From patchwork Thu Apr 20 15:12:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julien Grall X-Patchwork-Id: 97828 Delivered-To: patch@linaro.org Received: by 10.140.109.52 with SMTP id k49csp846195qgf; Thu, 20 Apr 2017 08:14:41 -0700 (PDT) X-Received: by 10.202.229.6 with SMTP id c6mr4686172oih.45.1492701281703; Thu, 20 Apr 2017 08:14:41 -0700 (PDT) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120]) by mx.google.com with ESMTPS id m54si1196071otd.313.2017.04.20.08.14.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Apr 2017 08:14:41 -0700 (PDT) Received-SPF: neutral (google.com: 192.237.175.120 is neither permitted nor denied by best guess record for domain of xen-devel-bounces@lists.xen.org) client-ip=192.237.175.120; Authentication-Results: mx.google.com; spf=neutral (google.com: 192.237.175.120 is neither permitted nor denied by best guess record for domain of xen-devel-bounces@lists.xen.org) smtp.mailfrom=xen-devel-bounces@lists.xen.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1d1DlC-00053M-LH; Thu, 20 Apr 2017 15:12:42 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1d1DlB-00052c-Lu for xen-devel@lists.xen.org; Thu, 20 Apr 2017 15:12:41 +0000 Received: from [193.109.254.147] by server-5.bemta-6.messagelabs.com id 34/28-03371-9EFC8F85; Thu, 20 Apr 2017 15:12:41 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrGLMWRWlGSWpSXmKPExsVysyfVTffF+R8 RBnc3SVos+biYxYHR4+ju30wBjFGsmXlJ+RUJrBldWxexF3yTq7iy8ihbA+NpiS5GLg4hgc2M EhfunGGCcE4zStxf1cTSxcjJwSagKXHn8ycmEFtEQFri2ufLjCA2s4CDxJuP98BqhAWiJY5Pm g5WwyKgKjH53x9WEJtXwFLiwOQ7YDUSAvISu9ougsU5Bawkeu5AzBQCqumbtplpAiP3AkaGVY zqxalFZalFupZ6SUWZ6RkluYmZObqGBmZ6uanFxYnpqTmJScV6yfm5mxiB/mUAgh2MdzcFHGK U5GBSEuVVm/sjQogvKT+lMiOxOCO+qDQntfgQowwHh5IEb945oJxgUWp6akVaZg4w0GDSEhw8 SiK8p0HSvMUFibnFmekQqVOMilLivMUgCQGQREZpHlwbLLgvMcpKCfMyAh0ixFOQWpSbWYIq/ 4pRnINRSZh3McgUnsy8Erjpr4AWMwEtPusHtrgkESEl1cA4ZbGJZADPzBVPrPK9Hxneirz9Kr /ttxOnvozhA/tj1a0LPgRnTA+7rnhGY9YWPR+9I22vHK+saeh5WHIpWu9DUMLmzQIpJ1Imrks 1vbTTfk9b+ZFmdsk8C63of+amByvnf1EOEUyz760LdNJdZRB1eGFQQFbQRhtRr1/n5AvXmax8 k1hnaKvEUpyRaKjFXFScCAClerI1aQIAAA== X-Env-Sender: julien.grall@arm.com X-Msg-Ref: server-15.tower-27.messagelabs.com!1492701158!45321922!2 X-Originating-IP: [217.140.101.70] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 9.4.12; banners=-,-,- X-VirusChecked: Checked Received: (qmail 56344 invoked from network); 20 Apr 2017 15:12:40 -0000 Received: from foss.arm.com (HELO foss.arm.com) (217.140.101.70) by server-15.tower-27.messagelabs.com with SMTP; 20 Apr 2017 15:12:40 -0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D1612169F; Thu, 20 Apr 2017 08:12:39 -0700 (PDT) Received: from e108454-lin.cambridge.arm.com (e108454-lin.cambridge.arm.com [10.1.206.53]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 3AC4C3F4FF; Thu, 20 Apr 2017 08:12:39 -0700 (PDT) From: Julien Grall To: xen-devel@lists.xen.org Date: Thu, 20 Apr 2017 16:12:27 +0100 Message-Id: <20170420151228.19158-5-julien.grall@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20170420151228.19158-1-julien.grall@arm.com> References: <20170420151228.19158-1-julien.grall@arm.com> Cc: Julien Grall , sstabellini@kernel.org Subject: [Xen-devel] [PATCH v2 for-4.9 4/5] xen/arm: Check if the FDT passed by the bootloader is valid X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" There is currently no sanity check on the FDT passed by the bootloader. Whilst they are stricly not necessary, it will avoid us to spend hours to try to find out why it does not work. >From the booting documentation for AArch32 [1] and AArch64 [2] must : - be placed on 8-byte boundary - not exceed 2MB (only on AArch64) Even if AArch32 does not seem to limit the size, Xen is not currently able to support more the 2MB FDT. It is better to crash rather with a nice error message than claiming we are supporting any size of FDT. The checks are mostly borrowed from the Linux code (see fixmap_remap_fdt in arch/arm64/mm/mmu.c). [1] Section 2 in linux/Documentation/arm64/booting.txt [2] Section 4b in linux/Documentation/arm/Booting Signed-off-by: Julien Grall Reviewed-by: Stefano Stabellini --- Changes in v2: - Move the \n from the begining of the last line to the end of the first line. The 2 \n are here for clarity - Add missing "." - Add Stefano's reviewed-by --- xen/arch/arm/mm.c | 29 ++++++++++++++++++++++++++++- xen/arch/arm/setup.c | 6 ++++++ xen/include/asm-arm/setup.h | 3 +++ 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c index 97b3209286..f598396994 100644 --- a/xen/arch/arm/mm.c +++ b/xen/arch/arm/mm.c @@ -39,6 +39,8 @@ #include #include #include +#include +#include struct domain *dom_xen, *dom_io, *dom_cow; @@ -474,11 +476,36 @@ void * __init early_fdt_map(paddr_t fdt_paddr) { /* We are using 2MB superpage for mapping the FDT */ paddr_t base_paddr = fdt_paddr & SECOND_MASK; + paddr_t offset; + void *fdt_virt; + + /* + * Check whether the physical FDT address is set and meets the minimum + * alignment requirement. Since we are relying on MIN_FDT_ALIGN to be at + * least 8 bytes so that we always access the magic and size fields + * of the FDT header after mapping the first chunk, double check if + * that is indeed the case. + */ + BUILD_BUG_ON(MIN_FDT_ALIGN < 8); + if ( !fdt_paddr || fdt_paddr % MIN_FDT_ALIGN ) + return NULL; + + /* The FDT is mapped using 2MB superpage */ + BUILD_BUG_ON(BOOT_FDT_VIRT_START % SZ_2M); create_mappings(boot_second, BOOT_FDT_VIRT_START, paddr_to_pfn(base_paddr), SZ_2M >> PAGE_SHIFT, SZ_2M); - return (void *)BOOT_FDT_VIRT_START + (fdt_paddr % SECOND_SIZE); + offset = fdt_paddr % SECOND_SIZE; + fdt_virt = (void *)BOOT_FDT_VIRT_START + offset; + + if ( fdt_magic(fdt_virt) != FDT_MAGIC ) + return NULL; + + if ( fdt_totalsize(fdt_virt) > MAX_FDT_SIZE ) + return NULL; + + return fdt_virt; } void __init remove_early_mappings(void) diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index 986398970f..e2cda1f134 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -725,6 +725,12 @@ void __init start_xen(unsigned long boot_phys_offset, smp_clear_cpu_maps(); device_tree_flattened = early_fdt_map(fdt_paddr); + if ( !device_tree_flattened ) + panic("Invalid device tree blob at physical address %#lx.\n" + "The DTB must be 8-byte aligned and must not exceed 2 MB in size.\n\n" + "Please check your bootloader.", + fdt_paddr); + fdt_size = boot_fdt_info(device_tree_flattened, fdt_paddr); cmdline = boot_fdt_cmdline(device_tree_flattened); diff --git a/xen/include/asm-arm/setup.h b/xen/include/asm-arm/setup.h index 7c761851d2..7ff2c34dab 100644 --- a/xen/include/asm-arm/setup.h +++ b/xen/include/asm-arm/setup.h @@ -3,6 +3,9 @@ #include +#define MIN_FDT_ALIGN 8 +#define MAX_FDT_SIZE SZ_2M + #define NR_MEM_BANKS 64 #define MAX_MODULES 5 /* Current maximum useful modules */