libswdg: fix potential sleeping forever

[mateuszkobak]

After calling channel callback, it was possible to sleep on condWait without proper timeout.

YT: NIL-1079

Description

Motivation and Context

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Chore (refactoring, style fixes, git/CI config, submodule management, no code logic changes)

How Has This Been Tested?

• Already covered by automatic testing.
• New test added: (add PR link here).
• Tested by hand on: (list targets here).

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing linter checks and tests passed.
• My changes generate no new compilation warnings for any of the targets.

Special treatment

• This PR needs additional PRs to work (list the PRs, preferably in merge-order).
• I will merge this PR by myself when appropriate.

[gemini-code-assist]

Summary of Changes

Hello @mateuszkobak, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical bug in the software watchdog (libswdg) where the system could enter an indefinite sleep state. The fix ensures that the watchdog's deadline is consistently updated, preventing miscalculations that could lead to the watchdog failing to trigger or reset as expected, thereby enhancing system reliability.

Highlights

• Watchdog Deadline Calculation: The deadline calculation for the software watchdog channel was moved outside of an else block to ensure it is always updated before determining the diff and timeout for the next sleep cycle.
• Potential Infinite Sleep Fix: This change addresses a bug where the watchdog could potentially sleep indefinitely if the deadline was not properly re-calculated, leading to incorrect timeout values.

Changelog

• libswdg/swdg.c
  • Corrected the logic for calculating the watchdog channel's deadline to prevent potential infinite sleep scenarios.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request fixes a bug where the watchdog thread could sleep forever if a watchdog channel timed out by correctly recalculating the next timeout value after a channel's callback is executed. However, a medium-severity vulnerability was identified: a potential integer overflow that could lead to incorrect watchdog behavior, effectively a denial of service of the watchdog functionality. Furthermore, the new logic introduces a critical issue where a busy-loop can occur if a watchdog channel is configured with a negative timeout limit, as diff would become negative and cause condWait to misbehave. Specific comments with suggested fixes and remediations have been provided for these issues.

[gemini-code-assist]

The variable diff can become negative if swdg_common.chan[i].limit is a negative value. time_t is signed, and swdg_chanConfig() doesn't validate the limit parameter. A negative diff assigned to timeout would cause condWait() to likely return immediately, resulting in a busy-loop (100% CPU usage). This is a critical issue.

To safeguard against this, you should ensure diff is positive before updating timeout. While the root cause is in swdg_chanConfig(), a local fix here can prevent the busy-loop.

				if (diff > 0 && ((timeout == 0) || (timeout > diff))) {

[anglov]

@gemini-code-assist i think the real isssue here is using time_t for timeout-like variables.

I think that valid solution for that situation is to change the API.

If we don't want to change API for some reason, validate limit arg to swdg_chanConfig should be check if it's > 0

It's not directly connected with fixed issue in this commit though

[gemini-code-assist]

The addition on this line is vulnerable to a signed integer overflow. Both now and limit are of type time_t (a signed integer). If their sum exceeds the maximum value for time_t, the result (deadline) will wrap around and become a negative number. This can lead to incorrect watchdog behavior, either triggering the callback prematurely or causing the watchdog thread to sleep for an unintended duration, effectively disabling the watchdog mechanism. It's recommended to add a check to prevent the overflow. You may need to include <limits.h> to use LLONG_MAX.

if ((swdg_common.chan[i].limit > 0) && (now > LLONG_MAX - swdg_common.chan[i].limit)) {
    deadline = LLONG_MAX;
} else {
    deadline = now + swdg_common.chan[i].limit;
}

[github-actions]

Unit Test Results

9 523 tests  +6 744   8 931 ✅ +6 297   49m 54s ⏱️ + 38m 18s
  583 suites +  435     592 💤 +  447 
    1 files   ±    0       0 ❌ ±    0 

Results for commit c6ac10c. ± Comparison against base commit fc03fc0.

[anglov]

Agree with gemini. It require major refactor. Not in scope of current issue fix.