temp is assigned the pointer returned by malloc which is used without a
NULL check and then never freed. Add a NULL check and ensure temp is
freed on all return paths.
This issue was found by Smatch.
Reviewed-by: Udit Kumar <u-kumar1@ti.com>
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Nishanth Menon <nm@ti.com>
Tested-by: Anshul Dalal <anshuld@ti.com>
The cv1800b_clk_setfield function returns void, but was doing "return
writel(...);" and while seemingly having a void function return a void
function is not a warning, when readl is a macro this problem is shown.
Correct the code to instead simply call writel.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Yao Zi <ziyao@disroot.org>
This reverts commit a681cfecb4346107212f377e2075f6eb1bdc6a2b.
It has been reported that the commit causes boot regression for SPL on
StarFive VisionFive 2 or compatible boards. Inspecting the code, I did
spot one logic error for deciding whether Zaamo or Zalrsc is used, and
it's still unclear what exactly causes the regression, let's revert it
for now.
Reported-by: E Shattow <e@freeshell.de>
Link: https://lore.kernel.org/u-boot/1871663e-b918-4351-9e9e-97f9a4c73733@freeshell.de/
Signed-off-by: Yao Zi <ziyao@disroot.org>
Acked-by: E Shattow <e@freeshell.de>
Acked-by: Leo Yu-Chi Liang <ycliang@andestech.com>
The WDT_DAVINCI driver is not safe to compile on 64bit platforms such as
allyesconfig on a 64bit host. Tighten the dependencies here to the
platforms which could use it today.
Signed-off-by: Tom Rini <trini@konsulko.com>
A few watchdog drivers cannot build without access to some platform
specific header files. Express those requirements in Kconfig as well.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> says:
The commit 726404a66c773 ("airoha: rework RAM size handling to support
multiple RAM size") is not good enougth. It results in pacnic during
determining of memory size amount.
This patch series partly fix and partly revert the above commit.
Unfortunately for now we have no a good way to determine the an7581
memory size.
Link: https://lore.kernel.org/r/20251008070903.370974-1-mikhail.kshevetskiy@iopsys.eu
Introduce a new version of the Keystone-II "ddr" command for testing the
inline ECC support in the DDRSS bridge available on K3 devices. The ECC
hardware support in K3's DDRSS and the test method differ substantially
from what we support in the K2 variant of the command. This K3 DDRSS
command currently supports only single controller testing.
The ECC error injection procedure follows these steps:
1) Flush and disable the data cache.
2) Disable the protected ECC Rx range.
3) Flip a bit in the address.
4) Restore the range to original.
5) Read the modified value (corrected).
6) Re-enable the data cache.
This will cause the 1-bit ECC error count to increase while the read
will return the corrected value.
The K3 version of the command extends the syntax for the "ecc_err"
argument by also introducing an argument for range which specifies which
range (0, 1, 2) the address is located in.
Multi-bit ECC errors are uncorrectable and will lead to a synchronous
abort.
Signed-off-by: Georgi Vlaev <g-vlaev@ti.com>
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
[n-francis@ti.com: Add J7 and multiple-region support, simplify logic]
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
Reviewed-by: Udit Kumar <u-kumar1@ti.com>
This partly fix commit 726404a66c773 ("airoha: rework RAM size handling
to support multiple RAM size")
The function get_effective_memsize() do not see non-global defines
of CFG_MAX_MEM_MAPPED, so the effective memory size will not be changed.
Fix the issue by putting definition of CFG_MAX_MEM_MAPPED to the proper
place.
Fixes: 726404a66c773 ("airoha: rework RAM size handling to support multiple RAM size")
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
expo and cedit tests depend on the host having the SDL library.
Build these tests only if VIDEO_SANDBOX_SDL config is enabled.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Enable CONFIG_OF_UPSTREAM to receive automatic
device tree updates for the Verdin AM62P.
Remove the now-obsolete device tree files:
- k3-am62p-verdin.dtsi
- k3-am62p-verdin-dev.dtsi
- k3-am62p-verdin-wifi.dtsi
- k3-am62p5-verdin-wifi-dev.dts
Signed-off-by: Ernest Van Hoecke <ernest.vanhoecke@toradex.com>
In ut_report() there is a null check for stats but stats was already
dereferenced on the line before and is again dereferenced later in the
same function. Also the two places where ut_report() is called from will
have initialised the parameter so there is no chance that stats will be
null. So to prevent static analysis complaining of a use before check
just remove the check.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
We will want to use this same logic in another place within iter_inc(),
so split it out into its own function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Add a few comments about global bootmeths and first_glob_method
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Make all drive names defined with U_BOOT_DRIVER unique
TEE changes:
Rework things such that sandbox will also traverse the optee directory
when SANDBOX_TEE is enabled, but only build one of the optee-specific
files when OPTEE is enabled.
EFI changes:
Up to now we were relying on the file extension to accept and load
an image over HTTP. We expected images to be either .iso or .img.
By wiring up internal existing functions we can try to mount any
file extension and reject it only if mounting fails.
part_driver_lookup_type
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgWII69YpahbL5iK5gS8AYozs+qIFAmjt/7cACgkQgS8AYozs
+qJjFhAAuiReQHpldIqw0zPkzW26zF4KRNKzkSqGiiAEJZthZcwRsdn1Xid9BhTh
bd47K5OXoPdP9mLL8xmPSYbxnLPCSrrbeMZO/jIivqrvYdA4ub6Mobn8siCeq5+G
ONvnVPjgcZ3LDywsoDXHqta6sMh0gTeH4h5qiUQiM7sNGYz1gdx+8zOfTOpcwk9U
771CoO1o86HKc0+WPJYkTD86ymGEbDLpcaKiL46UCpuFLAwdJ3l/fJHXwLCuxjnj
pPwJ5AOOFtQVdKF32lQQdywoJvNKcrRdAgWFLUGNizRERQ6qZK1ov8IMpyRHZFpE
FvVUF+2l8hFTYCbEKBC/RMlOeHp5ceE+GcVXYjmUIxqMRp7SldqQ3/WANkTKuvcb
fIjYRAFwcqwHG7AuObD/ew+XMwjnNHDKvpuLxkKgj1wX0xmNcX97QmmKz2sPCS/D
ZFEcI9bCkfyhcIGs0WBfZpQTIABrStblSQxG1XK7aYMmnJdzLFo6vXINAa+MFU6e
rA4Pu+OmLyO6rdTuj0HRlXX832nvyVUkyY2d3CyEpcpat2IWwvVJWgCePW2wZo3E
NawhpOuqLnehzhuRG3/5LeMsGLegQq7ak0/zV6egsl6Is08cKJIvzq7qndxJ/8Ez
Ox2sKE3B2crhx3UTs+5XnBF8H8WRKCZW+/D0LSd5knMzo3UwPMo=
=6iJS
-----END PGP SIGNATURE-----
Merge tag 'mix-next-14102025' of https://source.denx.de/u-boot/custodians/u-boot-tpm
TPM changes:
Make all drive names defined with U_BOOT_DRIVER unique
TEE changes:
Rework things such that sandbox will also traverse the optee directory
when SANDBOX_TEE is enabled, but only build one of the optee-specific
files when OPTEE is enabled.
EFI changes:
Up to now we were relying on the file extension to accept and load
an image over HTTP. We expected images to be either .iso or .img.
By wiring up internal existing functions we can try to mount any
file extension and reject it only if mounting fails.
part_driver_lookup_type
Align erase and write on erase block boundary in line with how read was
aligned in commit 622b5d35613 ("cmd: sf: Handle unaligned 'update' start
offset").
Fixes: 622b5d35613 ("cmd: sf: Handle unaligned 'update' start offset")
Signed-off-by: Viorel Suman <viorel.suman@nxp.com>
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # R-Car V4H
Remove cdns,is-dma DT property handling. Property is not the part of DT
binding and it is also hardcoded to value 1 in all DTs that's why remove it
because none is also testing value 0.
If there is any use case when this configuration should be supported this
patch can be reverted.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/r/6205c6585589b423692b6ed063506b4c51c04c77.1760006086.git.michal.simek@amd.com
All instances of the U_BOOT_DRIVER must use a unique name or they will
lead to link time failures due to name space conflicts when both are
present. In this case the driver was reusing the tpm_tis_i2c name.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The intention of how this Makefile was written was to allow for sandbox
to build and test drivers still while otherwise requiring OPTEE to be
enabled. This however didn't work quite right in practice as sandbox
could enable some drivers which would then fail to link. Rework things
such that sandbox will also traverse the optee directory when
SANDBOX_TEE is enabled, but only build one of the optee-specific files
when OPTEE is enabled.
Signed-off-by: Tom Rini <trini@konsulko.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Enhances the process for identifying disk images within the EFI boot
manager. Utilize part_driver_lookup_type() to verify the validity of a
downloaded file as a disk image, rather than depending on file
extensions.
part_driver_lookup_type() is now used in the prepare_loaded_image()
function in the EFI boot manager to detect partitions on a block device
created from a downloaded image. This allows the boot manager to boot
from any disk image that can be recognized by a partition driver, not
just ISO and IMG images.
Update prepare_loaded_image() to create the ramdisk block device
internally, obtain the blk_desc and use part_driver_lookup_type() to
detect a valid partition table.
In try_load_from_uri_path(), try prepare_loaded_image() first to detect
disk images, and fall back to PE-COFF detection only if that fails.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Make part_driver_lookup_type non-static so it can be used outside
part.c. This allows external callers to determine the appropriate
partition driver for a block device, enabling more flexible handling of
partition types.
Add a prototype and kernel-doc comment in part.h to document the
function contract. Provide a stub inline implementation returning NULL
when partition support is disabled, ensuring build consistency across
configurations.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
A "Synchronous Abort" CPU exception happens on an attempt to run the
"bootflow info" command for a global boot method (e.g. efi_mgr):
=> bootflow select 0
=> bootflow info
"Synchronous Abort" handler, esr 0x96000006, far 0x8
It happens because do_bootflow_info() tries to dereference bflow->dev,
which is NULL in case of efi_mgr. Add the corresponding check to prevent
this NULL pointer dereference and make "bootflow info" command work
properly for global boot methods.
Fixes: 2d653f686b6d ("bootstd: Add a bootflow command")
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Due to how we implement the logic for selecting what should/shouldn't be
built in a given phase it becomes extremely cumbersome to make these
phases link when configured by "allyesconfig". As a starting point for
being able to enable "allyesconfig" and expand our static coverage,
disable all other phases in this case.
Future work can be done to enable other phases as time and interest
permit.
Signed-off-by: Tom Rini <trini@konsulko.com>
Given how these options are used in the code, it doesn't make sense to
enable them for COMPILE_TEST. Make them depend on !COMPILE_TEST.
Signed-off-by: Tom Rini <trini@konsulko.com>
The REMAKE_ELF flag is something that should be selected by the
platforms which need it, and not prompted for. Start by making this
depend on !COMPILE_TEST.
Signed-off-by: Tom Rini <trini@konsulko.com>
Today, only a few platforms enable SPL_LOAD_FIT_FULL, and all enable
SPL_LOAD_FIT. As can be seen in usage, the FULL symbol is a superset of
the first symbol, not an alternative. Update Kconfig entries based on
this and simplify the only code which checks for either being set.
Signed-off-by: Tom Rini <trini@konsulko.com>
We can only enable Falcon Mode (aka SPL_OS) on architectures which
implement certain hooks. Express these dependencies in Kconfig.
Signed-off-by: Tom Rini <trini@konsulko.com>
Andreas Pretzsch <apr@cn-eng.de> says:
For the RAUC bootmethod, newly introduced in U-Boot 2025.10, both code
and documentation contain some incorrect (maybe outdated) statements,
so they do not reflect the real behaviour.
This series corrects both the docs and one log_info in the code, to now
reflect the real flow. Beside being visible in the code, all of it was
tested on a real machine.
Despite the very late time in RC cycle, I suggest inclusion before release
of U-Boot 2025.10, as the current statements are simply incorrect. Also I
do not see any risk in these non-functional changes.
Thanks to Martin Schwan for the review and esp. the initial code!
Link: https://lore.kernel.org/r/20251002162506.3908711-1-apr@cn-eng.de
The documentation of bootmeth rauc in some aspects does not reflect the
real program flow. Specifically the reset of boot tries in case of "no
more slots found" is incorrect (it won't change BOOT_ORDER).
Also the search sequence for boot scripts was mixed and incomplete.
Fix these points in the documentation.
Explain the initial setup of any missing BOOT_ORDER and BOOT_x_LEFT
environment variables, and inform about BOOT_x_LEFT decrementing.
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de>
Reviewed-by: Martin Schwan <m.schwan@phytec.de>
If there is no more active slot found in find_active_slot(), like when
all slots in BOOT_ORDER have a count of 0, the counters are reset to their
default value CONFIG_BOOTMETH_RAUC_DEFAULT_TRIES. The BOOT_ORDER is _not_
changed, which is logically correct (especially for the case when there is
only one (active) slot set, e.g. BOOT_ORDER only contains 'B', probably due
to RAUC option prevent-late-fallback being set). Resetting the counters of
inactive slots also does not harm here, and is fine as a generic solution.
But the log_info statement in this scenario
INFO: Resetting boot order and all slot tries
is incorrect. Change this to
INFO: Resetting all slot tries to 3
with the 3 being inserted by CONFIG_BOOTMETH_RAUC_DEFAULT_TRIES.
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de>
Reviewed-by: Martin Schwan <m.schwan@phytec.de>
Correct the memory and IO mbus windows size increments in mvebu_pcie_bind.
Currently, pcie1 controller resource_size(&mem) and resource_size(&io)
checks result in a failure. This is because mem.end and io.end must be
incremented at the end of pcie0 windows assignment.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
This driver cannot link without access to functions that are defined in
files that are only build on some platforms. Express those requirements
in Kconfig as well.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Convert the PXA1908 platform and its coreprimevelte board to OF_UPSTREAM
and enable the few drivers found in the upstream DTS.
Signed-off-by: Duje Mihanović <duje@dujemihanovic.xyz>
In octeontx_mmc_io_drive_setup drive and slew are tested for being less
than 0 but they are declared as uint fields so this test must always
fail. Just remove the test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
The check for no response expected in octeontx_mmc_send_cmd needs parens
adding for proper interpretation.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Smatch reported an issue with a test that was always true in that an
unsigned variable will always be >= to zero. This led to a closer look
at the code which showed that some static functions returned values that
were always discarded so make those functions return void. Also make
the passing of block counts in those functions always use lbaint_t.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Testing an unsigned variable to be >= 0 will always be true so remove
this redundant test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Returning immediately from sqfs_read_nest is not consistent with other
error checks in this function and can lead to memory leaks. Instead use
the unwind goto used elsewhere to ensure that the memory is freed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Acked-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
When adding filesystems to the table in fs/fs.c we need to use
CONFIG_IS_ENABLED(FS_xxx) so that we only include references to a given
filesystem when CONFIG_FS_xxx or CONFIG_SPL_FS_xxx or similar are
enabled. Update the filesystems which weren't doing this to follow that
pattern.
Signed-off-by: Tom Rini <trini@konsulko.com>
We should compile the LZ4_decompress_safe and
LZ4_decompress_safe_partial functions in SPL and they will be discarded
if unused.
Signed-off-by: Tom Rini <trini@konsulko.com>
When I migrated this to Kconfig in commit 68e54040ccc3 ("sandbox: Move
CONFIG_IO_TRACE to Kconfig") I didn't look hard enough for other
details. As explained in the README, this is valid for ARM too. So start
by making this be a prompted question and CMD_IOTRACE depend on IO_TRACE
being enabled. Next, migrate the information out of README and in to
the appropriate help text for existing options in Kconfig. Finally, make
this option be default y on SANDBOX but not selected as it's valid to
build without it.
Signed-off-by: Tom Rini <trini@konsulko.com>
The way that the current readX/writeX macros are implemented on sandbox
means that when IO_TRACE is not enabled some code will throw up
incorrect warnings due to how sandbox_{read,write} is implemented. We
instead need to do the "uX __v; __v = sandbox..(..v); __v;" trick that
ARM does.
Signed-off-by: Tom Rini <trini@konsulko.com>
We have had an implementation of the generic timer found in many v7m
chips since 2017, but as part of the Kconfig migration forgot to allow
it as it wasn't being used at the time. Allow it to be built.
Signed-off-by: Tom Rini <trini@konsulko.com>
Quentin Schulz <foss+uboot@0leil.net> says:
I had to hunt down a difference between the FIT after running mkimage
once and after running it twice. The use-case is typically U-Boot
generating an unsigned FIT and then calling mkimage manually to sign it
outside any build system.
The issue can be reproduced with the following
make CROSS_COMPILE=aarch64-linux-gnu- BUILD_TAG= SOURCE_DATE_EPOCH=0 O=build/ringneck ringneck-px30_defconfig
make CROSS_COMPILE=aarch64-linux-gnu- BUILD_TAG= SOURCE_DATE_EPOCH=0 O=build/ringneck -j`nproc`
cd build/ringneck
cp ./simple-bin.fit.itb ./simple-bin.foo.fit
cp ./simple-bin.fit.itb ./simple-bin.foo2.fit
BUILD_TAG= SOURCE_DATE_EPOCH=0 ./tools/mkimage -E -t -B 200 -F ./simple-bin.foo.fit
BUILD_TAG= SOURCE_DATE_EPOCH=0 ./tools/mkimage -E -t -B 200 -F ./simple-bin.foo2.fit
BUILD_TAG= SOURCE_DATE_EPOCH=0 ./tools/mkimage -E -t -B 200 -F ./simple-bin.foo2.fit
then compare the output of
dtc -I dtb -O dts simple-bin.foo.fit
dtc -I dtb -O dts simple-bin.foo2.fit
data-size and data-offset properties are swapped.
While going through the code, I identified a few theoretical issues
possibly triggered by not checking the return code of fdt_setprop so
those are added. Not tested outside of building.
Link: https://lore.kernel.org/r/20250923-mkimage-2-runs-data-size-v1-0-ef3fa57e9645@cherry.de
When importing data, the data-offset property is removed and the data
content is imported inside the data property of the node.
When mkimage is run twice on the same FIT, data-size property is already
set in the second run, from the first run (via the fit_export_data
function). If we don't remove the data-size property, nothing guarantees
it matches the actual size of data within the data property. To avoid
possible mistakes when handling the data property, let's simply remove
the data-size property as well.
This also fixes an ordering issue of the data-size and data-offset
properties in FIT when comparing the FIT after one run of mkimage and a
second run. This is due to fit_export_data setting data-offset property
first (it doesn't exist so it's added) and then data-size (it doesn't
exist so it's added) for the first run, while it sets data-offset
property first (removed in fit_import_data, so it doesn't exist so it's
added) and then data-size (it exists already from the first run, so it's
simply modified) for the second run.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
