From: sashiko-bot@kernel.org
To: "Ankur Arora" <ankur.a.arora@oracle.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v13 03/15] arm64/delay: move some constants out to a separate header
Date: Thu, 02 Jul 2026 01:47:02 +0000 [thread overview]
Message-ID: <20260702014702.818DA1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702013334.140905-4-ankur.a.arora@oracle.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Integer overflow in `USECS_TO_CYCLES()` and `RPMH_USECS_TO_CYCLES()` causes incorrect timer cycle calculations for durations in the seconds range.
--
commit 0184d882315b35a4fce3d21dea0ae947ba4b1d29
Author: Ankur Arora <ankur.a.arora@oracle.com>
arm64/delay: move some constants out to a separate header
Moves some constants and functions related to xloops, cycles computation
out to a new header. Also make __delay_cycles() available outside of
arch/arm64/lib/delay.c. Rename some macros in qcom/rpmh-rsc.c which were
occupying the same namespace. No functional change.
> diff --git a/arch/arm64/include/asm/delay-const.h b/arch/arm64/include/asm/delay-const.h
> new file mode 100644
> index 0000000000000..2a5acfb7bff17
> --- /dev/null
> +++ b/arch/arm64/include/asm/delay-const.h
> @@ -0,0 +1,28 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
[ ... ]
> +static inline unsigned long xloops_to_cycles(unsigned long xloops)
> +{
> + return (xloops * loops_per_jiffy * HZ) >> 32;
> +}
> +
> +#define USECS_TO_CYCLES(time_usecs) \
> + xloops_to_cycles((time_usecs) * __usecs_to_xloops_mult)
> +
[ ... ]
> diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c
> index c6f7d5c9c493d..ad5ec5c0de0a3 100644
> --- a/drivers/soc/qcom/rpmh-rsc.c
> +++ b/drivers/soc/qcom/rpmh-rsc.c
> @@ -146,10 +146,10 @@ enum {
> * +---------------------------------------------------+
> */
>
> -#define USECS_TO_CYCLES(time_usecs) \
> - xloops_to_cycles((time_usecs) * 0x10C7UL)
> +#define RPMH_USECS_TO_CYCLES(time_usecs) \
> + rpmh_xloops_to_cycles((time_usecs) * 0x10C7UL)
>
> -static inline unsigned long xloops_to_cycles(u64 xloops)
> +static inline unsigned long rpmh_xloops_to_cycles(u64 xloops)
> {
> return (xloops * loops_per_jiffy * HZ) >> 32;
> }
[Severity: High]
This is a pre-existing issue, but does this calculation silently overflow for
durations exceeding a few minutes?
In rpmh_rsc_write_next_wakeup(), the wakeup_us value is derived from the
next hrtimer. During system suspend, the next timer can be hours away, or
even KTIME_MAX if no timers are pending.
The RPMH_USECS_TO_CYCLES() macro multiplies wakeup_us by 0x10C7UL (4295),
and then rpmh_xloops_to_cycles() multiplies that further by
loops_per_jiffy * HZ.
On arm64, loops_per_jiffy * HZ represents the arch timer frequency (e.g.,
19.2 MHz on QCOM). This means the intermediate value grows by roughly
4295 * 19,200,000 = ~8.24e10 per microsecond. A 64-bit unsigned integer
maxes out at 1.84e19, which means this multiplication wraps around when
wakeup_us exceeds approximately 224 seconds.
This overflow produces a severely truncated timer cycle count, which can
cause the device to wake up almost immediately from deep sleep instead of
sleeping for the requested duration, draining the battery.
Does promoting this flawed logic to a global header via the new generic
USECS_TO_CYCLES() macro in asm/delay-const.h also introduce an
architectural hazard for large timeouts?
> @@ -819,7 +819,7 @@ void rpmh_rsc_write_next_wakeup(struct rsc_drv *drv)
> wakeup_us = ktime_to_us(wakeup);
>
> /* Convert the wakeup to arch timer scale */
> - wakeup_cycles = USECS_TO_CYCLES(wakeup_us);
> + wakeup_cycles = RPMH_USECS_TO_CYCLES(wakeup_us);
> wakeup_cycles += arch_timer_read_counter();
>
> exit:
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702013334.140905-1-ankur.a.arora@oracle.com?part=3
next prev parent reply other threads:[~2026-07-02 1:47 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 1:33 [PATCH v13 00/15] barrier: Add smp_cond_load_{relaxed,acquire}_timeout() Ankur Arora
2026-07-02 1:33 ` [PATCH v13 01/15] asm-generic: barrier: Add smp_cond_load_relaxed_timeout() Ankur Arora
2026-07-02 1:46 ` sashiko-bot
2026-07-02 2:11 ` bot+bpf-ci
2026-07-02 1:33 ` [PATCH v13 02/15] arm64: barrier: Support smp_cond_load_relaxed_timeout() Ankur Arora
2026-07-02 1:50 ` sashiko-bot
2026-07-02 1:33 ` [PATCH v13 03/15] arm64/delay: move some constants out to a separate header Ankur Arora
2026-07-02 1:47 ` sashiko-bot [this message]
2026-07-02 1:33 ` [PATCH v13 04/15] arm64: support WFET in smp_cond_load_relaxed_timeout() Ankur Arora
2026-07-02 1:52 ` sashiko-bot
2026-07-02 1:33 ` [PATCH v13 05/15] arm64: rqspinlock: Remove private copy of smp_cond_load_acquire_timewait() Ankur Arora
2026-07-02 1:33 ` [PATCH v13 06/15] asm-generic: barrier: Add smp_cond_load_acquire_timeout() Ankur Arora
2026-07-02 1:53 ` sashiko-bot
2026-07-02 1:33 ` [PATCH v13 07/15] atomic: Add atomic_cond_read_*_timeout() Ankur Arora
2026-07-02 1:48 ` sashiko-bot
2026-07-02 1:33 ` [PATCH v13 08/15] locking/atomic: scripts: build atomic_long_cond_read_*_timeout() Ankur Arora
2026-07-02 1:33 ` [PATCH v13 09/15] bpf/rqspinlock: switch check_timeout() to a clock interface Ankur Arora
2026-07-02 1:33 ` [PATCH v13 10/15] bpf/rqspinlock: Use smp_cond_load_acquire_timeout() Ankur Arora
2026-07-02 1:33 ` [PATCH v13 11/15] sched: add need-resched timed wait interface Ankur Arora
2026-07-02 1:33 ` [PATCH v13 12/15] cpuidle/poll_state: Wait for need-resched via tif_need_resched_relaxed_wait() Ankur Arora
2026-07-02 1:33 ` [PATCH v13 13/15] arm64/delay: enable testing smp_cond_load_relaxed_timeout() Ankur Arora
2026-07-02 1:57 ` sashiko-bot
2026-07-02 1:33 ` [PATCH v13 14/15] barrier: add tests for smp_cond_load_*_timeout() Ankur Arora
2026-07-02 1:33 ` [PATCH v13 15/15] barrier: add clock tests for smp_cond_load_relaxed_timeout() Ankur Arora
2026-07-02 2:11 ` bot+bpf-ci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702014702.818DA1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=ankur.a.arora@oracle.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox