From: Laurent Vivier <lvivier@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>,
tglx@linutronix.de, john.stultz@linaro.org,
daniel.lezcano@linaro.org
Cc: paulus@samba.org, mpe@ellerman.id.au, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] time: Avoid signed overflow in timekeeping_get_ns()
Date: Mon, 30 Nov 2015 14:15:42 +0100 [thread overview]
Message-ID: <565C4BFE.2090707@redhat.com> (raw)
In-Reply-To: <1448847030-27205-1-git-send-email-david@gibson.dropbear.id.au>
On 30/11/2015 02:30, David Gibson wrote:
> 1e75fa8 "time: Condense timekeeper.xtime into xtime_sec" replaced a call to
> clocksource_cyc2ns() from timekeeping_get_ns() with an open-coded version
> of the same logic to avoid keeping a semi-redundant struct timespec
> in struct timekeeper.
>
> However, the commit also introduced a subtle semantic change - where
> clocksource_cyc2ns() uses purely unsigned math, the new version introduces
> a signed temporary, meaning that if (delta * tk->mult) has a 63-bit
> overflow the following shift will still give a negative result. The
> choice of 'maxsec' in __clocksource_updatefreq_scale() means this will
> generally happen if there's a ~10 minute pause in examining the
> clocksource.
>
> This can be triggered on a powerpc KVM guest by stopping it from qemu for
> a bit over 10 minutes. After resuming time has jumped backwards several
> minutes causing numerous problems (jiffies does not advance, msleep()s can
> be extended by minutes..). It doesn't happen on x86 KVM guests, because
> the guest TSC is effectively frozen while the guest is stopped, which is
> not the case for the powerpc timebase.
>
> Obviously an unsigned (64 bit) overflow will only take twice as long as a
> signed, 63-bit overflow. I don't know the time code well enough to know
> if that will still cause incorrect calculations, or if a 64-bit overflow
> is avoided elsewhere.
>
> Still, an incorrect forwards clock adjustment will cause less trouble than
> time going backwards. So, this patch removes the potential for
> intermediate signed overflow.
>
> Suggested-by: Laurent Vivier <lvivier@redhat.com>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> kernel/time/timekeeping.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
> index d563c19..99188ee 100644
> --- a/kernel/time/timekeeping.c
> +++ b/kernel/time/timekeeping.c
> @@ -305,8 +305,7 @@ static inline s64 timekeeping_get_ns(struct tk_read_base *tkr)
>
> delta = timekeeping_get_delta(tkr);
>
> - nsec = delta * tkr->mult + tkr->xtime_nsec;
> - nsec >>= tkr->shift;
> + nsec = (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift;
>
> /* If arch requires, add in get_arch_timeoffset() */
> return nsec + arch_gettimeoffset();
>
Tested-by: Laurent Vivier <lvivier@redhat.com>
next prev parent reply other threads:[~2015-11-30 13:15 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-30 1:30 [PATCH] time: Avoid signed overflow in timekeeping_get_ns() David Gibson
2015-11-30 13:15 ` Laurent Vivier [this message]
2015-12-04 20:25 ` John Stultz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=565C4BFE.2090707@redhat.com \
--to=lvivier@redhat.com \
--cc=daniel.lezcano@linaro.org \
--cc=david@gibson.dropbear.id.au \
--cc=john.stultz@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.