Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp756637img;
        Fri, 22 Mar 2019 07:59:12 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwJzY/UhCM9IT74++QTjytK0PqnrhMXhaGCGLgv1lRKupCAH6We1t/sjuQ1PanXvw1VAg0m
X-Received: by 2002:a63:1723:: with SMTP id x35mr9070163pgl.364.1553266752531;
        Fri, 22 Mar 2019 07:59:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553266752; cv=none;
        d=google.com; s=arc-20160816;
        b=SvuhPGWeLF3jPWdz+ZRZdu/ZMOYZ1BtO6qL89TpbKHcxPZrHHQG2fW5fdRIljYoFVv
         I9hMSqzlAmhSbHnaRZkzvAX/GPjUcn8f6WzdLcvXBUZ+RmUsjP0tMKCJTOIPq/i7Vd0y
         y0+YWfoccJDE3F2wlOewmnQTF7fcZuWi6kHhwpuhsOG+63d7M19LSsQHQAZktqPt7lUm
         48vyCmk4BeMbARS4xMy0RDJpzWgAS6bUPzwA5/9BS01b2HCcRxQE8etM5FPbftaGKLew
         6dURGoJwelh8ybnAlfN93zqESkBNtcmA4YA8ylLEM5+MKWiP5MxGQzJ55wGsM0L8pL+K
         9ZvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=N9Lj3co0N1cWY4bN6dnfySG3qsce7kQ+8PeOOUIMJFQ=;
        b=bHJ124wLe5+Vz8ojOLkfPA134lMOdnISekROmkywroSFZ+Ci9LHMW0g/4nfEdgdWG8
         TmuITA5a+lIAWlfW7oTQP07x7XEeYcs0Z/upldw3DeBG490egHTHUbwbcH9TGLE9loTG
         BgSqY6WXDmXP1PLdiLRgOdQtQqghQf6CsUnZGdx7k7qvzW4lq+kXsrRVO2sEvYE0GR77
         wzrZDZX+7BSmuCr+6FPVQOTjJVb8ok6AgQVEO+ZZNpgMPqIxNtZoVi+nCgpFNJqi1Fei
         AD5AGRaFOs9jp/zzmprEht+D9RS1fv4ozvwSgiN3R5enc68JxBXc6nVqlcYuD8Pp+4d4
         u/Pw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h24si6785497pgv.67.2019.03.22.07.58.57;
        Fri, 22 Mar 2019 07:59:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729367AbfCVO6Q (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Fri, 22 Mar 2019 10:58:16 -0400
Received: from Galois.linutronix.de ([146.0.238.70]:41227 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728024AbfCVO6P (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 22 Mar 2019 10:58:15 -0400
Received: from [5.158.153.52] (helo=nanos.tec.linutronix.de)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tglx@linutronix.de>)
        id 1h7LcW-0003Xh-8z; Fri, 22 Mar 2019 15:58:08 +0100
Date:   Fri, 22 Mar 2019 15:58:07 +0100 (CET)
From:   Thomas Gleixner <tglx@linutronix.de>
To:     Xiongfeng Wang <wangxiongfeng2@huawei.com>
cc:     John Stultz <john.stultz@linaro.org>, sboyd@kernel.org,
        LKML <linux-kernel@vger.kernel.org>,
        Arnd Bergmann <arnd@arndb.de>
Subject: Re: [RFC PATCH] timekeeping: Avoid undefined behaviour in
 'ktime_get_with_offset()'
In-Reply-To: <1551259381-15907-1-git-send-email-wangxiongfeng2@huawei.com>
Message-ID: <alpine.DEB.2.21.1903221541060.1729@nanos.tec.linutronix.de>
References: <1551259381-15907-1-git-send-email-wangxiongfeng2@huawei.com>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 27 Feb 2019, Xiongfeng Wang wrote:

> When I ran Syzkaller testsuite, I got the following call trace.
> ================================================================================
> UBSAN: Undefined behaviour in kernel/time/timekeeping.c:801:8
> signed integer overflow:
> 500152103386 + 9223372036854775807 cannot be represented in type 'long long int'
> CPU: 6 PID: 13904 Comm: syz-executor.0 Not tainted 4.19.25 #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xca/0x13e lib/dump_stack.c:113
>  ubsan_epilogue+0xe/0x81 lib/ubsan.c:159
>  handle_overflow+0x193/0x1e2 lib/ubsan.c:190
>  ktime_get_with_offset+0x26a/0x2d0 kernel/time/timekeeping.c:801
>  common_hrtimer_arm+0x14d/0x220 kernel/time/posix-timers.c:817
>  common_timer_set+0x337/0x530 kernel/time/posix-timers.c:863
>  do_timer_settime+0x198/0x290 kernel/time/posix-timers.c:892
>  __do_sys_timer_settime kernel/time/posix-timers.c:918 [inline]
>  __se_sys_timer_settime kernel/time/posix-timers.c:904 [inline]
>  __x64_sys_timer_settime+0x18d/0x260 kernel/time/posix-timers.c:904
>  do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x462eb9
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f7968072c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000df
> RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9
> RDX: 00000000200000c0 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f79680736bc
> R13: 00000000004c54cc R14: 0000000000704278 R15: 00000000ffffffff
> ================================================================================
> 
> It it because global variable 'offsets' is set with a very large but still
> valid value. It overflows when we add 'tk->tkr_mono.base' with 'offsets'.

Well, no. First of all offsets is not a global variable. It's an array of
offsets.

The value of the offset used above is valid in the sense that it is a
positive value in 'long long int', but it is not at all valid in terms of
timekeeping.
 
> Because 'ktime_get_with_offset()' is a frequently used function, it may
> effect the performance if we use 'ktime_add_safe()' to avoid this
> undefined behaviour, so we use 'ktime_add_unsafe()' instead.

This is just papering over the real problem and no, we are not going to do
that.

The root cause is that something set CLOCK_REALTIME to have an offset of:

    9223372036854775807 ns ~= 292 years

vs. CLOCK_MONOTONIC.

The real fix is to limit the possible offset in the time setting code to a
sane value which cannot overflow in a reasonable time frame. If we assume a
maximum up time of 30 years, then the limit would be 262 years, which makes
the timekeeping code break either when uptime reaches 30 years or finally
in the year 2232.

Thanks,

	tglx