1. Patchew
  2. QEMU
  3. View series

[RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error

Philippe Mathieu-Daudé posted 1 patch 5 years, 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20201210141610.884600-1-f4bug@amsat.org
Test checkpatch passed
hw/misc/zynq_slcr.c | 5 +++++
1 file changed, 5 insertions(+)
[RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Posted by Philippe Mathieu-Daudé 5 years, 1 month ago 
Malicious user can set the feedback divisor for the PLLs
to zero, triggering a floating-point exception (SIGFPE).

As the datasheet [*] is not clear how hardware behaves
when these bits are zeroes, use the maximum divisor
possible (128) to avoid the software FPE.

[*] Zynq-7000 TRM, UG585 (v1.12.2)
    B.28 System Level Control Registers (slcr)
    -> "Register (slcr) ARM_PLL_CTRL"
    25.10.4 PLLs
    -> "Software-Controlled PLL Update"

Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Cc: Damien Hedde <damien.hedde@greensocs.com>
Cc: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Cc: Alistair Francis <alistair.francis@wdc.com>
Cc: Gaoning Pan <gaoning.pgn@antgroup.com>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>

Alternative is to threat that as PLL disabled and return 0...
---
 hw/misc/zynq_slcr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
index a2b28019e3c..66504a9d3ab 100644
--- a/hw/misc/zynq_slcr.c
+++ b/hw/misc/zynq_slcr.c
@@ -217,6 +217,11 @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
         return 0;
     }
 
+    /* Consider zero feedback as maximum divide ratio possible */
+    if (!mult) {
+        mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
+    }
+
     /* frequency multiplier -> period division */
     return input / mult;
 }
-- 
2.26.2
Re: [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Posted by Alistair Francis 5 years, 1 month ago 
On Thu, Dec 10, 2020 at 6:27 AM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> Malicious user can set the feedback divisor for the PLLs
> to zero, triggering a floating-point exception (SIGFPE).
>
> As the datasheet [*] is not clear how hardware behaves
> when these bits are zeroes, use the maximum divisor
> possible (128) to avoid the software FPE.
>
> [*] Zynq-7000 TRM, UG585 (v1.12.2)
>     B.28 System Level Control Registers (slcr)
>     -> "Register (slcr) ARM_PLL_CTRL"
>     25.10.4 PLLs
>     -> "Software-Controlled PLL Update"
>
> Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
> Reported-by: Gaoning Pan <pgn@zju.edu.cn>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Damien Hedde <damien.hedde@greensocs.com>
> Cc: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> Cc: Alistair Francis <alistair.francis@wdc.com>
> Cc: Gaoning Pan <gaoning.pgn@antgroup.com>
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
>
> Alternative is to threat that as PLL disabled and return 0...

I'm not sure which is better, but this patch now is better then before:

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Alistair

> ---
>  hw/misc/zynq_slcr.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
> index a2b28019e3c..66504a9d3ab 100644
> --- a/hw/misc/zynq_slcr.c
> +++ b/hw/misc/zynq_slcr.c
> @@ -217,6 +217,11 @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
>          return 0;
>      }
>
> +    /* Consider zero feedback as maximum divide ratio possible */
> +    if (!mult) {
> +        mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
> +    }
> +
>      /* frequency multiplier -> period division */
>      return input / mult;
>  }
> --
> 2.26.2
>
>
Re: [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Posted by Edgar E. Iglesias 5 years, 1 month ago 
On Thu, Dec 10, 2020 at 08:39:32AM -0800, Alistair Francis wrote:
> On Thu, Dec 10, 2020 at 6:27 AM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> >
> > Malicious user can set the feedback divisor for the PLLs
> > to zero, triggering a floating-point exception (SIGFPE).
> >
> > As the datasheet [*] is not clear how hardware behaves
> > when these bits are zeroes, use the maximum divisor
> > possible (128) to avoid the software FPE.
> >
> > [*] Zynq-7000 TRM, UG585 (v1.12.2)
> >     B.28 System Level Control Registers (slcr)
> >     -> "Register (slcr) ARM_PLL_CTRL"
> >     25.10.4 PLLs
> >     -> "Software-Controlled PLL Update"
> >
> > Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
> > Reported-by: Gaoning Pan <pgn@zju.edu.cn>
> > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> > ---
> > Cc: Damien Hedde <damien.hedde@greensocs.com>
> > Cc: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> > Cc: Alistair Francis <alistair.francis@wdc.com>
> > Cc: Gaoning Pan <gaoning.pgn@antgroup.com>
> > Cc: Mauro Matteo Cascella <mcascell@redhat.com>
> >
> > Alternative is to threat that as PLL disabled and return 0...
> 
> I'm not sure which is better, but this patch now is better then before:
> 
> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

I agree with Alistair:

Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Re: [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Posted by Damien Hedde 5 years, 1 month ago 

On 12/10/20 9:13 PM, Edgar E. Iglesias wrote:
> On Thu, Dec 10, 2020 at 08:39:32AM -0800, Alistair Francis wrote:
>> On Thu, Dec 10, 2020 at 6:27 AM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>>>
>>> Malicious user can set the feedback divisor for the PLLs
>>> to zero, triggering a floating-point exception (SIGFPE).
>>>
>>> As the datasheet [*] is not clear how hardware behaves
>>> when these bits are zeroes, use the maximum divisor
>>> possible (128) to avoid the software FPE.
>>>
>>> [*] Zynq-7000 TRM, UG585 (v1.12.2)
>>>     B.28 System Level Control Registers (slcr)
>>>     -> "Register (slcr) ARM_PLL_CTRL"
>>>     25.10.4 PLLs
>>>     -> "Software-Controlled PLL Update"
>>>
>>> Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
>>> Reported-by: Gaoning Pan <pgn@zju.edu.cn>
>>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
>>> ---
>>> Cc: Damien Hedde <damien.hedde@greensocs.com>
>>> Cc: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
>>> Cc: Alistair Francis <alistair.francis@wdc.com>
>>> Cc: Gaoning Pan <gaoning.pgn@antgroup.com>
>>> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
>>>
>>> Alternative is to threat that as PLL disabled and return 0...
>>
>> I'm not sure which is better, but this patch now is better then before:
>>
>> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
> 
> I agree with Alistair:
> 
> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> 

Reviewed-by: Damien Hedde <damien.hedde@greensocs.com>
Re: [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Posted by Mauro Matteo Cascella 5 years, 1 month ago 
On Thu, Dec 10, 2020 at 3:16 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> Malicious user can set the feedback divisor for the PLLs
> to zero, triggering a floating-point exception (SIGFPE).
>
> As the datasheet [*] is not clear how hardware behaves
> when these bits are zeroes, use the maximum divisor
> possible (128) to avoid the software FPE.
>
> [*] Zynq-7000 TRM, UG585 (v1.12.2)
>     B.28 System Level Control Registers (slcr)
>     -> "Register (slcr) ARM_PLL_CTRL"
>     25.10.4 PLLs
>     -> "Software-Controlled PLL Update"
>
> Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
> Reported-by: Gaoning Pan <pgn@zju.edu.cn>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Damien Hedde <damien.hedde@greensocs.com>
> Cc: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> Cc: Alistair Francis <alistair.francis@wdc.com>
> Cc: Gaoning Pan <gaoning.pgn@antgroup.com>
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
>
> Alternative is to threat that as PLL disabled and return 0...
> ---
>  hw/misc/zynq_slcr.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
> index a2b28019e3c..66504a9d3ab 100644
> --- a/hw/misc/zynq_slcr.c
> +++ b/hw/misc/zynq_slcr.c
> @@ -217,6 +217,11 @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
>          return 0;
>      }
>
> +    /* Consider zero feedback as maximum divide ratio possible */
> +    if (!mult) {
> +        mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
> +    }
> +
>      /* frequency multiplier -> period division */
>      return input / mult;
>  }
> --
> 2.26.2
>

This patch fixes RHBZ#1906388:
https://bugzilla.redhat.com/show_bug.cgi?id=1906388

Thank you,
-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
Re: [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Posted by Peter Maydell 5 years, 1 month ago 
On Thu, 10 Dec 2020 at 14:16, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> Malicious user can set the feedback divisor for the PLLs
> to zero, triggering a floating-point exception (SIGFPE).
>
> As the datasheet [*] is not clear how hardware behaves
> when these bits are zeroes, use the maximum divisor
> possible (128) to avoid the software FPE.
>
> [*] Zynq-7000 TRM, UG585 (v1.12.2)
>     B.28 System Level Control Registers (slcr)
>     -> "Register (slcr) ARM_PLL_CTRL"
>     25.10.4 PLLs
>     -> "Software-Controlled PLL Update"
>
> Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
> Reported-by: Gaoning Pan <pgn@zju.edu.cn>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>



Applied to target-arm.next, thanks.

-- PMM

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.