Add internal fdt_cells() to avoid copy and paste. Test error cases and
default values. Fix typo in fdt_size_cells() documentation comment.
Signed-off-by: Sebastian Huber <sebastian.huber@embedded-brains.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present fdt_create() will succeed if there is exactly enough space to
put in the fdt header. However, it sets the off_mem_rsvmap field, a few
bytes past that in order to align the memory reservation block.
Having block pointers pointing past the end of the fdt is pretty ugly, even
if it is just a transient state. Worse, if fdt_resize() is called at
exactly the wrong time, it can end up accessing data past the blob's
allocated space because of this.
So, correct fdt_create() to ensure that there is sufficient space for the
alignment padding as well as the plain header. For paranoia, also add a
check in fdt_resize() to make sure we don't copy data from outside the
blob's bounds.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present this function appears to copy only the data before the struct
region and the data in the string region. It does not seem to copy the
struct region itself.
From the arguments of this function it seems that it should support fdt
and buf being different. This patch attempts to fix this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This adds some helpers to load (32 or 64 bit) words from an fdt blob, even
if they're unaligned and we're on a platform that doesn't like plain
unaligned loads and stores. We then use the helpers in a number of places.
There are two purposes for this:
1) This makes libfdt more robust against a blob loaded at an unaligned
address. It's usually good practice to load a blob at a 64-bit
alignment, but it's nice to work even then.
2) Users can use these helpers to load integer values from within property
values. These can often be unaligned, even if the blob as a whole is
aligned, since some property encodings have integers and strings mixed
together without any alignment gaps.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Allow updating and creating properties, including special methods for
integers.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This new function implements a complete and thorough check of an fdt blob's
structure. Given a buffer containing an fdt, it should return 0 only if
the fdt within is structurally sound in all regards. It doesn't check
anything about the blob's contents (i.e. the actual values of the nodes and
properties), of course.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
We have a couple of places within libfdt and its tests where we need to
find the size of the header, based on the version. Add a helper function
for it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.
This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_getprop_by_offset() doesn't check for errors from fdt_string() - after
all, until very recently it couldn't fail. Now it can, so we need to
propagate errors up to the caller.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_string() is used to retrieve strings from a DT blob's strings section.
It's rarely used directly, but is widely used internally.
However, it doesn't do any bounds checking, which means in the case of a
corrupted blob it could access bad memory, which libfdt is supposed to
avoid.
This write a safe alternative to fdt_string, fdt_get_string(). It checks
both that the given offset is within the string section and that the string
it points to is properly \0 terminated within the section. It also returns
the string's length as a convenience (since it needs to determine to do the
checks anyway).
fdt_string() is rewritten in terms of fdt_get_string() for compatibility.
Most of the diff here is actually testing infrastructure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Currently fdt_check_header() performs only some rudimentary checks, which
is not really what the name suggests. This strengthens fdt_check_header()
to check as much about the blob as is possible from the header alone: as
well as checking the magic number and version, it checks that the total
size is sane, and that all the sub-blocks within the blob lie within the
total size.
* This broadens the meaning of FDT_ERR_TRUNCATED to cover all sorts of
improperly terminated blocks as well as just a structure block without
FDT_END.
* This makes fdt_check_header() only succeed on "complete" blobs, not
in-progress sequential write blobs. The only reason this didn't fail
before was that this function used to be called by many RO functions
which are supposed to also work on incomplete SW blobs.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
When creating a tree with the sequential write functions, certain things
have to be done in a certain order. You must create the memory reserve map
and only then can you create the actual tree structure.
The -FDT_ERR_BADSTATE return code is for if you try to do things out of
order. However, we weren't checking that very thoroughly, so it was
possible to generate a corrupted blob if, for example, you started calling
fdt_begin_node() etc. before calling fdt_finish_reservemap().
This makes the state checking more thorough disallow that.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
Many of the libfdt entry points call some sort of sanity check function
before doing anything else. These need to do slightly different things for
the various classes of functions.
The read-only version is shared with the exported fdt_check_header(), which
limits us a bit in how we can improve it. For that reason split the two
functions apart (though the exported one just calls the ro one for now).
We also rename the functions for more consistency - they're all named
fdt_XX_probe_() where the XX indicates which class of functions they're
for. "probe" is a better "term" than the previous check, since they really
only do minimal validation.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
This can be useful in particular in the kernel when booting on systems
with FDT-emitting firmware that is out of date. Releases of kexec-tools
on ppc64 prior to the end of 2014 are notable examples of such.
Signed-off-by: Nathan Whitehorn <nwhitehorn@freebsd.org>
[dwg: Some whitespace cleanups]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The overlay support has been introduced, but the copyright and license
header was missing. Make sure that this is no longer the case.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Prior the Mac OS 10.7, the function strnlen() was not available. This patch
implements strnlen() on Mac OS X versions that are below 10.7.
Signed-off-by: John Arbuckle <programmingkidx@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In a lot of places libfdt uses a leading _ character to mark an identifier
as "internal" (not part of the published libfdt API). This is a bad idea,
because identifiers with a leading _ are generally reserved by the C
library or system. It's particularly dangerous for libfdt, because it's
designed to be able to be integrated into lots of different environments.
In some cases the leading _ has no purpose, so we simply drop it. In most
cases we move it to the end, as our new convention for marking internal
identifiers.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
A comment in tests/stringlist.c refers to fdt_get_string(), which is not a
function that exists. From the content, it's supposed to be referring to
fdt_getprop_string().
A comment in libfdt.h has an extraneous space in a function name.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The fdt_stringlist_count, fdt_stringslist_search, and fdt_stringlist_get
are added to the libfdt linker script as global symbols
Signed-off-by: Reiner Huober <reiner.huober@nokia.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
In some cases you need to add a property but the contents of it
are not known at creation time, merely the extend of it.
This method allows you to create a property of a given size (filled
with garbage) while a pointer to the property data will be provided.
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
[dwg: Corrected commit message]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
These were noticed when synching with U-Boot's downstream tree.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The existing function to add a new property to a tree being built requires
that the entire contents of the new property be passed in. For some
applications it is more convenient to be able to add the property contents
later, perhaps by reading from a file. This avoids double-buffering of the
contents.
Add a new function to support this and adjust the existing fdt_property() to
use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There are a few places where libfdt.h cannot be used as is with swig:
- macros like fdt_totalsize() have to be defined as C declarations
- fdt_offset_ptr() and fdt_getprop_namelen() need special treatment due to
a TODO in the wrapper for fdt_getprop(). However they are not useful to
Python so can be removed
Add #ifdefs to work around these problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
overlay_update_local_node_references() saves the result of
fdt_subnode_offset() into variable tree_child but checks for variable
ret afterwards. As this does not make sense, check tree_child instead of
ret.
This bug has been found by compiling with clang. The compiler reported
the following warning:
libfdt/fdt_overlay.c:275:7: error: variable 'ret' may be
uninitialized when used here
[-Werror,-Wconditional-uninitialized]
if (ret == -FDT_ERR_NOTFOUND)
^~~
libfdt/fdt_overlay.c:210:9: note: initialize the variable 'ret' to
silence this
warning
int ret;
^
= 0
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The default libfdt_env.h (for POSIXish userland builds) supports sparse
checking. It has a couple of helper macros, __force and __bitwise which
expand the relevant sparse attributes to enable checking for incorrect
or missing endian conversions.
Those are bad names: for one, leading underscores are supposed to be
reserved for the system libraries, and worse, some systems (including
RHEL7) do define those names already.
So change them to FDT_FORCE and FDT_BITWISE which are far less likely to
have collisions.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This fixes a great many sparse warnings on the fdt and libfdt sources.
These are mostly due to incorrect mixing of endian annotated and native
integer types.
This includes fixing a couple of quasi-bugs where we had endian conversions
the wrong way around (this will have the right effect in practice, but is
certainly conceptually incorrect).
This doesn't make the whole tree sparse clean: there are many warnings in
bison and lex generated code, and there are a handful of other remaining
warnings that are (for now) more trouble than they're worth to fix (and
are not genuine bugs).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Device trees can contain empty (zero length) properties, which are often
used as boolean flags. These can already be created using fdt_setprop()
passing a length of zero and a pointer which is ignored. It is safe to
pass NULL, but that may not be obvious from the interface. To make it
clearer, add an fdt_setprop_empty() helper macro.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The standard way of setting an empty property using libfdt is:
fdt_setprop(fdt, nodeoffset, propname, NULL, 0);
However, the implementation of this includes an unconditional:
memcpy(prop->data, NULL, 0);
Which although it will be a no-op (which is what we want) on many platforms
is technically undefined behaviour. Correct this, so that when passing
a 0 length, passing a NULL pointer as the value to fdt_setprop() is
definitely safe. This should quiet static checkers which complain about
this.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The fdt_overlay_apply() function purports to support the edge cases where
an overlay has no fixups to be applied, or a base tree which has no
symbols (the latter can only work if the former is also true). However it
gets it wrong in a couple of small ways:
* In the no fixups case, it doesn't fail immediately, but will attempt
fdt_for_each_property_offset() giving -FDT_ERR_NOTFOUND as the node
offset, which will fail. Instead it should succeed immediately, since
there's nothing to do.
* In the case of no symbols, it again doesn't fail immediately. However
if there is an actual fixup it will fail with an unexpected error,
because -FDT_ERR_NOTFOUND is passed to fdt_getprop() when attempting to
look up the symbols. We should instead return -FDT_ERR_NOTFOUND
directly.
Both of these errors lead to the code returning misleading error codes in
failing cases.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Some error values were missing from the table which meant that they could
not be translated by fdt_strerror().
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If fdt_getprop() fails, negative error code should be returned.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If fdt_getprop() fails, negative error code should be returned.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
fdt_overlay_apply was not usable in the shared library. Export it to allow
its use.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
There's one FDT_ERR_BADOVERLAY too many in the fdt error table.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Some base device tree might not have any __symbols__ nodes, since they
might not have any phandle at all.
Similarly, if an overlay doesn't use any base device tree phandles, its
__fixups__ node will be empty.
In such cases, we don't want to stop the phandle parsing, but rather just
ignore the error reported about the missing node.
If it's actually an issue for the overlay we're trying to apply on a given
base device tree, it will be caught later on, but we cannot make the
assumption that early in the application process.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The __local_fixups__ node as a structure that mimics the structure of the
main overlay part.
This means that if we have a child node somewhere in the local fixups
sub-tree and if that node is not present in the main tree, the overlay is
poorly formatted, and we should report it as such.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The BADPHANDLE error was missing a string, leading to an <unknown error>
string being returned if you were to call fdt_strerror.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Using 'index' as a local variable name shadows the standard library index()
function. This causes warnings on at least some compiler versions. The
recently added overlay code has a number of instances of this.
This patch replaces 'index' with 'poffset', since 'index' is being used to
mean "offset within a property value" in these cases.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The device tree overlays are a good way to deal with user-modifyable
boards or boards with some kind of an expansion mechanism where we can
easily plug new board in (like the BBB, the Raspberry Pi or the CHIP).
Add a new function to merge overlays with a base device tree.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
So far, the BADPHANDLE error was only used for incorrect phandle values.
Extend that meaning to an improperly formatted phandle property.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a few new error codes to report the failure conditions we might
encounter in the overlay application code:
- FDT_ERR_BADOVERLAY, when an overlay cannot be parsed, even though its
structure is correct
- FDT_ERR_NOPHANDLES, when we ran out of available phandles and we
cannot use a new phandle without either using an invalid one (-1 or
0), or one already used.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Correct some typos discovered with the codespell utility.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The variable "err" is unneeded.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a function to modify inplace only a portion of a property..
This is especially useful when the property is an array of values, and you
want to update one of them without changing the DT size.
Acked-by: Simon Glass <sjg@chromium.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
[dwg: Remove unnecessary unsigned qualifier, correct a comment]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a function to retrieve a writeable property only by the first
characters of its name.
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a function to retrieve the highest phandle in a given device tree.
Acked-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Implement a macro based on fdt_first_property_offset and
fdt_next_property_offset that provides a convenience to iterate over all
the properties of a given node.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Acked-by: Simon Glass <sjg@chromium.org>
[dwg: Removed a stray trailing blank line]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The fdt_for_each_subnode() iterator macro provided by this patch can be
used to iterate over a device tree node's subnodes. At each iteration a
loop variable will be set to the next subnode.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The code style here is slightly incorrect. Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>