Coverity gets a bit confused by loading fdt_size_dt_strings() and
using it in a memmove(). In fact this is safe because the callers
have verified this information (via FDT_RW_PROBE() in fdt_pack() or
construction in fdt_open_into()).
Passing in strings_size like we already do struct_size seems to get
Coverity to follow what's going on here.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Only checking the FDT alignment in fdt_ro_probe_() means that
fdt_check_header() can pass, but then subsequent API calls fail on
alignment checks. Let's add an alignment check to fdt_check_header() so
alignment errors are found up front.
Cc: Tom Rini <trini@konsulko.com>
Cc: Frank Rowand <frowand.list@gmail.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20210406190712.2118098-1-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The root node is supposed to have an empty name, but at present this is
not checked. The behaviour of such a tree is not well defined. Most
software rightly assumes that the root node is at offset 0 and does not
check the name. This oddity was discovered as part of a security
investigation into U-Boot verified boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323010410.3222701-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present it is possible to have two root nodes and even access nodes
in the 'second' root. Such trees should not be considered valid. This
was discovered as part of a security investigation into U-Boot verified
boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323000926.3210733-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Apparently the unchecked return value of the first fdt_next_tag() call in
fdt_add_subnode_namelen() is tripping Coverity Scan in some circumstances,
although it appears not to for the scan on our project itself.
This fdt_next_tag() should always return FDT_BEGIN_NODE, since otherwise
the fdt_subnode_offset_namelen() above would have returned BADOFFSET or
BADSTRUCTURE.
Still, add a check to shut Coverity up, gated by a can_assume() to avoid
bloat in small builds.
Reported-by: Ryan Long <ryan.long@oarcorp.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Changes in v3:
- Remove noop version sets
- Set version correctly on loaded fdt in fdt_open_into
Fixes: f1879e1a50 ("Add limited read-only support for older (V2 and V3) device tree to libfdt.")
Signed-off-by: Justin Covell <jujugoboom@gmail.com>
Message-Id: <20201229041749.2187-1-jujugoboom@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There's a small inaccuracy in the comment describing these new helpers.
This corrects it, and reformats while we're there.
Fixes: f98f28ab ("libfdt: Internally perform potentially unaligned loads")
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Commits 6dcb8ba4 "libfdt: Add helpers for accessing unaligned words"
introduced changes to support unaligned reads for ARM platforms and
11738cf01f "libfdt: Don't use memcpy to handle unaligned reads on ARM"
improved the performance of these helpers.
On further discussion, while there are potential cases where we could be
used on platforms that do not fixup unaligned reads for us, making this
choice the default is very expensive in terms of binary size and access
time. To address this, introduce and use new fdt{32,64}_ld_ functions
that call fdt{32,64}_to_cpu() as was done prior to the above mentioned
commits. Leave the existing load functions as unaligned-safe and
include comments in both cases.
Reviewed-by: Rob Herring <robh@kernel.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Message-Id: <20201211022736.31657-1-trini@konsulko.com>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The device tree must be loaded in to memory at an 8-byte aligned
address. Add a check for this condition in fdt_ro_probe_() and a new
error code to return if we are not.
Signed-off-by: Tom Rini <trini@konsulko.com>
Message-Id: <20201104130605.28874-1-trini@konsulko.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The meson build system allows projects to "vendor" dtc easily, thanks to
subproject(). QEMU has recently switched to meson, and adding meson
support to dtc will help to handle the QEMU submodule.
meson rules are arguably simpler to write and maintain than
the hand-crafted/custom Makefile. meson support various backends, and
default build options (including coverage, sanitizer, debug/release
etc, see: https://mesonbuild.com/Builtin-options.html)
Compare to the Makefiles, the same build targets should be built and
installed and the same tests should be run ("meson test" can be provided
extra test arguments for running the equivalent of checkm/checkv).
There is no support EXTRAVERSION/LOCAL_VERSION/CONFIG_LOCALVERSION,
instead the version is simply set with project(), and vcs_tag() is
used for git/dirty version reporting (This is most common and is
hopefully enough. If necessary, configure-time options could be added
for extra versioning.).
libfdt shared library is build following regular naming conventions:
instead of libfdt.so.1 -> libfdt-1.6.0.so (with current build-sys),
libfdt.so.1 -> libfdt.so.1.6.0. I am not sure why the current build
system use an uncommon naming pattern. I also included a libfdt.pc
pkg-config file, as convenience.
Both Linux native build and mingw cross-build pass. CI pass. Tests are
only run on native build.
The current Makefiles are left in-tree, and make/check still work.
Eventually, the Makefiles could be marked as deprecated, to start a
transition period and avoid having to maintain 2 build systems in the
near future.
(run_tests.sh could eventually be replaced by the meson test runner,
which would have several advantages in term of flexibility/features,
but this is left for another day)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20201012073405.1682782-3-marcandre.lureau@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The API documentation in libfdt.h seems to follow the Linux kernel's
kernel-doc format[1].
Running "scripts/kernel-doc -v -none" on the file reports some problems,
mostly missing return values and missing parameter descriptions.
Fix those up by providing the missing bits, and fixing the other small
issues reported by the script.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/doc-guide/kernel-doc.rst
Message-Id: <20201012165331.25016-1-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_strerror().
Force FDT_ERRTABSIZE to be signed (it's surely small enough to fit), so
that the types match. Also move the minus sign to errval, as this is
actually what we use in the next line.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-7-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in fdt_get_string().
Introduce a new usigned variable, which holds the actual (negated)
stroffset value, so we avoid negating all the other variables and have
proper types everywhere.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-6-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_setprop_inplace_namelen_partial().
fdt_getprop_namelen() will only return negative error values in "proplen"
if the return value is NULL. So we can rely on "proplen" being positive
in our case and can safely cast it to an unsigned type.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-5-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_create_with_flags().
By making hdrsize a signed integer (we are sure it's a very small
number), we avoid all the casts and have matching types.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-4-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in comparisons in fdt_move().
This stems from "bufsize" being passed in as a signed integer, even
though we would expect a buffer size to be positive.
Short of changing the prototype, check that bufsize is not negative, and
cast it to an unsigned type in the comparison.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-3-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_add_string_().
Make all variables unsigned, and express the negative offset trick via
subtractions in the code.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20201001164630.4980-2-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_node_offset_by_phandle().
Uses a better suited bitwise NOT operator to denote the special value of
-1, which automatically results in an unsigned type.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-14-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
a comparison in overlay_update_local_node_references().
This happens because the division of a signed int by an unsigned int
promotes the dividend to unsigned first (ANSI C standard 6.1.3.8).
As in this case we basically just divide by 4, we can do the division
separately earlier, which preserves the original type.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-12-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_resize().
A negative buffer size will surely do us no good, so let's rule this
case out first.
In the actual comparison we then know that a cast to an unsigned type is
safe.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-10-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_splice_().
Since we just established that oldlen is not negative, we can safely
cast it to an unsigned type.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-8-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in fdt_get_string().
In the first two cases, we have just established that the signed values
are not negative, so it's safe to cast the values to an unsigned type.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-7-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in a comparison in fdt_grab_space_().
All the involved values cannot be negative, so let's switch the types of
the local variables to unsigned to make the compiler happy.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-4-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about a mismatching signedness
in comparisons in fdt_mem_rsv().
Since all involved values must be positive, change the used types to be
unsigned.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-3-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With -Wsign-compare, compilers warn about mismatching signedness in
comparisons in fdt_offset_ptr().
This mostly stems from "offset" being passed in as a signed integer,
even though the function would not really tolerate negative values.
Short of changing the prototype, check that offset is not negative, and
use an unsigned type internally.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200921165303.9115-2-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
fdt_check_node_offset_() checks for a valid offset but also changes the
offset by calling fdt_next_tag(). Hence, do not skip this function if
ASSUME_VALID_INPUT is set but only omit the initial offset check in that
case.
As this function works very similar to fdt_check_prop_offset_(), do the
offset check there as well depending on ASSUME_VALID_INPUT.
Message-Id: <1913141.TlUzK5foHS@noys4>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.
fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.
Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-Id: <20200709041451.338548-1-patrick.oppenlander@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-Id: <20200616011217.15253-1-patrick.oppenlander@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-Id: <20200618042117.131731-1-patrick.oppenlander@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This condition uses bitwise OR but should be logical OR. Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: kernel test robot <lkp@intel.com>
Message-Id: <20200615160033.87328-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
libfdt: fix undefined behaviour in fdt_splice_()
Along the lines of commit d0b3ab0a0f ("libfdt: Fix undefined behaviour
in fdt_offset_ptr()"), fdt_splice_() similarly may not use pointer
arithmetic to do overflow checks. (The left side of the checks added by
d4c7c25c9e ["libfdt: check for potential overrun in _fdt_splice()"]
doesn't really lend itself to similar replacement though.)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Message-Id: <f2d09e81-7cb8-c5cc-9699-1ac05b0626ff@suse.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This error indicates a logic bug in the code calling libfdt, so VALID_DTB
is not really the right check. Update it to use VALID_INPUT instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-4-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If libfdt returns -FDT_ERR_INTERNAL that generally indicates a bug in the
library. Add a new assumption for these cases since it should be save to
disable these checks regardless of the input.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-3-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a little more detail in a few of these comments.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Fix 'saftey' and 'additional' typos noticed in the assumption series.
Reword the ASSUME_NO_ROLLBACK slightly to improve clarity.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200302190255.51426-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function is used to perform a full check of the device tree. Allow
it to be excluded if all assumptions are enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200220214557.176528-9-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a way to remove this check and the reordering code, which is
unnecessary if the dtb is known to be correctly ordered.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200220214557.176528-8-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow enabling FDT_ASSUME_LATEST to disable version checks.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200220214557.176528-7-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow enabling FDT_ASSUME_NO_ROLLBACK to disable rolling back after a
failed operation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20200220214557.176528-6-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow enabling ASSUME_VALID_INPUT to disable sanity checks on the device
tree and the parameters to libfdt. This assumption covers that cases where
the problem could be with either.
Signed-off-by: Simon Glass <sjg@chromium.org>
Message-Id: <20200220214557.176528-5-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Support ASSUME_VALID_DTB to disable some sanity checks
If we assume that the DTB itself is valid then we can skip some checks and
save code space. Add various conditions to handle this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Message-Id: <20200220214557.176528-4-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a new ASSUME_MASK option, which allows for some control over the
checks used in libfdt. With all assumptions enabled, libfdt assumes that
the input data and parameters are all correct and that internal errors
cannot happen.
By default no assumptions are made and all checks are enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
Message-Id: <20200220214557.176528-3-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There does not seem to be a strong reason to inline this function. Also
we are about to add some extra code to it which will increase its size.
Move it into fdt.c and use a simple declaration in libfdt.h
Signed-off-by: Simon Glass <sjg@chromium.org>
Message-Id: <20200220214557.176528-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The overlay path ends with trailing zero. When adding this path
as property value, this character should be removed. This is the case
when the overlay adds a node with an alias.
Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
Message-Id: <20191111080444.9819-2-stefan@olimex.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function returns an int32_t, however the prototype in
libfdt_internal.h shows it returning an int. We haven't caught this before
because they're the same type on nearly all platforms this gets built on.
Apparently it's not the case on FreeRTOS, so someone hit this mismatch
building for that platform.
Reported-by: dharani kumar <dharanikumarsrvn@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Including libfdt.h in a C++ project fails during compilation with recent
version of GCC or Clang.
This simple example:
extern "C" {
#include <libfdt.h>
}
int main(void) { return 0; }
leads to the following errors with GCC 9.1.0:
/usr/include/libfdt.h: In function ‘void fdt32_st(void*, uint32_t)’:
/usr/include/libfdt.h:139:16: error: invalid conversion from ‘void*’ to ‘uint8_t*’ {aka ‘unsigned char*’} [-fpermissive]
139 | uint8_t *bp = property;
| ^~~~~~~~
| |
| void*
/usr/include/libfdt.h: In function ‘void fdt64_st(void*, uint64_t)’:
/usr/include/libfdt.h:163:16: error: invalid conversion from ‘void*’ to ‘uint8_t*’ {aka ‘unsigned char*’} [-fpermissive]
163 | uint8_t *bp = property;
| ^~~~~~~~
| |
| void*
This commit adds an explicit cast to uint8_t* to fix this issue.
Signed-off-by: Luc Michel <luc.michel@greensocs.com>
Message-Id: <20190910104824.1321594-1-luc.michel@greensocs.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
c12b2b0c20 "libfdt: fdt_address_cells() and fdt_size_cells()" introduced
a bug as it consolidated code between the helpers for getting
#address-cells and #size-cells. Specifically #size-cells is allowed to
be 0, and is frequently found so in practice for /cpus. IEEE1275 only
requires implementations to handle 1..4 for #address-cells, although one
could make a case for #address-cells == #size-cells == 0 being used to
represent a bridge with a single port.
While we're there, it's not totally obvious that the existing implicit
cast of a u32 to int will give the correct results according to strict C,
although it does work in practice. Straighten that up to cast only after
we've made our range checks.
Reported-by: yonghuhaige via https://github.com/dgibson/dtc/issues/28
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In libfdt we often sanity test fdt_totalsize(fdt) fairly early, then
trust it (but *only* that header field) for the remainder of our work.
However, Coverity gets confused by this - it sees the byteswap in
fdt32_ld() and assumes that means it is coming from an untrusted source
everytime, resulting in many tainted data warnings.
Most of these end up with logic in fdt_get_string() as the unsafe
destination for this tainted data, so let's tweak the logic there to make
it clearer to Coverity that this is ok.
We add a sanity test on fdt_totalsize() to fdt_probe_ro_(). Because the
interface allows bare ints to be used for offsets, we already have the
assumption that totalsize must be 31-bits or less (2GiB would be a
ludicrously large fdt). This makes this more explicit.
We also make fdt_probe_ro() return the size for convenience, and change the
logic in fdt_get_string() to keep it in a local so that Coverity can see
that it has already been bounds-checked.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Symbols from overlays are merged into the target tree, and are required to
have the form:
/fragment@XXX/__overlay__/...
If any symbols don't have this form, the overlay is rejected.
But there's not really anything wrong with an overlay having "local"
labels referring to a fragment node or some other metadata, that's not
expected to end up in a target tree.
So change our overlay application to simply ignore such symbols rather than
fail.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
When applying overlays, we merge symbols from the overlay into the target
tree. At the moment the logic for this assumes all symbols in the overlay
are attached to a node of the form:
/fragment@XXX/__overlay__/relative/path
And will end up applied to the relative/path node under the fragment's
target.
However, this disallows the case of a symbol in the form just:
/fragment@XXX/__overlay__
This does have a pretty obvious sensible meaning: attach the new symbol
directly to the fragment's target, but we don't currently do that.
It's pretty easy to workaround this limitation in one's overlays, but it's
also easy to handle in the overlay applying code, so we might as well
extend it to cover this case.
Reported-by: Christophe Braillon
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
A couple of libfdt files are missing licenses. Add (GPL-2.0-or-later OR
BSD-2-Clause) SPDX tag to them.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20190620211944.9378-6-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Replace instances of dual GPLv2 or BSD license boilerplate with SPDX tags.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20190620211944.9378-3-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The typos have been discovered with the "codespell" utility.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190520081209.20415-1-thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Searching for duplicate names scales O(n^2) with the number of names
added to a fdt, which can cause a noticable slowdown with larger device
trees and very slow CPU cores.
Add FDT_CREATE_FLAG_NO_NAME_DEDUP that allow the caller to trade fdt size
for speed in the creation process.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190509094122.834-4-npiggin@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There is a need to be able to specify some options when building an FDT
with the SW interface. This can be accomplished with minimal changes by
storing intermediate data in the fdt header itself, in fields that are
not otherwise needed during the creation process and can be set by
fdt_finish().
The fdt.magic field is already used exactly this way, as a state to
check with callers that the FDT has been created but not yet finished.
fdt.version and fdt.last_comp_version are used to make room for more
intermediate state. These are adjacent and unused during the building
process. last_comp_version is not yet used for intermediate state, but
it is zeroed and treated as used, so as to allow future growth easily.
A new interface, fdt_create_with_flags() is added, which takes 32-bit
flag value to control creation.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190509094122.834-3-npiggin@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If fdt_add_property or fdt_property_placeholder fail after allocating
a string for the name, they return without freeing that string. This
does not change the structure of the tree, but in very specific cases
it could lead to undesirable space consumption.
Fix this by rolling back the string allocation in this situation.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190509094122.834-2-npiggin@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the libfdt based tools (fdtput, fdtget, etc.) and all the
test binaries using libfdt are linked against the static version of libfdt.
That's made it very easy in the past to forget to properly update the
version.lds file which is needed to make functions publicaly accessible
from the shared library.
To avoid problems like that in future, alter the build so that we link and
run the tests against the shared library version of libfdt.
That immediately points out several important symbols that are still
missing from the version.lds, so fix those as well.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
It's now a trivial wrapper around fdt_find_max_phandle() so we might as
well inline it. We also remove it from the versioning linker script.
Theoretically, that's a breaking ABI change except that we haven't yet
released a version with it exposed in the shared object, so we can get
away with it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The new fdt_generate_phandle() function can be used to generate a new,
unused phandle given a specific device tree blob. The implementation is
somewhat naive in that it simply walks the entire device tree to find
the highest phandle value and then returns a phandle value one higher
than that. A more clever implementation might try to find holes in the
current set of phandle values and fill them. But this implementation is
relatively simple and works reliably.
Also add a test that validates that phandles generated by this new API
are indeed unique.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Message-Id: <20190326153302.17109-3-thierry.reding@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use the fdt_find_max_phandle() function instead of the deprecated
fdt_get_max_phandle() function.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Message-Id: <20190326153302.17109-2-thierry.reding@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The fdt_get_max_phandle() function has some shortcomings. On one hand
it returns just a uint32_t which means to check for the "negative"
error code a caller has to explicitly check against the error code
(uint32_t)-1. In addition, the -1 is the only error code that can be
returned, so a caller cannot tell the difference between the various
failures.
Fix this by adding a new fdt_find_max_phandle() function that returns an
error code on failure and 0 on success, just like other APIs, and stores
the maximum phandle value in an output argument on success.
This also refactors fdt_get_max_phandle() to use the new function. Add a
note pointing out that the new fdt_find_max_phandle() function should be
preferred over fdt_get_max_phandle().
Signed-off-by: Thierry Reding <treding@nvidia.com>
Message-Id: <20190326153302.17109-1-thierry.reding@gmail.com>
[dwg: Reword for some inaccuracies in the commit message]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function will append an address range property using parent node's
"#address-cells" and "#size-cells" properties.
It will be used in implementing kdump with kexec_file_load system call
at linux kernel for arm64 once it is merged into kernel tree.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Message-Id: <20190327061552.17170-2-takahiro.akashi@linaro.org>
[dwg: Correct a SEGV error in the testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Yet again, we've added several functions to libfdt that were supposed
to be exported, but forgotten to add them to the versio.lds script.
This adds them.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The new fdt_generate_phandle() function can be used to generate a new,
unused phandle given a specific device tree blob. The implementation is
somewhat naive in that it simply walks the entire device tree to find
the highest phandle value and then returns a phandle value one higher
than that. A more clever implementation might try to find holes in the
current set of phandle values and fill them. But this implementation is
relatively simple and works reliably.
Also add a test that validates that phandles generated by this new API
are indeed unique.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Message-Id: <20190320151003.28941-1-thierry.reding@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The actual error is FDT_ERR_NOTFOUND, not FDT_ERR_NOT_FOUND.
Fixes: d29126c90a ("libfdt: Add iterator over properties")
Fixes: 902d0f0953 ("libfdt: Add a subnodes iterator macro")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The second parameter of fdt_getprop_by_offset() is called "offset", not
"ffset".
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The dtc makefiles have support for building into a separate directory from
the sources... except that it's broken and probably always has been.
Remove the pretense.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Move it to the libfdt Makefile piece, use neater make syntax, and remove
redundant command (already included in STD_CLEANFILES).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
6dcb8ba4 "libfdt: Add helpers for accessing unaligned words" introduced
the fdt32_ld() and fdt64_ld() helpers for loading values from the FDT blob
which might not be naturally aligned. This matters for ARM, where
attempting a plain unaligned load will often cause an exception.
However, it seems the memcpy() we used here was surprisingly expensive,
making libfdt nearly 6x slower on at least some ARM platforms.
This patch takes an alternative approach, using a bunch of 1-byte loads
and shifts to implement the helpers.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
According to the device tree specification, the default value for
#size-cells is 1, but fdt_size_cells() was returning 2 if this property
was not present.
This patch also makes fdt_address_cells() and fdt_size_cells() conform
to the behaviour documented in libfdt.h. The defaults are only returned
if fdt_getprop() returns -FDT_ERR_NOTFOUND, otherwise the actual error
is returned.
Signed-off-by: John Clarke <johnc@kirriwa.net>
Add internal fdt_cells() to avoid copy and paste. Test error cases and
default values. Fix typo in fdt_size_cells() documentation comment.
Signed-off-by: Sebastian Huber <sebastian.huber@embedded-brains.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present fdt_create() will succeed if there is exactly enough space to
put in the fdt header. However, it sets the off_mem_rsvmap field, a few
bytes past that in order to align the memory reservation block.
Having block pointers pointing past the end of the fdt is pretty ugly, even
if it is just a transient state. Worse, if fdt_resize() is called at
exactly the wrong time, it can end up accessing data past the blob's
allocated space because of this.
So, correct fdt_create() to ensure that there is sufficient space for the
alignment padding as well as the plain header. For paranoia, also add a
check in fdt_resize() to make sure we don't copy data from outside the
blob's bounds.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present this function appears to copy only the data before the struct
region and the data in the string region. It does not seem to copy the
struct region itself.
From the arguments of this function it seems that it should support fdt
and buf being different. This patch attempts to fix this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This adds some helpers to load (32 or 64 bit) words from an fdt blob, even
if they're unaligned and we're on a platform that doesn't like plain
unaligned loads and stores. We then use the helpers in a number of places.
There are two purposes for this:
1) This makes libfdt more robust against a blob loaded at an unaligned
address. It's usually good practice to load a blob at a 64-bit
alignment, but it's nice to work even then.
2) Users can use these helpers to load integer values from within property
values. These can often be unaligned, even if the blob as a whole is
aligned, since some property encodings have integers and strings mixed
together without any alignment gaps.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow updating and creating properties, including special methods for
integers.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This new function implements a complete and thorough check of an fdt blob's
structure. Given a buffer containing an fdt, it should return 0 only if
the fdt within is structurally sound in all regards. It doesn't check
anything about the blob's contents (i.e. the actual values of the nodes and
properties), of course.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
We have a couple of places within libfdt and its tests where we need to
find the size of the header, based on the version. Add a helper function
for it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.
This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_getprop_by_offset() doesn't check for errors from fdt_string() - after
all, until very recently it couldn't fail. Now it can, so we need to
propagate errors up to the caller.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_string() is used to retrieve strings from a DT blob's strings section.
It's rarely used directly, but is widely used internally.
However, it doesn't do any bounds checking, which means in the case of a
corrupted blob it could access bad memory, which libfdt is supposed to
avoid.
This write a safe alternative to fdt_string, fdt_get_string(). It checks
both that the given offset is within the string section and that the string
it points to is properly \0 terminated within the section. It also returns
the string's length as a convenience (since it needs to determine to do the
checks anyway).
fdt_string() is rewritten in terms of fdt_get_string() for compatibility.
Most of the diff here is actually testing infrastructure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Currently fdt_check_header() performs only some rudimentary checks, which
is not really what the name suggests. This strengthens fdt_check_header()
to check as much about the blob as is possible from the header alone: as
well as checking the magic number and version, it checks that the total
size is sane, and that all the sub-blocks within the blob lie within the
total size.
* This broadens the meaning of FDT_ERR_TRUNCATED to cover all sorts of
improperly terminated blocks as well as just a structure block without
FDT_END.
* This makes fdt_check_header() only succeed on "complete" blobs, not
in-progress sequential write blobs. The only reason this didn't fail
before was that this function used to be called by many RO functions
which are supposed to also work on incomplete SW blobs.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
When creating a tree with the sequential write functions, certain things
have to be done in a certain order. You must create the memory reserve map
and only then can you create the actual tree structure.
The -FDT_ERR_BADSTATE return code is for if you try to do things out of
order. However, we weren't checking that very thoroughly, so it was
possible to generate a corrupted blob if, for example, you started calling
fdt_begin_node() etc. before calling fdt_finish_reservemap().
This makes the state checking more thorough disallow that.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
Many of the libfdt entry points call some sort of sanity check function
before doing anything else. These need to do slightly different things for
the various classes of functions.
The read-only version is shared with the exported fdt_check_header(), which
limits us a bit in how we can improve it. For that reason split the two
functions apart (though the exported one just calls the ro one for now).
We also rename the functions for more consistency - they're all named
fdt_XX_probe_() where the XX indicates which class of functions they're
for. "probe" is a better "term" than the previous check, since they really
only do minimal validation.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
This can be useful in particular in the kernel when booting on systems
with FDT-emitting firmware that is out of date. Releases of kexec-tools
on ppc64 prior to the end of 2014 are notable examples of such.
Signed-off-by: Nathan Whitehorn <nwhitehorn@freebsd.org>
[dwg: Some whitespace cleanups]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The overlay support has been introduced, but the copyright and license
header was missing. Make sure that this is no longer the case.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Prior the Mac OS 10.7, the function strnlen() was not available. This patch
implements strnlen() on Mac OS X versions that are below 10.7.
Signed-off-by: John Arbuckle <programmingkidx@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In a lot of places libfdt uses a leading _ character to mark an identifier
as "internal" (not part of the published libfdt API). This is a bad idea,
because identifiers with a leading _ are generally reserved by the C
library or system. It's particularly dangerous for libfdt, because it's
designed to be able to be integrated into lots of different environments.
In some cases the leading _ has no purpose, so we simply drop it. In most
cases we move it to the end, as our new convention for marking internal
identifiers.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
A comment in tests/stringlist.c refers to fdt_get_string(), which is not a
function that exists. From the content, it's supposed to be referring to
fdt_getprop_string().
A comment in libfdt.h has an extraneous space in a function name.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The fdt_stringlist_count, fdt_stringslist_search, and fdt_stringlist_get
are added to the libfdt linker script as global symbols
Signed-off-by: Reiner Huober <reiner.huober@nokia.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In some cases you need to add a property but the contents of it
are not known at creation time, merely the extend of it.
This method allows you to create a property of a given size (filled
with garbage) while a pointer to the property data will be provided.
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
[dwg: Corrected commit message]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
These were noticed when synching with U-Boot's downstream tree.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The existing function to add a new property to a tree being built requires
that the entire contents of the new property be passed in. For some
applications it is more convenient to be able to add the property contents
later, perhaps by reading from a file. This avoids double-buffering of the
contents.
Add a new function to support this and adjust the existing fdt_property() to
use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There are a few places where libfdt.h cannot be used as is with swig:
- macros like fdt_totalsize() have to be defined as C declarations
- fdt_offset_ptr() and fdt_getprop_namelen() need special treatment due to
a TODO in the wrapper for fdt_getprop(). However they are not useful to
Python so can be removed
Add #ifdefs to work around these problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
overlay_update_local_node_references() saves the result of
fdt_subnode_offset() into variable tree_child but checks for variable
ret afterwards. As this does not make sense, check tree_child instead of
ret.
This bug has been found by compiling with clang. The compiler reported
the following warning:
libfdt/fdt_overlay.c:275:7: error: variable 'ret' may be
uninitialized when used here
[-Werror,-Wconditional-uninitialized]
if (ret == -FDT_ERR_NOTFOUND)
^~~
libfdt/fdt_overlay.c:210:9: note: initialize the variable 'ret' to
silence this
warning
int ret;
^
= 0
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The default libfdt_env.h (for POSIXish userland builds) supports sparse
checking. It has a couple of helper macros, __force and __bitwise which
expand the relevant sparse attributes to enable checking for incorrect
or missing endian conversions.
Those are bad names: for one, leading underscores are supposed to be
reserved for the system libraries, and worse, some systems (including
RHEL7) do define those names already.
So change them to FDT_FORCE and FDT_BITWISE which are far less likely to
have collisions.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This fixes a great many sparse warnings on the fdt and libfdt sources.
These are mostly due to incorrect mixing of endian annotated and native
integer types.
This includes fixing a couple of quasi-bugs where we had endian conversions
the wrong way around (this will have the right effect in practice, but is
certainly conceptually incorrect).
This doesn't make the whole tree sparse clean: there are many warnings in
bison and lex generated code, and there are a handful of other remaining
warnings that are (for now) more trouble than they're worth to fix (and
are not genuine bugs).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Device trees can contain empty (zero length) properties, which are often
used as boolean flags. These can already be created using fdt_setprop()
passing a length of zero and a pointer which is ignored. It is safe to
pass NULL, but that may not be obvious from the interface. To make it
clearer, add an fdt_setprop_empty() helper macro.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The standard way of setting an empty property using libfdt is:
fdt_setprop(fdt, nodeoffset, propname, NULL, 0);
However, the implementation of this includes an unconditional:
memcpy(prop->data, NULL, 0);
Which although it will be a no-op (which is what we want) on many platforms
is technically undefined behaviour. Correct this, so that when passing
a 0 length, passing a NULL pointer as the value to fdt_setprop() is
definitely safe. This should quiet static checkers which complain about
this.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
David Gibson