From mboxrd@z Thu Jan 1 00:00:00 1970 From: Guenter Roeck Date: Thu, 15 Apr 2021 18:47:50 -0700 Subject: [PATCH] watchdog: aspeed: fix integer overflow in set_timeout handler In-Reply-To: <20210416010444.GA17388@taoren-ubuntu-R90MNF91> References: <20210416001208.16788-1-rentao.bupt@gmail.com> <469ac948-d65b-471f-102f-726466c19c5c@roeck-us.net> <20210416010444.GA17388@taoren-ubuntu-R90MNF91> Message-ID: <20210416014750.GA53153@roeck-us.net> List-Id: To: linux-aspeed@lists.ozlabs.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Thu, Apr 15, 2021 at 06:04:45PM -0700, Tao Ren wrote: > On Thu, Apr 15, 2021 at 05:50:32PM -0700, Guenter Roeck wrote: > > On 4/15/21 5:12 PM, rentao.bupt at gmail.com wrote: > > > From: Tao Ren > > > > > > Fix the time comparison (timeout vs. max_hw_heartbeat_ms) in set_timeout > > > handler to avoid potential integer overflow when the supplied timeout is > > > greater than aspeed's maximum allowed timeout (4294 seconds). > > > > > > Fixes: efa859f7d786 ("watchdog: Add Aspeed watchdog driver") > > > Reported-by: Amithash Prasad > > > Signed-off-by: Tao Ren > > > --- > > > drivers/watchdog/aspeed_wdt.c | 5 ++--- > > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > > > diff --git a/drivers/watchdog/aspeed_wdt.c b/drivers/watchdog/aspeed_wdt.c > > > index 7e00960651fa..9f77272dc906 100644 > > > --- a/drivers/watchdog/aspeed_wdt.c > > > +++ b/drivers/watchdog/aspeed_wdt.c > > > @@ -145,9 +145,8 @@ static int aspeed_wdt_set_timeout(struct watchdog_device *wdd, > > > struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); > > > u32 actual; > > > > > > - wdd->timeout = timeout; > > > - > > > - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); > > > + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); > > > + wdd->timeout = actual; > > > > > > writel(actual * WDT_RATE_1MHZ, wdt->base + WDT_RELOAD_VALUE); > > > writel(WDT_RESTART_MAGIC, wdt->base + WDT_RESTART); > > > > > > > If the provided timeout is larger than the supported hardware timeout, > > the watchdog core will ping the hardware on behalf of userspace. > > The above code would defeat that mechanism for no good reason. > > > > NACK. > > > > Guenter > > Thanks Guenter for Joel for the quick review! > > The integer overflow happens at (actual * WDT_RATE_1MHZ). For example, > if a user tries to set timeout to 4295 seconds, then the hardware would > be programmed to timeout after about 32 milliseconds. I would say this > behavior is not expected? The fix would be - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); without modifying wdd->timeout = timeout; The real problem here is that "wdd->max_hw_heartbeat_ms * 1000" is simply wrong. The overflow is a side effect of the wrong calculation, and concentrating on it disguises the real problem. Guenter From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.3 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26223C433ED for ; Fri, 16 Apr 2021 01:47:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EE35061153 for ; Fri, 16 Apr 2021 01:47:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237913AbhDPBsS (ORCPT ); Thu, 15 Apr 2021 21:48:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45318 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236309AbhDPBsR (ORCPT ); Thu, 15 Apr 2021 21:48:17 -0400 Received: from mail-oo1-xc2b.google.com (mail-oo1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BF023C061574; Thu, 15 Apr 2021 18:47:53 -0700 (PDT) Received: by mail-oo1-xc2b.google.com with SMTP id t140-20020a4a3e920000b02901e5c1add773so4584769oot.1; Thu, 15 Apr 2021 18:47:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=UgBBUVAqc4CENsYCf/ojNPO1ZPTgTsAk4TJbHpjpwOyQbm4CcFUR9iKKjwd7f3trYm RUh5XXD4mVL/aMvqLe1V0jnQb71SvkZ2dEQ9y2CSLo+05E1Rw+gYzyhsJNkdcjqGs4r0 b9zsV1ksmtXp3iMK1dJnfkEvi+xTT9+SsKzNGhxp72doiKRYtmw1wr4Nw3YiUfm3s3eb thhJ4kcRh7J/eBakmlhv2iVxYj3PW0T8vzYVhnaFCMaDHGmqOt0YdSsvTBUNcUSTWGEf HCkNzWy/Ajhobav9GR62kswu4UNlPLIQ7sJYzp1+LtMcFRDrBmLwUhwzynFzTxsYnJ9c nxYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=cgA1WZ1xBgAjPCnKOL1R4W8ojS+qJj8wshsml12n/YvjIVy479xSYx0e/dVuCk043P xLxhyrzTq986h7sr7jChvhjt3V7V99A3I0VzDEAOqdQbkLr23RT28Rjs4acqfkK6VlvB GwRU99QEk2K/Wzr/mg8CfmOCZi18quiLEU7S8i4suhd+uTxxnAPM71o3enB9t100xgry J9gGKvPb+mwhrVu9Fyax1MUde4/NvJcceGADB9t2oeqhemENjLyU/OXhBTSZSuenhKAK CqUpCQ1GnxKelRpjnrhpiqkd1QS7hQsx3FjoXh36EV2AhN1FsPf219cTjDAIofuZTH8H AGnA== X-Gm-Message-State: AOAM530FTmtqPved9inKkl5xdJuGfy86wkEvORm8j+v0BRtMQ20D1YvB Imr/+i3XJwvz/Exk/Hvyit0A+y6dOUw= X-Google-Smtp-Source: ABdhPJxVohYKe/p+xqyc6ZQQ7pdzt88IO0cmHzq0/doj37HzgGpfByJRr0/mpXjMFZYKPe+KRgJmWA== X-Received: by 2002:a4a:4304:: with SMTP id k4mr1585462ooj.42.1618537673101; Thu, 15 Apr 2021 18:47:53 -0700 (PDT) Received: from localhost ([2600:1700:e321:62f0:329c:23ff:fee3:9d7c]) by smtp.gmail.com with ESMTPSA id e44sm1067754ote.21.2021.04.15.18.47.51 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 15 Apr 2021 18:47:52 -0700 (PDT) Sender: Guenter Roeck Date: Thu, 15 Apr 2021 18:47:50 -0700 From: Guenter Roeck To: Tao Ren Cc: Wim Van Sebroeck , Joel Stanley , Andrew Jeffery , linux-watchdog@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, openbmc@lists.ozlabs.org, Tao Ren , Amithash Prasad Subject: Re: [PATCH] watchdog: aspeed: fix integer overflow in set_timeout handler Message-ID: <20210416014750.GA53153@roeck-us.net> References: <20210416001208.16788-1-rentao.bupt@gmail.com> <469ac948-d65b-471f-102f-726466c19c5c@roeck-us.net> <20210416010444.GA17388@taoren-ubuntu-R90MNF91> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210416010444.GA17388@taoren-ubuntu-R90MNF91> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-watchdog@vger.kernel.org On Thu, Apr 15, 2021 at 06:04:45PM -0700, Tao Ren wrote: > On Thu, Apr 15, 2021 at 05:50:32PM -0700, Guenter Roeck wrote: > > On 4/15/21 5:12 PM, rentao.bupt@gmail.com wrote: > > > From: Tao Ren > > > > > > Fix the time comparison (timeout vs. max_hw_heartbeat_ms) in set_timeout > > > handler to avoid potential integer overflow when the supplied timeout is > > > greater than aspeed's maximum allowed timeout (4294 seconds). > > > > > > Fixes: efa859f7d786 ("watchdog: Add Aspeed watchdog driver") > > > Reported-by: Amithash Prasad > > > Signed-off-by: Tao Ren > > > --- > > > drivers/watchdog/aspeed_wdt.c | 5 ++--- > > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > > > diff --git a/drivers/watchdog/aspeed_wdt.c b/drivers/watchdog/aspeed_wdt.c > > > index 7e00960651fa..9f77272dc906 100644 > > > --- a/drivers/watchdog/aspeed_wdt.c > > > +++ b/drivers/watchdog/aspeed_wdt.c > > > @@ -145,9 +145,8 @@ static int aspeed_wdt_set_timeout(struct watchdog_device *wdd, > > > struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); > > > u32 actual; > > > > > > - wdd->timeout = timeout; > > > - > > > - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); > > > + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); > > > + wdd->timeout = actual; > > > > > > writel(actual * WDT_RATE_1MHZ, wdt->base + WDT_RELOAD_VALUE); > > > writel(WDT_RESTART_MAGIC, wdt->base + WDT_RESTART); > > > > > > > If the provided timeout is larger than the supported hardware timeout, > > the watchdog core will ping the hardware on behalf of userspace. > > The above code would defeat that mechanism for no good reason. > > > > NACK. > > > > Guenter > > Thanks Guenter for Joel for the quick review! > > The integer overflow happens at (actual * WDT_RATE_1MHZ). For example, > if a user tries to set timeout to 4295 seconds, then the hardware would > be programmed to timeout after about 32 milliseconds. I would say this > behavior is not expected? The fix would be - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); without modifying wdd->timeout = timeout; The real problem here is that "wdd->max_hw_heartbeat_ms * 1000" is simply wrong. The overflow is a side effect of the wrong calculation, and concentrating on it disguises the real problem. Guenter From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.1 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D6731C433ED for ; Fri, 16 Apr 2021 01:54:35 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3BC0B61158 for ; Fri, 16 Apr 2021 01:54:35 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3BC0B61158 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=roeck-us.net Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=openbmc-bounces+openbmc=archiver.kernel.org@lists.ozlabs.org Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4FLzm90rQcz3brV for ; Fri, 16 Apr 2021 11:54:33 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=UgBBUVAq; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::b2f; helo=mail-yb1-xb2f.google.com; envelope-from=groeck7@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=UgBBUVAq; dkim-atps=neutral Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4FLzlh4Ds6z2xb6; Fri, 16 Apr 2021 11:54:06 +1000 (AEST) Received: by mail-yb1-xb2f.google.com with SMTP id z1so28347645ybf.6; Thu, 15 Apr 2021 18:54:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=UgBBUVAqc4CENsYCf/ojNPO1ZPTgTsAk4TJbHpjpwOyQbm4CcFUR9iKKjwd7f3trYm RUh5XXD4mVL/aMvqLe1V0jnQb71SvkZ2dEQ9y2CSLo+05E1Rw+gYzyhsJNkdcjqGs4r0 b9zsV1ksmtXp3iMK1dJnfkEvi+xTT9+SsKzNGhxp72doiKRYtmw1wr4Nw3YiUfm3s3eb thhJ4kcRh7J/eBakmlhv2iVxYj3PW0T8vzYVhnaFCMaDHGmqOt0YdSsvTBUNcUSTWGEf HCkNzWy/Ajhobav9GR62kswu4UNlPLIQ7sJYzp1+LtMcFRDrBmLwUhwzynFzTxsYnJ9c nxYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=FANbvXILkcRVYlkrOYTU3edOCFhmBm+AUW9eERsqXhZWMtYYbBxmLwnVFcgjMql4Ft STulxxe7c9FBj4nnC8Y04HM3pN4l6emUUJx1x2FdW6XMV5zLBzjAyjHuD46hfKxiRxqX 9mXbJU4/0lQOA4LLY6CABWi8VirK2xb8LTRhvrbE9wb5ZGyUbCLyAdqlD4wBvLRfY5ia r3HZr6QHhCooHrs8YY2euH5E55XIGiP2ZYEQAkxUyl4zJaTuvEMcI/RM3Qr6UWg5ZO8l LLUMoKP9NBH/IPUp/heAi6c/J4fGD3RPzstM1KN4217um4Ha/d0Ceu8wTcYg4YQdtEVy rUzQ== X-Gm-Message-State: AOAM5321Ar1V2pmrzGvIGX31z0ylsuExWyn+gXxQj3UUZz0xgKokU6Bu nrdjbG+a1cEYgM88r2BsGV/TD3uzs7s= X-Google-Smtp-Source: ABdhPJxVohYKe/p+xqyc6ZQQ7pdzt88IO0cmHzq0/doj37HzgGpfByJRr0/mpXjMFZYKPe+KRgJmWA== X-Received: by 2002:a4a:4304:: with SMTP id k4mr1585462ooj.42.1618537673101; Thu, 15 Apr 2021 18:47:53 -0700 (PDT) Received: from localhost ([2600:1700:e321:62f0:329c:23ff:fee3:9d7c]) by smtp.gmail.com with ESMTPSA id e44sm1067754ote.21.2021.04.15.18.47.51 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 15 Apr 2021 18:47:52 -0700 (PDT) Date: Thu, 15 Apr 2021 18:47:50 -0700 From: Guenter Roeck To: Tao Ren Subject: Re: [PATCH] watchdog: aspeed: fix integer overflow in set_timeout handler Message-ID: <20210416014750.GA53153@roeck-us.net> References: <20210416001208.16788-1-rentao.bupt@gmail.com> <469ac948-d65b-471f-102f-726466c19c5c@roeck-us.net> <20210416010444.GA17388@taoren-ubuntu-R90MNF91> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210416010444.GA17388@taoren-ubuntu-R90MNF91> User-Agent: Mutt/1.9.4 (2018-02-28) X-BeenThere: openbmc@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development list for OpenBMC List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-watchdog@vger.kernel.org, linux-aspeed@lists.ozlabs.org, Andrew Jeffery , Tao Ren , openbmc@lists.ozlabs.org, linux-kernel@vger.kernel.org, Amithash Prasad , Wim Van Sebroeck , linux-arm-kernel@lists.infradead.org Errors-To: openbmc-bounces+openbmc=archiver.kernel.org@lists.ozlabs.org Sender: "openbmc" On Thu, Apr 15, 2021 at 06:04:45PM -0700, Tao Ren wrote: > On Thu, Apr 15, 2021 at 05:50:32PM -0700, Guenter Roeck wrote: > > On 4/15/21 5:12 PM, rentao.bupt@gmail.com wrote: > > > From: Tao Ren > > > > > > Fix the time comparison (timeout vs. max_hw_heartbeat_ms) in set_timeout > > > handler to avoid potential integer overflow when the supplied timeout is > > > greater than aspeed's maximum allowed timeout (4294 seconds). > > > > > > Fixes: efa859f7d786 ("watchdog: Add Aspeed watchdog driver") > > > Reported-by: Amithash Prasad > > > Signed-off-by: Tao Ren > > > --- > > > drivers/watchdog/aspeed_wdt.c | 5 ++--- > > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > > > diff --git a/drivers/watchdog/aspeed_wdt.c b/drivers/watchdog/aspeed_wdt.c > > > index 7e00960651fa..9f77272dc906 100644 > > > --- a/drivers/watchdog/aspeed_wdt.c > > > +++ b/drivers/watchdog/aspeed_wdt.c > > > @@ -145,9 +145,8 @@ static int aspeed_wdt_set_timeout(struct watchdog_device *wdd, > > > struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); > > > u32 actual; > > > > > > - wdd->timeout = timeout; > > > - > > > - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); > > > + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); > > > + wdd->timeout = actual; > > > > > > writel(actual * WDT_RATE_1MHZ, wdt->base + WDT_RELOAD_VALUE); > > > writel(WDT_RESTART_MAGIC, wdt->base + WDT_RESTART); > > > > > > > If the provided timeout is larger than the supported hardware timeout, > > the watchdog core will ping the hardware on behalf of userspace. > > The above code would defeat that mechanism for no good reason. > > > > NACK. > > > > Guenter > > Thanks Guenter for Joel for the quick review! > > The integer overflow happens at (actual * WDT_RATE_1MHZ). For example, > if a user tries to set timeout to 4295 seconds, then the hardware would > be programmed to timeout after about 32 milliseconds. I would say this > behavior is not expected? The fix would be - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); without modifying wdd->timeout = timeout; The real problem here is that "wdd->max_hw_heartbeat_ms * 1000" is simply wrong. The overflow is a side effect of the wrong calculation, and concentrating on it disguises the real problem. Guenter From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.3 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F00E2C433B4 for ; Fri, 16 Apr 2021 01:50:09 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 661A2610F7 for ; Fri, 16 Apr 2021 01:50:09 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 661A2610F7 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=roeck-us.net Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=nXja4vdav91Qq7POyVzmXd40Omq0KrFowRHQ0jXQu1w=; b=rWmpI3LPI8G84yUzBHTUbBaHX KSsHnU9ON4RJV7NZcpP5ZcyrYFfqQRKHdARfnYStALgkp5Q1K/N97KuXKY3xruli2HTSXgs4t40P+ VcQdFp/8YK5+mxcPHUQeMAT85Eyz7QMrRqkNEABufsA4TlFcdTTi92L4C68hMPENMHXWrMD+rUGhV qyZwPrKrCKQsIN8sN36AKEhpiq5wmNZOeMklR0FTuUjj8FJT8uB6GrXnebaFzXMBZEjjuSe1cQJY8 xKbY3Pf2onY6eASUqUX+r1OnjMlTcewjr8jgu9VIY84F31XiU22D5Jl6KZPEBhSyRb+McClzbOPQd iQ0qhoCZg==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lXDaV-000PeU-Uu; Fri, 16 Apr 2021 01:48:04 +0000 Received: from bombadil.infradead.org ([2607:7c80:54:e::133]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lXDaR-000Pdv-BG for linux-arm-kernel@desiato.infradead.org; Fri, 16 Apr 2021 01:47:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=In-Reply-To:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=W0jZivbSG6ecF+5JXzXYgAqHXS cbv5FFl3vcYxO7Uihn5WoofOQz1z6EvBnqcFOmoeUfg5F1gBaoqqmG8YZEEqzW0L+J+hp0qguOf1r zSZH4GgdBspSa+xDWZboz6xmnEKv+iHwTwsfO3LYSsxz3yAM8SSSxg3YCmDkBwAc24CmJjkHWZ+o2 RKYIGHtJMYr00ifJtbLrfzx21NWc3LfowxfMGtkihtVCYG55gMSIcwUBg/23863OVy5oWrEVHS9Ey zjo9oQ4xLsu5N0QLSITr2DSeGLSPTwvqAl4QGGmWbD5qxc2dnrqRcJYIGKOMe0iCUsEenSEHLNdiv 39JvLoAg==; Received: from mail-oo1-xc30.google.com ([2607:f8b0:4864:20::c30]) by bombadil.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lXDaO-0091Od-OP for linux-arm-kernel@lists.infradead.org; Fri, 16 Apr 2021 01:47:58 +0000 Received: by mail-oo1-xc30.google.com with SMTP id i25-20020a4aa1190000b02901bbd9429832so5835523ool.0 for ; Thu, 15 Apr 2021 18:47:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=UgBBUVAqc4CENsYCf/ojNPO1ZPTgTsAk4TJbHpjpwOyQbm4CcFUR9iKKjwd7f3trYm RUh5XXD4mVL/aMvqLe1V0jnQb71SvkZ2dEQ9y2CSLo+05E1Rw+gYzyhsJNkdcjqGs4r0 b9zsV1ksmtXp3iMK1dJnfkEvi+xTT9+SsKzNGhxp72doiKRYtmw1wr4Nw3YiUfm3s3eb thhJ4kcRh7J/eBakmlhv2iVxYj3PW0T8vzYVhnaFCMaDHGmqOt0YdSsvTBUNcUSTWGEf HCkNzWy/Ajhobav9GR62kswu4UNlPLIQ7sJYzp1+LtMcFRDrBmLwUhwzynFzTxsYnJ9c nxYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=t56dQKxoANCG3Oiet8IMk4GlydjPpRzi7nr7AlrlLvk=; b=O4iEw+IdUkNS57k/NLiYEpWzkIXkJaciSp9zijHjfulkQaDK2BuzPCv1tKCXqqOwAN xis+emvWlZAfoaED27Q5ORb6qDKeSCyBkWipnTnm2ADsh8lGHyBBvuGJb3c2M1UupEII c4kr1OG8U1Y+5uIt8YrXNR9k/07Y0OAg1TaMFkf4FOGyDDzPK0cw0PMMdNjmmmEd1tRi 8FxQIVvmR1xXOizG9PMvoauLoytNO2BJ77E5bPRFXJ7pxk2mjAzB6xtBzcDCJMKG1BRC EfPvm3vEiPSO1G/Qc6/4Afr8yL3kHNhx5gergbpXzNFXGxQPaY04jCU67xQv+H009vL9 xMTw== X-Gm-Message-State: AOAM532M/GftNlVLcwFd9GSgs6MjQRLUYBzGK41gjr6bhyrc/leEYUYC fjj5hrYD5fwH6x1BpkT1Wcc= X-Google-Smtp-Source: ABdhPJxVohYKe/p+xqyc6ZQQ7pdzt88IO0cmHzq0/doj37HzgGpfByJRr0/mpXjMFZYKPe+KRgJmWA== X-Received: by 2002:a4a:4304:: with SMTP id k4mr1585462ooj.42.1618537673101; Thu, 15 Apr 2021 18:47:53 -0700 (PDT) Received: from localhost ([2600:1700:e321:62f0:329c:23ff:fee3:9d7c]) by smtp.gmail.com with ESMTPSA id e44sm1067754ote.21.2021.04.15.18.47.51 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 15 Apr 2021 18:47:52 -0700 (PDT) Date: Thu, 15 Apr 2021 18:47:50 -0700 From: Guenter Roeck To: Tao Ren Cc: Wim Van Sebroeck , Joel Stanley , Andrew Jeffery , linux-watchdog@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, openbmc@lists.ozlabs.org, Tao Ren , Amithash Prasad Subject: Re: [PATCH] watchdog: aspeed: fix integer overflow in set_timeout handler Message-ID: <20210416014750.GA53153@roeck-us.net> References: <20210416001208.16788-1-rentao.bupt@gmail.com> <469ac948-d65b-471f-102f-726466c19c5c@roeck-us.net> <20210416010444.GA17388@taoren-ubuntu-R90MNF91> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20210416010444.GA17388@taoren-ubuntu-R90MNF91> User-Agent: Mutt/1.9.4 (2018-02-28) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210415_184756_840863_03E4AA43 X-CRM114-Status: GOOD ( 26.61 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Apr 15, 2021 at 06:04:45PM -0700, Tao Ren wrote: > On Thu, Apr 15, 2021 at 05:50:32PM -0700, Guenter Roeck wrote: > > On 4/15/21 5:12 PM, rentao.bupt@gmail.com wrote: > > > From: Tao Ren > > > > > > Fix the time comparison (timeout vs. max_hw_heartbeat_ms) in set_timeout > > > handler to avoid potential integer overflow when the supplied timeout is > > > greater than aspeed's maximum allowed timeout (4294 seconds). > > > > > > Fixes: efa859f7d786 ("watchdog: Add Aspeed watchdog driver") > > > Reported-by: Amithash Prasad > > > Signed-off-by: Tao Ren > > > --- > > > drivers/watchdog/aspeed_wdt.c | 5 ++--- > > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > > > diff --git a/drivers/watchdog/aspeed_wdt.c b/drivers/watchdog/aspeed_wdt.c > > > index 7e00960651fa..9f77272dc906 100644 > > > --- a/drivers/watchdog/aspeed_wdt.c > > > +++ b/drivers/watchdog/aspeed_wdt.c > > > @@ -145,9 +145,8 @@ static int aspeed_wdt_set_timeout(struct watchdog_device *wdd, > > > struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); > > > u32 actual; > > > > > > - wdd->timeout = timeout; > > > - > > > - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); > > > + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); > > > + wdd->timeout = actual; > > > > > > writel(actual * WDT_RATE_1MHZ, wdt->base + WDT_RELOAD_VALUE); > > > writel(WDT_RESTART_MAGIC, wdt->base + WDT_RESTART); > > > > > > > If the provided timeout is larger than the supported hardware timeout, > > the watchdog core will ping the hardware on behalf of userspace. > > The above code would defeat that mechanism for no good reason. > > > > NACK. > > > > Guenter > > Thanks Guenter for Joel for the quick review! > > The integer overflow happens at (actual * WDT_RATE_1MHZ). For example, > if a user tries to set timeout to 4295 seconds, then the hardware would > be programmed to timeout after about 32 milliseconds. I would say this > behavior is not expected? The fix would be - actual = min(timeout, wdd->max_hw_heartbeat_ms * 1000); + actual = min(timeout, wdd->max_hw_heartbeat_ms / 1000); without modifying wdd->timeout = timeout; The real problem here is that "wdd->max_hw_heartbeat_ms * 1000" is simply wrong. The overflow is a side effect of the wrong calculation, and concentrating on it disguises the real problem. Guenter _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel