ext: Sync ext-libfdt with dtc v1.7.2#3037
Conversation
There was a problem hiding this comment.
Pull request overview
This PR refreshes the vendored ext/libfdt snapshot to match dtc v1.7.2, primarily to resolve Clang 21’s -Wtautological-compare failures by moving bounds checks into integer space and updating the library’s internal probing/checking logic.
Changes:
- Update libfdt headers and core implementation to the dtc v1.7.2 API/behavior (new probing helpers, new error codes, updated helpers/macros).
- Add new dtc v1.7.2 libfdt modules (
fdt_overlay.c,fdt_check.c,fdt_addresses.c) and update documentation to point at the upstream source/release. - Adjust SCons build metadata/comments for the ext library.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| ext/libfdt/libfdt_internal.h | Updates internal helper API, adds assumption-masking helpers used by the refreshed libfdt. |
| ext/libfdt/libfdt_env.h | Updates environment/typing helpers and adds portability glue (e.g., Apple strnlen fallback). |
| ext/libfdt/libfdt.h | Large API refresh: new helpers (unaligned loads/stores), new traversal helpers, new overlay/address APIs, new error codes. |
| ext/libfdt/fdt_wip.c | Updates write-in-place functions; adds fdt_setprop_inplace_namelen_partial(). |
| ext/libfdt/fdt_sw.c | Refreshes sequential-write implementation with probe/state handling and new creation flags/APIs. |
| ext/libfdt/fdt_strerror.c | Expands strerror table for new error codes and updates formatting. |
| ext/libfdt/fdt_rw.c | Refreshes RW editing logic and introduces new splice/probe helpers and placeholder APIs. |
| ext/libfdt/fdt_ro.c | Refreshes RO helpers; adds string/phandle utilities and strengthens validation paths. |
| ext/libfdt/fdt_overlay.c | New overlay application support from dtc v1.7.2. |
| ext/libfdt/fdt_empty_tree.c | Minor updates to match refreshed API/headers. |
| ext/libfdt/fdt_check.c | New “full DTB validation” helper (fdt_check_full()). |
| ext/libfdt/fdt_addresses.c | New address/size-cells helpers and fdt_appendprop_addrrange(). |
| ext/libfdt/fdt.h | Refreshes core structs/macros (flexible array members, updated headers/guards). |
| ext/libfdt/fdt.c | Implements new probe/header-size logic and replaces pointer-overflow checks with integer-space checks. |
| ext/libfdt/SConscript | Updates metadata and (currently) leaves new modules commented out from the build list. |
| ext/libfdt/README | Updates provenance text to reference upstream dtc repo and v1.7.2 release tag. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
018cf02 to
53584ab
Compare
Clang 21 introduces `-Wtautological-compare`, which causes our 2013-era `libfdt` snapshot to fail because it tries to spot overflow with `if (p + len < p)` pointer arithmetic (see here: https://github.com/gem5/gem5/blob/7a2b0e413d06c5ce7097104abef3b1d9eaabca91/ext/libfdt/fdt.c#L67). The warning/error returned is: ``` [ SHCC] ext/libfdt/fdt_ro.c -> ALL/ext/libfdt/fdt_ro.os ext/libfdt/fdt.c:67:21: error: pointer comparison always evaluates to false [-Werror,-Wtautological-compare] ``` This change refreshes `ext/libfdt` to the version shipped with the lastest releast of dtc - v1.7.2. The newer code performs its bounds checking in integer space, so the new clang warning goes away while keeping the same behaviour.
53584ab to
91fa71a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 17 out of 17 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| for (i = 0; i < fixup_len; i++) { | ||
| fdt32_t *refp; | ||
|
|
||
| refp = (fdt32_t *)(tree_val + fdt32_ld_(fixup_val + i)); | ||
|
|
||
| /* | ||
| * phandles to fixup can be unaligned, so use | ||
| * fdt32_{ld,st}() to read/write them. | ||
| */ | ||
| fdt32_st(refp, fdt32_ld(refp) + delta); |
There was a problem hiding this comment.
The fixup offset read from __local_fixups__ (fdt32_ld_(fixup_val + i)) is used to form refp without validating it against tree_len. A malformed overlay can make this read/write outside the property buffer. Validate that each offset is within [0, tree_len - sizeof(fdt32_t)] (and consider overflow/unaligned cases) before calling fdt32_ld/st.
| for (i = 0; i < fixup_len; i++) { | ||
| fdt32_t *refp; | ||
| uint32_t valp; | ||
|
|
||
| refp = (fdt32_t *)(tree_val + fdt32_ld_(fixup_val + i)); | ||
| valp = fdt32_ld(refp); | ||
|
|
||
| if (valp == fdto_phandle) | ||
| fdt32_st(refp, fdt_phandle); |
There was a problem hiding this comment.
Same as above: the fixup-provided offset is used to compute refp without checking it is within the bounds of tree_val/tree_len, which can lead to out-of-bounds reads/writes when resolving conflicting references. Add bounds/overflow checks for each fixup offset before dereferencing.
| poffset = strtoul(sep + 1, &endptr, 10); | ||
| if ((*endptr != '\0') || (endptr <= (sep + 1))) | ||
| return -FDT_ERR_BADOVERLAY; |
There was a problem hiding this comment.
poffset is parsed with strtoul() but stored in an int and then passed on as an offset into a property value. This can overflow/truncate on large inputs and, combined with the lack of robust overflow checking in the inplace setter, can lead to incorrect bounds checks. Parse into an unsigned type and validate the range (e.g., <= UINT32_MAX and within the target property's length).
| * Internal helpers to access tructural elements of the device tree | ||
| * blob (rather than for exaple reading integers from within property |
There was a problem hiding this comment.
Typo in comment: "tructural" → "structural".
| * Internal helpers to access tructural elements of the device tree | |
| * blob (rather than for exaple reading integers from within property | |
| * Internal helpers to access structural elements of the device tree | |
| * blob (rather than for example reading integers from within property |
| return rsv_table + n; | ||
| /* | ||
| * Internal helpers to access tructural elements of the device tree | ||
| * blob (rather than for exaple reading integers from within property |
There was a problem hiding this comment.
Typo in comment: "exaple" → "example".
| * blob (rather than for exaple reading integers from within property | |
| * blob (rather than for example reading integers from within property |
| * signature or hash check before using libfdt. | ||
| * | ||
| * For situations where security is not a concern it may be safe to enable | ||
| * ASSUME_SANE. |
There was a problem hiding this comment.
The comment suggests enabling ASSUME_SANE, but there is no ASSUME_SANE value in the ASSUME_... enum below. This is confusing for anyone configuring FDT_ASSUME_MASK; please update the comment to reference the actual assumption(s) intended (e.g., ASSUME_VALID_DTB / ASSUME_VALID_INPUT) or remove the mention.
| * ASSUME_SANE. | |
| * less-strict assumptions. |
| #include "libfdt_env.h" | ||
|
|
||
| #include <fdt.h> | ||
| #include <libfdt.h> | ||
|
|
||
| #include "libfdt_internal.h" |
There was a problem hiding this comment.
This source file defines public APIs declared in libfdt.h (e.g., fdt_overlay_apply() / fdt_overlay_target_offset()), but ext/libfdt/SConscript currently only builds a fixed list of .c files and does not include fdt_overlay.c (nor the other newly added sources like fdt_check.c / fdt_addresses.c). Unless the build script is updated, these symbols won't be part of libfdt and may cause link errors when used.
Clang 21 introduces `-Wtautological-compare`, which causes our 2013-era `libfdt` snapshot to fail because it tries to spot overflow with `if (p + len < p)` pointer arithmetic (see here: https://github.com/gem5/gem5/blob/7a2b0e413d06c5ce7097104abef3b1d9eaabca91/ext/libfdt/fdt.c#L67). The warning/error returned is: ``` [ SHCC] ext/libfdt/fdt_ro.c -> ALL/ext/libfdt/fdt_ro.os ext/libfdt/fdt.c:67:21: error: pointer comparison always evaluates to false [-Werror,-Wtautological-compare] ``` This change refreshes `ext/libfdt` to the version shipped with the lastest releast of dtc - v1.7.2. The newer code performs its bounds checking in integer space, so the new clang warning goes away while keeping the same behaviour.
Clang 21 introduces
-Wtautological-compare, which causes our 2013-eralibfdtsnapshot to fail because it tries to spot overflow withif (p + len < p)pointer arithmetic (see here:gem5/ext/libfdt/fdt.c
Line 67 in 7a2b0e4
This change refreshes
ext/libfdtto the version shipped with the lastest releast of dtc - v1.7.2. The newer code performs its bounds checking in integer space, so the new clang warning goes away while keeping the same behaviour.