If the corresponding '#xxx-cells' value is much too large, an integer
overflow can prevent the checks in check_property_phandle_args() from
correctly determining that the checked property is too short for the
given cells value. This leads to an infinite loops.
This patch fixes the bug, and adds a testcase for it. Further
information in https://github.com/dgibson/dtc/issues/64
Reported-by: Anciety <anciety@pku.edu.cn>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
FT is sometimes used for storing raw data. That is quite common for
U-Boot FIT images.
Extracting such data is not trivial currently. Using type 's' (string)
will replace every 0x00 (NUL) with 0x20 (space). Using type 'x' will
print bytes but in xxd incompatible format.
This commit adds support for 'r' (raw) format. Example usage:
fdtget -t r firmware.itb /images/foo data > image.raw
Support for encoding isn't added as there isn't any clean way of passing
binary data as command line argument.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Message-Id: <20211209061420.29466-1-zajec5@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add a check for parsing 'interrupt-map' properties. The check primarily
tests parsing 'interrupt-map' properties which depends on and the parent
interrupt controller (or another map) node.
Note that this does not require '#address-cells' in the interrupt-map
parent, but treats missing '#address-cells' as 0 which is how the Linux
kernel parses it. There's numerous cases that expect this behavior.
Cc: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20211015213527.2237774-1-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
With the prior commit, this check is now redundant.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20210526010335.860787-4-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The root node is supposed to have an empty name, but at present this is
not checked. The behaviour of such a tree is not well defined. Most
software rightly assumes that the root node is at offset 0 and does not
check the name. This oddity was discovered as part of a security
investigation into U-Boot verified boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323010410.3222701-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present it is possible to have two root nodes and even access nodes
in the 'second' root. Such trees should not be considered valid. This
was discovered as part of a security investigation into U-Boot verified
boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323000926.3210733-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This test was accidentally skipped as the wrong test dts file was built.
The fragment numbering in this sugar-free test case needed adjusting to
match the numbering generated by dtc for overlay_overlay.dts.
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Message-Id: <20201219143521.2118-1-pbarker@konsulko.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
An interrupt provider (an actual interrupt-controller node or an
interrupt nexus) should have both #address-cells and #interrupt-cells
properties explicitly defined.
Add an extra test for this. We check for the #interrupt-cells property
already, but this does not cover every controller so far, only those that
get referenced by an interrupts property in some node. Also we miss
interrupt nexus nodes.
A missing #address-cells property is less critical, but creates
ambiguities when used in interrupt-map properties, so warn about this as
well now.
This removes the now redundant warning in the existing interrupts test.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20200515141827.27957-2-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the test runner script always expects to be run from within the
tests/ subdirectory of a dtc source tree: it looks for dtc and other
binaries in the parent of the current directory and for the libfdt shared
library in ../libfdt.
That works great with make check and for testing a build you've just made.
However, sometimes it's useful to test a dtc & libfdt which have already
been installed on the system, or which for whatever reason are located
somewhere else.
This patch allows the test runner script to do this when TEST_BINDIR and/or
TEST_LIBDIR environment variables are set.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Support for YAML output in dtc is optional (to cover systems that don't
have libyaml). Currently the tests for yaml output test if the libyaml
package is locally installed.
That duplicates similar logic in the Makefile, and worse it will cause
failed tests if the user explicitly disables YAML support, rather than
simply not having libyaml installed.
Fix this by having the test script use the NO_YAML variable exported by
make. Fall back to the current test if the variable isn't set, such as
when running the script manually.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the test script bases whether to run the Python tests on whether
it can see a built Python module. That can easily be fooled if there is
a stale module there.
Instead, have it actually look at the NO_PYTHON variable exported from the
Makefile. If the variable doesn't exist (such as if we're running the
script manually) fall back on the old logic.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently run_tests.sh needs the $PYTHON environment variable set to
correctly run pylibfdt tests. The Makefile does this for make check, but
it breaks if the script is run manually. Add a fallback to handle that
case.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Generalize the existing 'ranges' check to also work for 'dma-ranges'
which has the same parsing requirements.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20200303193931.1653-1-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
By default FreeBSD does not have 'gcc' in the PATH (on common platforms).
As on Linux 'cc' is available as a link to the default compiler (Clang or
GCC), so just use 'cc'.
Signed-off-by: Ed Maste <emaste@freebsd.org>
Message-Id: <20191115155108.39488-1-emaste@freefall.freebsd.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If there is trailing zero, fdtget adds extra chacarter to the
property value. Thus comparing the expected with the actual
value, an error is emitted.
Signed-off-by: Stefan Mavrodiev <stefan@olimex.com>
Message-Id: <20191111080444.9819-3-stefan@olimex.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
BSD sed requires that an extension is provided to the -i (in-place edit)
flag, which may immediately follow the -i or may be separated by a space -
sed -i .bak and sed -i.bak are equivalent. The extension is optional with
GNU sed, but if provided must immediately follow the -i. Thus, sed -i.bak
behaves identically with both GNU and BSD sed.
Signed-off-by: Ed Maste <emaste@freebsd.org>
Message-Id: <20191114203615.2866-1-emaste@freefall.freebsd.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
When applying overlays, we merge symbols from the overlay into the target
tree. At the moment the logic for this assumes all symbols in the overlay
are attached to a node of the form:
/fragment@XXX/__overlay__/relative/path
And will end up applied to the relative/path node under the fragment's
target.
However, this disallows the case of a symbol in the form just:
/fragment@XXX/__overlay__
This does have a pretty obvious sensible meaning: attach the new symbol
directly to the fragment's target, but we don't currently do that.
It's pretty easy to workaround this limitation in one's overlays, but it's
also easy to handle in the overlay applying code, so we might as well
extend it to cover this case.
Reported-by: Christophe Braillon
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This adds a test case to demonstrate some issue seen when applying
overlays using 'fdtoverlay'. It fails with FDT_ERR_NOSPACE:
- with long target path
- symbols in order to use these nodes in possible subsequent overlay.
This is seen with this patch, by running:
$ make check # Reports a failed test
$ ./fdtoverlay -i tests/overlay_base.test.dtb -o out.dtb \
tests/overlay_overlay_long_path.fdoverlay.test.dtb
Failed to apply tests/overlay_overlay_long_path.fdoverlay.test.dtb (-3)
This overlay fails to apply, because dtb size is close to modulo 1024
bytes chunk: utilfdt_read() -> utilfdt_read_err() -> bufsize = 1024.
As there is not much extra space in the blob to resolve symbols (long
target path), it fails with FDT_ERR_NOSPACE. In fdtoverlay, size is :
/* grow the blob to worst case */
blob_len = fdt_totalsize(blob) + total_len;
I can see assumption is made that result should be lower than:
- base fdt size + overlay size. Is there a simple way to find to know
what the final size is?
I'm not sure what the correct fix might be, for such (worst) case?
Similar issue is also seen in u-boot/common/image-fit.c that implements
similar approach (e.g. base fdt size + overlay size).
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Message-Id: <1538553302-1353-1-git-send-email-fabrice.gasnier@st.com>
[dwg: To avoid breaking bisection, I committed this after a fix, so
the "failed" description is no longer accurate]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The typos have been discovered with the "codespell" utility.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190520081209.20415-1-thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Searching for duplicate names scales O(n^2) with the number of names
added to a fdt, which can cause a noticable slowdown with larger device
trees and very slow CPU cores.
Add FDT_CREATE_FLAG_NO_NAME_DEDUP that allow the caller to trade fdt size
for speed in the creation process.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190509094122.834-4-npiggin@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If fdt_add_property or fdt_property_placeholder fail after allocating
a string for the name, they return without freeing that string. This
does not change the structure of the tree, but in very specific cases
it could lead to undesirable space consumption.
Fix this by rolling back the string allocation in this situation.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20190509094122.834-2-npiggin@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Currently the libfdt based tools (fdtput, fdtget, etc.) and all the
test binaries using libfdt are linked against the static version of libfdt.
That's made it very easy in the past to forget to properly update the
version.lds file which is needed to make functions publicaly accessible
from the shared library.
To avoid problems like that in future, alter the build so that we link and
run the tests against the shared library version of libfdt.
That immediately points out several important symbols that are still
missing from the version.lds, so fix those as well.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
tests.sh has a bunch of shell setup that's sourced in a number of other
scripts. It _doesn't_ actually run a bunch of tests, which is kind of what
the name suggests. So rename it to be more obvious.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function will append an address range property using parent node's
"#address-cells" and "#size-cells" properties.
It will be used in implementing kdump with kexec_file_load system call
at linux kernel for arm64 once it is merged into kernel tree.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Message-Id: <20190327061552.17170-2-takahiro.akashi@linaro.org>
[dwg: Correct a SEGV error in the testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Python 3 C extensions have suffix containing platform, Python version
and another details in the name so the condition has to be extended.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Message-Id: <20190218164856.23861-5-frenzy@frenzy.cz>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
When some warning appears in test result, "ok" is still
at the end of the line but without three dots.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Message-Id: <20190218164856.23861-4-frenzy@frenzy.cz>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This function does not have its own test at present. Add one.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Python 2 is still the default but it can be changed by
setting environment variable PYTHON before build/test.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The logic in wrap_test() was effectively squashing valgrind errors into
the "FAIL" bucket rather than their own bucket as intended. Correct it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Otherwise the FAIL results won't be accounted for in the summary.
Easily testable by artifically causing them to fail:
- if [ $(($size % $align)) -eq 0 ] ;then
+ if [ $(($size % $align)) -eq 666 ] ;then
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Commit 8c59a97ce0 ("Fix missing labels when emitting dts format")
fixed label output, but broke output when there is a REF_PATH marker.
The problem is a REF_PATH marker causes a zero length string to be
emitted. The write_propval_string() function requires a length of at
least 1 (including the terminating '\0'), but that was not being
checked.
For the integer output, a length of 0 is valid as it is possible to have
labels inside the starting '<':
int-prop = < start: 0x1234>;
REF_PHANDLE is another marker that we don't explicitly handle, but it
doesn't cause a problem as it is fundamentally just an int.
Fixes: 8c59a97ce0 ("Fix missing labels when emitting dts format")
Reported-by: Kumar Gala <kumar.gala@linaro.org>
Cc: Grant Likely <grant.likely@arm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This commit adds test cases for commits "Correct overlay syntactic
sugar for generating target-path fragments" and "Merge nodes with
local target label references".
It verifies that target path references are not resolved locally and
that target label references that can be resolved locally are.
Signed-off-by: Fredrik Markstrom <fredrik.markstrom@gmail.com>
[dwg: Fixed some whitespace problems]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Since commit 7975f64222 ("Fix widespread incorrect use of strneq(),
replace with new strprefixeq()") simple-bus checks have been silently
skipped. The problem was 'end - str' is one more than the string length
and the strnlen in strprefixeq fails. This can't be fixed simply by
subtracting one as it is possible to have multiple '\0' at the end of
the property. Fix this by making the 'compatible' property string list
check a dependency, and then we can assume the property is null
terminated and we can just use streq() for comparisons.
Add some tests so the problem doesn't happen again.
Fixes: 7975f64222 ("Fix widespread incorrect use of strneq(), replace with new strprefixeq()")
Reported-by: Kumar Gala <kumar.gala@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
YAML encoded DT is useful for validation of DTs using binding schemas.
The YAML encoding is an intermediate format used for validation and
is therefore subject to change as needed. The YAML output is dependent
on DTS input with type information preserved.
Signed-off-by: Grant Likely <grant.likely@arm.com>
[robh: make YAML support optional, build fixes, Travis CI test,
preserve type information in paths and phandles]
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Greg Kurz added a trivial test of the -I fs mode recently, which was
previously basically untested. This is an oversight, since we
recently had a bug which completely broke it.
This replaces Greg's test with a more thorough test of -I fs mode. We
use a test helper to create the familiar test_tree1 in "fs" form, then use
dtc -I fs to process it, and check that the results match what they
should.
We only check the content in -I fs -O dtb mode, since that's simplest,
but we do run -I fs -O dts mode as well to make sure it doesn't blow
up (the aforementioned bug caused just such a blow up, specific to -O
dts mode, for example).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Some recent changes caused '-I fs -O dts' to crash instantly when
emitting the first property holding actual data, ie, coming from
a non-empty file. This got fixed already by another patch.
This simply adds a test for the original problem.
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add internal fdt_cells() to avoid copy and paste. Test error cases and
default values. Fix typo in fdt_size_cells() documentation comment.
Signed-off-by: Sebastian Huber <sebastian.huber@embedded-brains.de>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We primarily test fdt_resize() in the sw_tree1 testcase, but it has
some deficiencies:
- It didn't check for errors actually originating in fdt_resize(),
just for errors before and after
- It only tested cases where the resized buffer was at the same
address as the original one, whereas fdt_resize() is also supposed
to work if the new buffer is entirely separate, or partly
overlapping
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
If datatype markers are present in the property value, use them to
output the data in the correct format instead of trying to guess the
datatype. This also will preserve data grouping, such as in an
interrupts list.
This is a step forward for preserving and using datatype information
when processing DTS/DTB files. Schema validation tools can use the
datatype information to make sure a DT is correctly formed and
intepreted.
Signed-off-by: Grant Likely <grant.likely@arm.com>
[robh: rework marker handling and fix label output]
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
'prop_name_chars' is not a valid check name, but the test was passing due
to a bug in dtc-checkfails.sh. Fix it to be the correct name,
'property_name_chars'.
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Extend the Properties class with some functions to read a single integer
property. Add a new getprop_obj() function to return a Property object
instead of the raw data.
This suggested approach can be extended to handle other types, as well as
arrays.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This new function implements a complete and thorough check of an fdt blob's
structure. Given a buffer containing an fdt, it should return 0 only if
the fdt within is structurally sound in all regards. It doesn't check
anything about the blob's contents (i.e. the actual values of the nodes and
properties), of course.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.
This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_string() is used to retrieve strings from a DT blob's strings section.
It's rarely used directly, but is widely used internally.
However, it doesn't do any bounds checking, which means in the case of a
corrupted blob it could access bad memory, which libfdt is supposed to
avoid.
This write a safe alternative to fdt_string, fdt_get_string(). It checks
both that the given offset is within the string section and that the string
it points to is properly \0 terminated within the section. It also returns
the string's length as a convenience (since it needs to determine to do the
checks anyway).
fdt_string() is rewritten in terms of fdt_get_string() for compatibility.
Most of the diff here is actually testing infrastructure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Currently fdt_check_header() performs only some rudimentary checks, which
is not really what the name suggests. This strengthens fdt_check_header()
to check as much about the blob as is possible from the header alone: as
well as checking the magic number and version, it checks that the total
size is sane, and that all the sub-blocks within the blob lie within the
total size.
* This broadens the meaning of FDT_ERR_TRUNCATED to cover all sorts of
improperly terminated blocks as well as just a structure block without
FDT_END.
* This makes fdt_check_header() only succeed on "complete" blobs, not
in-progress sequential write blobs. The only reason this didn't fail
before was that this function used to be called by many RO functions
which are supposed to also work on incomplete SW blobs.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
When creating a tree with the sequential write functions, certain things
have to be done in a certain order. You must create the memory reserve map
and only then can you create the actual tree structure.
The -FDT_ERR_BADSTATE return code is for if you try to do things out of
order. However, we weren't checking that very thoroughly, so it was
possible to generate a corrupted blob if, for example, you started calling
fdt_begin_node() etc. before calling fdt_finish_reservemap().
This makes the state checking more thorough disallow that.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
The newly introduced /omit-if-no-ref/ needs a few test cases, make
sure to test them.
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
