From: Marc Zyngier <maz@kernel.org>
To: Sudeep Holla <sudeep.holla@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org, linux-acpi@vger.kernel.org,
linux-kernel@vger.kernel.org, devicetree@vger.kernel.org,
"Lorenzo Pieralisi" <lpieralisi@kernel.org>,
"Hanjun Guo" <guohanjun@huawei.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Will Deacon" <will@kernel.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Mark Rutland" <mark.rutland@arm.com>,
"Daniel Lezcano" <daniel.lezcano@kernel.org>,
"Thomas Gleixner" <tglx@kernel.org>,
"Rob Herring" <robh@kernel.org>,
"Krzysztof Kozlowski" <krzk+dt@kernel.org>,
"Conor Dooley" <conor+dt@kernel.org>,
"Chen-Yu Tsai" <wens@kernel.org>,
"Jernej Skrabec" <jernej.skrabec@gmail.com>,
"Samuel Holland" <samuel@sholland.org>,
"Neil Armstrong" <neil.armstrong@linaro.org>,
"Kevin Hilman" <khilman@baylibre.com>,
"Jerome Brunet" <jbrunet@baylibre.com>,
"Martin Blumenstingl" <martin.blumenstingl@googlemail.com>,
"Ge Gordon" <gordon.ge@bst.ai>,
"BST Linux Kernel Upstream Group" <bst-upstream@bstai.top>,
"Jesper Nilsson" <jesper.nilsson@axis.com>,
"Lars Persson" <lars.persson@axis.com>,
"Alim Akhtar" <alim.akhtar@samsung.com>,
"Ivaylo Ivanov" <ivo.ivanov.ivanov1@gmail.com>,
"Frank Li" <Frank.Li@nxp.com>,
"Sascha Hauer" <s.hauer@pengutronix.de>,
"Pengutronix Kernel Team" <kernel@pengutronix.de>,
"Fabio Estevam" <festevam@gmail.com>,
"Dinh Nguyen" <dinguyen@kernel.org>,
"Matthias Brugger" <matthias.bgg@gmail.com>,
"AngeloGioacchino Del Regno"
<angelogioacchino.delregno@collabora.com>,
"Thierry Reding" <thierry.reding@kernel.org>,
"Jonathan Hunter" <jonathanh@nvidia.com>,
"Bjorn Andersson" <andersson@kernel.org>,
"Konrad Dybcio" <konradybcio@kernel.org>,
"Andreas Färber" <afaerber@suse.de>,
"Heiko Stuebner" <heiko@sntech.de>,
"Shawn Lin" <shawn.lin@rock-chips.com>,
"Orson Zhai" <orsonzhai@gmail.com>,
"Baolin Wang" <baolin.wang@linux.alibaba.com>,
"Michal Simek" <michal.simek@amd.com>
Subject: Re: [PATCH v2 01/17] ACPI: GTDT: Account for GTDTv3 size when walking the platform timer descriptors
Date: Fri, 15 May 2026 12:23:50 +0100
Message-ID: <864ik8ykzd.wl-maz@kernel.org>
In-Reply-To: <20260515-prudent-vagabond-beetle-cad34b@sudeepholla>
On Fri, 15 May 2026 10:51:52 +0100,
Sudeep Holla <sudeep.holla@kernel.org> wrote:
>
> On Thu, May 14, 2026 at 04:09:29PM +0100, Marc Zyngier wrote:
> > Since ARMv8.1, the architecture has grown an EL2-private virtual
> > timer. This has been described in ACPI since ACPI v6.3 and revision
> > 3 of the GTDT table.
> >
> > An additional structure was added in ACPICA, though in a rather
> > bizarre way, and merged in v5.1 as 8f5a14d053100 ("ACPICA: ACPI 6.3:
> > add GTDT Revision 3 support").
> >
> > Finally plug the table parsing in GTDT, and correct the parsing of
> > the platform timer subtables to account for the expanded size of
> > the base table.
> >
> > Suggested-by: Sudeep Holla <sudeep.holla@kernel.org>
> > Signed-off-by: Marc Zyngier <maz@kernel.org>
> > ---
> > drivers/acpi/arm64/gtdt.c | 15 ++++++++++++++-
> > 1 file changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
> > index ffc867bac2d60..b9d9b8edf2df7 100644
> > --- a/drivers/acpi/arm64/gtdt.c
> > +++ b/drivers/acpi/arm64/gtdt.c
> > @@ -32,6 +32,12 @@ struct acpi_gtdt_descriptor {
> > struct acpi_table_gtdt *gtdt;
> > void *gtdt_end;
> > void *platform_timer;
> > + bool v3;
> > +};
> > +
> > +struct gtdt_v3 {
> > + struct acpi_table_gtdt gtdt_v2;
> > + struct acpi_gtdt_el2 el2_vtimer;
> > };
> >
> > static struct acpi_gtdt_descriptor acpi_gtdt_desc __initdata;
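Review bot: struct gtdt_v3 is added without a comment saying that it describes the revision 3 base table, that is the existing struct acpi_table_gtdt immediately followed by struct acpi_gtdt_el2. The next hunk uses the size of this struct as the start of the platform timer area, so the layout assumption deserves a line of documentation above the struct, and the new bool v3 member a note on when it is set.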
> > @@ -39,8 +45,14 @@ static struct acpi_gtdt_descriptor acpi_gtdt_desc __initdata;
> > static __init bool platform_timer_valid(void *platform_timer)
> > {
> > struct acpi_gtdt_header *gh = platform_timer;
> > + void *platform_timer_begin;
> > +
> > + if (acpi_gtdt_desc.v3)
> > + platform_timer_begin = container_of(acpi_gtdt_desc.gtdt, struct gtdt_v3, gtdt_v2) + 1;
> > + else
> > + platform_timer_begin = acpi_gtdt_desc.gtdt + 1;
> >
> > - return (platform_timer >= (void *)(acpi_gtdt_desc.gtdt + 1) &&
> > + return (platform_timer >= platform_timer_begin &&
> > platform_timer < acpi_gtdt_desc.gtdt_end &&
> > gh->length != 0 &&
> > platform_timer + gh->length <= acpi_gtdt_desc.gtdt_end);
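Review bot: the return expression in platform_timer_valid() still reads gh->length after checking only platform_timer < acpi_gtdt_desc.gtdt_end, so a descriptor that starts in the last bytes of the table may have its length field read from beyond gtdt_end. While this check is being reworked, requiring platform_timer + sizeof(*gh) <= acpi_gtdt_desc.gtdt_end before the dereference would close that. Separately, the v3 lower bound could be computed once in acpi_gtdt_init() and stored in the descriptor, which would avoid the container_of() on every call and the over-long line.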
> > @@ -169,6 +181,7 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
> > acpi_gtdt_desc.gtdt = gtdt;
> > acpi_gtdt_desc.gtdt_end = (void *)table + table->length;
> > acpi_gtdt_desc.platform_timer = NULL;
> > + acpi_gtdt_desc.v3 = gtdt->header.revision >= 3 && gtdt->header.length >= sizeof(struct gtdt_v3);
>
> Regarding Sashiko’s comment about the missing length validation for GTDT v2, I
> realised that the current check could cause a malformed v3 table to be
> interpreted as v2 if its length does not match the expected v3
> length.
Yeah, that's overall dodgy. As much as I hate having to write a
validating parser for ACPI, we need to be prepared for the worst.
> It would be better to fail early and return an error rather than allow
> processing to continue with the table incorrectly interpreted as v2.
How about something like the hack below?
Thanks,
M.
diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
index 12bc8875e95e2..ceec69609f038 100644
--- a/drivers/acpi/arm64/gtdt.c
+++ b/drivers/acpi/arm64/gtdt.c
@@ -202,7 +202,15 @@ int __init acpi_gtdt_init(struct acpi_table_header *table,
acpi_gtdt_desc.gtdt = gtdt;
acpi_gtdt_desc.gtdt_end = (void *)table + table->length;
acpi_gtdt_desc.platform_timer = NULL;
- acpi_gtdt_desc.v3 = gtdt->header.revision >= 3 && gtdt->header.length >= sizeof(struct gtdt_v3);
+
+ if ((gtdt->header.revision >= 3 && gtdt->header.length < sizeof(struct gtdt_v3)) ||
+ (gtdt->header.revision == 2 && gtdt->header.length < sizeof(*gtdt))) {
+ pr_err(FW_BUG "GTDT with invalid size %d\n", gtdt->header.length);
+ return -EINVAL;
+ }
+
+ acpi_gtdt_desc.v3 = gtdt->header.revision >= 3;
+
if (platform_timer_count)
*platform_timer_count = 0;
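Review bot: the new size check in acpi_gtdt_init() covers revision >= 3 and revision == 2 only, so a table reporting revision 0 or 1 with header.length below sizeof(*gtdt) still passes and is then walked with the v2 layout. Testing gtdt->header.length < sizeof(*gtdt) unconditionally and adding the sizeof(struct gtdt_v3) test for revision >= 3 would cover every revision. The check also sits after acpi_gtdt_desc.gtdt and gtdt_end have been assigned, so moving it above those assignments would leave the descriptor untouched on the -EINVAL path, and since header.length is unsigned, %u fits better than %d in the pr_err().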
--
Without deviation from the norm, progress is not possible.