diff mbox series

[net] net: phy: mscc-miim: Validate bus frequency obtained from Device Tree

Message ID 20240702110650.17563-1-amishin@t-argos.ru (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] net: phy: mscc-miim: Validate bus frequency obtained from Device Tree | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 856 this patch: 856
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 860 this patch: 860
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 860 this patch: 860
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-07-02--12-00 (tests: 666)

Commit Message

Aleksandr Mishin July 2, 2024, 11:06 a.m. UTC 
In mscc_miim_clk_set() miim->bus_freq is taken from Device Tree and can
contain any value in case of any error or broken DT. A value of 2147483648
multiplied by 2 will result in an overflow and division by 0.

Add bus frequency value check to avoid overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: bb2a1934ca01 ("net: phy: mscc-miim: add support to set MDIO bus frequency")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/net/mdio/mdio-mscc-miim.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Michael Walle July 2, 2024, 11:59 a.m. UTC | #1 
Hi,

On Tue Jul 2, 2024 at 1:06 PM CEST, Aleksandr Mishin wrote:
> In mscc_miim_clk_set() miim->bus_freq is taken from Device Tree and can
> contain any value in case of any error or broken DT. A value of 2147483648
> multiplied by 2 will result in an overflow and division by 0.
>
> Add bus frequency value check to avoid overflow.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: bb2a1934ca01 ("net: phy: mscc-miim: add support to set MDIO bus frequency")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/net/mdio/mdio-mscc-miim.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/mdio/mdio-mscc-miim.c b/drivers/net/mdio/mdio-mscc-miim.c
> index c29377c85307..6380c22567ea 100644
> --- a/drivers/net/mdio/mdio-mscc-miim.c
> +++ b/drivers/net/mdio/mdio-mscc-miim.c
> @@ -254,6 +254,11 @@ static int mscc_miim_clk_set(struct mii_bus *bus)
>  	if (!miim->bus_freq)
>  		return 0;
>  
> +	if (miim->bus_freq == 2147483648) {

Please avoid magic numbers.

Instead of this, can we reorder the code and detect whether
2*bus_freq will overflow?

-michael

> +		dev_err(&bus->dev, "Incorrect bus frequency\n");
> +		return -EINVAL;
> +	}
> +
>  	rate = clk_get_rate(miim->clk);
>  
>  	div = DIV_ROUND_UP(rate, 2 * miim->bus_freq) - 1;
Andrew Lunn July 2, 2024, 1:36 p.m. UTC | #2 
On Tue, Jul 02, 2024 at 02:06:50PM +0300, Aleksandr Mishin wrote:
> In mscc_miim_clk_set() miim->bus_freq is taken from Device Tree and can
> contain any value in case of any error or broken DT. A value of 2147483648
> multiplied by 2 will result in an overflow and division by 0.
> 
> Add bus frequency value check to avoid overflow.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: bb2a1934ca01 ("net: phy: mscc-miim: add support to set MDIO bus frequency")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/net/mdio/mdio-mscc-miim.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/net/mdio/mdio-mscc-miim.c b/drivers/net/mdio/mdio-mscc-miim.c
> index c29377c85307..6380c22567ea 100644
> --- a/drivers/net/mdio/mdio-mscc-miim.c
> +++ b/drivers/net/mdio/mdio-mscc-miim.c
> @@ -254,6 +254,11 @@ static int mscc_miim_clk_set(struct mii_bus *bus)
>  	if (!miim->bus_freq)
>  		return 0;
>  
> +	if (miim->bus_freq == 2147483648) {
> +		dev_err(&bus->dev, "Incorrect bus frequency\n");
> +		return -EINVAL;
> +	}

Are you saying that only this one specific value with cause overflow?
No other value will? Can any value cause underflow?

Generally, i would expect to see a range check here. 802.3 requires
that the bus can operate at 2.5MHz. I've seen some which can operate
up to 12Mhz. 25MHz seems like a sensible upper limit. But maybe you
can do the maths and figure out the theoretical maximum. There are use
cases for going below 2.5MHz, the hardware design is broken, the edge
on the signal are two round at 2.5Mhz. So i've seen prototype hardware
need to run there MDIO clock at 100Khz until the hardware designer
fixes their error. So how about validating the frequency is > 100KHz
and < 25MHz?

> +		dev_err(&bus->dev, "Incorrect bus frequency\n");

Incorrect is also a bit odd. I would prefer Invalid.

	Andrew
diff mbox series

Patch

diff --git a/drivers/net/mdio/mdio-mscc-miim.c b/drivers/net/mdio/mdio-mscc-miim.c
index c29377c85307..6380c22567ea 100644
--- a/drivers/net/mdio/mdio-mscc-miim.c
+++ b/drivers/net/mdio/mdio-mscc-miim.c
@@ -254,6 +254,11 @@  static int mscc_miim_clk_set(struct mii_bus *bus)
 	if (!miim->bus_freq)
 		return 0;
 
+	if (miim->bus_freq == 2147483648) {
+		dev_err(&bus->dev, "Incorrect bus frequency\n");
+		return -EINVAL;
+	}
+
 	rate = clk_get_rate(miim->clk);
 
 	div = DIV_ROUND_UP(rate, 2 * miim->bus_freq) - 1;