Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754169AbcKOWDk (ORCPT <rfc822;w@1wt.eu>);
        Tue, 15 Nov 2016 17:03:40 -0500
Received: from mail-oi0-f52.google.com ([209.85.218.52]:35790 "EHLO
        mail-oi0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751749AbcKOWDj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 15 Nov 2016 17:03:39 -0500
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.20.1611152250080.3595@nanos>
References: <1479152569-16890-1-git-send-email-cmetcalf@mellanox.com>
 <CALAqxLX1iDJFbnVW3-TCjaeHdKX-HFLe4JAf7vmd4QLLLi4G3g@mail.gmail.com> <alpine.DEB.2.20.1611152250080.3595@nanos>
From: John Stultz <john.stultz@linaro.org>
Date: Tue, 15 Nov 2016 14:03:37 -0800
Message-ID: <CALAqxLU8GogiHfQLNr-UbwH3Egmpw+e1nHWO3JXLhEiNpj2h0g@mail.gmail.com>
Subject: Re: [PATCH] time: Avoid signed overflow in timekeeping_delta_to_ns()
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Chris Metcalf <cmetcalf@mellanox.com>,
        Laurent Vivier <lvivier@redhat.com>,
        David Gibson <david@gibson.dropbear.id.au>,
        "Christopher S . Hall" <christopher.s.hall@intel.com>,
        lkml <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2332
Lines: 55

On Tue, Nov 15, 2016 at 1:53 PM, Thomas Gleixner <tglx@linutronix.de> wrote:
> On Mon, 14 Nov 2016, John Stultz wrote:
>
>> On Mon, Nov 14, 2016 at 11:42 AM, Chris Metcalf <cmetcalf@mellanox.com> wrote:
>> > This bugfix was originally made in commit 35a4933a8959 ("time:
>> > Avoid signed overflow in timekeeping_get_ns()").  When the code was
>> > refactored in commit 6bd58f09e1d8 ("time: Add cycles to nanoseconds
>> > translation") the signed overflow fix was lost.  Re-introduce it.
>> >
>> > Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
>> > ---
>> > I happened to be looking for an unrelated fix, found this code,
>> > realized the tip code didn't match the fixed code, and
>> > backtracked to where it had gone away.
>> >
>> >  kernel/time/timekeeping.c | 3 +--
>> >  1 file changed, 1 insertion(+), 2 deletions(-)
>> >
>> > diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
>> > index 37dec7e3db43..57926bc7b7f3 100644
>> > --- a/kernel/time/timekeeping.c
>> > +++ b/kernel/time/timekeeping.c
>> > @@ -304,8 +304,7 @@ static inline s64 timekeeping_delta_to_ns(struct tk_read_base *tkr,
>> >  {
>> >         s64 nsec;
>> >
>> > -       nsec = delta * tkr->mult + tkr->xtime_nsec;
>> > -       nsec >>= tkr->shift;
>> > +       nsec = (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift;
>>
>> Ugh.
>>
>> So... I think this proves the original fix was *far* too subtle to
>> maintain. So I think reintroducing it as-is doesn't protect us from
>> undoing it.  If the problem is really using the signed intermediate
>> nsec value, we should get rid of that.
>
> As I told the other guy who submitted something similar: This is not really
> helpful. It merily drags the overflow case out by a factor of 2.

Well... So lost time (where a VM/gdb caused stall runs past the
clocksource or causes an mult overflow) is a bit less problematic then
getting a huge negative nsec value.

> So we really need to figure out under which circumstances this can happen
> and fixup either the callsites or detect the condition right there, which
> I'd like to avoid for the hotpath.

I get that catching the (delta > TOOBIG) case, but even then I'm not
sure how we deal that condition in a way that results in anything
meaningfully different from the less-problematic unsigned overflow
(ie, capping it).

thanks
-john