Re: [PATCH v4] hw/intc/sifive_clint: Fix muldiv64 overflow in sifive

qemu-riscv

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v4] hw/intc/sifive_clint: Fix muldiv64 overflow in sifive_cli

From:	Alistair Francis
Subject:	Re: [PATCH v4] hw/intc/sifive_clint: Fix muldiv64 overflow in sifive_clint_write_timecmp()
Date:	Mon, 30 Aug 2021 16:02:26 +1000

On Sat, Aug 28, 2021 at 1:28 AM David Hoppenbrouwers <david@salt-inc.org> wrote:
>
> `muldiv64` would overflow in cases where the final 96-bit value does not
> fit in a `uint64_t`. This would result in small values that cause an
> interrupt to be triggered much sooner than intended.
>
> The overflow can be detected in most cases by checking if the new value is
> smaller than the previous value. If the final result is larger than
> `diff` it is either correct or it doesn't matter as it is effectively
> infinite anyways.
>
> `next` is an `uint64_t` value, but `timer_mod` takes an `int64_t`. This
> resulted in high values such as `UINT64_MAX` being converted to `-1`,
> which caused an immediate timer interrupt.
>
> By limiting `next` to `INT64_MAX` no overflow will happen while the
> timer will still be effectively set to "infinitely" far in the future.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/493
> Signed-off-by: David Hoppenbrouwers <david@salt-inc.org>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Alistair

> ---
> I addressed the potential signed integer overflow if `ns_diff` is
> `INT64_MAX`. An unsigned integer overflow still should not be able to
> happen practically.
>
> David
>
>  hw/intc/sifive_clint.c | 25 +++++++++++++++++++++++--
>  1 file changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/hw/intc/sifive_clint.c b/hw/intc/sifive_clint.c
> index 0f41e5ea1c..99c870ced2 100644
> --- a/hw/intc/sifive_clint.c
> +++ b/hw/intc/sifive_clint.c
> @@ -59,8 +59,29 @@ static void sifive_clint_write_timecmp(RISCVCPU *cpu, 
> uint64_t value,
>      riscv_cpu_update_mip(cpu, MIP_MTIP, BOOL_TO_MASK(0));
>      diff = cpu->env.timecmp - rtc_r;
>      /* back to ns (note args switched in muldiv64) */
> -    next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
> -        muldiv64(diff, NANOSECONDS_PER_SECOND, timebase_freq);
> +    uint64_t ns_diff = muldiv64(diff, NANOSECONDS_PER_SECOND, timebase_freq);
> +
> +    /*
> +     * check if ns_diff overflowed and check if the addition would 
> potentially
> +     * overflow
> +     */
> +    if ((NANOSECONDS_PER_SECOND > timebase_freq && ns_diff < diff) ||
> +        ns_diff > INT64_MAX) {
> +        next = INT64_MAX;
> +    } else {
> +        /*
> +         * as it is very unlikely qemu_clock_get_ns will return a value
> +         * greater than INT64_MAX, no additional check is needed for an
> +         * unsigned integer overflow.
> +         */
> +        next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ns_diff;
> +        /*
> +         * if ns_diff is INT64_MAX next may still be outside the range
> +         * of a signed integer.
> +         */
> +        next = MIN(next, INT64_MAX);
> +    }
> +
>      timer_mod(cpu->env.timer, next);
>  }
>
> --
> 2.20.1
>
>

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v4] hw/intc/sifive_clint: Fix muldiv64 overflow in sifive_clint_write_timecmp(), David Hoppenbrouwers, 2021/08/27
- Re: [PATCH v4] hw/intc/sifive_clint: Fix muldiv64 overflow in sifive_clint_write_timecmp(), Alistair Francis <=

Prev by Date: Re: [PATCH v3 2/4] hw/intc: Upgrade the SiFive CLINT implementation to RISC-V ACLINT
Next by Date: Re: [PATCH v2] hw/intc/sifive_clint: Fix expiration time logic
Previous by thread: [PATCH v4] hw/intc/sifive_clint: Fix muldiv64 overflow in sifive_clint_write_timecmp()
Next by thread: [PATCH] hw/intc/sifive_clint: Fix expiration time logic
Index(es):
- Date
- Thread