On 10 November 2014 18:21, Alexander Graf <ag...@suse.de> wrote:
> When creating a timer handle, we give the timer id a special magic offset
> of 0xcafe0000. However, we never mask that offset out of the timer id before
> we start using it to dereference our timer array. So we always end up aborting
> timer operations because the timer id is out of bounds.
>
> This was not an issue before my patch e52a99f756e ("linux-user: Simplify
> timerid checks on g_posix_timers range") because before we would blindly mask
> anything above the first 16 bits.
>
> This patch simplifies the code around timer id creation by introducing a proper
> target_timer_id typedef that is s32, just like Linux has it. It also changes the
> magic offset to a value that makes all timer ids be positive.
>
> Reported-by: Tom Musta <tommu...@gmail.com>
> Signed-off-by: Alexander Graf <ag...@suse.de>

Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>

Thanks for putting up with all my nitpicking...

-- PMM
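As an added illustration of the bug the quoted message describes (not QEMU's own code): a buggy lookup that indexes the timer table with the raw id, beside a fixed one that checks the magic and masks it off first. The table size, the replacement magic value 0x0caf0000 and all function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the timer-id scheme, not QEMU's code.
 * A guest-visible timer id is a small table index OR'd with a magic
 * offset so that stray values can be rejected on the way back in. */

typedef int32_t target_timer_id;        /* s32, as the message says Linux has it */

#define OLD_TIMER_MAGIC  0xcafe0000u    /* offset quoted in the message */
#define NEW_TIMER_MAGIC  0x0caf0000u    /* assumed replacement: sign bit clear */
#define TIMER_MAGIC_MASK 0xffff0000u    /* upper 16 bits carry the magic */
#define NUM_HOST_TIMERS  32             /* assumed table size */

/* Build the id handed to the guest for host timer slot idx. */
target_timer_id make_timer_id(int idx, uint32_t magic)
{
    return (target_timer_id)(magic | (uint32_t)idx);
}

/* Buggy lookup: the magic is never masked off, so every id the guest was
 * given is either negative or far beyond the table and the op is refused. */
int lookup_timer_buggy(target_timer_id timerid)
{
    if (timerid < 0 || timerid >= NUM_HOST_TIMERS) {
        return -1;                      /* stands in for -EINVAL */
    }
    return (int)timerid;                /* index that would be dereferenced */
}

/* Fixed lookup: require the expected magic, strip it, then bounds-check. */
int lookup_timer_fixed(target_timer_id timerid, uint32_t magic)
{
    if (((uint32_t)timerid & TIMER_MAGIC_MASK) != magic) {
        return -1;                      /* not one of our ids */
    }
    uint32_t idx = (uint32_t)timerid & ~TIMER_MAGIC_MASK;
    if (idx >= NUM_HOST_TIMERS) {
        return -1;
    }
    return (int)idx;
}

/* With 0xcafe0000 the sign bit is set, so an s32 id compares below zero. */
bool timer_id_is_negative(target_timer_id timerid)
{
    return timerid < 0;
}
```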