From: Stephen Hemminger <stephen@networkplumber.org>
To: Bruce Richardson <bruce.richardson@intel.com>
Cc: Soumyadeep Hore <soumyadeep.hore@intel.com>,
<manoj.kumar.subbarao@intel.com>, <aman.deep.singh@intel.com>,
<dev@dpdk.org>, <rajesh3.kumar@intel.com>
Subject: Re: [PATCH v1] net/idpf: harden PTP frequency adjustment
Date: Tue, 7 Apr 2026 08:14:45 -0700 [thread overview]
Message-ID: <20260407081445.39d5cd22@phoenix.local> (raw)
In-Reply-To: <abKqLQmzhTE6P6bU@bricha3-mobl1.ger.corp.intel.com>
On Thu, 12 Mar 2026 11:57:33 +0000
Bruce Richardson <bruce.richardson@intel.com> wrote:
> On Thu, Mar 12, 2026 at 02:43:44PM -0400, Soumyadeep Hore wrote:
> > Normalize ppm to an unsigned magnitude before using it in the
> > increment value scaling path.
> >
> > This avoids negating INT64_MIN and also prevents subtracting 62
> > from the reduced log sum unless the sum is still above the
> > overflow threshold reported by Coverity.
> >
> > Coverity issue: 501832
> >
> > Signed-off-by: Soumyadeep Hore <soumyadeep.hore@intel.com>
> > ---
> > drivers/net/intel/idpf/idpf_ethdev.c | 32 +++++++++++++++++-----------
> > 1 file changed, 20 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/net/intel/idpf/idpf_ethdev.c b/drivers/net/intel/idpf/idpf_ethdev.c
> > index 5e57a45775..1c5bd2ee12 100644
> > --- a/drivers/net/intel/idpf/idpf_ethdev.c
> > +++ b/drivers/net/intel/idpf/idpf_ethdev.c
> > @@ -1007,7 +1007,7 @@ idpf_timesync_adjust_freq(struct rte_eth_dev *dev, int64_t ppm)
> > struct idpf_ptp *ptp = adapter->ptp;
> > int64_t incval, diff = 0;
> > bool negative = false;
> > - uint64_t div, rem;
> > + uint64_t abs_ppm, div, rem;
> > uint64_t divisor = 1000000ULL << 16;
> > int shift;
> > int ret;
> > @@ -1016,26 +1016,34 @@ idpf_timesync_adjust_freq(struct rte_eth_dev *dev, int64_t ppm)
> >
> > if (ppm < 0) {
> > negative = true;
> > - ppm = -ppm;
> > + abs_ppm = ppm == INT64_MIN ? (uint64_t)INT64_MAX + 1 :
> > + (uint64_t)(-ppm);
> > + } else {
> > + abs_ppm = (uint64_t)ppm;
> > }
> >
> > /* can incval * ppm overflow ? */
> > - if (rte_log2_u64(incval) + rte_log2_u64(ppm) > 62) {
> > - rem = ppm % divisor;
> > - div = ppm / divisor;
> > + if (rte_log2_u64(incval) + rte_log2_u64(abs_ppm) > 62) {
> > + rem = abs_ppm % divisor;
> > + div = abs_ppm / divisor;
> > diff = div * incval;
> > - ppm = rem;
> > + abs_ppm = rem;
> > +
> > + if (abs_ppm != 0) {
> > + uint32_t log_sum;
> >
> > - shift = rte_log2_u64(incval) + rte_log2_u64(ppm) - 62;
> > - if (shift > 0) {
> > - /* drop precision */
> > - ppm >>= shift;
> > - divisor >>= shift;
> > + log_sum = rte_log2_u64(incval) + rte_log2_u64(abs_ppm);
> > + if (log_sum > 62) {
> > + shift = log_sum - 62;
> > + /* drop precision */
> > + abs_ppm >>= shift;
> > + divisor >>= shift;
> > + }
> > }
> > }
> >
> > if (divisor)
> > - diff = diff + incval * ppm / divisor;
> > + diff = diff + incval * abs_ppm / divisor;
> >
>
> Asking Claude AI about this code and how to simplify it a bit while also
> avoiding the INT64_MIN issue, it suggests using __int128 type, giving much
> shorter code:
>
> __int128 diff;
> int ret;
>
> /*
> * ppm is scaled ppm: 1 ppm = 2^16 units (matching Linux adjfine).
> * Use __int128 to avoid overflow without complex split/shift logic,
> * and to correctly handle ppm == INT64_MIN.
> */
> incval = ptp->base_incval;
> diff = ((__int128)incval * ppm) / (1000000LL << 16);
> incval += (int64_t)diff;
>
> ret = idpf_ptp_adj_dev_clk_fine(adapter, incval);
> if (ret != 0)
> PMD_DRV_LOG(ERR, "PTP failed to set incval, err %d", ret);
> return ret;
>
> Maybe worth considering?
>
> /Bruce
Claude AI review of this patch spotted some possible math issues.
Normalize ppm to an unsigned magnitude before using it in the
increment value scaling path.
This avoids negating INT64_MIN and also prevents subtracting 62
from the reduced log sum unless the sum is still above the
overflow threshold reported by Coverity.
The simplification is a nice improvement and the __int128 approach
is correct for realistic hardware values.
One concern:
Warning: drivers/net/intel/idpf/idpf_ethdev.c
The cast (int64_t)diff silently truncates if diff does not fit in
64 bits. The __int128 multiplication itself never overflows (both
UINT64_MAX × INT64_MAX and UINT64_MAX × INT64_MIN fit within signed
__int128), but after dividing by 1000000LL << 16 the quotient can
still exceed INT64_MAX when incval is large and ppm is extreme.
For realistic PTP hardware (base_incval around 2^32) this is fine,
but the API accepts the full int64_t range without documented bounds.
Adding an explicit clamp or assertion before the cast would preserve
the defensive character of the code being replaced:
next prev parent reply other threads:[~2026-04-07 15:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 18:43 [PATCH v1] net/idpf: harden PTP frequency adjustment Soumyadeep Hore
2026-03-12 11:57 ` Bruce Richardson
2026-04-07 15:14 ` Stephen Hemminger [this message]
2026-04-07 15:56 ` Bruce Richardson
2026-04-07 20:04 ` [PATCH v2] " Soumyadeep Hore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407081445.39d5cd22@phoenix.local \
--to=stephen@networkplumber.org \
--cc=aman.deep.singh@intel.com \
--cc=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
--cc=manoj.kumar.subbarao@intel.com \
--cc=rajesh3.kumar@intel.com \
--cc=soumyadeep.hore@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox