From: Alistair Francis <alistair23@gmail.com>
To: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
Cc: Damien Hedde <damien.hedde@greensocs.com>,
Peter Maydell <peter.maydell@linaro.org>,
Mauro Matteo Cascella <mcascell@redhat.com>,
"Edgar E . Iglesias" <edgar.iglesias@xilinx.com>,
Gaoning Pan <gaoning.pgn@antgroup.com>,
Alistair Francis <alistair@alistair23.me>,
"qemu-devel@nongnu.org Developers" <qemu-devel@nongnu.org>,
qemu-arm <qemu-arm@nongnu.org>,
Alistair Francis <alistair.francis@wdc.com>,
"Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
Gaoning Pan <pgn@zju.edu.cn>
Subject: Re: [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error
Date: Thu, 10 Dec 2020 08:39:32 -0800 [thread overview]
Message-ID: <CAKmqyKN7OMipCzi-B+qNJb_J--ontKzpwX5J=rQ8zye3tmYePQ@mail.gmail.com> (raw)
In-Reply-To: <20201210141610.884600-1-f4bug@amsat.org>
On Thu, Dec 10, 2020 at 6:27 AM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> Malicious user can set the feedback divisor for the PLLs
> to zero, triggering a floating-point exception (SIGFPE).
>
> As the datasheet [*] is not clear how hardware behaves
> when these bits are zeroes, use the maximum divisor
> possible (128) to avoid the software FPE.
>
> [*] Zynq-7000 TRM, UG585 (v1.12.2)
> B.28 System Level Control Registers (slcr)
> -> "Register (slcr) ARM_PLL_CTRL"
> 25.10.4 PLLs
> -> "Software-Controlled PLL Update"
>
> Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
> Reported-by: Gaoning Pan <pgn@zju.edu.cn>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Damien Hedde <damien.hedde@greensocs.com>
> Cc: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> Cc: Alistair Francis <alistair.francis@wdc.com>
> Cc: Gaoning Pan <gaoning.pgn@antgroup.com>
> Cc: Mauro Matteo Cascella <mcascell@redhat.com>
>
> Alternative is to threat that as PLL disabled and return 0...
I'm not sure which is better, but this patch now is better then before:
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Alistair
> ---
> hw/misc/zynq_slcr.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
> index a2b28019e3c..66504a9d3ab 100644
> --- a/hw/misc/zynq_slcr.c
> +++ b/hw/misc/zynq_slcr.c
> @@ -217,6 +217,11 @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
> return 0;
> }
>
> + /* Consider zero feedback as maximum divide ratio possible */
> + if (!mult) {
> + mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
> + }
> +
> /* frequency multiplier -> period division */
> return input / mult;
> }
> --
> 2.26.2
>
>
next prev parent reply other threads:[~2020-12-10 17:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-10 14:16 [RFC PATCH] hw/misc/zynq_slcr: Avoid #DIV/0! error Philippe Mathieu-Daudé
2020-12-10 16:39 ` Alistair Francis [this message]
2020-12-10 20:13 ` Edgar E. Iglesias
2020-12-11 15:26 ` Damien Hedde
2020-12-10 17:21 ` Mauro Matteo Cascella
2020-12-15 13:37 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKmqyKN7OMipCzi-B+qNJb_J--ontKzpwX5J=rQ8zye3tmYePQ@mail.gmail.com' \
--to=alistair23@gmail.com \
--cc=alistair.francis@wdc.com \
--cc=alistair@alistair23.me \
--cc=damien.hedde@greensocs.com \
--cc=edgar.iglesias@gmail.com \
--cc=edgar.iglesias@xilinx.com \
--cc=f4bug@amsat.org \
--cc=gaoning.pgn@antgroup.com \
--cc=mcascell@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pgn@zju.edu.cn \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.