On Wed, Aug 28, 2019 at 07:43:45AM -0600, Simon Glass wrote:
> Hi David,
>
> On Fri, 9 Aug 2019 at 11:02, Simon Glass <sjg@xxxxxxxxxxxx> wrote:
> >
> > Hi David,
> >
> > On Fri, 9 Aug 2019 at 05:53, David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > On Thu, Aug 01, 2019 at 01:11:29PM -0600, Simon Glass wrote:
> > > > Hi David,
> > > >
> > > > On Mon, 22 Jul 2019 at 01:25, David Gibson <david@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > On Sat, Jul 20, 2019 at 05:31:09PM -0600, Simon Glass wrote:
> > > > > > This file provides read-write access to the device tree and includes
> > > > > > mostly checks of the header. Allow these checks to be disabled to reduce
> > > > > > code size.
> > > > > >
> > > > > > Signed-off-by: Simon Glass <sjg@xxxxxxxxxxxx>
> > > > > > ---
> > > > > >
> > > > > > libfdt/fdt_rw.c | 14 ++++++++++----
> > > > > > 1 file changed, 10 insertions(+), 4 deletions(-)
> > > > > >
> > > > > > diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c
> > > > > > index 8795947..4ff3aab 100644
> > > > > > --- a/libfdt/fdt_rw.c
> > > > > > +++ b/libfdt/fdt_rw.c
> > > > > > @@ -13,6 +13,8 @@
> > > > > > static int fdt_blocks_misordered_(const void *fdt,
> > > > > > int mem_rsv_size, int struct_size)
> > > > > > {
> > > > > > + if (!_check2())
> > > > > > + return false;
> > > > >
> > > > > I think this needs to be check1. An fdt with the blocks in the
> > > > > "wrong" order isn't actually invalid - it's just inconvenient for our
> > > > > purposes here. So if you disable this check, you're potentially
> > > > > making this misbehave on valid blobs, not merely trusting that the
> > > > > blob you have is valid.
> > > >
> > > > Yes, fixed.
> > > >
> > > > >
> > > > > > return (fdt_off_mem_rsvmap(fdt) < FDT_ALIGN(sizeof(struct fdt_header), 8))
> > > > > > || (fdt_off_dt_struct(fdt) <
> > > > > > (fdt_off_mem_rsvmap(fdt) + mem_rsv_size))
> > > > > > @@ -24,6 +26,8 @@ static int fdt_blocks_misordered_(const void *fdt,
> > > > > >
> > > > > > static int fdt_rw_probe_(void *fdt)
> > > > > > {
> > > > > > + if (!_check2())
> > > > > > + return 0;
> > > > > > FDT_RO_PROBE(fdt);
> > > > > >
> > > > > > if (fdt_version(fdt) < 17)
> > > > > > @@ -40,7 +44,7 @@ static int fdt_rw_probe_(void *fdt)
> > > > > > #define FDT_RW_PROBE(fdt) \
> > > > > > { \
> > > > > > int err_; \
> > > > > > - if ((err_ = fdt_rw_probe_(fdt)) != 0) \
> > > > > > + if (_check2() && (err_ = fdt_rw_probe_(fdt)) != 0) \
> > > > > > return err_; \
> > > > > > }
> > > > > >
> > > > > > @@ -120,7 +124,8 @@ static int fdt_find_add_string_(void *fdt, const char *s, int *allocated)
> > > > > > int len = strlen(s) + 1;
> > > > > > int err;
> > > > > >
> > > > > > - *allocated = 0;
> > > > > > + if (_check1())
> > > > > > + *allocated = 0;
> > > > > >
> > > > > > p = fdt_find_string_(strtab, fdt_size_dt_strings(fdt), s);
> > > > > > if (p)
> > > > > > @@ -132,7 +137,8 @@ static int fdt_find_add_string_(void *fdt, const char *s, int *allocated)
> > > > > > if (err)
> > > > > > return err;
> > > > > >
> > > > > > - *allocated = 1;
> > > > > > + if (_check1())
> > > > > > + *allocated = 1;
> > > > >
> > > > > IIUC you're also using the check level to avoid searching for an
> > > > > existing string and just adding it (possibly duplicated). That's
> > > > > potentially a useful thing - I've had other requests for that to avoid
> > > > > a potentially slow string search. However, I'm a bit uncomfortable
> > > > > with hooking it to something that's allegedly just about checking.
> > > > > This will change the behaviour of the library even on correct blobs.
> > > >
> > > > I don't think so. It's just that if we don't care whether the string
> > > > was found or allocated, unless we want to delete the string when we
> > > > run out of space. This new feature was not present earlier, and wastes
> > > > code space if you don't care.
> > >
> > > It's true that we don't usually care whether the string is found or
> > > allocated. But - for a correct starting dt and correct usage - your
> > > other changes will result in byte-for-byte identical output. This one
> > > won't.
> >
> > Yes that's right. Of course this is how it used to work until
> > recently, and running out of space is an error condition.
> >
> > So should I change it to always enable this code except when all
> > checks are disabled?
>
> Just checking in on this. I should point out that errors like this
> don't typically happen in constrained environments since they are
> tested for such problems. If an error happens, then the likely outcome
> is that the DT is expanded and the operation retried.
>
> Also, is that your only comment on the series? So I should respin it
> once we figure this one out.
So, I've (finally) made some comments on v2, sorry it's taken so long.
The use of a mask rather than just a "level" makes me more comfortable
with the use of this to avoid the string de-duplication - I'm not sure
if that's entirely rational but there you go.
Thinking about it even more though, I think I'll be even more
comfortable if we re-frame things a bit. I'd like to think of this
(and describe it in the code and commends) not as a set of checks to
enable, but to invert the sense and have a set of "corners to cut".
For one thing that terminology includes things that aren't really
about "checks" like the string deduplication. It's also a scarier way
of putting it - we want to discourage people from using this unless
they really know what they're doing.
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
Attachment:
signature.asc
Description: PGP signature
