From: sashiko-bot@kernel.org
To: Prabhakar <prabhakar.csengg@gmail.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org,
wsa+renesas@sang-engineering.com
Subject: Re: [PATCH 07/12] rtc: rzn1: fix alarm range check truncation on 32-bit systems
Date: Mon, 15 Jun 2026 16:00:41 +0000 [thread overview]
Message-ID: <20260615160041.670BE1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260615154805.1619693-8-prabhakar.mahadev-lad.rj@bp.renesas.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] Incorrect hardware alarm weekday assignment due to unsigned underflow when the alarm crosses a month boundary.
- [High] Unconfigured alarms in `rzn1_rtc_read_alarm` can return an invalid `tm_wday` value of `-1`, risking out-of-bounds array access in userspace.
- [High] Potential spurious interrupt when sequentially updating active hardware alarm registers.
--
commit d278abd6309a65fff235820bea9a8e8631da47be
Author: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Subject: rtc: rzn1: fix alarm range check truncation on 32-bit systems
This commit fixes a silent truncation issue on 32-bit systems by changing
the alarm and farest variables from unsigned long to time64_t. It also
replaces the time_after() macro with a direct signed comparison.
> diff --git a/drivers/rtc/rtc-rzn1.c b/drivers/rtc/rtc-rzn1.c
> index fe21fa6242881..06339adae71f6 100644
> --- a/drivers/rtc/rtc-rzn1.c
> +++ b/drivers/rtc/rtc-rzn1.c
[ ... ]
> @@ -265,8 +266,8 @@ static int rzn1_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm)
> {
> struct rzn1_rtc *rtc = dev_get_drvdata(dev);
> struct rtc_time *tm = &alrm->time, tm_now;
> - unsigned long alarm, farest;
> unsigned int days_ahead, wday;
> + time64_t alarm, farest;
> int ret;
>
> ret = rzn1_rtc_read_time(dev, &tm_now);
> @@ -276,7 +277,7 @@ static int rzn1_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm)
> /* We cannot set alarms more than one week ahead */
> farest = rtc_tm_to_time64(&tm_now) + rtc->rtcdev->alarm_offset_max;
> alarm = rtc_tm_to_time64(tm);
> - if (time_after(alarm, farest))
> + if (alarm > farest)
> return -ERANGE;
>
> /* Convert alarm day into week day */
[Severity: High]
This isn't a bug introduced by this patch, but does the calculation for
days_ahead underflow if the alarm crosses a month boundary?
In rzn1_rtc_set_alarm(), days_ahead is typed as an unsigned int and is
calculated like this:
days_ahead = tm->tm_mday - tm_now.tm_mday;
wday = (tm_now.tm_wday + days_ahead) % 7;
If the alarm is set for the 1st of the next month, and today is the 31st,
the subtraction results in -30. When assigned to an unsigned int, this
underflows. Because 2^32 % 7 evaluates to 4, the resulting wday calculation
shifts the weekday by exactly 4 days, causing the hardware alarm register
to be programmed for the wrong day.
[Severity: High]
This is a pre-existing issue, but is there a risk of a spurious interrupt
when updating the active hardware alarm registers?
Just below this hunk in rzn1_rtc_set_alarm(), the match registers are
updated sequentially:
writel(bin2bcd(tm->tm_min), rtc->base + RZN1_RTC_ALM);
writel(bin2bcd(tm->tm_hour), rtc->base + RZN1_RTC_ALH);
writel(BIT(wday), rtc->base + RZN1_RTC_ALW);
The RTC core can invoke this function without first disabling the hardware
alarm if replacing an existing timer. If the hardware alarm interrupt is
active, modifying these registers sequentially could cause the intermediate
hardware state to momentarily match the current time, triggering a spurious
interrupt and prematurely expiring the next timer in the queue.
[Severity: High]
This is a pre-existing issue, but what happens in rzn1_rtc_read_alarm() if
the hardware alarm is unconfigured?
If the hardware alarm register reads 0, fls(0) - 1 evaluates to -1:
drivers/rtc/rtc-rzn1.c:rzn1_rtc_read_alarm() {
...
wday = readl(rtc->base + RZN1_RTC_ALW);
...
delta_days = ((fls(wday) - 1) - tm->tm_wday + 7) % 7;
tm->tm_wday = fls(wday) - 1;
...
}
If the current weekday is Saturday (6), delta_days evaluates to 0:
((-1 - 6 + 7) % 7) == 0.
Because delta_days is 0, the rtc_time64_to_tm() block is skipped, and the
function returns with tm->tm_wday = -1. Since rtc_valid_tm() does not
bound-check tm_wday, this -1 is passed to userspace where tools commonly
use it as an array index, which could cause an out-of-bounds memory read.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260615154805.1619693-1-prabhakar.mahadev-lad.rj@bp.renesas.com?part=7
next prev parent reply other threads:[~2026-06-15 16:00 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 15:47 [PATCH 00/12] Add RTC support for Renesas RZ/T2H and RZ/N2H SoCs Prabhakar
2026-06-15 15:47 ` [PATCH 01/12] dt-bindings: rtc: renesas,rzn1-rtc: Add RZ/T2H and RZ/N2H support Prabhakar
2026-06-15 15:56 ` sashiko-bot
2026-06-15 16:22 ` Conor Dooley
2026-06-15 15:47 ` [PATCH 02/12] rtc: rzn1: Handle EPROBE_DEFER for optional pps interrupt Prabhakar
2026-06-15 15:58 ` sashiko-bot
2026-06-15 15:47 ` [PATCH 03/12] rtc: rzn1: Fix malformed MODULE_AUTHOR string Prabhakar
2026-06-15 15:47 ` [PATCH 04/12] rtc: Kconfig: Broaden RTC_DRV_RZN1 dependency to ARCH_RENESAS Prabhakar
2026-06-15 15:47 ` [PATCH 05/12] rtc: rzn1: Add system suspend/resume support and wakeup capability Prabhakar
2026-06-15 15:59 ` sashiko-bot
2026-06-15 15:47 ` [PATCH 06/12] rtc: rzn1: Sort headers alphabetically Prabhakar
2026-06-15 15:48 ` [PATCH 07/12] rtc: rzn1: fix alarm range check truncation on 32-bit systems Prabhakar
2026-06-15 16:00 ` sashiko-bot [this message]
2026-06-15 15:48 ` [PATCH 08/12] rtc: rzn1: Dynamically calculate synchronization delay based on clock rate Prabhakar
2026-06-15 15:57 ` sashiko-bot
2026-06-15 15:48 ` [PATCH 09/12] rtc: rzn1: Use temporary variable for struct device Prabhakar
2026-06-15 17:56 ` sashiko-bot
2026-06-15 15:48 ` [PATCH 10/12] rtc: rzn1: Consistently use dev_err_probe() Prabhakar
2026-06-15 15:48 ` [PATCH 11/12] rtc: rzn1: use FIELD_PREP/FIELD_GET and GENMASK for register access Prabhakar
2026-06-15 15:57 ` sashiko-bot
2026-06-15 15:48 ` [PATCH 12/12] rtc: rzn1: Add support for Renesas RZ/T2H and RZ/N2H SoCs Prabhakar
2026-06-15 15:58 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260615160041.670BE1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=prabhakar.csengg@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox