Re: [PATCH] hpet: fix bounds check for s->timer[]

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Zhao Liu <zhao1.liu@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
	qemu-devel <qemu-devel@nongnu.org>,
	"Yuma Kurogome, Ricerca Security, Inc." <yumak@ricsec.co.jp>
Subject: Re: [PATCH] hpet: fix bounds check for s->timer[]
Date: Mon, 30 Mar 2026 22:46:42 +0800	[thread overview]
Message-ID: <acqM0he6SpiY7LOK@intel.com> (raw)
In-Reply-To: <CABgObfYxPmG+M1t8VakdKiKEkunQ8cyLfoo8dtVQTTR4RtxUug@mail.gmail.com>

On Fri, Mar 27, 2026 at 09:02:09PM +0100, Paolo Bonzini wrote:
> Date: Fri, 27 Mar 2026 21:02:09 +0100
> From: Paolo Bonzini <pbonzini@redhat.com>
> Subject: Re: [PATCH] hpet: fix bounds check for s->timer[]
> 
> Il ven 27 mar 2026, 19:46 Peter Maydell <peter.maydell@linaro.org> ha
> scritto:
> 
> > > (even
> > > though HPET_MAX_TIMERS is 32) the HPET only has room for 24 timers in
> > > its MMIO region,

It seems like a missing case for HPET spec v1.0a (about how to extend
MMIO). The MMIO size (HPET_LEN = 0x400) and max timers (HPET_MAX_TIMERS
= 32) are both from the spec. And general capabilities register
allocates bits 8-12 for NUM_TIM_CAP (up to 32 timers).

The spec only mentions for IA64 platform, the timer register space can
be up to 64K bytes with page protection capability. :(

> If we can only fit 24 timers into the MMIO region, should we do one of:
> >  * lower HPET_MAX_TIMERS
> >  * enlarge the MMIO region
> >  * leave HPET_MAX_TIMERS where it is but make realize enforce
> >    that num_timers <= 24 ?
> >
> 
> Lowering HPET_MAX_TIMERS is the easiest, yes. No one really uses anything
> but the default anyway.

yes, I agree, maybe no vender implememnts more than 24 timers, which is
why HPET doesn't provide further details on MMIO extensions I think.

Regards,
Zhao

next prev parent reply	other threads:[~2026-03-30 14:20 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-27 17:47 [PATCH] hpet: fix bounds check for s->timer[] Paolo Bonzini
2026-03-27 18:46 ` Peter Maydell
2026-03-27 20:02   ` Paolo Bonzini
2026-03-30 14:46     ` Zhao Liu [this message]
2026-03-27 23:16 ` Philippe Mathieu-Daudé
2026-03-30 14:47 ` Zhao Liu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=acqM0he6SpiY7LOK@intel.com \
    --to=zhao1.liu@intel.com \
    --cc=pbonzini@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=yumak@ricsec.co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.