libfdt is never supposed to access memory outside the the blob, or outside
the sub-blocks within it, even if the blob is badly corrupted.
We can leverage valgrind's client requests to do better testing of this.
This adds a vg_prepare_blob() function which marks just the valid parts of
an fdt blob as properly initialized, explicitly marking the rest as
uninitialized. This means valgrind should catch any bad accesses.
We add a call to vg_prepare_blob() to load_blob() so that lots of the
existing testcases will benefit from the extra checking.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Currently we have 3 valgrind suppression files in the tests, all of which
are to handle memcheck errors that originate from saving entire buffers
containing blobs where the gaps between sub-blocks might not be
initialized.
We can more simply suppress those errors by having the save_blob() helper
use valgrind's client interface to mark the data as initialized before we
write it out.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
This was leftover from an earlier implementation of load_blob().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
There are no less than _four_ variants on utilfdt_read() which is a bit
excessive. The _len() variants are particularly pointless, since we can
achieve the same thing with very little extra verbosity by using the usual
convention of ignoring return parameters if they're NULL. So, get rid of
them (we keep the shorter names without _len, but add now-optional len
parameters).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
fdt_string() is used to retrieve strings from a DT blob's strings section.
It's rarely used directly, but is widely used internally.
However, it doesn't do any bounds checking, which means in the case of a
corrupted blob it could access bad memory, which libfdt is supposed to
avoid.
This write a safe alternative to fdt_string, fdt_get_string(). It checks
both that the given offset is within the string section and that the string
it points to is properly \0 terminated within the section. It also returns
the string's length as a convenience (since it needs to determine to do the
checks anyway).
fdt_string() is rewritten in terms of fdt_get_string() for compatibility.
Most of the diff here is actually testing infrastructure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
For a follow up commit, we want to be able to scan the buffer that was
returned to us. In order to do that safely, we need to know how big
the buffer actually is, so pass that back if requested.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The load_blob() and save_blob() functions are very similar to the utilfdt
versions. This removes the duplicated code.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
This patch turns on the -Wpointer-arith option in the dtc Makefile,
and fixes the resulting warnings due to using (void *) in pointer
arithmetic. While convenient, pointer arithmetic on void * is not
portable, so it's better that we avoid it, particularly in libfdt.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
I've recently worked with a FreeBSD developer, getting dtc and libfdt
working on FreeBSD. This showed up a number of portability problems
in the dtc package which this patch addresses. Changes are as
follows:
- the parent_offset and supernode_atdepth_offset testcases
used the glibc extension functions strchrnul() and strndupa(). Those
are removed, using slightly longer coding with standard C functions
instead.
- some other testcases had a #define _GNU_SOURCE for no
particular reason. This is removed.
- run_tests.sh has bash specific constructs removed, and the
interpreter changed to /bin/sh. This apparently now runs fine on
FreeBSD's /bin/sh, and I've also tested it with both ash and dash.
- convert-dtsv0-lexer.l has some extra #includes added. These
must have been included indirectly with Linux and glibc, but aren't on
FreeBSD.
- the endian handling functions in libfdt_env.h, based on
endian.h and byteswap.h are replaced with some portable open-coded
versions. Unfortunately, these result in fairly crappy code when
compiled, but as far as I can determine there doesn't seem to be any
POSIX, SUS or de facto standard way of determining endianness at
compile time, nor standard names for byteswapping functions.
- some more endian handling, from testdata.h using the
problematic endian.h is simply removed, since it wasn't actually being
used anyway.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently all the read/write functions in libfdt require that the
given tree be v17, and further, that the tree has the memory
reservation block, structure block and strings block stored in that
physical order.
This patch eases these constraints, by making fdt_open_int() reorder
the blocks, and/or convert the tree to v17, so that it will then be
ready for the other read-write functions.
It also extends fdt_pack() to actually remove any gaps between blocks
that might be present.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds functions to libfdt for accessing the memory
reservation map section of a device tree blob. fdt_num_mem_rsv()
retreives the number of reservation entries in a dtb, and
fdt_get_mem_rsv() retreives a specific reservation entry.
fdt_add_mem_rsv() adds a new entry, and fdt_del_mem_rsv() removes a
specific numbered entry.
Testcases for these new functions are also included.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present, the fdt_subnode_offset() and fdt_path_offset() functions
in libfdt require the exact name of the nodes in question be passed,
including unit address.
This is contrary to traditional OF-like finddevice() behaviour, which
allows the unit address to be omitted (which is useful when the device
name is unambiguous without the address).
This patch introduces similar behaviour to
fdt_subnode_offset_namelen(), and hence to fdt_subnode_offset() and
fdt_path_offset() which are implemented in terms of the former. The
unit address can be omitted from the given node name. If this is
ambiguous, the first such node in the flattened tree will be selected
(this behaviour is consistent with IEEE1275 which specifies only that
an arbitrary node matching the given information be selected).
This very small change is then followed by many more diffs which
change the test examples and testcases to exercise this behaviour.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This large patch removes all trailing whitespace from dtc (including
libfdt, the testsuite and documentation). It also removes a handful
of redundant blank lines (at the end of functions, or when there are
two blank lines together for no particular reason).
As well as anything else, this means that quilt won't whinge when I go
to convert the whole of libfdt into a patch to apply to the kernel.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
As a read-only functions, which take a const pointer to the fdt, treat
fdt_get_property() and fdt_getprop() as returning const pointers to
within the blob. fdt_get_property_w() and fdt_getprop_w() versions
are supplied which take a non-const fdt pointer and return a non-const
pointer for the benefit of callers wishing to alter the device tree
contents.
Likewise the lower-level fdt_offset_ptr() and _fdt_offset_ptr()
functions are changed to return const pointers, with *_w() versions
supplied.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present fdt.h #includes stdint.h. This makes some sense, because fdt.h
uses the standard fixed-width integer types. However, this can make life
difficult when building in different environments which may not have a
stdint.h. Therefore, this patch removes the #include from fdt.h, instead
requiring that users of fdt.h define the fixed-width integer types before
including fdt.h, either by themselves including stdint.h, or by any other
means.
This fixes several small bugs related to fdt_strerror().
- an entry is added to the error table for FDT_ERR_BADLAYOUT.
- Incorrect usage of fdt_strerror() in check_property() and
check_getprop() is corrected (they were passing a positive error code,
when fdt_strerror() expects a negative code).
- Add code to properly retreive an error code from
fdt_get_property() in check_property(). With that a check that the
length returned by fdt_get_property() matches that stored in the
retreived property.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function moves the fdt_strerror() function, currently found in
the test code into the fdt library proper. This makes life easier for
any library users who want to provide meaningful error messages. The
function goes into a module of its own, so that users who don't need
the function won't get a copy of it linked in.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
First, this patch removes several underused error codes:
FDT_ERR_BADPOINTER and FDT_ERR_BADHEADER were not used at all and are
simply removed. FDT_ERR_SIZE_MISMATCH was very similar in spirit to
FDT_ERR_NOSPACE, and used only in circumstances where there can be no
confusion between the two, so is removed and folded into
FDT_ERR_NOSPACE. FDT_ERR_INTERAL was used on only one place, on a
"can't happen" check. It seems of little value so the check and error
code are removed also.
Second, the error codes have been re-numbered and grouped roughly by
severity. That is codes which can reasonably occur in normal
operation separated from those which indicate bad parameters (and
therefore a bug in the caller) or a bad or corrupted device tree blob.
Third the test function fdt_strerror() is cleaned up a little based on
these changes.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present, libfdt functions returning a structure offset return a
zero-or-positive offset on success, and return a negative error code
on failure. Functions which only return an error code return a
positive version of the error code, or 0 on success.
This patch improves consistency by always returning negative error
codes on failure, for both types of function. With this change, we do
away with the special fdt_offset_error() macro for checking whether a
returned offset value is an error and extracting the encoded error
value within. Instead an explicit (ret_value < 0) is now the
preferred way of checking return values for both offset-returning and
error-code-returning functions.
The fdt_strerror() function in the test code is updated
correspondingly to make more sense with the new conventions.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch abolishes the non-standard and confusing encoding of errors
into pointer return values. The only functions still returning such a
potentially encoded pointer are fdt_get_property() and fdt_getprop().
Those functions also return a length via an (int *). With this patch
those functions instead now return NULL on any error, and return the
code indicating the type of error in the length paramater.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present, the blob containing a device tree is passed to the various
fdt_*() functions as a (struct fdt_header *) i.e. a pointer to the
header structure at the beginning of the blob.
This patch changes all the functions so that they instead take a (void
*) pointing to the blob. Under some circumstances can avoid the need
for the caller to cast a blob pointer into a (struct fdt_header *)
before passing it to the fdt_*() functions.
Using a (void *) also reduce the temptation for users of the library
to directly dereference toe (struct fdt_header *) to access header
fields. Instead they must use the fdt_get_header() or
fdt_set_header() macros, or the fdt_magic(), fdt_totalsize()
etc. wrappers around them which are safer, since they will always
handle endian conversion.
With this change, the whole-tree moving, or manipulating functions:
fdt_move(), fdt_open_into() and fdt_pack() no longer need to return a
pointer to the "new" tree. The given (void *) buffer pointer they
take can instead be used directly by the caller as the new tree.
Those functions are thus changed to instead return an error code
(which in turn reduces the number of functions using the ugly encoding
of error values into pointers).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
fdt_property_offset() is the only function in the library returning a
direct offset to a property, and no function takes such an offset
(they only take offsets to nodes, not properties). Furthermore the
only client uses for this function I can think of involve immediately
translating the offset into a pointer, effectively duplicating the
internal function _fdt_getprop()
This function abolishes fdt_property_offset(), replacing it with
fdt_get_property(), a renamed and now externally visible version of
_fdt_getprop().