| Message ID | 20210816173035.5165-1-david@salt-inc.org (mailing list archive) |
|---|---|
| State | New, archived |
| Series | hw/intc/sifive_clint: Fix overflow in sifive_clint_write_timecmp() |
diff --git a/hw/intc/sifive_clint.c b/hw/intc/sifive_clint.c index 0f41e5ea1c..e65e71e5ec 100644 --- a/hw/intc/sifive_clint.c +++ b/hw/intc/sifive_clint.c @@ -61,6 +61,8 @@ static void sifive_clint_write_timecmp(RISCVCPU *cpu, uint64_t value, /* back to ns (note args switched in muldiv64) */ next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + muldiv64(diff, NANOSECONDS_PER_SECOND, timebase_freq); + /* ensure next does not overflow, as timer_mod takes a signed value */ + next = MAX(next, INT64_MAX); timer_mod(cpu->env.timer, next); }
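Review bot: the clamp in sifive_clint_write_timecmp() is inverted: `next = MAX(next, INT64_MAX);` returns INT64_MAX for every `next` below it, so every timecmp write would arm the timer "infinitely" far in the future, and a `next` above INT64_MAX passes through unchanged and is still turned into a negative value by `timer_mod`. The line should read `next = MIN(next, INT64_MAX);`. Note also that the sum `qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + muldiv64(diff, NANOSECONDS_PER_SECOND, timebase_freq)` is computed in uint64_t before the clamp runs, so a very large `diff` can wrap the addition to a small value that the clamp then accepts as a near-term deadline; saturating the muldiv64 result to INT64_MAX (or checking the addition for overflow) before adding the clock value would cover that case. Finally, the new comment "ensure next does not overflow" should state what the clamp actually does, i.e. saturate `next` to the largest value `timer_mod` can take, since the conversion itself is not what is being prevented.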
`next` is a `uint64_t` value, but `timer_mod` takes an `int64_t`. This resulted in high values such as `UINT64_MAX` being converted to `-1`, which caused an immediate timer interrupt.

By limiting `next` to `INT64_MAX` no overflow will happen while the timer will still be effectively set to "infinitely" far in the future.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/493
Signed-off-by: David Hoppenbrouwers <david@salt-inc.org>
---
 hw/intc/sifive_clint.c | 2 ++
 1 file changed, 2 insertions(+)
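The conversion described in the message, shown as an added C example that is not QEMU code and not the patch author's: `naive_to_timer` reproduces the `UINT64_MAX` to `-1` conversion, and `safe_deadline_ns` computes the same ticks-to-nanoseconds deadline while saturating at `INT64_MAX` at every step that can exceed the signed range (the multiply, the addition, and the final conversion). The names `naive_to_timer`, `safe_deadline_ns`, `TIMEBASE_FREQ` and the constructed clock values are assumptions chosen for the example; the 10 MHz timebase is a representative value, not something stated on the page.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU source: the helper names and the 10 MHz
 * timebase below are assumptions for illustration only.
 */
#define NANOSECONDS_PER_SECOND 1000000000ULL
#define TIMEBASE_FREQ          10000000ULL   /* assumed 10 MHz mtime rate */

/*
 * Before the fix: the unsigned deadline is handed straight to a timer
 * API that takes int64_t. Any value above INT64_MAX turns negative,
 * UINT64_MAX becomes -1, and a negative deadline is "already expired".
 */
static int64_t naive_to_timer(uint64_t next_ns)
{
    return (int64_t)next_ns;
}

/*
 * Overflow-safe deadline computation: convert timer ticks to ns with a
 * 128-bit intermediate, then add the current clock, saturating at
 * INT64_MAX whenever the true value would not fit a signed 64-bit ns
 * timestamp. Saturating keeps the timer "infinitely" far away instead
 * of wrapping to a small (or negative) value that fires immediately.
 */
static int64_t safe_deadline_ns(int64_t now_ns, uint64_t diff_ticks)
{
    if (now_ns < 0) {
        now_ns = 0;                      /* the virtual clock is non-negative */
    }

    /* ticks * 1e9 / freq can exceed 2^64 for large timecmp values */
    unsigned __int128 rel = (unsigned __int128)diff_ticks
                            * NANOSECONDS_PER_SECOND / TIMEBASE_FREQ;
    if (rel > (unsigned __int128)INT64_MAX) {
        return INT64_MAX;
    }

    /* now_ns + rel is computed only if it provably fits in int64_t */
    uint64_t headroom = (uint64_t)INT64_MAX - (uint64_t)now_ns;
    if ((uint64_t)rel > headroom) {
        return INT64_MAX;
    }
    return now_ns + (int64_t)rel;        /* MIN(next, INT64_MAX) in effect */
}

int main(void)
{
    /* constructed inputs: a small clock value and a "disable" timecmp */
    printf("naive UINT64_MAX -> %lld\n", (long long)naive_to_timer(UINT64_MAX));
    printf("safe  (1000 ns, 5 ticks) -> %lld\n",
           (long long)safe_deadline_ns(1000, 5));
    printf("safe  (1000 ns, UINT64_MAX ticks) -> %lld\n",
           (long long)safe_deadline_ns(1000, UINT64_MAX));
    return 0;
}
```

The saturation order matters: clamping only after the addition, as the patch does, still lets a wrapped sum through, so the check here is applied to the converted tick count before the clock value is added.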