb_ep *ep, struct usb_request *req); | 124 | static void rx_handler_command(struct usb_ep *ep, struct usb_request *req); |
| 125 | 125 | ||
| 126 | static void fastboot_complete(struct usb_ep *ep, struct usb_request *req) | 126 | static void fastboot_complete(struct usb_ep *ep, struct usb_request *req) |
| 127 | { | 127 | { |
| 128 | int status = req->status; | 128 | int status = req->status; |
| 129 | if (!status) | 129 | if (!status) |
| 130 | return; | 130 | return; |
| 131 | printf("status: %d ep '%s' trans: %d\n", status, ep->name, req->actual); | 131 | printf("status: %d ep '%s' trans: %d\n", status, ep->name, req->actual); |
| 132 | } | 132 | } |
| 133 | 133 | ||
| 134 | static int fastboot_bind(struct usb_configuration *c, struct usb_function *f) | 134 | static int fastboot_bind(struct usb_configuration *c, struct usb_function *f) |
| 135 | { | 135 | { |
| 136 | int id; | 136 | int id; |
| 137 | struct usb_gadget *gadget = c->cdev->gadget; | 137 | struct usb_gadget *gadget = c->cdev->gadget; |
| 138 | struct f_fastboot *f_fb = func_to_fastboot(f); | 138 | struct f_fastboot *f_fb = func_to_fastboot(f); |
| 139 | 139 | ||
| 140 | /* DYNAMIC interface numbers assignments */ | 140 | /* DYNAMIC interface numbers assignments */ |
| 141 | id = usb_interface_id(c, f); | 141 | id = usb_interface_id(c, f); |
| 142 | if (id < 0) | 142 | if (id < 0) |
| 143 | return id; | 143 | return id; |
| 144 | interface_desc.bInterfaceNumber = id; | 144 | interface_desc.bInterfaceNumber = id; |
| 145 | 145 | ||
| 146 | id = usb_string_id(c->cdev); | 146 | id = usb_string_id(c->cdev); |
| 147 | if (id < 0) | 147 | if (id < 0) |
| 148 | return id; | 148 | return id; |
| 149 | fastboot_string_defs[0].id = id; | 149 | fastboot_string_defs[0].id = id; |
| 150 | interface_desc.iInterface = id; | 150 | interface_desc.iInterface = id; |
| 151 | 151 | ||
| 152 | f_fb->in_ep = usb_ep_autoconfig(gadget, &fs_ep_in); | 152 | f_fb->in_ep = usb_ep_autoconfig(gadget, &fs_ep_in); |
| 153 | if (!f_fb->in_ep) | 153 | if (!f_fb->in_ep) |
| 154 | return -ENODEV; | 154 | return -ENODEV; |
| 155 | f_fb->in_ep->driver_data = c->cdev; | 155 | f_fb->in_ep->driver_data = c->cdev; |
| 156 | 156 | ||
| 157 | f_fb->out_ep = usb_ep_autoconfig(gadget, &fs_ep_out); | 157 | f_fb->out_ep = usb_ep_autoconfig(gadget, &fs_ep_out); |
| 158 | if (!f_fb->out_ep) | 158 | if (!f_fb->out_ep) |
| 159 | return -ENODEV; | 159 | return -ENODEV; |
| 160 | f_fb->out_ep->driver_data = c->cdev; | 160 | f_fb->out_ep->driver_data = c->cdev; |
| 161 | 161 | ||
| 162 | hs_ep_out.bEndpointAddress = fs_ep_out.bEndpointAddress; | 162 | hs_ep_out.bEndpointAddress = fs_ep_out.bEndpointAddress; |
| 163 | 163 | ||
| 164 | return 0; | 164 | return 0; |
| 165 | } | 165 | } |
| 166 | 166 | ||
| 167 | static void fastboot_unbind(struct usb_configuration *c, struct usb_function *f) | 167 | static void fastboot_unbind(struct usb_configuration *c, struct usb_function *f) |
| 168 | { | 168 | { |
| 169 | memset(fastboot_func, 0, sizeof(*fastboot_func)); | 169 | memset(fastboot_func, 0, sizeof(*fastboot_func)); |
| 170 | } | 170 | } |
| 171 | 171 | ||
| 172 | static void fastboot_disable(struct usb_function *f) | 172 | static void fastboot_disable(struct usb_function *f) |
| 173 | { | 173 | { |
| 174 | struct f_fastboot *f_fb = func_to_fastboot(f); | 174 | struct f_fastboot *f_fb = func_to_fastboot(f); |
| 175 | 175 | ||
| 176 | usb_ep_disable(f_fb->out_ep); | 176 | usb_ep_disable(f_fb->out_ep); |
| 177 | usb_ep_disable(f_fb->in_ep); | 177 | usb_ep_disable(f_fb->in_ep); |
| 178 | 178 | ||
| 179 | if (f_fb->out_req) { | 179 | if (f_fb->out_req) { |
| 180 | free(f_fb->out_req->buf); | 180 | free(f_fb->out_req->buf); |
| 181 | usb_ep_free_request(f_fb->out_ep, f_fb->out_req); | 181 | usb_ep_free_request(f_fb->out_ep, f_fb->out_req); |
| 182 | f_fb->out_req = NULL; | 182 | f_fb->out_req = NULL; |
| 183 | } | 183 | } |
| 184 | if (f_fb->in_req) { | 184 | if (f_fb->in_req) { |
| 185 | free(f_fb->in_req->buf); | 185 | free(f_fb->in_req->buf); |
| 186 | usb_ep_free_request(f_fb->in_ep, f_fb->in_req); | 186 | usb_ep_free_request(f_fb->in_ep, f_fb->in_req); |
| 187 | f_fb->in_req = NULL; | 187 | f_fb->in_req = NULL; |
| 188 | } | 188 | } |
| 189 | } | 189 | } |
| 190 | 190 | ||
| 191 | static struct usb_request *fastboot_start_ep(struct usb_ep *ep) | 191 | static struct usb_request *fastboot_start_ep(struct usb_ep *ep) |
| 192 | { | 192 | { |
| 193 | struct usb_request *req; | 193 | struct usb_request *req; |
| 194 | 194 | ||
| 195 | req = usb_ep_alloc_request(ep, 0); | 195 | req = usb_ep_alloc_request(ep, 0); |
| 196 | if (!req) | 196 | if (!req) |
| 197 | return NULL; | 197 | return NULL; |
| 198 | 198 | ||
| 199 | req->length = EP_BUFFER_SIZE; | 199 | req->length = EP_BUFFER_SIZE; |
| 200 | req->buf = memalign(CONFIG_SYS_CACHELINE_SIZE, EP_BUFFER_SIZE); | 200 | req->buf = memalign(CONFIG_SYS_CACHELINE_SIZE, EP_BUFFER_SIZE); |
| 201 | if (!req->buf) { | 201 | if (!req->buf) { |
| 202 | usb_ep_free_request(ep, req); | 202 | usb_ep_free_request(ep, req); |
| 203 | return NULL; | 203 | return NULL; |
| 204 | } | 204 | } |
| 205 | 205 | ||
| 206 | memset(req->buf, 0, req->length); | 206 | memset(req->buf, 0, req->length); |
| 207 | return req; | 207 | return req; |
| 208 | } | 208 | } |
| 209 | 209 | ||
| 210 | static int fastboot_set_alt(struct usb_function *f, | 210 | static int fastboot_set_alt(struct usb_function *f, |
| 211 | unsigned interface, unsigned alt) | 211 | unsigned interface, unsigned alt) |
| 212 | { | 212 | { |
| 213 | int ret; | 213 | int ret; |
| 214 | struct usb_composite_dev *cdev = f->config->cdev; | 214 | struct usb_composite_dev *cdev = f->config->cdev; |
| 215 | struct usb_gadget *gadget = cdev->gadget; | 215 | struct usb_gadget *gadget = cdev->gadget; |
| 216 | struct f_fastboot *f_fb = func_to_fastboot(f); | 216 | struct f_fastboot *f_fb = func_to_fastboot(f); |
| 217 | 217 | ||
| 218 | debug("%s: func: %s intf: %d alt: %d\n", | 218 | debug("%s: func: %s intf: %d alt: %d\n", |
| 219 | __func__, f->name, interface, alt); | 219 | __func__, f->name, interface, alt); |
| 220 | 220 | ||
| 221 | /* make sure we don't enable the ep twice */ | 221 | /* make sure we don't enable the ep twice */ |
| 222 | if (gadget->speed == USB_SPEED_HIGH) | 222 | if (gadget->speed == USB_SPEED_HIGH) |
| 223 | ret = usb_ep_enable(f_fb->out_ep, &hs_ep_out); | 223 | ret = usb_ep_enable(f_fb->out_ep, &hs_ep_out); |
| 224 | else | 224 | else |
| 225 | ret = usb_ep_enable(f_fb->out_ep, &fs_ep_out); | 225 | ret = usb_ep_enable(f_fb->out_ep, &fs_ep_out); |
| 226 | if (ret) { | 226 | if (ret) { |
| 227 | puts("failed to enable out ep\n"); | 227 | puts("failed to enable out ep\n"); |
| 228 | return ret; | 228 | return ret; |
| 229 | } | 229 | } |
| 230 | 230 | ||
| 231 | f_fb->out_req = fastboot_start_ep(f_fb->out_ep); | 231 | f_fb->out_req = fastboot_start_ep(f_fb->out_ep); |
| 232 | if (!f_fb->out_req) { | 232 | if (!f_fb->out_req) { |
| 233 | puts("failed to alloc out req\n"); | 233 | puts("failed to alloc out req\n"); |
| 234 | ret = -EINVAL; | 234 | ret = -EINVAL; |
| 235 | goto err; | 235 | goto err; |
| 236 | } | 236 | } |
| 237 | f_fb->out_req->complete = rx_handler_command; | 237 | f_fb->out_req->complete = rx_handler_command; |
| 238 | 238 | ||
| 239 | ret = usb_ep_enable(f_fb->in_ep, &fs_ep_in); | 239 | ret = usb_ep_enable(f_fb->in_ep, &fs_ep_in); |
| 240 | if (ret) { | 240 | if (ret) { |
| 241 | puts("failed to enable in ep\n"); | 241 | puts("failed to enable in ep\n"); |
| 242 | goto err; | 242 | goto err; |
| 243 | } | 243 | } |
| 244 | 244 | ||
| 245 | f_fb->in_req = fastboot_start_ep(f_fb->in_ep); | 245 | f_fb->in_req = fastboot_start_ep(f_fb->in_ep); |
| 246 | if (!f_fb->in_req) { | 246 | if (!f_fb->in_req) { |
| 247 | puts("failed alloc req in\n"); | 247 | puts("failed alloc req in\n"); |
| 248 | ret = -EINVAL; | 248 | ret = -EINVAL; |
| 249 | goto err; | 249 | goto err; |
| 250 | } | 250 | } |
| 251 | f_fb->in_req->complete = fastboot_complete; | 251 | f_fb->in_req->complete = fastboot_complete; |
| 252 | 252 | ||
| 253 | ret = usb_ep_queue(f_fb->out_ep, f_fb->out_req, 0); | 253 | ret = usb_ep_queue(f_fb->out_ep, f_fb->out_req, 0); |
| 254 | if (ret) | 254 | if (ret) |
| 255 | goto err; | 255 | goto err; |
| 256 | 256 | ||
| 257 | return 0; | 257 | return 0; |
| 258 | err: | 258 | err: |
| 259 | fastboot_disable(f); | 259 | fastboot_disable(f); |
| 260 | return ret; | 260 | return ret; |
| 261 | } | 261 | } |
| 262 | 262 | ||
| 263 | static int fastboot_add(struct usb_configuration *c) | 263 | static int fastboot_add(struct usb_configuration *c) |
| 264 | { | 264 | { |
| 265 | struct f_fastboot *f_fb = fastboot_func; | 265 | struct f_fastboot *f_fb = fastboot_func; |
| 266 | int status; | 266 | int status; |
| 267 | 267 | ||
| 268 | debug("%s: cdev: 0x%p\n", __func__, c->cdev); | 268 | debug("%s: cdev: 0x%p\n", __func__, c->cdev); |
| 269 | 269 | ||
| 270 | if (!f_fb) { | 270 | if (!f_fb) { |
| 271 | f_fb = memalign(CONFIG_SYS_CACHELINE_SIZE, sizeof(*f_fb)); | 271 | f_fb = memalign(CONFIG_SYS_CACHELINE_SIZE, sizeof(*f_fb)); |
| 272 | if (!f_fb) | 272 | if (!f_fb) |
| 273 | return -ENOMEM; | 273 | return -ENOMEM; |
| 274 | 274 | ||
| 275 | fastboot_func = f_fb; | 275 | fastboot_func = f_fb; |
| 276 | memset(f_fb, 0, sizeof(*f_fb)); | 276 | memset(f_fb, 0, sizeof(*f_fb)); |
| 277 | } | 277 | } |
| 278 | 278 | ||
| 279 | f_fb->usb_function.name = "f_fastboot"; | 279 | f_fb->usb_function.name = "f_fastboot"; |
| 280 | f_fb->usb_function.hs_descriptors = fb_runtime_descs; | 280 | f_fb->usb_function.hs_descriptors = fb_runtime_descs; |
| 281 | f_fb->usb_function.bind = fastboot_bind; | 281 | f_fb->usb_function.bind = fastboot_bind; |
| 282 | f_fb->usb_function.unbind = fastboot_unbind; | 282 | f_fb->usb_function.unbind = fastboot_unbind; |
| 283 | f_fb->usb_function.set_alt = fastboot_set_alt; | 283 | f_fb->usb_function.set_alt = fastboot_set_alt; |
| 284 | f_fb->usb_function.disable = fastboot_disable; | 284 | f_fb->usb_function.disable = fastboot_disable; |
| 285 | f_fb->usb_function.strings = fastboot_strings; | 285 | f_fb->usb_function.strings = fastboot_strings; |
| 286 | 286 | ||
| 287 | status = usb_add_function(c, &f_fb->usb_function); | 287 | status = usb_add_function(c, &f_fb->usb_function); |
| 288 | if (status) { | 288 | if (status) { |
| 289 | free(f_fb); | 289 | free(f_fb); |
| 290 | fastboot_func = f_fb; | 290 | fastboot_func = f_fb; |
| 291 | } | 291 | } |
| 292 | 292 | ||
| 293 | return status; | 293 | return status; |
| 294 | } | 294 | } |
| 295 | DECLARE_GADGET_BIND_CALLBACK(usb_dnl_fastboot, fastboot_add); | 295 | DECLARE_GADGET_BIND_CALLBACK(usb_dnl_fastboot, fastboot_add); |
| 296 | 296 | ||
| 297 | static int fastboot_tx_write(const char *buffer, unsigned int buffer_size) | 297 | static int fastboot_tx_write(const char *buffer, unsigned int buffer_size) |
| 298 | { | 298 | { |
| 299 | struct usb_request *in_req = fastboot_func->in_req; | 299 | struct usb_request *in_req = fastboot_func->in_req; |
| 300 | int ret; | 300 | int ret; |
| 301 | 301 | ||
| 302 | memcpy(in_req->buf, buffer, buffer_size); | 302 | memcpy(in_req->buf, buffer, buffer_size); |
| 303 | in_req->length = buffer_size; | 303 | in_req->length = buffer_size; |
| 304 | ret = usb_ep_queue(fastboot_func->in_ep, in_req, 0); | 304 | ret = usb_ep_queue(fastboot_func->in_ep, in_req, 0); |
| 305 | if (ret) | 305 | if (ret) |
| 306 | printf("Error %d on queue\n", ret); | 306 | printf("Error %d on queue\n", ret); |
| 307 | return 0; | 307 | return 0; |
| 308 | } | 308 | } |
| 309 | 309 | ||
| 310 | static int fastboot_tx_write_str(const char *buffer) | 310 | static int fastboot_tx_write_str(const char *buffer) |
| 311 | { | 311 | { |
| 312 | return fastboot_tx_write(buffer, strlen(buffer)); | 312 | return fastboot_tx_write(buffer, strlen(buffer)); |
| 313 | } | 313 | } |
| 314 | 314 | ||
| 315 | static void compl_do_reset(struct usb_ep *ep, struct usb_request *req) | 315 | static void compl_do_reset(struct usb_ep *ep, struct usb_request *req) |
| 316 | { | 316 | { |
| 317 | do_reset(NULL, 0, 0, NULL); | 317 | do_reset(NULL, 0, 0, NULL); |
| 318 | } | 318 | } |
| 319 | 319 | ||
| 320 | static void cb_reboot(struct usb_ep *ep, struct usb_request *req) | 320 | static void cb_reboot(struct usb_ep *ep, struct usb_request *req) |
| 321 | { | 321 | { |
| 322 | fastboot_func->in_req->complete = compl_do_reset; | 322 | fastboot_func->in_req->complete = compl_do_reset; |
| 323 | fastboot_tx_write_str("OKAY"); | 323 | fastboot_tx_write_str("OKAY"); |
| 324 | } | 324 | } |
| 325 | 325 | ||
| 326 | static int strcmp_l1(const char *s1, const char *s2) | 326 | static int strcmp_l1(const char *s1, const char *s2) |
| 327 | { | 327 | { |
| 328 | if (!s1 || !s2) | 328 | if (!s1 || !s2) |
| 329 | return -1; | 329 | return -1; |
| 330 | return strncmp(s1, s2, strlen(s1)); | 330 | return strncmp(s1, s2, strlen(s1)); |
| 331 | } | 331 | } |
| 332 | 332 | ||
| 333 | static void cb_getvar(struct usb_ep *ep, struct usb_request *req) | 333 | static void cb_getvar(struct usb_ep *ep, struct usb_request *req) |
| 334 | { | 334 | { |
| 335 | char *cmd = req->buf; | 335 | char *cmd = req->buf; |
| 336 | char response[RESPONSE_LEN]; | 336 | char response[RESPONSE_LEN]; |
| 337 | const char *s; | 337 | const char *s; |
| 338 | size_t chars_left; | 338 | size_t chars_left; |
| 339 | 339 | ||
| 340 | strcpy(response, "OKAY"); | 340 | strcpy(response, "OKAY"); |
| 341 | chars_left = sizeof(response) - strlen(response) - 1; | 341 | chars_left = sizeof(response) - strlen(response) - 1; |
| 342 | 342 | ||
| 343 | strsep(&cmd, ":"); | 343 | strsep(&cmd, ":"); |
| 344 | if (!cmd) { | 344 | if (!cmd) { |
| 345 | error("missing variable\n"); | 345 | error("missing variable\n"); |
| 346 | fastboot_tx_write_str("FAILmissing var"); | 346 | fastboot_tx_write_str("FAILmissing var"); |
| 347 | return; | 347 | return; |
| 348 | } | 348 | } |
| 349 | 349 | ||
| 350 | if (!strcmp_l1("version", cmd)) { | 350 | if (!strcmp_l1("version", cmd)) { |
| 351 | strncat(response, FASTBOOT_VERSION, chars_left); | 351 | strncat(response, FASTBOOT_VERSION, chars_left); |
| 352 | } else if (!strcmp_l1("bootloader-version", cmd)) { | 352 | } else if (!strcmp_l1("bootloader-version", cmd)) { |
| 353 | strncat(response, U_BOOT_VERSION, chars_left); | 353 | strncat(response, U_BOOT_VERSION, chars_left); |
| 354 | } else if (!strcmp_l1("downloadsize", cmd) || | 354 | } else if (!strcmp_l1("downloadsize", cmd) || |
| 355 | !strcmp_l1("max-download-size", cmd)) { | 355 | !strcmp_l1("max-download-size", cmd)) { |
| 356 | char str_num[12]; | 356 | char str_num[12]; |
| 357 | 357 | ||
| 358 | sprintf(str_num, "0x%08x", CONFIG_USB_FASTBOOT_BUF_SIZE); | 358 | sprintf(str_num, "0x%08x", CONFIG_USB_FASTBOOT_BUF_SIZE); |
| 359 | strncat(response, str_num, chars_left); | 359 | strncat(response, str_num, chars_left); |
| 360 | } else if (!strcmp_l1("serialno", cmd)) { | 360 | } else if (!strcmp_l1("serialno", cmd)) { |
| 361 | s = getenv("serial#"); | 361 | s = getenv("serial#"); |
| 362 | if (s) | 362 | if (s) |
| 363 | strncat(response, s, chars_left); | 363 | strncat(response, s, chars_left); |
| 364 | else | 364 | else |
| 365 | strcpy(response, "FAILValue not set"); | 365 | strcpy(response, "FAILValue not set"); |
| 366 | } else { | 366 | } else { |
| 367 | error("unknown variable: %s\n", cmd); | 367 | error("unknown variable: %s\n", cmd); |
| 368 | strcpy(response, "FAILVariable not implemented"); | 368 | strcpy(response, "FAILVariable not implemented"); |
| 369 | } | 369 | } |
| 370 | fastboot_tx_write_str(response); | 370 | fastboot_tx_write_str(response); |
| 371 | } | 371 | } |
| 372 | 372 | ||
| 373 | static unsigned int rx_bytes_expected(void) | 373 | static unsigned int rx_bytes_expected(void) |
| 374 | { | 374 | { |
| 375 | int rx_remain = download_size - download_bytes; | 375 | int rx_remain = download_size - download_bytes; |
| 376 | if (rx_remain < 0) | 376 | if (rx_remain < 0) |
| 377 | return 0; | 377 | return 0; |
| 378 | if (rx_remain > EP_BUFFER_SIZE) | 378 | if (rx_remain > EP_BUFFER_SIZE) |
| 379 | return EP_BUFFER_SIZE; | 379 | return EP_BUFFER_SIZE; |
| 380 | return rx_remain; | 380 | return rx_remain; |
| 381 | } | 381 | } |
| 382 | 382 | ||
| 383 | #define BYTES_PER_DOT 0x20000 | 383 | #define BYTES_PER_DOT 0x20000 |
| 384 | static void rx_handler_dl_image(struct usb_ep *ep, struct usb_request *req) | 384 | static void rx_handler_dl_image(struct usb_ep *ep, struct usb_request *req) |
| 385 | { | 385 | { |
| 386 | char response[RESPONSE_LEN]; | 386 | char response[RESPONSE_LEN]; |
| 387 | unsigned int transfer_size = download_size - download_bytes; | 387 | unsigned int transfer_size = download_size - download_bytes; |
| 388 | const unsigned char *buffer = req->buf; | 388 | const unsigned char *buffer = req->buf; |
| 389 | unsigned int buffer_size = req->actual; | 389 | unsigned int buffer_size = req->actual; |
| 390 | unsigned int pre_dot_num, now_dot_num; | 390 | unsigned int pre_dot_num, now_dot_num; |
| 391 | 391 | ||
| 392 | if (req->status != 0) { | 392 | if (req->status != 0) { |
| 393 | printf("Bad status: %d\n", req->status); | 393 | printf("Bad status: %d\n", req->status); |
| 394 | return; | 394 | return; |
| 395 | } | 395 | } |
| 396 | 396 | ||
| 397 | if (buffer_size < transfer_size) | 397 | if (buffer_size < transfer_size) |
| 398 | transfer_size = buffer_size; | 398 | transfer_size = buffer_size; |
| 399 | 399 | ||
| 400 | memcpy((void *)CONFIG_USB_FASTBOOT_BUF_ADDR + download_bytes, | 400 | memcpy((void *)CONFIG_USB_FASTBOOT_BUF_ADDR + download_bytes, |
| 401 | buffer, transfer_size); | 401 | buffer, transfer_size); |
| 402 | 402 | ||
| 403 | pre_dot_num = download_bytes / BYTES_PER_DOT; | 403 | pre_dot_num = download_bytes / BYTES_PER_DOT; |
| 404 | download_bytes += transfer_size; | 404 | download_bytes += transfer_size; |
| 405 | now_dot_num = download_bytes / BYTES_PER_DOT; | 405 | now_dot_num = download_bytes / BYTES_PER_DOT; |
| 406 | 406 | ||
| 407 | if (pre_dot_num != now_dot_num) { | 407 | if (pre_dot_num != now_dot_num) { |
| 408 | putc('.'); | 408 | putc('.'); |
| 409 | if (!(now_dot_num % 74)) | 409 | if (!(now_dot_num % 74)) |
| 410 | putc('\n'); | 410 | putc('\n'); |
| 411 | } | 411 | } |
| 412 | 412 | ||
| 413 | /* Check if transfer is done */ | 413 | /* Check if transfer is done */ |
| 414 | if (download_bytes >= download_size) { | 414 | if (download_bytes >= download_size) { |
| 415 | /* | 415 | /* |
| 416 | * Reset global transfer variable, keep download_bytes because | 416 | * Reset global transfer variable, keep download_bytes because |
| 417 | * it will be used in the next possible flashing command | 417 | * it will be used in the next possible flashing command |
| 418 | */ | 418 | */ |
| 419 | download_size = 0; | 419 | download_size = 0; |
| 420 | req->complete = rx_handler_command; | 420 | req->complete = rx_handler_command; |
| 421 | req->length = EP_BUFFER_SIZE; | 421 | req->length = EP_BUFFER_SIZE; |
| 422 | 422 | ||
| 423 | sprintf(response, "OKAY"); | 423 | sprintf(response, "OKAY"); |
| 424 | fastboot_tx_write_str(response); | 424 | fastboot_tx_write_str(response); |
| 425 | 425 | ||
| 426 | printf("\ndownloading of %d bytes finished\n", download_bytes); | 426 | printf("\ndownloading of %d bytes finished\n", download_bytes); |
| 427 | } else { | 427 | } else { |
| 428 | req->length = rx_bytes_expected(); | 428 | req->length = rx_bytes_expected(); |
| 429 | if (req->length < ep->maxpacket) | 429 | if (req->length < ep->maxpacket) |
| 430 | req->length = ep->maxpacket; | 430 | req->length = ep->maxpacket; |
| 431 | } | 431 | } |
| 432 | 432 | ||
| 433 | req->actual = 0; | 433 | req->actual = 0; |
| 434 | usb_ep_queue(ep, req, 0); | 434 | usb_ep_queue(ep, req, 0); |
| 435 | } | 435 | } |
| 436 | 436 | ||
| 437 | static void cb_download(struct usb_ep *ep, struct usb_request *req) | 437 | static void cb_download(struct usb_ep *ep, struct usb_request *req) |
| 438 | { | 438 | { |
| 439 | char *cmd = req->buf; | 439 | char *cmd = req->buf; |
| 440 | char response[RESPONSE_LEN]; | 440 | char response[RESPONSE_LEN]; |
| 441 | 441 | ||
| 442 | strsep(&cmd, ":"); | 442 | strsep(&cmd, ":"); |
| 443 | download_size = simple_strtoul(cmd, NULL, 16); | 443 | download_size = simple_strtoul(cmd, NULL, 16); |
| 444 | download_bytes = 0; | 444 | download_bytes = 0; |
| 445 | 445 | ||
| 446 | printf("Starting download of %d bytes\n", download_size); | 446 | printf("Starting download of %d bytes\n", download_size); |
| 447 | 447 | ||
| 448 | if (0 == download_size) { | 448 | if (0 == download_size) { |
| 449 | sprintf(response, "FAILdata invalid size"); | 449 | sprintf(response, "FAILdata invalid size"); |
| 450 | } else if (download_size > CONFIG_USB_FASTBOOT_BUF_SIZE) { | 450 | } else if (download_size > CONFIG_USB_FASTBOOT_BUF_SIZE) { |
| 451 | download_size = 0; | 451 | download_size = 0; |
| 452 | sprintf(response, "FAILdata too large"); | 452 | sprintf(response, "FAILdata too large"); |
| 453 | } else { | 453 | } else { |
| 454 | sprintf(response, "DATA%08x", download_size); | 454 | sprintf(response, "DATA%08x", download_size); |
| 455 | req->complete = rx_handler_dl_image; | 455 | req->complete = rx_handler_dl_image; |
| 456 | req->length = rx_bytes_expected(); | 456 | req->length = rx_bytes_expected(); |
| 457 | if (req->length < ep->maxpacket) | 457 | if (req->length < ep->maxpacket) |
| 458 | req->length = ep->maxpacket; | 458 | req->length = ep->maxpacket; |
| 459 | } | 459 | } |
| 460 | fastboot_tx_write_str(response); | 460 | fastboot_tx_write_str(response); |
| 461 | } | 461 | } |
| 462 | 462 | ||
| 463 | static void do_bootm_on_complete(struct usb_ep *ep, struct usb_request *req) | 463 | static void do_bootm_on_complete(struct usb_ep *ep, struct usb_request *req) |
| 464 | { | 464 | { |
| 465 | char boot_addr_start[12]; | 465 | char boot_addr_start[12]; |
| 466 | char *bootm_args[] = { "bootm", boot_addr_start, NULL }; | 466 | char *bootm_args[] = { "bootm", boot_addr_start, NULL }; |
| 467 | 467 | ||
| 468 | puts("Booting kernel..\n"); | 468 | puts("Booting kernel..\n"); |
| 469 | 469 | ||
| 470 | sprintf(boot_addr_start, "0x%lx", load_addr); | 470 | sprintf(boot_addr_start, "0x%lx", load_addr); |
| 471 | do_bootm(NULL, 0, 2, bootm_args); | 471 | do_bootm(NULL, 0, 2, bootm_args); |
| 472 | 472 | ||
| 473 | /* This only happens if image is somehow faulty so we start over */ | 473 | /* This only happens if image is somehow faulty so we start over */ |
| 474 | do_reset(NULL, 0, 0, NULL); | 474 | do_reset(NULL, 0, 0, NULL); |
| 475 | } | 475 | } |
| 476 | 476 | ||
| 477 | static void cb_boot(struct usb_ep *ep, struct usb_request *req) | 477 | static void cb_boot(struct usb_ep *ep, struct usb_request *req) |
| 478 | { | 478 | { |
| 479 | fastboot_func->in_req->complete = do_bootm_on_complete; | 479 | fastboot_func->in_req->complete = do_bootm_on_complete; |
| 480 | fastboot_tx_write_str("OKAY"); | 480 | fastboot_tx_write_str("OKAY"); |
| 481 | } | 481 | } |
| 482 | 482 | ||
| 483 | #ifdef CONFIG_FASTBOOT_FLASH | 483 | #ifdef CONFIG_FASTBOOT_FLASH |
| 484 | static void cb_flash(struct usb_ep *ep, struct usb_request *req) | 484 | static void cb_flash(struct usb_ep *ep, struct usb_request *req) |
| 485 | { | 485 | { |
| 486 | char *cmd = req->buf; | 486 | char *cmd = req->buf; |
| 487 | char response[RESPONSE_LEN]; | 487 | char response[RESPONSE_LEN]; |
| 488 | 488 | ||
| 489 | strsep(&cmd, ":"); | 489 | strsep(&cmd, ":"); |
| 490 | if (!cmd) { | 490 | if (!cmd) { |
| 491 | error("missing partition name\n"); | 491 | error("missing partition name\n"); |
| 492 | fastboot_tx_write_str("FAILmissing partition name"); | 492 | fastboot_tx_write_str("FAILmissing partition name"); |
| 493 | return; | 493 | return; |
| 494 | } | 494 | } |
| 495 | 495 | ||
| 496 | strcpy(response, "FAILno flash device defined"); | 496 | strcpy(response, "FAILno flash device defined"); |
| 497 | #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV | 497 | #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV |
| 498 | fb_mmc_flash_write(cmd, (void *)CONFIG_USB_FASTBOOT_BUF_ADDR, | 498 | fb_mmc_flash_write(cmd, (void *)CONFIG_USB_FASTBOOT_BUF_ADDR, |
| 499 | download_bytes, response); | 499 | download_bytes, response); |
| 500 | #endif | 500 | #endif |
| 501 | fastboot_tx_write_str(response); | 501 | fastboot_tx_write_str(response); |
| 502 | } | 502 | } |
| 503 | #endif | 503 | #endif |
| 504 | 504 | ||
| 505 | struct cmd_dispatch_info { | 505 | struct cmd_dispatch_info { |
| 506 | char *cmd; | 506 | char *cmd; |
| 507 | void (*cb)(struct usb_ep *ep, struct usb_request *req); | 507 | void (*cb)(struct usb_ep *ep, struct usb_request *req); |
| 508 | }; | 508 | }; |
| 509 | 509 | ||
| 510 | static const struct cmd_dispatch_info cmd_dispatch_info[] = { | 510 | static const struct cmd_dispatch_info cmd_dispatch_info[] = { |
| 511 | { | 511 | { |
| 512 | .cmd = "reboot", | 512 | .cmd = "reboot", |
| 513 | .cb = cb_reboot, | 513 | .cb = cb_reboot, |
| 514 | }, { | 514 | }, { |
| 515 | .cmd = "getvar:", | 515 | .cmd = "getvar:", |
| 516 | .cb = cb_getvar, | 516 | .cb = cb_getvar, |
| 517 | }, { | 517 | }, { |
| 518 | .cmd = "download:", | 518 | .cmd = "download:", |
| 519 | .cb = cb_download, | 519 | .cb = cb_download, |
| 520 | }, { | 520 | }, { |
| 521 | .cmd = "boot", | 521 | .cmd = "boot", |
| 522 | .cb = cb_boot, | 522 | .cb = cb_boot, |
| 523 | }, | 523 | }, |
| 524 | #ifdef CONFIG_FASTBOOT_FLASH | 524 | #ifdef CONFIG_FASTBOOT_FLASH |
| 525 | { | 525 | { |
| 526 | .cmd = "flash", | 526 | .cmd = "flash", |
| 527 | .cb = cb_flash, | 527 | .cb = cb_flash, |
| 528 | }, | 528 | }, |
| 529 | #endif | 529 | #endif |
| 530 | }; | 530 | }; |
| 531 | 531 | ||
| 532 | static void rx_handler_command(struct usb_ep *ep, struct usb_request *req) | 532 | static void rx_handler_command(struct usb_ep *ep, struct usb_request *req) |
| 533 | { | 533 | { |
| 534 | char *cmdbuf = req->buf; | 534 | char *cmdbuf = req->buf; |
| 535 | void (*func_cb)(struct usb_ep *ep, struct usb_request *req) = NULL; | 535 | void (*func_cb)(struct usb_ep *ep, struct usb_request *req) = NULL; |
| 536 | int i; | 536 | int i; |
| 537 | 537 | ||
| 538 | for (i = 0; i < ARRAY_SIZE(cmd_dispatch_info); i++) { | 538 | for (i = 0; i < ARRAY_SIZE(cmd_dispatch_info); i++) { |
| 539 | if (!strcmp_l1(cmd_dispatch_info[i].cmd, cmdbuf)) { | 539 | if (!strcmp_l1(cmd_dispatch_info[i].cmd, cmdbuf)) { |
| 540 | func_cb = cmd_dispatch_info[i].cb; | 540 | func_cb = cmd_dispatch_info[i].cb; |
| 541 | break; | 541 | break; |
| 542 | } | 542 | } |
| 543 | } | 543 | } |
| 544 | 544 | ||
| 545 | if (!func_cb) { | 545 | if (!func_cb) { |
| 546 | error("unknown command: %s\n", cmdbuf); | 546 | error("unknown command: %s\n", cmdbuf); |
| 547 | fastboot_tx_write_str("FAILunknown command"); | 547 | fastboot_tx_write_str("FAILunknown command"); |
| 548 | } else { | 548 | } else { |
| 549 | func_cb(ep, req); | 549 | if (req->actual < req->length) { |
| 550 | u8 *buf = (u8 *)req->buf; | ||
| 551 | buf[req->actual] = 0; | ||
| 552 | func_cb(ep, req); | ||
| 553 | } else { | ||
| 554 | error("buffer overflow\n"); | ||
| 555 | fastboot_tx_write_str("FAILbuffer overflow"); | ||
| 556 | } | ||
| 550 | } | 557 | } |
| 551 | 558 | ||
| 552 | if (req->status == 0) { | 559 | if (req->status == 0) { |
| 553 | *cmdbuf = '\0'; | 560 | *cmdbuf = '\0'; |
| 554 | req->actual = 0; | 561 | req->actual = 0; |
| 555 | usb_ep_queue(ep, req, 0); | 562 | usb_ep_queue(ep, req, 0); |
| 556 | } | 563 | } |
| 557 | } | 564 | } |
| 558 | 565 |