Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751520AbbLKR5g (ORCPT <rfc822;w@1wt.eu>);
	Fri, 11 Dec 2015 12:57:36 -0500
Received: from foss.arm.com ([217.140.101.70]:34949 "EHLO foss.arm.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750923AbbLKR5e (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 11 Dec 2015 12:57:34 -0500
Date: Fri, 11 Dec 2015 17:57:51 +0000
From: Morten Rasmussen <morten.rasmussen@arm.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Peter Zijlstra <peterz@infradead.org>, mingo@redhat.com,
        linux-kernel@vger.kernel.org, yuyang.du@intel.com,
        Paul Turner <pjt@google.com>, Ben Segall <bsegall@google.com>
Subject: Re: [PATCH] sched/fair: fix mul overflow on 32-bit systems
Message-ID: <20151211175751.GA27552@e105550-lin.cambridge.arm.com>
References: <1449838518-26543-1-git-send-email-aryabinin@virtuozzo.com>
 <20151211132551.GO6356@twins.programming.kicks-ass.net>
 <20151211133612.GG6373@twins.programming.kicks-ass.net>
 <566AD6E1.2070005@virtuozzo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <566AD6E1.2070005@virtuozzo.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3540
Lines: 84

On Fri, Dec 11, 2015 at 05:00:01PM +0300, Andrey Ryabinin wrote:
> 
> 
> On 12/11/2015 04:36 PM, Peter Zijlstra wrote:
> > On Fri, Dec 11, 2015 at 02:25:51PM +0100, Peter Zijlstra wrote:
> >> On Fri, Dec 11, 2015 at 03:55:18PM +0300, Andrey Ryabinin wrote:
> >>> Make 'r' 64-bit type to avoid overflow in 'r * LOAD_AVG_MAX'
> >>> on 32-bit systems:
> >>> 	UBSAN: Undefined behaviour in kernel/sched/fair.c:2785:18
> >>> 	signed integer overflow:
> >>> 	87950 * 47742 cannot be represented in type 'int'
> >>>
> >>> Fixes: 9d89c257dfb9 ("sched/fair: Rewrite runnable load and utilization average tracking")
> >>> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
> >>> ---
> >>>  kernel/sched/fair.c | 4 ++--
> >>>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>>
> >>> diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
> >>> index e3266eb..733f0b8 100644
> >>> --- a/kernel/sched/fair.c
> >>> +++ b/kernel/sched/fair.c
> >>> @@ -2780,14 +2780,14 @@ static inline int update_cfs_rq_load_avg(u64 now, struct cfs_rq *cfs_rq)
> >>>  	int decayed, removed = 0;
> >>>  
> >>>  	if (atomic_long_read(&cfs_rq->removed_load_avg)) {
> >>> -		long r = atomic_long_xchg(&cfs_rq->removed_load_avg, 0);
> >>> +		s64 r = atomic_long_xchg(&cfs_rq->removed_load_avg, 0);
> >>>  		sa->load_avg = max_t(long, sa->load_avg - r, 0);
> >>>  		sa->load_sum = max_t(s64, sa->load_sum - r * LOAD_AVG_MAX, 0);
> >>
> >> This makes sense, because sched_avg::load_sum is u64.

A single removed nice=-20 task should be sufficient to cause the
overflow.

> >>
> >>>  		removed = 1;
> >>>  	}
> >>>  
> >>>  	if (atomic_long_read(&cfs_rq->removed_util_avg)) {
> >>> -		long r = atomic_long_xchg(&cfs_rq->removed_util_avg, 0);
> >>> +		s64 r = atomic_long_xchg(&cfs_rq->removed_util_avg, 0);
> >>>  		sa->util_avg = max_t(long, sa->util_avg - r, 0);
> >>>  		sa->util_sum = max_t(s32, sa->util_sum - r * LOAD_AVG_MAX, 0);
> >>>  	}
> >>
> >> However sched_avg::util_sum is u32, so this is still wrecked.
> > 
> > I seems to have wrecked that in:
> > 
> >   006cdf025a33 ("sched/fair: Optimize per entity utilization tracking")
> > 
> > maybe just make util_load u64 too?

It isn't as bad, but the optimization does increase the normal range
(not guaranteed) for util_sum from 47742 to
scale_down(SCHED_LOAD_SCALE)*47742 (= 1024*47742, unless you mess with
the scaling).

> Is there any guarantee that the final result of expression 'util_sum - r * LOAD_AVG_MAX' always can be represented by s32?
> 
> If yes, than we could just do this:
> 	max_t(s32, (u64)sa->util_sum - r * LOAD_AVG_MAX, 0)

In most cases 'r' shouldn't exceed 1024 and util_sum not significantly
exceed 1024*47742, but in extreme cases like spawning lots of new tasks
it may potentially overflow 32 bit. Newly created tasks contribute
1024*47742 each to the rq util_sum, which means that more than ~87 new
tasks on a single rq will get us in trouble I think.

Without Peter's optimization referenced above, that number should
increase to ~87k tasks as each task only contributed 47742 before, but
'r' could still cause 32-bit overflow if we remove more than ~87 newly
created tasks in one go. But I'm not sure if that is a situation we
should worry about?

I think we have to either make util_sum u64 too or look at the
optimizations again.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/