Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964833AbcKOV4l (ORCPT ); Tue, 15 Nov 2016 16:56:41 -0500 Received: from Galois.linutronix.de ([146.0.238.70]:44485 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752497AbcKOV4i (ORCPT ); Tue, 15 Nov 2016 16:56:38 -0500 Date: Tue, 15 Nov 2016 22:53:44 +0100 (CET) From: Thomas Gleixner To: John Stultz cc: Chris Metcalf , Laurent Vivier , David Gibson , "Christopher S . Hall" , lkml Subject: Re: [PATCH] time: Avoid signed overflow in timekeeping_delta_to_ns() In-Reply-To: Message-ID: References: <1479152569-16890-1-git-send-email-cmetcalf@mellanox.com> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1819 Lines: 46 On Mon, 14 Nov 2016, John Stultz wrote: > On Mon, Nov 14, 2016 at 11:42 AM, Chris Metcalf wrote: > > This bugfix was originally made in commit 35a4933a8959 ("time: > > Avoid signed overflow in timekeeping_get_ns()"). When the code was > > refactored in commit 6bd58f09e1d8 ("time: Add cycles to nanoseconds > > translation") the signed overflow fix was lost. Re-introduce it. > > > > Signed-off-by: Chris Metcalf > > --- > > I happened to be looking for an unrelated fix, found this code, > > realized the tip code didn't match the fixed code, and > > backtracked to where it had gone away. > > > > kernel/time/timekeeping.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c > > index 37dec7e3db43..57926bc7b7f3 100644 > > --- a/kernel/time/timekeeping.c > > +++ b/kernel/time/timekeeping.c > > @@ -304,8 +304,7 @@ static inline s64 timekeeping_delta_to_ns(struct tk_read_base *tkr, > > { > > s64 nsec; > > > > - nsec = delta * tkr->mult + tkr->xtime_nsec; > > - nsec >>= tkr->shift; > > + nsec = (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift; > > Ugh. > > So... I think this proves the original fix was *far* too subtle to > maintain. So I think reintroducing it as-is doesn't protect us from > undoing it. If the problem is really using the signed intermediate > nsec value, we should get rid of that. As I told the other guy who submitted something similar: This is not really helpful. It merily drags the overflow case out by a factor of 2. So we really need to figure out under which circumstances this can happen and fixup either the callsites or detect the condition right there, which I'd like to avoid for the hotpath. Thanks, tglx