From: Peter Maydell <peter.maydell@linaro.org>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Li Qiang <liqiang6-s@360.cn>, qemu-arm <qemu-arm@nongnu.org>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH] timer: a9gtimer: check auto-increment register value
Date: Thu, 22 Sep 2016 14:59:01 +0100 [thread overview]
Message-ID: <CAFEAcA8uAjbxbARR0PHnzgiTm3x2axAzW8GP7_Z75ejNqK4HKA@mail.gmail.com> (raw)
In-Reply-To: <1474488807-451-1-git-send-email-ppandit@redhat.com>
On 21 September 2016 at 21:13, P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> ARM A9MP processor has a peripheral timer with an auto-increment
> register, which holds an increment step value. A user could set
> this value to zero, when auto-increment control bit is enabled.
> This leads to an infinite loop in 'a9_gtimer_update' while
> updating comparator value. Add check to avoid it.
>
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/timer/a9gtimer.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
> index 772f85f..3f752ce 100644
> --- a/hw/timer/a9gtimer.c
> +++ b/hw/timer/a9gtimer.c
> @@ -85,7 +85,7 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
> while (gtb->compare < update.new) {
> DB_PRINT("Compare event happened for CPU %d\n", i);
> gtb->status = 1;
> - if (gtb->control & R_CONTROL_AUTO_INCREMENT) {
> + if (gtb->inc && gtb->control & R_CONTROL_AUTO_INCREMENT) {
> DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",
> gtb->inc);
> gtb->compare += gtb->inc;
The code as it stands is definitely wrong, but it's also rather
weird, because it loops round just incrementing gtb->compare
by gtb->inc each time until it's >= update.new, when we ought
in theory to be able to calculate the new compare value without
having to loop round to do it.
The loop code also introduces some other odd corner cases which
are might loop forever or at least run for a long time before
they terminate. For instance suppose gtb->compare is
0xFFFF_FFFF_FFFF_0000, update.new is slightly larger than that,
and gtb->inc is 0x10000. This will loop forever because
compare will wrap round to 0x10000, then increment steadily
until it hits 0xFFFF_FFFF_FFFF_0000 again, and repeat.
So I think we need to fix this bug by rewriting the code to
not have a loop in it at all. (Something like, take
(update.new - gtb->compare), round it up to a multiple of
gtb->inc, and then add that to gtb->compare.)
thanks
-- PMM
prev parent reply other threads:[~2016-09-22 13:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-21 20:13 [Qemu-devel] [PATCH] timer: a9gtimer: check auto-increment register value P J P
2016-09-22 13:59 ` Peter Maydell [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFEAcA8uAjbxbARR0PHnzgiTm3x2axAzW8GP7_Z75ejNqK4HKA@mail.gmail.com \
--to=peter.maydell@linaro.org \
--cc=liqiang6-s@360.cn \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).