libfdt: Introduce abstraction type NodeOffset
The C functions use c_int for different purposes, which can lead to
undetected bug where values with different meanings are mixed or invalid
values are passed.
Instead, introduce a transparent c_int wrapper representing DT node
offsets, allowing the compiler to catch such bugs and prevent invalid
offsets from being created.
Test: m pvmfw
Test: atest liblibfdt.integration_test
Change-Id: I458c578a287e9484dc0febaaffdda7b28a93f520
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index 86d4abd..c0d8d55 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -17,17 +17,17 @@
#![no_std]
-mod ctypes;
mod iterators;
mod libfdt;
mod result;
+mod safe_types;
-pub use ctypes::Phandle;
pub use iterators::{
AddressRange, CellIterator, CompatibleIterator, DescendantsIterator, MemRegIterator,
PropertyIterator, RangesIterator, Reg, RegIterator, SubnodeIterator,
};
pub use result::{FdtError, Result};
+pub use safe_types::{NodeOffset, Phandle};
use core::ffi::{c_int, c_void, CStr};
use core::ops::Range;
@@ -147,7 +147,7 @@
#[derive(Clone, Copy, Debug)]
pub struct FdtNode<'a> {
fdt: &'a Fdt,
- offset: c_int,
+ offset: NodeOffset,
}
impl<'a> FdtNode<'a> {
@@ -355,7 +355,7 @@
#[derive(Debug)]
pub struct FdtNodeMut<'a> {
fdt: &'a mut Fdt,
- offset: c_int,
+ offset: NodeOffset,
}
impl<'a> FdtNodeMut<'a> {
@@ -525,7 +525,7 @@
self.delete_and_next(next_offset)
}
- fn delete_and_next(self, next_offset: Option<c_int>) -> Result<Option<Self>> {
+ fn delete_and_next(self, next_offset: Option<NodeOffset>) -> Result<Option<Self>> {
if Some(self.offset) == next_offset {
return Err(FdtError::Internal);
}
@@ -748,7 +748,11 @@
Ok(offset.map(|offset| FdtNodeMut { fdt: self, offset }))
}
- fn next_node_skip_subnodes(&self, node: c_int, depth: usize) -> Result<Option<(c_int, usize)>> {
+ fn next_node_skip_subnodes(
+ &self,
+ node: NodeOffset,
+ depth: usize,
+ ) -> Result<Option<(NodeOffset, usize)>> {
let mut iter = self.next_node(node, depth)?;
while let Some((offset, next_depth)) = iter {
if next_depth <= depth {
diff --git a/libs/libfdt/src/libfdt.rs b/libs/libfdt/src/libfdt.rs
index 1e82c9f..b6487fb 100644
--- a/libs/libfdt/src/libfdt.rs
+++ b/libs/libfdt/src/libfdt.rs
@@ -23,7 +23,7 @@
use core::ptr;
use crate::result::FdtRawResult;
-use crate::{FdtError, Phandle, Result};
+use crate::{FdtError, NodeOffset, Phandle, Result};
// Function names are the C function names without the `fdt_` prefix.
@@ -68,7 +68,7 @@
fn as_fdt_slice(&self) -> &[u8];
/// Safe wrapper around `fdt_path_offset_namelen()` (C function).
- fn path_offset_namelen(&self, path: &[u8]) -> Result<Option<c_int>> {
+ fn path_offset_namelen(&self, path: &[u8]) -> Result<Option<NodeOffset>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
// *_namelen functions don't include the trailing nul terminator in 'len'.
let len = path.len().try_into().map_err(|_| FdtError::BadPath)?;
@@ -81,7 +81,7 @@
}
/// Safe wrapper around `fdt_node_offset_by_phandle()` (C function).
- fn node_offset_by_phandle(&self, phandle: Phandle) -> Result<Option<c_int>> {
+ fn node_offset_by_phandle(&self, phandle: Phandle) -> Result<Option<NodeOffset>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
let phandle = phandle.into();
// SAFETY: Accesses are constrained to the DT totalsize.
@@ -91,8 +91,13 @@
}
/// Safe wrapper around `fdt_node_offset_by_compatible()` (C function).
- fn node_offset_by_compatible(&self, prev: c_int, compatible: &CStr) -> Result<Option<c_int>> {
+ fn node_offset_by_compatible(
+ &self,
+ prev: NodeOffset,
+ compatible: &CStr,
+ ) -> Result<Option<NodeOffset>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let prev = prev.into();
let compatible = compatible.as_ptr();
// SAFETY: Accesses (read-only) are constrained to the DT totalsize.
let ret = unsafe { libfdt_bindgen::fdt_node_offset_by_compatible(fdt, prev, compatible) };
@@ -101,8 +106,9 @@
}
/// Safe wrapper around `fdt_next_node()` (C function).
- fn next_node(&self, node: c_int, depth: usize) -> Result<Option<(c_int, usize)>> {
+ fn next_node(&self, node: NodeOffset, depth: usize) -> Result<Option<(NodeOffset, usize)>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
let mut depth = depth.try_into().unwrap();
// SAFETY: Accesses (read-only) are constrained to the DT totalsize.
let ret = unsafe { libfdt_bindgen::fdt_next_node(fdt, node, &mut depth) };
@@ -119,8 +125,9 @@
/// Safe wrapper around `fdt_parent_offset()` (C function).
///
/// Note that this function returns a `Err` when called on a root.
- fn parent_offset(&self, node: c_int) -> Result<c_int> {
+ fn parent_offset(&self, node: NodeOffset) -> Result<NodeOffset> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses (read-only) are constrained to the DT totalsize.
let ret = unsafe { libfdt_bindgen::fdt_parent_offset(fdt, node) };
@@ -131,8 +138,9 @@
///
/// Note that this function returns a `Err` when called on a node at a depth shallower than
/// the provided `depth`.
- fn supernode_atdepth_offset(&self, node: c_int, depth: usize) -> Result<c_int> {
+ fn supernode_atdepth_offset(&self, node: NodeOffset, depth: usize) -> Result<NodeOffset> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
let depth = depth.try_into().unwrap();
let nodedepth = ptr::null_mut();
let ret =
@@ -143,8 +151,13 @@
}
/// Safe wrapper around `fdt_subnode_offset_namelen()` (C function).
- fn subnode_offset_namelen(&self, parent: c_int, name: &[u8]) -> Result<Option<c_int>> {
+ fn subnode_offset_namelen(
+ &self,
+ parent: NodeOffset,
+ name: &[u8],
+ ) -> Result<Option<NodeOffset>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let parent = parent.into();
let namelen = name.len().try_into().unwrap();
let name = name.as_ptr().cast();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
@@ -153,8 +166,9 @@
FdtRawResult::from(ret).try_into()
}
/// Safe wrapper around `fdt_first_subnode()` (C function).
- fn first_subnode(&self, node: c_int) -> Result<Option<c_int>> {
+ fn first_subnode(&self, node: NodeOffset) -> Result<Option<NodeOffset>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses (read-only) are constrained to the DT totalsize.
let ret = unsafe { libfdt_bindgen::fdt_first_subnode(fdt, node) };
@@ -162,8 +176,9 @@
}
/// Safe wrapper around `fdt_next_subnode()` (C function).
- fn next_subnode(&self, node: c_int) -> Result<Option<c_int>> {
+ fn next_subnode(&self, node: NodeOffset) -> Result<Option<NodeOffset>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses (read-only) are constrained to the DT totalsize.
let ret = unsafe { libfdt_bindgen::fdt_next_subnode(fdt, node) };
@@ -171,8 +186,9 @@
}
/// Safe wrapper around `fdt_address_cells()` (C function).
- fn address_cells(&self, node: c_int) -> Result<usize> {
+ fn address_cells(&self, node: NodeOffset) -> Result<usize> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
let ret = unsafe { libfdt_bindgen::fdt_address_cells(fdt, node) };
@@ -180,8 +196,9 @@
}
/// Safe wrapper around `fdt_size_cells()` (C function).
- fn size_cells(&self, node: c_int) -> Result<usize> {
+ fn size_cells(&self, node: NodeOffset) -> Result<usize> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
let ret = unsafe { libfdt_bindgen::fdt_size_cells(fdt, node) };
@@ -189,8 +206,9 @@
}
/// Safe wrapper around `fdt_get_name()` (C function).
- fn get_name(&self, node: c_int) -> Result<&[u8]> {
+ fn get_name(&self, node: NodeOffset) -> Result<&[u8]> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
let mut len = 0;
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor). On success, the
// function returns valid null terminating string and otherwise returned values are dropped.
@@ -201,8 +219,9 @@
}
/// Safe wrapper around `fdt_getprop_namelen()` (C function).
- fn getprop_namelen(&self, node: c_int, name: &[u8]) -> Result<Option<&[u8]>> {
+ fn getprop_namelen(&self, node: NodeOffset, name: &[u8]) -> Result<Option<&[u8]>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
let namelen = name.len().try_into().map_err(|_| FdtError::BadPath)?;
let name = name.as_ptr().cast();
let mut len = 0;
@@ -247,8 +266,9 @@
}
/// Safe wrapper around `fdt_first_property_offset()` (C function).
- fn first_property_offset(&self, node: c_int) -> Result<Option<c_int>> {
+ fn first_property_offset(&self, node: NodeOffset) -> Result<Option<c_int>> {
let fdt = self.as_fdt_slice().as_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses (read-only) are constrained to the DT totalsize.
let ret = unsafe { libfdt_bindgen::fdt_first_property_offset(fdt, node) };
@@ -316,8 +336,9 @@
fn as_fdt_slice_mut(&mut self) -> &mut [u8];
/// Safe wrapper around `fdt_nop_node()` (C function).
- fn nop_node(&mut self, node: c_int) -> Result<()> {
+ fn nop_node(&mut self, node: NodeOffset) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
let ret = unsafe { libfdt_bindgen::fdt_nop_node(fdt, node) };
@@ -325,8 +346,9 @@
}
/// Safe wrapper around `fdt_add_subnode_namelen()` (C function).
- fn add_subnode_namelen(&mut self, node: c_int, name: &[u8]) -> Result<c_int> {
+ fn add_subnode_namelen(&mut self, node: NodeOffset, name: &[u8]) -> Result<NodeOffset> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let namelen = name.len().try_into().unwrap();
let name = name.as_ptr().cast();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
@@ -336,8 +358,9 @@
}
/// Safe wrapper around `fdt_setprop()` (C function).
- fn setprop(&mut self, node: c_int, name: &CStr, value: &[u8]) -> Result<()> {
+ fn setprop(&mut self, node: NodeOffset, name: &CStr, value: &[u8]) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let name = name.as_ptr();
let len = value.len().try_into().map_err(|_| FdtError::BadValue)?;
let value = value.as_ptr().cast();
@@ -349,8 +372,14 @@
}
/// Safe wrapper around `fdt_setprop_placeholder()` (C function).
- fn setprop_placeholder(&mut self, node: c_int, name: &CStr, size: usize) -> Result<&mut [u8]> {
+ fn setprop_placeholder(
+ &mut self,
+ node: NodeOffset,
+ name: &CStr,
+ size: usize,
+ ) -> Result<&mut [u8]> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let name = name.as_ptr();
let len = size.try_into().unwrap();
let mut data = ptr::null_mut();
@@ -364,8 +393,9 @@
}
/// Safe wrapper around `fdt_setprop_inplace()` (C function).
- fn setprop_inplace(&mut self, node: c_int, name: &CStr, value: &[u8]) -> Result<()> {
+ fn setprop_inplace(&mut self, node: NodeOffset, name: &CStr, value: &[u8]) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let name = name.as_ptr();
let len = value.len().try_into().map_err(|_| FdtError::BadValue)?;
let value = value.as_ptr().cast();
@@ -377,8 +407,9 @@
}
/// Safe wrapper around `fdt_appendprop()` (C function).
- fn appendprop(&mut self, node: c_int, name: &CStr, value: &[u8]) -> Result<()> {
+ fn appendprop(&mut self, node: NodeOffset, name: &CStr, value: &[u8]) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let name = name.as_ptr();
let len = value.len().try_into().map_err(|_| FdtError::BadValue)?;
let value = value.as_ptr().cast();
@@ -391,13 +422,15 @@
/// Safe wrapper around `fdt_appendprop_addrrange()` (C function).
fn appendprop_addrrange(
&mut self,
- parent: c_int,
- node: c_int,
+ parent: NodeOffset,
+ node: NodeOffset,
name: &CStr,
addr: u64,
size: u64,
) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let parent = parent.into();
+ let node = node.into();
let name = name.as_ptr();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
let ret = unsafe {
@@ -408,8 +441,9 @@
}
/// Safe wrapper around `fdt_delprop()` (C function).
- fn delprop(&mut self, node: c_int, name: &CStr) -> Result<()> {
+ fn delprop(&mut self, node: NodeOffset, name: &CStr) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let name = name.as_ptr();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) when the
// library locates the node's property. Removing the property may shift the offsets of
@@ -421,8 +455,9 @@
}
/// Safe wrapper around `fdt_nop_property()` (C function).
- fn nop_property(&mut self, node: c_int, name: &CStr) -> Result<()> {
+ fn nop_property(&mut self, node: NodeOffset, name: &CStr) -> Result<()> {
let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let node = node.into();
let name = name.as_ptr();
// SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) when the
// library locates the node's property.
diff --git a/libs/libfdt/src/ctypes.rs b/libs/libfdt/src/safe_types.rs
similarity index 65%
rename from libs/libfdt/src/ctypes.rs
rename to libs/libfdt/src/safe_types.rs
index a65f8e7..b89c771 100644
--- a/libs/libfdt/src/ctypes.rs
+++ b/libs/libfdt/src/safe_types.rs
@@ -14,6 +14,8 @@
//! Safe zero-cost wrappers around integer values used by libfdt.
+use core::ffi::c_int;
+
use crate::result::FdtRawResult;
use crate::{FdtError, Result};
@@ -59,3 +61,41 @@
Self::new(res.try_into()?).ok_or(FdtError::BadPhandle)
}
}
+
+/// Safe zero-cost wrapper around libfdt device tree node offsets.
+///
+/// This type should only be obtained from properly wrapped successful libfdt calls.
+#[repr(transparent)]
+#[derive(Debug, Copy, Clone, Eq, PartialEq, Ord, PartialOrd)]
+pub struct NodeOffset(c_int);
+
+impl NodeOffset {
+ /// Offset of the root node; 0, by definition.
+ pub const ROOT: Self = Self(0);
+}
+
+impl TryFrom<FdtRawResult> for NodeOffset {
+ type Error = FdtError;
+
+ fn try_from(res: FdtRawResult) -> Result<Self> {
+ Ok(Self(res.try_into()?))
+ }
+}
+
+impl TryFrom<FdtRawResult> for Option<NodeOffset> {
+ type Error = FdtError;
+
+ fn try_from(res: FdtRawResult) -> Result<Self> {
+ match res.try_into() {
+ Ok(n) => Ok(Some(n)),
+ Err(FdtError::NotFound) => Ok(None),
+ Err(e) => Err(e),
+ }
+ }
+}
+
+impl From<NodeOffset> for c_int {
+ fn from(offset: NodeOffset) -> Self {
+ offset.0
+ }
+}