Xen project Mailing List

Re: [PATCH v3 08/16] x86/hyperlaunch: Add helpers to locate multiboot modules

To: Alejandro Vallejo <agarciav@xxxxxxx>

Date: Thu, 10 Apr 2025 12:42:50 +0200

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Jason Andryuk <jason.andryuk@xxxxxxx>, Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 10 Apr 2025 10:43:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08.04.2025 18:07, Alejandro Vallejo wrote: > --- a/xen/arch/x86/domain-builder/fdt.c > +++ b/xen/arch/x86/domain-builder/fdt.c > @@ -13,6 +13,148 @@ > > #include "fdt.h" > > +/* > + * Unpacks a "reg" property into its address and size constituents. > + * > + * @param prop Pointer to an FDT "reg" property. > + * @param address_cells Number of 4-octet cells that make up an "address". > + * @param size_cells Number of 4-octet cells that make up a "size". > + * @param p_addr[out] Address encoded in the property. > + * @param p_size[out] Size encoded in the property. > + * @returns -EINVAL on malformed property, 0 otherwise. > + */ > +static int __init read_fdt_prop_as_reg(const struct fdt_property *prop, > + int address_cells, int size_cells, > + uint64_t *p_addr, uint64_t *p_size) > +{ > + const fdt32_t *cell = (const fdt32_t *)prop->data; > + uint64_t addr, size; > + > + if ( fdt32_to_cpu(prop->len) != > + (address_cells + size_cells) * sizeof(*cell) ) > + { > + printk(" Cannot read reg %lu+%lu from prop len %u\n", > + address_cells * sizeof(*cell), size_cells * sizeof(*cell), > + fdt32_to_cpu(prop->len)); > + return -EINVAL; > + } > + > + switch ( address_cells ) { Nit: Brace on its own line please. > + case 1: > + addr = fdt32_to_cpu(*cell); > + break; > + case 2: > + addr = fdt64_to_cpu(*(const fdt64_t *)cell); > + break; > + default: > + printk(" unsupported sized address_cells\n"); Depending on how likely this or ... > + return -EINVAL; > + } > + > + cell += address_cells; > + switch ( size_cells ) { > + case 1: > + size = fdt32_to_cpu(*cell); > + break; > + case 2: > + size = fdt64_to_cpu(*(const fdt64_t *)cell); > + break; > + default: > + printk(" unsupported sized size_cells\n"); ... this path is to be hit, perhaps also log the bogus size? Then again, this being passed in, isn't it an internal error if the wrong size makes it here? I.e. rather use ASSERT_UNREACHABLE()? > + return -EINVAL; > + } > + > + *p_addr = addr; > + *p_size = size; > + > + return 0; > +} The function as a whole looks somewhat similar to fdt_get_reg_prop(). What's the deal? > +/* > + * Locate a multiboot module given its node offset in the FDT. > + * > + * The module location may be given via either FDT property: > + * * reg = <address, size> > + * * Mutates `bi` to append the module. > + * * module-index = <idx> > + * * Leaves `bi` unchanged. > + * > + * @param fdt Pointer to the full FDT. > + * @param node Offset for the module node. > + * @param address_cells Number of 4-octet cells that make up an "address". > + * @param size_cells Number of 4-octet cells that make up a "size". > + * @param bi[inout] Xen's representation of the boot parameters. > + * @return -EINVAL on malformed nodes, otherwise > + * index inside `bi->mods` > + */ > +int __init fdt_read_multiboot_module(const void *fdt, int node, > + int address_cells, int size_cells, > + struct boot_info *bi) Functions without callers and non-static ones without declarations are disliked by Misra. > +{ > + const struct fdt_property *prop; > + uint64_t addr, size; > + int ret; > + int idx; > + > + ASSERT(!fdt_node_check_compatible(fdt, node, "multiboot,module")); > + > + /* Location given as a `module-index` property. */ > + prop = fdt_get_property(fdt, node, "module-index", NULL); > + > + if ( prop ) > + { > + if ( fdt_get_property(fdt, node, "reg", NULL) ) > + { > + printk(" Location of multiboot,module defined multiple > times\n"); > + return -EINVAL; > + } > + return fdt_cell_as_u32((const fdt32_t *)prop->data); No concerns here of there being less than 4 bytes of data? > + } > + > + /* Otherwise location given as a `reg` property. */ > + prop = fdt_get_property(fdt, node, "reg", NULL); > + > + if ( !prop ) > + { > + printk(" No location for multiboot,module\n"); > + return -EINVAL; > + } > + if ( fdt_get_property(fdt, node, "module-index", NULL) ) > + { > + printk(" Location of multiboot,module defined multiple times\n"); > + return -EINVAL; > + } > + > + ret = read_fdt_prop_as_reg(prop, address_cells, size_cells, &addr, > &size); > + > + if ( ret < 0 ) > + { > + printk(" Failed reading reg for multiboot,module\n"); > + return -EINVAL; > + } > + > + idx = bi->nr_modules + 1; This at least looks like an off-by-one. If the addition of 1 is really intended, I think it needs commenting on. > + if ( idx > MAX_NR_BOOTMODS ) > + { > + /* > + * MAX_NR_BOOTMODS cannot exceed the max for MB1, represented by > 32bits, > + * thus the cast down to a u32 will be safe due to the prior check. > + */ > + BUILD_BUG_ON(MAX_NR_BOOTMODS >= (uint64_t)UINT32_MAX); Because of idx being a signed quantity, isn't INT_MAX the required upper bound? The latest then the somewhat odd cast should also be possible to drop. > + printk(" idx %d exceeds maximum boot modules\n", idx); Perhaps include STR(MAX_NR_BOOTMODS) as well? > --- a/xen/include/xen/libfdt/libfdt-xen.h > +++ b/xen/include/xen/libfdt/libfdt-xen.h > @@ -13,6 +13,63 @@ > > #include <xen/libfdt/libfdt.h> > > +static inline int __init fdt_cell_as_u32(const fdt32_t *cell) Why plain int here, but ... > +{ > + return fdt32_to_cpu(*cell); > +} > + > +static inline uint64_t __init fdt_cell_as_u64(const fdt32_t *cell) ... a fixed-width and unsigned type here? Question is whether the former helper is really warranted. Also nit: Stray double blank. > +{ > + return ((uint64_t)fdt32_to_cpu(cell[0]) << 32) | fdt32_to_cpu(cell[1]); That is - uniformly big endian? > +} Marking such relatively generic inline functions __init is also somewhat risky. > +/* > + * Property: reg > + * > + * Defined in Section 2.3.6 of the Device Tree Specification is the "reg" > + * standard property. The property is a prop-encoded-array that is encoded as > + * an arbitrary number of (address, size) pairs. We only extract a single > + * pair since that is what is used in practice. > + */ > +static inline int __init fdt_get_reg_prop( > + const void *fdt, int node, unsigned int addr_cells, unsigned int > size_cells, > + uint64_t *addr, uint64_t *size) > +{ > + int ret; > + const struct fdt_property *prop; > + fdt32_t *cell; > + > + /* FDT spec max size is 4 (128bit int), but largest arch int size is 64 > */ > + if ( size_cells > 2 || addr_cells > 2 ) > + return -EINVAL; > + > + prop = fdt_get_property(fdt, node, "reg", &ret); > + if ( !prop || ret < sizeof(u32) ) No uses of u32 et al in new code please. Question anyway is whether this isn't meant to be sizeof(*cell) like you have it ... > + return ret < 0 ? ret : -EINVAL; > + > + if ( fdt32_to_cpu(prop->len) != > + ((size_cells + addr_cells) * sizeof(*cell)) ) ... here. Or maybe it's to be sizeof(prop->len)? Also nit: Hard tab slipped in. > + return -EINVAL; > + > + cell = (fdt32_t *)prop->data; > + > + /* read address field */ > + if ( addr_cells == 1 ) > + *addr = fdt_cell_as_u32(cell); > + else > + *addr = fdt_cell_as_u64(cell); > + > + cell += addr_cells; > + > + /* read size field */ > + if ( size_cells == 1 ) > + *size = fdt_cell_as_u32(cell); > + else > + *size = fdt_cell_as_u64(cell); > + > + return 0; > +} Does this really want/need to be an inline function? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.