Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3072508pxb;
        Tue, 12 Jan 2021 05:48:29 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwepyNw5ILGNY1ilkXbc2R78iEwyr2pgqV0iAbvQA86yVyFIG/4uhStjrN/POLzL0FE7/Wj
X-Received: by 2002:a17:906:8058:: with SMTP id x24mr3185721ejw.262.1610459309066;
        Tue, 12 Jan 2021 05:48:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610459309; cv=none;
        d=google.com; s=arc-20160816;
        b=gaDUO3HojWdlwoHyHgWidH3O4jUjOezt30Hr/SYgwYj71HngGYZlEILqRpxL+Kj/wZ
         tEMguMS8vZ0GY4x7oXJY20tfoXJr5IohtG45IQYjPe3Zharzg+KSZ9R/x4zJ0JP9kSuL
         hK4DAPkqUIN+2BgWxlHtbLeeZz1YO7QuRlA14X+VLu4ainQIJEknbVAluoHgFZcjQ76t
         QYZ3AUZnPJQrE6mhIDK3K1c5kBXwQi6QAGPn1mU7lLYiWcJjm5pJ9S/ieJ419+MVZVoU
         idoRi4CyXQPtzZRZ9vc4gWzCRCGOqzh9e7WguSD/R13uefDUGuuh6GWXZ+JPVII4aEl5
         FRUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:mail-followup-to:message-id:subject:cc:to:from:date
         :dkim-signature:dkim-signature;
        bh=4OnyMZBP3xdS7J3G7RqbMtjxsfB6houuqw2q1oOqhp0=;
        b=berEejZCjVJQBEvwa0m/5ycs1Tr5pbG6/HMHYc8bvRsO6nHBgPVYM+/IUa5BCYxGsa
         NYi6PTf6k6NmgGpfTJK7b5W8tb39EJBPLOyoGHI3hocErlt7g8FdPCpDLT7wNYaO5ZBN
         KUS0xBAr4Z6clLhY2G5Rzwxa7xpNtOO2YRfQ4ZYFOCjf5WK9HBTxO02OyV8tlT6ZLqk3
         dQyKjidvKX/jaAscWJo95C+3mcYld2rv63O9BFKkytJDOTvkOa6MYIc43/AI7aUWleBl
         B092IJfjsNYrLqcTVd+/nJAvHQBfpqu62vuymR48HlqytrojOn+wxTeTQXdoWuGVBuNg
         90pg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sakamocchi.jp header.s=fm3 header.b=br3p1BvM;
       dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=e5+aVboH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c18si1318529ede.504.2021.01.12.05.48.04;
        Tue, 12 Jan 2021 05:48:29 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sakamocchi.jp header.s=fm3 header.b=br3p1BvM;
       dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=e5+aVboH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388535AbhALNoM (ORCPT <rfc822;linux.s.jambekar@gmail.com>
        + 99 others); Tue, 12 Jan 2021 08:44:12 -0500
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:42883 "EHLO
        out5-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S2388323AbhALNoL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Jan 2021 08:44:11 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
        by mailout.nyi.internal (Postfix) with ESMTP id 7C6D95C01D6;
        Tue, 12 Jan 2021 08:43:04 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
  by compute4.internal (MEProxy); Tue, 12 Jan 2021 08:43:04 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakamocchi.jp;
         h=date:from:to:cc:subject:message-id:references:mime-version
        :content-type:in-reply-to; s=fm3; bh=4OnyMZBP3xdS7J3G7RqbMtjxsfB
        6houuqw2q1oOqhp0=; b=br3p1BvMwiHbXihsb9loRMpTHYznGsbWZH9N+LJRK3e
        sNwhOhAtUXQyOKYc1kipzgeFCm7qBxinbm0Kplt61uztJSfCcxL0prXkVV3Nydhs
        RXMxbwdGsCcn5mQ6hEM8LWuBGzpU9r/gTfxPeHa+YwcqfH3h0Q8HP5jc3dKrRJM2
        MUMRXZ/B59SyiwEKpyOhHcD+N9gBWMjVKXZ0oR1/sd8+DkScfpPbdMi3PIyGbJTR
        ChVqmaFbk2ULVddIRj0Q5KlVY+S2rV+CBrbvndY2wc5uEI4qHNWsJtjhQgotOBXe
        j/QO0BhVEWFluER2yWiB4Q0+UOifXIMxTXrYoXP4s9A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=cc:content-type:date:from:in-reply-to
        :message-id:mime-version:references:subject:to:x-me-proxy
        :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=4OnyMZ
        BP3xdS7J3G7RqbMtjxsfB6houuqw2q1oOqhp0=; b=e5+aVboHLxqcQp8O4XeAwM
        rE6GYf1QPxzXwFbjxUkGC83ntFKwJTnLpCJB94bERT2oA5APKfGezCK+XqLUL5Ey
        TnEglBBGpk/I8A1JmfVakGTo0mH2nMKX5LYKgr9Ka/to0Nw96S2XwsNrY/ZkksyT
        6pptJT8Y+mNgt240YBTalQa/0vOr9S+HdrXIWVDXRO4eXTYOFP46V+dKE4ziN0Sj
        kEAv5HM0z0twEB15kN59Ht3zjM8ZMNPTZHt8YB3N7Te4PEPzaUH52oMzL728mFAZ
        p9WB2T7TPOIzxvjXx0aKNkmW/2PlOzNUw8T0x96Jv7jYP/jvJi472k9Vt5yuYNRQ
        ==
X-ME-Sender: <xms:Z6f9XyxuayZujUl-QvEjv_wC1gKH8weyG3JUI84vziYFbNs4NMU5WA>
    <xme:Z6f9X-SMP-EwH9xIo2XR5_p0GCPdyzOx9zo79VkOYXcUVkq5TbvZfPAIHEivT_RKp
    6RN6HayenmQ4LgGuMA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedukedrtddtgddvfecutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
    uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc
    fjughrpeffhffvuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepvfgrkhgrshhh
    ihcuufgrkhgrmhhothhouceoohdqthgrkhgrshhhihesshgrkhgrmhhotggthhhirdhjph
    eqnecuggftrfgrthhtvghrnhepjeegieefueevueefieeggeejledvgfejgeffjefgvdek
    leehgfdtfeetjeelkeejnecuffhomhgrihhnpehkvghrnhgvlhdrohhrghenucfkphepud
    dukedrvdegfedrjeekrdehkeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhep
    mhgrihhlfhhrohhmpehoqdhtrghkrghshhhisehsrghkrghmohgttghhihdrjhhp
X-ME-Proxy: <xmx:Z6f9X0UtNJIj4lVLcuaXXJwnTpG_WbeSyHIMIzfuhkO5Cis3u6JO4A>
    <xmx:Z6f9X4iwYveNfs5zRUI7c9EZLYTwLq6Ab-DR3UqMWdW409hertBwdg>
    <xmx:Z6f9X0AeQ-mj1F2ZcWScIsN2MDnys6-b-kbmWn2VxvVJQAxeUxayOA>
    <xmx:aKf9X3PD52cGLbqmJNwtG-WACSF4DeNWMLqjK88ELeq6h-VV8S9Q9A>
Received: from workstation (y078058.dynamic.ppp.asahi-net.or.jp [118.243.78.58])
        by mail.messagingengine.com (Postfix) with ESMTPA id DE939108005C;
        Tue, 12 Jan 2021 08:43:01 -0500 (EST)
Date:   Tue, 12 Jan 2021 22:42:59 +0900
From:   Takashi Sakamoto <o-takashi@sakamocchi.jp>
To:     Geert Uytterhoeven <geert+renesas@glider.be>
Cc:     Clemens Ladisch <clemens@ladisch.de>,
        Jaroslav Kysela <perex@perex.cz>,
        Takashi Iwai <tiwai@suse.com>, alsa-devel@alsa-project.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH/RFC 2/2] ALSA: firewire-tascam: Fix integer overflow in
 midi_port_work()
Message-ID: <20210112134259.GA44140@workstation>
Mail-Followup-To: Geert Uytterhoeven <geert+renesas@glider.be>,
        Clemens Ladisch <clemens@ladisch.de>,
        Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
        alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
References: <20210111130251.361335-1-geert+renesas@glider.be>
 <20210111130251.361335-3-geert+renesas@glider.be>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210111130251.361335-3-geert+renesas@glider.be>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Mon, Jan 11, 2021 at 02:02:51PM +0100, Geert Uytterhoeven wrote:
> As snd_fw_async_midi_port.consume_bytes is unsigned int, and
> NSEC_PER_SEC is 1000000000L, the second multiplication in
> 
>     port->consume_bytes * 8 * NSEC_PER_SEC / 31250
> 
> always overflows on 32-bit platforms, truncating the result.  Fix this
> by precalculating "NSEC_PER_SEC / 31250", which is an integer constant.
> 
> Note that this assumes port->consume_bytes <= 16777.
> 
> Fixes: 531f471834227d03 ("ALSA: firewire-lib/firewire-tascam: localize async midi port")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> ---
> Compile-tested only.
> 
> I don't know the maximum transfer length of MIDI, but given it's an old
> standard, I guess it's rather small.  If it is larger than 16777, the
> constant "8" should be replaced by "8ULL", to force 64-bit arithmetic.
> ---
>  sound/firewire/tascam/tascam-transaction.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
 
Indeed. The calculation brings integer overflow of 32 bit storage. Thanks
for your care and proposal of the patch. I agree with the intension of
patch, however I have a nitpicking that the consume_bytes member is
defined as 'int', not 'unsigned int' in your commit comment.

The member has value returned from the call of 'fill_message()'[1] for the
length of byte messages in buffer to process, or for error code. The
error code is checked immediately. The range of value is equal to
or less than 3 when reaching the calculation, thus it should be less than
16777.

Regardless of the type of 'int' or 'unsigned int', this patch can fix
the issued problem. Feel free to add my tag when you post second version
with comment fix.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>

> diff --git a/sound/firewire/tascam/tascam-transaction.c b/sound/firewire/tascam/tascam-transaction.c
> index 90288b4b46379526..a073cece4a7d5e3a 100644
> --- a/sound/firewire/tascam/tascam-transaction.c
> +++ b/sound/firewire/tascam/tascam-transaction.c
> @@ -209,7 +209,7 @@ static void midi_port_work(struct work_struct *work)
>  
>  	/* Set interval to next transaction. */
>  	port->next_ktime = ktime_add_ns(ktime_get(),
> -				port->consume_bytes * 8 * NSEC_PER_SEC / 31250);
> +			port->consume_bytes * 8 * (NSEC_PER_SEC / 31250));
>  
>  	/* Start this transaction. */
>  	port->idling = false;
> -- 
> 2.25.1

[1] https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/tree/sound/firewire/tascam/tascam-transaction.c#n197

Thanks

Takashi Sakamoto