From: ben.hutchings@codethink.co.uk (Ben Hutchings)
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] [PATCH 4.4-cip 18/23] time: Avoid undefined behaviour in ktime_add_safe()
Date: Fri, 09 Dec 2016 00:37:20 +0000 [thread overview]
Message-ID: <1481243840.1860.174.camel@codethink.co.uk> (raw)
In-Reply-To: <1481243545.1860.156.camel@codethink.co.uk>
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 979515c5645830465739254abc1b1648ada41518 upstream.
I ran into this:
================================================================================
UBSAN: Undefined behaviour in kernel/time/hrtimer.c:310:16
signed integer overflow:
9223372036854775807 + 50000 cannot be represented in type 'long long int'
CPU: 2 PID: 4798 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #91
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
0000000000000000 ffff88010ce6fb88 ffffffff82344740 0000000041b58ab3
ffffffff84f97a20 ffffffff82344694 ffff88010ce6fbb0 ffff88010ce6fb60
000000000000c350 ffff88010ce6f968 dffffc0000000000 ffffffff857bc320
Call Trace:
[<ffffffff82344740>] dump_stack+0xac/0xfc
[<ffffffff82344694>] ? _atomic_dec_and_lock+0xc4/0xc4
[<ffffffff8242df78>] ubsan_epilogue+0xd/0x8a
[<ffffffff8242e6b4>] handle_overflow+0x202/0x23d
[<ffffffff8242e4b2>] ? val_to_string.constprop.6+0x11e/0x11e
[<ffffffff8236df71>] ? timerqueue_add+0x151/0x410
[<ffffffff81485c48>] ? hrtimer_start_range_ns+0x3b8/0x1380
[<ffffffff81795631>] ? memset+0x31/0x40
[<ffffffff8242e6fd>] __ubsan_handle_add_overflow+0xe/0x10
[<ffffffff81488ac9>] hrtimer_nanosleep+0x5d9/0x790
[<ffffffff814884f0>] ? hrtimer_init_sleeper+0x80/0x80
[<ffffffff813a9ffb>] ? __might_sleep+0x5b/0x260
[<ffffffff8148be10>] common_nsleep+0x20/0x30
[<ffffffff814906c7>] SyS_clock_nanosleep+0x197/0x210
[<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
[<ffffffff823c7113>] ? __this_cpu_preempt_check+0x13/0x20
[<ffffffff8162ef60>] ? __context_tracking_exit.part.3+0x30/0x1b0
[<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
[<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
[<ffffffff845f85aa>] entry_SYSCALL64_slow_path+0x25/0x25
================================================================================
Add a new ktime_add_unsafe() helper which doesn't check for overflow, but
doesn't throw a UBSAN warning when it does overflow either.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
include/linux/ktime.h | 7 +++++++
kernel/time/hrtimer.c | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/linux/ktime.h b/include/linux/ktime.h
index 2b6a204bd8d4..3ffc69ebe967 100644
--- a/include/linux/ktime.h
+++ b/include/linux/ktime.h
@@ -64,6 +64,13 @@ static inline ktime_t ktime_set(const s64 secs, const unsigned long nsecs)
({ (ktime_t){ .tv64 = (lhs).tv64 + (rhs).tv64 }; })
/*
+ * Same as ktime_add(), but avoids undefined behaviour on overflow; however,
+ * this means that you must check the result for overflow yourself.
+ */
+#define ktime_add_unsafe(lhs, rhs) \
+ ({ (ktime_t){ .tv64 = (u64) (lhs).tv64 + (rhs).tv64 }; })
+
+/*
* Add a ktime_t variable and a scalar nanosecond value.
* res = kt + nsval:
*/
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 17f7bcff1e02..1dc94768b5a3 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -312,7 +312,7 @@ EXPORT_SYMBOL_GPL(__ktime_divns);
*/
ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
{
- ktime_t res = ktime_add(lhs, rhs);
+ ktime_t res = ktime_add_unsafe(lhs, rhs);
/*
* We use KTIME_SEC_MAX here, the maximum timeout which we can
--
2.10.2
--
Ben Hutchings
Software Developer, Codethink Ltd.
next prev parent reply other threads:[~2016-12-09 0:37 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-09 0:32 [cip-dev] [PATCH 4.4-cip 00/23] Undefined Behaviour Sanititizer support Ben Hutchings
2016-12-09 0:33 ` [cip-dev] [PATCH 4.4-cip 01/23] UBSAN: run-time undefined behavior sanity checker Ben Hutchings
2016-12-09 0:33 ` [cip-dev] [PATCH 4.4-cip 02/23] ubsan: cosmetic fix to Kconfig text Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 03/23] PM / sleep: declare __tracedata symbols as char[] rather than char Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 04/23] x86/microcode/intel: Change checksum variables to u32 Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 05/23] mm/page-writeback: fix dirty_ratelimit calculation Ben Hutchings
2016-12-09 0:34 ` [cip-dev] [PATCH 4.4-cip 06/23] perf/core: Fix Undefined behaviour in rb_alloc() Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 07/23] ubsan: fix tree-wide -Wmaybe-uninitialized false positives Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 08/23] mm/filemap: generic_file_read_iter(): check for zero reads unconditionally Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 09/23] perf/x86/amd: Set the size of event map array to PERF_COUNT_HW_MAX Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 10/23] drm/radeon: don't include RADEON_HPD_NONE in HPD IRQ enable bitsets Ben Hutchings
2016-12-09 0:35 ` [cip-dev] [PATCH 4.4-cip 11/23] btrfs: fix int32 overflow in shrink_delalloc() Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 12/23] blk-mq: fix undefined behaviour in order_to_size() Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 13/23] batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 14/23] signal: move the "sig < SIGRTMIN" check into siginmask(sig) Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 15/23] mmc: dw_mmc: remove UBSAN warning in dw_mci_setup_bus() Ben Hutchings
2016-12-09 0:36 ` [cip-dev] [PATCH 4.4-cip 16/23] UBSAN: fix typo in format string Ben Hutchings
2016-12-09 0:37 ` [cip-dev] [PATCH 4.4-cip 17/23] rhashtable: fix shift by 64 when shrinking Ben Hutchings
2016-12-09 0:37 ` Ben Hutchings [this message]
2016-12-09 0:39 ` [cip-dev] [PATCH 4.4-cip 19/23] pwm: samsung: Fix to use lowest div for large enough modulation bits Ben Hutchings
2016-12-09 0:39 ` [cip-dev] [PATCH 4.4-cip 20/23] drm: fix signed integer overflow Ben Hutchings
2016-12-09 0:39 ` [cip-dev] [PATCH 4.4-cip 21/23] xfs: " Ben Hutchings
2016-12-09 0:41 ` [cip-dev] [PATCH 4.4-cip 22/23] net: get rid of an signed integer overflow in ip_idents_reserve() Ben Hutchings
2016-12-09 0:41 ` [cip-dev] [PATCH 4.4-cip 23/23] mlx4: remove unused fields Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1481243840.1860.174.camel@codethink.co.uk \
--to=ben.hutchings@codethink.co.uk \
--cc=cip-dev@lists.cip-project.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.