Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756376AbbLDUZv (ORCPT <rfc822;w@1wt.eu>);
	Fri, 4 Dec 2015 15:25:51 -0500
Received: from mail-yk0-f177.google.com ([209.85.160.177]:35002 "EHLO
	mail-yk0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756336AbbLDUZt (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 4 Dec 2015 15:25:49 -0500
MIME-Version: 1.0
In-Reply-To: <1448847030-27205-1-git-send-email-david@gibson.dropbear.id.au>
References: <1448847030-27205-1-git-send-email-david@gibson.dropbear.id.au>
Date: Fri, 4 Dec 2015 12:25:48 -0800
Message-ID: <CALAqxLUa_aCo5Eq-jHi6-jx7jovgxyaaCjd8UTzNnPSwZiBS9g@mail.gmail.com>
Subject: Re: [PATCH] time: Avoid signed overflow in timekeeping_get_ns()
From: John Stultz <john.stultz@linaro.org>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: Thomas Gleixner <tglx@linutronix.de>,
        Daniel Lezcano <daniel.lezcano@linaro.org>, lviver@redhat.com,
        Paul Mackerras <paulus@samba.org>, mpe@ellerman.id.au,
        lkml <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2051
Lines: 43

On Sun, Nov 29, 2015 at 5:30 PM, David Gibson
<david@gibson.dropbear.id.au> wrote:
> 1e75fa8 "time: Condense timekeeper.xtime into xtime_sec" replaced a call to
> clocksource_cyc2ns() from timekeeping_get_ns() with an open-coded version
> of the same logic to avoid keeping a semi-redundant struct timespec
> in struct timekeeper.
>
> However, the commit also introduced a subtle semantic change - where
> clocksource_cyc2ns() uses purely unsigned math, the new version introduces
> a signed temporary, meaning that if (delta * tk->mult) has a 63-bit
> overflow the following shift will still give a negative result.  The
> choice of 'maxsec' in __clocksource_updatefreq_scale() means this will
> generally happen if there's a ~10 minute pause in examining the
> clocksource.
>
> This can be triggered on a powerpc KVM guest by stopping it from qemu for
> a bit over 10 minutes.  After resuming time has jumped backwards several
> minutes causing numerous problems (jiffies does not advance, msleep()s can
> be extended by minutes..).  It doesn't happen on x86 KVM guests, because
> the guest TSC is effectively frozen while the guest is stopped, which is
> not the case for the powerpc timebase.
>
> Obviously an unsigned (64 bit) overflow will only take twice as long as a
> signed, 63-bit overflow.  I don't know the time code well enough to know
> if that will still cause incorrect calculations, or if a 64-bit overflow
> is avoided elsewhere.
>
> Still, an incorrect forwards clock adjustment will cause less trouble than
> time going backwards.  So, this patch removes the potential for
> intermediate signed overflow.
>
> Suggested-by: Laurent Vivier <lvivier@redhat.com>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

Thanks for sending this in. I've queued it for 4.5

thanks
-john
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/