Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753756AbbK3NPr (ORCPT ); Mon, 30 Nov 2015 08:15:47 -0500 Received: from mx1.redhat.com ([209.132.183.28]:40564 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752231AbbK3NPp (ORCPT ); Mon, 30 Nov 2015 08:15:45 -0500 Subject: Re: [PATCH] time: Avoid signed overflow in timekeeping_get_ns() To: David Gibson , tglx@linutronix.de, john.stultz@linaro.org, daniel.lezcano@linaro.org References: <1448847030-27205-1-git-send-email-david@gibson.dropbear.id.au> Cc: paulus@samba.org, mpe@ellerman.id.au, linux-kernel@vger.kernel.org From: Laurent Vivier Message-ID: <565C4BFE.2090707@redhat.com> Date: Mon, 30 Nov 2015 14:15:42 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <1448847030-27205-1-git-send-email-david@gibson.dropbear.id.au> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2636 Lines: 59 On 30/11/2015 02:30, David Gibson wrote: > 1e75fa8 "time: Condense timekeeper.xtime into xtime_sec" replaced a call to > clocksource_cyc2ns() from timekeeping_get_ns() with an open-coded version > of the same logic to avoid keeping a semi-redundant struct timespec > in struct timekeeper. > > However, the commit also introduced a subtle semantic change - where > clocksource_cyc2ns() uses purely unsigned math, the new version introduces > a signed temporary, meaning that if (delta * tk->mult) has a 63-bit > overflow the following shift will still give a negative result. The > choice of 'maxsec' in __clocksource_updatefreq_scale() means this will > generally happen if there's a ~10 minute pause in examining the > clocksource. > > This can be triggered on a powerpc KVM guest by stopping it from qemu for > a bit over 10 minutes. After resuming time has jumped backwards several > minutes causing numerous problems (jiffies does not advance, msleep()s can > be extended by minutes..). It doesn't happen on x86 KVM guests, because > the guest TSC is effectively frozen while the guest is stopped, which is > not the case for the powerpc timebase. > > Obviously an unsigned (64 bit) overflow will only take twice as long as a > signed, 63-bit overflow. I don't know the time code well enough to know > if that will still cause incorrect calculations, or if a 64-bit overflow > is avoided elsewhere. > > Still, an incorrect forwards clock adjustment will cause less trouble than > time going backwards. So, this patch removes the potential for > intermediate signed overflow. > > Suggested-by: Laurent Vivier > Signed-off-by: David Gibson > --- > kernel/time/timekeeping.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c > index d563c19..99188ee 100644 > --- a/kernel/time/timekeeping.c > +++ b/kernel/time/timekeeping.c > @@ -305,8 +305,7 @@ static inline s64 timekeeping_get_ns(struct tk_read_base *tkr) > > delta = timekeeping_get_delta(tkr); > > - nsec = delta * tkr->mult + tkr->xtime_nsec; > - nsec >>= tkr->shift; > + nsec = (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift; > > /* If arch requires, add in get_arch_timeoffset() */ > return nsec + arch_gettimeoffset(); > Tested-by: Laurent Vivier -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/