			
		
		
		
The ymodem_read_fit() driver ends up copying up to the BUF_SIZE boundary even
when the requested size of the copy operation is less than that.
For example, if offset = 0 and size = 1440B, ymodem_read_fit() ends up
copying 2KB from offset = 0 to the destination buffer addr.
This causes data corruption when a malloc'd buffer is passed during UART
boot, since commit 03f1f78a9b44 ("spl: fit: Prefer a malloc()'d buffer
for loading images").
With this, UART boot works again on K3 (AM654, J7, AM64) family of
devices.
Fixes: 03f1f78a9b44 ("spl: fit: Prefer a malloc()'d buffer for loading images")
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
		
	
			
		
			
				
	
	
		
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0+
 | |
| /*
 | |
|  * (C) Copyright 2000-2004
 | |
|  * Wolfgang Denk, DENX Software Engineering, wd@denx.de.
 | |
|  *
 | |
|  * (C) Copyright 2011
 | |
|  * Texas Instruments, <www.ti.com>
 | |
|  *
 | |
|  * Matt Porter <mporter@ti.com>
 | |
|  */
 | |
| #include <common.h>
 | |
| #include <gzip.h>
 | |
| #include <image.h>
 | |
| #include <log.h>
 | |
| #include <spl.h>
 | |
| #include <xyzModem.h>
 | |
| #include <asm/u-boot.h>
 | |
| #include <linux/libfdt.h>
 | |
| 
 | |
/*
 * Size in bytes of the receive buffer and of every xyzModem_stream_read()
 * request in this file. ymodem_read_fit() also uses it as the block
 * boundary when locating already-received data inside that buffer.
 */
#define BUF_SIZE 1024
 | |
| 
 | |
/*
 * Information required to load image using ymodem.
 *
 * @image_read: Number of bytes read from the image.
 * @buf: pointer to the previous read block.
 */
struct ymodem_fit_info {
	/* Signed, yet ymodem_read_fit() compares it against ulong offsets. */
	int image_read;
	/* Holds only the most recent block; earlier stream data is gone. */
	char *buf;
};
 | |
| 
 | |
/*
 * Non-blocking console read handed to xyzModem_stream_terminate():
 * yields the pending character when tstc() reports one, otherwise -1.
 */
static int getcymodem(void)
{
	return tstc() ? getchar() : -1;
}
 | |
| 
 | |
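/*
 * ymodem_read_fit() - spl_load_info read callback backed by the ymodem stream
 *
 * The stream only moves forward and only the most recently received block
 * (info->buf, at most BUF_SIZE bytes) is retained. A request is served from
 * the tail of that block when it starts inside it, then from freshly
 * received blocks until @size bytes have been copied.
 *
 * @offset and @size are chosen by the caller of load->read
 * (spl_load_simple_fit() in this file's use) - presumably from fields of the
 * image being received, so they are treated as untrusted here.
 *
 * @load: loader context; load->priv points at a struct ymodem_fit_info
 * @offset: offset of the requested data from the start of the image
 * @size: number of bytes requested
 * @addr: destination, must have room for @size bytes
 *
 * Return: number of bytes copied to @addr. This equals @size on success and
 * is smaller when the stream ended early or when @offset lies before the
 * data still held in the one-block buffer.
 */
static ulong ymodem_read_fit(struct spl_load_info *load, ulong offset,
			     ulong size, void *addr)
{
	struct ymodem_fit_info *info = load->priv;
	char *buf = info->buf;
	char *dst = addr;
	ulong remaining = size;
	ulong chunk;
	int res, err;

	/* Skip forward: discard blocks until the stream reaches @offset. */
	while (info->image_read < offset) {
		res = xyzModem_stream_read(buf, BUF_SIZE, &err);
		if (res <= 0)
			goto done;	/* stream ended before @offset */

		info->image_read += res;
	}

	if (info->image_read > offset) {
		/* Bytes between @offset and the current stream position. */
		ulong buffered = info->image_read - offset;
		/* Number of valid bytes in buf, i.e. where the last block ends. */
		ulong buf_end = info->image_read % BUF_SIZE;

		if (!buf_end)
			buf_end = BUF_SIZE;

		/*
		 * The request starts before the block that is still buffered.
		 * Serving it would index in front of buf, so report a short
		 * read instead of copying unrelated memory.
		 */
		if (buffered > buf_end)
			goto done;

		chunk = buffered < remaining ? buffered : remaining;
		memcpy(dst, &buf[buf_end - buffered], chunk);
		dst += chunk;
		remaining -= chunk;
	}

	/*
	 * Looping on the remaining count rather than on offset + size keeps
	 * the loop condition free of ulong wrap-around.
	 */
	while (remaining) {
		res = xyzModem_stream_read(buf, BUF_SIZE, &err);
		if (res <= 0)
			break;	/* short read: reported through the return value */

		info->image_read += res;
		/* Never copy past the caller's buffer, even for a full block. */
		chunk = (ulong)res < remaining ? (ulong)res : remaining;
		memcpy(dst, buf, chunk);
		dst += chunk;
		remaining -= chunk;
	}

done:
	return size - remaining;
}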
 | |
| 
 | |
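/*
 * spl_ymodem_load_image() - receive an image over the ymodem stream
 *
 * Opens the stream, reads the first block into a stack buffer and picks a
 * path from its magic number and the enabled options:
 *  - CONFIG_SPL_LOAD_FIT_FULL and FDT magic: the whole stream is copied to
 *    CONFIG_SYS_LOAD_ADDR and then parsed;
 *  - CONFIG_SPL_LOAD_FIT and FDT magic: spl_load_simple_fit() pulls data on
 *    demand through ymodem_read_fit(), then the rest of the stream is drained;
 *  - otherwise the header is parsed from the first block and the stream is
 *    copied to the load address (CONFIG_SYS_LOAD_ADDR for gzip images, which
 *    are decompressed after the transfer when CONFIG_SPL_GZIP is set).
 *
 * NOTE(review): the copy loops write every received block to the load
 * address; no upper bound on the total is visible in this function, so the
 * amount written is whatever the sender transmits.
 *
 * @spl_image: image information filled in by the header/FIT parsers
 * @bootdev: boot device description, passed on to spl_parse_image_header()
 *
 * Return: 0 on success, the stream-open or parser error otherwise, -EIO when
 * the first block cannot be read or decompression fails.
 */
int spl_ymodem_load_image(struct spl_image_info *spl_image,
			  struct spl_boot_device *bootdev)
{
	ulong size = 0;
	int err;
	int res;
	int ret;
	int is_fdt = 0;
	connection_info_t info;
	char buf[BUF_SIZE];
	struct image_header *ih = NULL;
	ulong addr = 0;

	info.mode = xyzModem_ymodem;
	ret = xyzModem_stream_open(&info, &err);
	if (ret) {
		printf("spl: ymodem err - %s\n", xyzModem_error(err));
		return ret;
	}

	res = xyzModem_stream_read(buf, BUF_SIZE, &err);
	if (res <= 0) {
		/*
		 * ret is still 0 from the successful open; without this an
		 * empty or failed transfer would be reported as a loaded image.
		 */
		ret = -EIO;
		goto end_stream;
	}

	/*
	 * buf is overwritten by every later block, so the magic has to be
	 * sampled from the first block now rather than re-read afterwards.
	 */
	is_fdt = image_get_magic((struct image_header *)buf) == FDT_MAGIC;

	if (IS_ENABLED(CONFIG_SPL_LOAD_FIT_FULL) && is_fdt) {
		addr = CONFIG_SYS_LOAD_ADDR;
		ih = (struct image_header *)addr;

		memcpy((void *)addr, buf, res);
		size += res;
		addr += res;

		while ((res = xyzModem_stream_read(buf, BUF_SIZE, &err)) > 0) {
			memcpy((void *)addr, buf, res);
			size += res;
			addr += res;
		}

		/* On failure fall through so the stream is still closed. */
		ret = spl_parse_image_header(spl_image, bootdev, ih);
	} else if (IS_ENABLED(CONFIG_SPL_LOAD_FIT) && is_fdt) {
		struct spl_load_info load;
		struct ymodem_fit_info fit;

		debug("Found FIT\n");
		load.dev = NULL;
		load.priv = (void *)&fit;
		load.filename = NULL;
		load.bl_len = 1;
		fit.buf = buf;
		/* The first block is already in buf. */
		fit.image_read = BUF_SIZE;
		load.read = ymodem_read_fit;
		ret = spl_load_simple_fit(spl_image, &load, 0, (void *)buf);
		size = fit.image_read;

		/* Drain whatever the FIT loader did not ask for. */
		while ((res = xyzModem_stream_read(buf, BUF_SIZE, &err)) > 0)
			size += res;
	} else {
		ih = (struct image_header *)buf;
		ret = spl_parse_image_header(spl_image, bootdev, ih);
		if (ret)
			goto end_stream;
#ifdef CONFIG_SPL_GZIP
		if (ih->ih_comp == IH_COMP_GZIP)
			addr = CONFIG_SYS_LOAD_ADDR;
		else
#endif
			addr = spl_image->load_addr;
		memcpy((void *)addr, buf, res);
		/* Re-point ih at the copy; buf is about to be reused. */
		ih = (struct image_header *)addr;
		size += res;
		addr += res;

		while ((res = xyzModem_stream_read(buf, BUF_SIZE, &err)) > 0) {
			memcpy((void *)addr, buf, res);
			size += res;
			addr += res;
		}
	}

end_stream:
	xyzModem_stream_close(&err);
	xyzModem_stream_terminate(false, &getcymodem);

	printf("Loaded %lu bytes\n", size);

#ifdef CONFIG_SPL_GZIP
	/*
	 * Decompress only after a successful load with a header to inspect:
	 * ih is NULL on the simple-FIT path and when the first read failed,
	 * and after a failed parse nothing was copied to the load address.
	 */
	if (!ret && ih &&
	    !(IS_ENABLED(CONFIG_SPL_LOAD_FIT) && is_fdt) &&
	    (ih->ih_comp == IH_COMP_GZIP)) {
		if (gunzip((void *)(spl_image->load_addr + sizeof(*ih)),
			   CONFIG_SYS_BOOTM_LEN,
			   (void *)(CONFIG_SYS_LOAD_ADDR + sizeof(*ih)),
			   &size)) {
			puts("Uncompressing error\n");
			return -EIO;
		}
	}
#endif

	return ret;
}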
 | |
/*
 * Register spl_ymodem_load_image() as the loader named "UART" for
 * BOOT_DEVICE_UART. The second argument (0) is presumably the method's
 * priority - confirm against the macro definition in spl.h.
 */
SPL_LOAD_IMAGE_METHOD("UART", 0, BOOT_DEVICE_UART, spl_ymodem_load_image);
 |