Received: by 2002:a89:288:0:b0:1f7:eeee:6653 with SMTP id j8csp316296lqh; Mon, 6 May 2024 22:54:54 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXoDkuETvbfUITJsgn2Y45evWa8hy0FLDAN4ZOTvWIKEzNYcwghxEjp4VUJDPU3/p62Um9km8Llk/T7xVdGVcozqYBUr3QEcNaDgom6HA== X-Google-Smtp-Source: AGHT+IFJ0UxY8AimsK4OJOz3SfXKcDLMXm71MPzrQQj1cbocJZVhrufR770ZMcsU6dvNMp+/2Pg4 X-Received: by 2002:a2e:984c:0:b0:2e1:d94a:771d with SMTP id e12-20020a2e984c000000b002e1d94a771dmr10939699ljj.4.1715061294694; Mon, 06 May 2024 22:54:54 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715061294; cv=pass; d=google.com; s=arc-20160816; b=VhP1xPWGlNS+ctev4F6KNqd2L7RtGEV6NVdOxb+MuyrHB/9bSUbqkUlYYpvqvhnz8U lsDzKPX1YlltltXwnh//Do5Ltg57cvRVVN1eBTYK0I8mQ55URzT+lllnZG/GQo8ZYx2e afrVYkD7V9T7ifeES5XVgVXc362erNgJGzqSa9YL8GZi8fDCs4vBdteVvLaiNGrb7Cu7 LAuRlE5tg3woHJFxzxpSm9HTlAOjSm1pWwQ3RuPxSkwkzAaS/Ijh8U8yqUVVxoOwSuap /eg9SYsohtKNsCoT6x18yIDM16n7GUUPiwGrT7KhUYEBduZufNcB+UrADTPK8vE+bwgt 0/lw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=k2+XprmFK+IYeTTDNzHuz3jEWMm6Vi+YQ+2eFOmblGY=; fh=eHMuhjowOIuPvUsqcjsXNv6JgBrgOzpVtky/YVqs+OQ=; b=n4V90jMXK79trDyYlfLjSlYOG92quvrlWigtDHI2Lq/i9Bp1Q+f+Lue2WNxZbVYpfQ oA1ofBlYtbQ5tez9lL3oqJk75aoz8eo0LhTroFHg2VLA0vamxBdH1r4ZB9nSEPfumt5O dVSHs0xxBfL0/BR6myPAEOQvhBTsXqAkjvJ307RjIW0emouV/DQi17lKExdj1jTMoG9S YyZWeuYwIX/MTispRRCJONYzI4rec38FxfNUCtQ7Ea0t3ZfEKbpe7nfEav9jWBOg6MPO YUZRF+LBYA9zP1hVzEjfsSfw89SZzf/qEb/dA/w0xrZfml6J1+Wj+/SLLIKjaFKLA52v ERQg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=d1D5JRpK; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-170713-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-170713-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id xf13-20020a17090731cd00b00a5999e18809si4431898ejb.85.2024.05.06.22.54.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 May 2024 22:54:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-170713-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=d1D5JRpK; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-170713-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-170713-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 6AA421F22AA3 for ; Tue, 7 May 2024 05:54:54 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0A9AD6CDB1; Tue, 7 May 2024 05:54:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="d1D5JRpK" Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 953826EB5C for ; Tue, 7 May 2024 05:54:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.47 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715061286; cv=none; b=ao1a2G7gz1L+C8vGm388m0t9S5WgN5JX1Wf28lta7yJPLVZhM1i3f0Vx0ECvyztULMz9eGOypS3Igvq3lJ+objJyApBI8XNeG71roEHBCSdx+HfI//KH3c6e+btoHzaFlgh9upk6FoHNp2LRAibdCwNvNRnyVTXHlJGm/Nb+wN8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715061286; c=relaxed/simple; bh=zycI60GD/v+qvEnAFNouzBUTO1V9JiQnJpX3TM+77ZE=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=oHMqD+jAHN5gHqjM6me2+vS+WXdbfrdlwA+HHmK9McN4XBSjmtlTWa2uhy1e62loKSTm5hWODGkyFdsrxukf5femO22kaNqaloi0PMY0OLQiKt1ugEfSGkXILzivtsr2Z6LOTjCVVCmRe5usb+/b+8YPt2XqG3QEM75EhGpmySE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=d1D5JRpK; arc=none smtp.client-ip=209.85.128.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-41e79ec20a6so29295e9.1 for ; Mon, 06 May 2024 22:54:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1715061283; x=1715666083; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=k2+XprmFK+IYeTTDNzHuz3jEWMm6Vi+YQ+2eFOmblGY=; b=d1D5JRpKkTlwZ78YKt6XdJSGZbx8mJ17drPWi3dD2y3eMZUteIveYLQdva3oli/Y/7 vc0+lhaIa7pCwiRzTIUeKHSYnJpEvr1nCk41EEBgBUxmkZHqbvcqylG5ybutmOE3Ci/j asn4xu+WOrqv5g4wEyvk8PkArpFC3Xk9tW+49hT8S4DMNKCK0Y+vx7XBLwHXnfrrmdvT ve0NK35L4ucwlTR1YKJdYD3wmWyfRYJbVFyjsrF5YSoj24CNU9cdqLtQTnCAfO0QawbY 4uzSN1bvDo5tWNgLd01v5eE8mWBla0MjnmA+7mREcg+AupEzlilU5boDGCoIgF2DQ3FQ MLDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715061283; x=1715666083; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=k2+XprmFK+IYeTTDNzHuz3jEWMm6Vi+YQ+2eFOmblGY=; b=Dnu+3y0BsWo+qCPdX81b54WkyOBpDh1r4CWeSTQIyqYp51nBWu7PrYIj5rqB1OgJhK avG7tI4Ug/Cf4YZVv8ZkXxpwc7FkR2JELi6OcGyN4u/gVQlJWl6OP427m7aia3ala6BC fKo8dz2+npjU9jHqUIZ8j1Pn24Cy16/NpniN5Os4qUM6KgPrImMvxtmx3yjZJ0evx7yh cisJ4wz3gWjrD8xWiirmqDCcBYUMrgCRo+e308PZ/xuPUASRG2Qhprd93yeP3QGdvDTW t5844e626XWDd2YLI9tLiskLBh2ZFUbFqSmQfKaBeOOv7QZOsjZqdmJpZsYR1qSEMxPw Co9w== X-Forwarded-Encrypted: i=1; AJvYcCVU3LafUOdW/UgnyQp7kkP9vMnwpz2HtoVCbvsbittpI2PFfhtx6qt6BcSf8I+D37Apu2681oySQXAz1G3OF5psjaWjsYv/N1Tobqnu X-Gm-Message-State: AOJu0YwOP91V0CBphHZIi0BSWsf2p/6AwpM1ixEYLCecrHHFarwJh9n4 UExcDvGPBpqmiJ27CWyfG6QrcIfLu/QAcEvKHYUhbsj+kfi2Her+g+BnDkQEd4CwBJBGyrHL0/b VkrW5G97RfCR3GcIObqOqcZi6A8QELj2oTFQ= X-Received: by 2002:a05:600c:3ba8:b0:418:5aaa:7db1 with SMTP id 5b1f17b1804b1-41f3b8affaemr886575e9.1.1715061282789; Mon, 06 May 2024 22:54:42 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240507-b4-sio-ntp-usec-v1-1-15003fc9c2b4@google.com> In-Reply-To: <20240507-b4-sio-ntp-usec-v1-1-15003fc9c2b4@google.com> From: John Stultz Date: Mon, 6 May 2024 22:54:30 -0700 Message-ID: Subject: Re: [PATCH] ntp: remove accidental integer wrap-around To: Justin Stitt Cc: Thomas Gleixner , Stephen Boyd , Nathan Chancellor , Bill Wendling , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, May 6, 2024 at 9:34=E2=80=AFPM Justin Stitt wrote: > Let's introduce a new macro and use that against NTP_PHASE_LIMIT to > properly limit the max size of time_maxerror without overflowing during > the check itself. > > Link: https://github.com/llvm/llvm-project/pull/82432 [1] > Closes: https://github.com/KSPP/linux/issues/354 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt > --- > include/linux/timex.h | 1 + > kernel/time/ntp.c | 8 ++++---- > 2 files changed, 5 insertions(+), 4 deletions(-) > > diff --git a/include/linux/timex.h b/include/linux/timex.h > index 3871b06bd302..976490a06915 100644 > --- a/include/linux/timex.h > +++ b/include/linux/timex.h > @@ -138,6 +138,7 @@ unsigned long random_get_entropy_fallback(void); > #define MINSEC 256 /* min interval between updates (s) */ > #define MAXSEC 2048 /* max interval between updates (s) */ > #define NTP_PHASE_LIMIT ((MAXPHASE / NSEC_PER_USEC) << 5) /* beyond max.= dispersion */ > +#define NTP_MAXFREQ_USEC (MAXFREQ / NSEC_PER_USEC) /* scaled to microsec= onds */ > > /* > * kernel variables > diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c > index 406dccb79c2b..19027b6d0827 100644 > --- a/kernel/time/ntp.c > +++ b/kernel/time/ntp.c > @@ -454,12 +454,12 @@ int second_overflow(time64_t secs) > } > > > - /* Bump the maxerror field */ > - time_maxerror +=3D MAXFREQ / NSEC_PER_USEC; > - if (time_maxerror > NTP_PHASE_LIMIT) { > + /* Bump the maxerror field, making sure not to exceed NTP_PHASE_L= IMIT */ > + if (NTP_PHASE_LIMIT - NTP_MAXFREQ_USEC < time_maxerror) { > time_maxerror =3D NTP_PHASE_LIMIT; > time_status |=3D STA_UNSYNC; > - } > + } else > + time_maxerror +=3D NTP_MAXFREQ_USEC; > > /* Compute the phase adjustment for the next second */ > tick_length =3D tick_length_base; > Looks reasonable to me. Acked-by: John Stultz thanks -john