From: "André Przywara" <andre.przywara-5wv7dgnIgG8@public.gmane.org>
To: David Gibson
<david-xT8FGy+AXnRB3Ne2BGzF6laj5H9X9Tb+@public.gmane.org>,
Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Devicetree Compiler
<devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [RFC PATCH 1/2] checks: Validate interrupt-map properties
Date: Fri, 15 May 2020 11:42:09 +0100 [thread overview]
Message-ID: <58d0a2c1-9e11-9330-6300-331af3b7ccfa@arm.com> (raw)
In-Reply-To: <20200514070647.GD2183-K0bRW+63XPQe6aEkudXLsA@public.gmane.org>
On 14/05/2020 08:06, David Gibson wrote:
Hi,
> On Wed, May 13, 2020 at 10:03:14PM -0500, Rob Herring wrote:
>> On Wed, May 13, 2020 at 11:35 AM Andre Przywara <andre.przywara-5wv7dgnIgG8@public.gmane.org> wrote:
>>>
>>> The interrupt-map in an interrupt nexus is quite a tricky property: Each
>>> entry contains five fields, the size of four of those depending on some
>>> *-cells entries from two different nodes. This is even hard to validate
>>> in a .dts file, especially when the associated interrupt controller is
>>> described in a separate (included) file.
>>>
>>> Add checks to validate those entries, by:
>>> - Checking some basic properties of the interrupt nexus node.
>>> - Checking that a map entry contains at least enough cells to point to
>>> the associated interrupt controller.
>>> - Checking that the phandle points to an actual interrupt controller.
>>> - Checking that there are enough entries to describe an interrupt in
>>> that interrupt controller's domain.
>>>
>>> If each iteration passes and we exhaust exactly all the cells in the
>>> interrupt-map property, the check passes.
>>> Report errors on the way, and abort the check if that happens.
>>>
>>> Signed-off-by: Andre Przywara <andre.przywara-5wv7dgnIgG8@public.gmane.org>
>>> ---
>>> checks.c | 86 +++++++++++++++++++++++++++++++++++++++++++++
>>> tests/bad-interrupt-map.dts | 21 +++++++++++
>>> tests/run_tests.sh | 2 ++
>>> 3 files changed, 109 insertions(+)
>>> create mode 100644 tests/bad-interrupt-map.dts
>>>
>>> diff --git a/checks.c b/checks.c
>>> index 4b3c486..12518db 100644
>>> --- a/checks.c
>>> +++ b/checks.c
>>> @@ -924,6 +924,90 @@ static void check_pci_device_reg(struct check *c, struct dt_info *dti, struct no
>>> }
>>> WARNING(pci_device_reg, check_pci_device_reg, NULL, ®_format, &pci_bridge);
>>>
>>> +static void check_interrupt_map(struct check *c, struct dt_info *dti,
>>> + struct node *node)
>>> +{
>>> + struct property *map = get_property(node, "interrupt-map");
>>> + struct property *prop;
>>> + int i, cells, irq_cells;
>>> +
>>> + /* We are only interested in interrupt nexus nodes. */
>>> + if (!map)
>>> + return;
>>> +
>>> + if (map->val.len % sizeof(cell_t)) {
>>> + FAIL_PROP(c, dti, node, map, "invalid length of interrupt-map");
>>
>> It's good to say what size you found and what was expected.
>>
>>> + return;
>>> + }
>>> + cells = map->val.len / sizeof(cell_t);
>>> +
>>> + prop = get_property(node, "#interrupt-cells");
>>> + if (!prop) {
>>> + FAIL(c, dti, node, "missing #interrupt-cells in nexus\n");
>>> + return;
>>> + }
>>> + irq_cells = propval_cell(prop);
>>> +
>>> + for (i = 0; i < cells;) {
>>> + int phandle_idx = i + node_addr_cells(node) + irq_cells;
>>
>> IIRC, node_addr_cells() will give you a default if not found which is
>> not really what you want.
>
> Using the default seems right to me. We might want a warning in that
> case, but I don't think it belongs in this test.
>
>>> + cell_t intc_phandle, intc_irq_cells, intc_addr_cells;
>>> + struct node *intc = NULL;
>>> +
>>> + if (phandle_idx + 1 >= cells) {
>>> + FAIL_PROP(c, dti, node, map,
>>> + "insufficient cells for interrupt-map entry");
>>> + return;
>>> + }
>>> + intc_phandle = propval_cell_n(map, phandle_idx);
>>> + /* Avoid the assert in get_node_by_phandle(). */
>>> + if (intc_phandle != 0)
>>> + intc = get_node_by_phandle(dti->dt, intc_phandle);
>
> This will always fail the check if the phandle is an unresolved
> reference, which is likely for an overlay dt.
I don't know much about overlays, but is this a valid use case for an
interrupt controller? Or don't we make any assumptions about what
devices can be unresolved?
And without that the assert in get_node_by_phandle() fires if the
phandle is 0 (which is a common case if the interrupt map is wrong). But
that will kill dtc, and not translate the DT. I don't think this is
desirable.
Any ideas what I could do instead?
>>> + if (!intc) {
>>> + FAIL_PROP(c, dti, node, map,
>>> + "invalid phandle for interrupt-map entry");
>>> + return;
>>> + }
>>> +
>>> + prop = get_property(intc, "interrupt-controller");
>>> + if (!prop) {
>>> + FAIL_PROP(c,dti, node, map,
>>> + "interrupt-map phandle does not point to interrupt controller");
>>
>> interrupt-map can point to another interrupt-map.
>
> Right.
>
>>> + return;
>>> + }
>>> +
>>> + prop = get_property(intc, "#address-cells");
>>> + if (!prop) {
>>> + FAIL_PROP(c,dti, node, map,
>>> + "interrupt-controller misses #address-cells property");
>
> "is missing", or simply "missing" would be more normal english than
> "misses" (here and elsewhere).
Yeah, I was miserly over the 80 characters ;-)
>>> + /*
>>> + * Linux treats non-existing #address-cells in the
>>> + * interrupt parent as 0, and not 2, as the spec
>>> + * suggests. Deal with that, but print the warning,
>>> + * since we should have an explicit #a-c = 0 in the
>>> + * controller node in this case.
>>
>> IMO, we should not print a warning. Or make it separately enabled.
>
> I tend to agree. A separate check to warn for an interrupt controller
> (or nexus) without #address-cells seems like a good idea.
Yes, will do that.
Many thanks for having a look!
Cheers,
Andre
>>> + */
>>> + intc_addr_cells = 0;
>>> + } else
>>> + intc_addr_cells = propval_cell(prop);
>>> +
>>> + prop = get_property(intc, "#interrupt-cells");
>>> + if (!prop) {
>>> + FAIL_PROP(c,dti, node, map,
>>> + "interrupt-controller misses #interrupt-cells property");
>>> + return;
>>> + }
>>> + intc_irq_cells = propval_cell(prop);
>>> +
>>> + if (phandle_idx + intc_addr_cells + intc_irq_cells >= cells) {
>>> + FAIL_PROP(c, dti, node, map,
>>> + "insufficient cells for interrupt-map entry");
>>> + return;
>>> + }
>>> + i = phandle_idx + 1 + intc_addr_cells + intc_irq_cells;
>>> + }
>>> +}
>>> +WARNING(interrupt_map, check_interrupt_map, NULL);
>>> +
>>> static const struct bus_type simple_bus = {
>>> .name = "simple-bus",
>>> };
>>> @@ -1792,6 +1876,8 @@ static struct check *check_table[] = {
>>> &pci_device_reg,
>>> &pci_device_bus_num,
>>>
>>> + &interrupt_map,
>>> +
>>> &simple_bus_bridge,
>>> &simple_bus_reg,
>>>
>>> diff --git a/tests/bad-interrupt-map.dts b/tests/bad-interrupt-map.dts
>>> new file mode 100644
>>> index 0000000..cf9618f
>>> --- /dev/null
>>> +++ b/tests/bad-interrupt-map.dts
>>> @@ -0,0 +1,21 @@
>>> +/dts-v1/;
>>> +
>>> +/ {
>>> + intc: interrupt-controller {
>>> + interrupt-controller;
>>> + #address-cells = <2>;
>>> + #interrupt-cells = <3>;
>>> + };
>>> +
>>> + nexus-node {
>>> + #address-cells = <1>;
>>> + #interrupt-cells = <1>;
>>> +/*
>>> + * The cells after the phandle are the address in the interrupt controller's
>>> + * domain. This here encodes 0 cells , but the actual number is 2 above.
>>> + */
>>> + interrupt-map = <0 0 &intc 1 42 4>,
>>> + <0 1 &intc 1 43 4>,
>>> + <0 2 &intc 1 44 4>;
>>> + };
>>> +};
>>> diff --git a/tests/run_tests.sh b/tests/run_tests.sh
>>> index eccb85d..aec92fb 100755
>>> --- a/tests/run_tests.sh
>>> +++ b/tests/run_tests.sh
>>> @@ -732,6 +732,8 @@ dtc_tests () {
>>> check_tests "$SRCDIR/pci-bridge-bad1.dts" pci_bridge
>>> check_tests "$SRCDIR/pci-bridge-bad2.dts" pci_bridge
>>>
>>> + check_tests "$SRCDIR/bad-interrupt-map.dts" interrupt_map
>>> +
>>> check_tests "$SRCDIR/unit-addr-simple-bus-reg-mismatch.dts" simple_bus_reg
>>> check_tests "$SRCDIR/unit-addr-simple-bus-compatible.dts" simple_bus_reg
>>>
>>>
>>
>
next prev parent reply other threads:[~2020-05-15 10:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 16:33 [RFC PATCH 0/2] dtc: checks: Validate interrupt-map properties Andre Przywara
[not found] ` <20200513163339.29607-1-andre.przywara-5wv7dgnIgG8@public.gmane.org>
2020-05-13 16:33 ` [RFC PATCH 1/2] " Andre Przywara
[not found] ` <20200513163339.29607-2-andre.przywara-5wv7dgnIgG8@public.gmane.org>
2020-05-14 3:03 ` Rob Herring
[not found] ` <CAL_JsqKPTzb=0h4fCpHh+p=SanTDuVj8W-H8pj7EQ7LJxFySAQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2020-05-14 7:06 ` David Gibson
[not found] ` <20200514070647.GD2183-K0bRW+63XPQe6aEkudXLsA@public.gmane.org>
2020-05-15 10:42 ` André Przywara [this message]
2020-05-15 10:17 ` André Przywara
2020-05-13 16:33 ` [RFC PATCH 2/2] checks: interrupt-map: Dump entries on error Andre Przywara
[not found] ` <20200513163339.29607-3-andre.przywara-5wv7dgnIgG8@public.gmane.org>
2020-05-14 3:08 ` Rob Herring
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58d0a2c1-9e11-9330-6300-331af3b7ccfa@arm.com \
--to=andre.przywara-5wv7dgnigg8@public.gmane.org \
--cc=david-xT8FGy+AXnRB3Ne2BGzF6laj5H9X9Tb+@public.gmane.org \
--cc=devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).