libfdt: Move funcs for non-DT buffers out of Fdt
Move check_full() and create_empty_tree() out of the class as they did
not work well with OOP (RAII) given that they were intended to act on
buffers that _might_ contain a valid DT (while Fdt should only wrap
buffers with valid DTs).
This introduces a new module, which should end up containing all (and
only) the FFI calls, providing a low-level Rust-safe API to lib.rs. This
will allow us to decouple the high-level client-facing classes (Fdt,
FdtNode, FdtNodeMut, ...) from the low-level considerations of dealing
with the libfdt C functions.
Reduce the unsafe blocks to the strict minimum (i.e. the FFI calls).
Test: m pvmfw
Test: atest liblibfdt.integration_test
Change-Id: Ic5efebced5827a8a26af48a151bb437df6f71a93
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index f3544cb..72cd3e9 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -18,6 +18,7 @@
#![no_std]
mod iterators;
+mod libfdt;
mod result;
pub use iterators::{
@@ -845,9 +846,10 @@
///
/// Fails if the FDT does not pass validation.
pub fn from_slice(fdt: &[u8]) -> Result<&Self> {
- // SAFETY: The FDT will be validated before it is returned.
+ libfdt::check_full(fdt)?;
+ // SAFETY: The FDT was validated.
let fdt = unsafe { Self::unchecked_from_slice(fdt) };
- fdt.check_full()?;
+
Ok(fdt)
}
@@ -855,30 +857,18 @@
///
/// Fails if the FDT does not pass validation.
pub fn from_mut_slice(fdt: &mut [u8]) -> Result<&mut Self> {
- // SAFETY: The FDT will be validated before it is returned.
+ libfdt::check_full(fdt)?;
+ // SAFETY: The FDT was validated.
let fdt = unsafe { Self::unchecked_from_mut_slice(fdt) };
- fdt.check_full()?;
+
Ok(fdt)
}
/// Creates an empty Flattened Device Tree with a mutable slice.
pub fn create_empty_tree(fdt: &mut [u8]) -> Result<&mut Self> {
- // SAFETY: fdt_create_empty_tree() only write within the specified length,
- // and returns error if buffer was insufficient.
- // There will be no memory write outside of the given fdt.
- let ret = unsafe {
- libfdt_bindgen::fdt_create_empty_tree(
- fdt.as_mut_ptr().cast::<c_void>(),
- fdt.len() as i32,
- )
- };
- fdt_err_expect_zero(ret)?;
+ libfdt::create_empty_tree(fdt)?;
- // SAFETY: The FDT will be validated before it is returned.
- let fdt = unsafe { Self::unchecked_from_mut_slice(fdt) };
- fdt.check_full()?;
-
- Ok(fdt)
+ Self::from_mut_slice(fdt)
}
/// Wraps a slice containing a Flattened Device Tree.
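Review bot: The doc comment on `create_empty_tree` no longer describes its failure modes now that the body is two fallible calls, and the second one (`Self::from_mut_slice`) re-validates the freshly written tree, which is worth stating so callers do not drop the check as redundant. I would extend the doc to `/// Fails if the buffer is too small for an empty tree, or if the created tree does not pass validation.`, matching the "Fails if" wording the two constructors above already use. Since `libfdt::create_empty_tree` converts the buffer length with `try_into().unwrap()` in the new module, a buffer longer than `i32::MAX` bytes would presumably panic here rather than return an error; if that is intended, a `# Panics` line belongs in this doc as well.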
@@ -1071,16 +1061,6 @@
fdt_err_or_option(ret)
}
- fn check_full(&self) -> Result<()> {
- // SAFETY: Only performs read accesses within the limits of the slice. If successful, this
- // call guarantees to other unsafe calls that the header contains a valid totalsize (w.r.t.
- // 'len' i.e. the self.fdt slice) that those C functions can use to perform bounds
- // checking. The library doesn't maintain an internal state (such as pointers) between
- // calls as it expects the client code to keep track of the objects (DT, nodes, ...).
- let ret = unsafe { libfdt_bindgen::fdt_check_full(self.as_ptr(), self.capacity()) };
- fdt_err_expect_zero(ret)
- }
-
fn get_from_ptr(&self, ptr: *const c_void, len: usize) -> Result<&[u8]> {
let ptr = ptr as usize;
let offset = ptr.checked_sub(self.as_ptr() as usize).ok_or(FdtError::Internal)?;
diff --git a/libs/libfdt/src/libfdt.rs b/libs/libfdt/src/libfdt.rs
new file mode 100644
index 0000000..bd9ae1e
--- /dev/null
+++ b/libs/libfdt/src/libfdt.rs
@@ -0,0 +1,45 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Low-level libfdt_bindgen wrapper, easy to integrate safely in higher-level APIs.
+
+use crate::{fdt_err_expect_zero, Result};
+
+// Function names are the C function names without the `fdt_` prefix.
+
+/// Safe wrapper around `fdt_create_empty_tree()` (C function).
+pub(crate) fn create_empty_tree(fdt: &mut [u8]) -> Result<()> {
+ let len = fdt.len().try_into().unwrap();
+ let fdt = fdt.as_mut_ptr().cast();
+ // SAFETY: fdt_create_empty_tree() only write within the specified length,
+ // and returns error if buffer was insufficient.
+ // There will be no memory write outside of the given fdt.
+ let ret = unsafe { libfdt_bindgen::fdt_create_empty_tree(fdt, len) };
+
+ fdt_err_expect_zero(ret)
+}
+
+/// Safe wrapper around `fdt_check_full()` (C function).
+pub(crate) fn check_full(fdt: &[u8]) -> Result<()> {
+ let len = fdt.len();
+ let fdt = fdt.as_ptr().cast();
+ // SAFETY: Only performs read accesses within the limits of the slice. If successful, this
+ // call guarantees to other unsafe calls that the header contains a valid totalsize (w.r.t.
+ // 'len' i.e. the self.fdt slice) that those C functions can use to perform bounds
+ // checking. The library doesn't maintain an internal state (such as pointers) between
+ // calls as it expects the client code to keep track of the objects (DT, nodes, ...).
+ let ret = unsafe { libfdt_bindgen::fdt_check_full(fdt, len) };
+
+ fdt_err_expect_zero(ret)
+}
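Review bot: `create_empty_tree` turns a too-large buffer into a panic via `fdt.len().try_into().unwrap()`, which contradicts the "Safe wrapper" doc and is a worse outcome in a `no_std` firmware crate than a returned error; I would map the failure instead, e.g. `let len = fdt.len().try_into().map_err(|_| FdtError::Internal)?;` (pick whichever `FdtError` variant fits, and add it to the `use crate::{...}` line). Note that the old `as i32` cast it replaces would have silently wrapped, so the new code is already stricter; this only changes panic into `Err`. Separately, the SAFETY comment in `check_full` still says `'len' i.e. the self.fdt slice`, but there is no `self` in this free function any more; it should read `'len' i.e. the fdt slice`. Minor grammar in the other SAFETY comment: `only write within` should be `only writes within`.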