From: John Stultz <john.stultz@linaro.org>
To: lkml <linux-kernel@vger.kernel.org>
Cc: "pang.xunlei" <pang.xunlei@linaro.org>,
Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@elte.hu>,
Arnd Bergmann <arnd.bergmann@linaro.org>,
Miroslav Lichvar <mlichvar@redhat.com>,
Richard Cochran <richardcochran@gmail.com>,
Prarit Bhargava <prarit@redhat.com>,
Alessandro Zummo <a.zummo@towertech.it>,
John Stultz <john.stultz@linaro.org>
Subject: [PATCH 02/12] time: Avoid possible NTP adjustment mult overflow.
Date: Fri, 21 Nov 2014 11:44:08 -0800 [thread overview]
Message-ID: <1416599058-13836-3-git-send-email-john.stultz@linaro.org> (raw)
In-Reply-To: <1416599058-13836-1-git-send-email-john.stultz@linaro.org>
From: "pang.xunlei" <pang.xunlei@linaro.org>
Ideally, __clocksource_updatefreq_scale, selects the largest shift
value possible for a clocksource. This results in the mult memember of
struct clocksource being particularly large, although not so large
that NTP would adjust the clock to cause it to overflow.
That said, nothing actually prohibits an overflow from occuring, its
just that it "shouldn't" occur.
So while very unlikely, and so far never observed, the value of
(cs->mult+cs->maxadj) may have a chance to reach very near 0xFFFFFFFF,
so there is a possibility it may overflow when doing NTP positive
adjustment
See the following detail: When NTP slewes the clock, kernel goes
through update_wall_time()->...->timekeeping_apply_adjustment():
tk->tkr.mult += mult_adj;
Since there is no guard against it, its possible tk->tkr.mult may
overflow during this operation.
This patch avoids any possible mult overflow by judging the overflow
case before adding mult_adj to mult, also adds the WARNING message
when capturing such case.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Arnd Bergmann <arnd.bergmann@linaro.org>
Cc: pang.xunlei <pang.xunlei@linaro.org>
Cc: Miroslav Lichvar <mlichvar@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: pang.xunlei <pang.xunlei@linaro.org>
[jstultz: Reworded commit message]
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
kernel/time/timekeeping.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index ec1791f..cad61b3 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -1332,6 +1332,12 @@ static __always_inline void timekeeping_apply_adjustment(struct timekeeper *tk,
*
* XXX - TODO: Doc ntp_error calculation.
*/
+ if (tk->tkr.mult + mult_adj < mult_adj) {
+ /* NTP adjustment caused clocksource mult overflow */
+ WARN_ON_ONCE(1);
+ return;
+ }
+
tk->tkr.mult += mult_adj;
tk->xtime_interval += interval;
tk->tkr.xtime_nsec -= offset;
--
1.9.1
next prev parent reply other threads:[~2014-11-21 19:48 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-21 19:44 [PATCH 00/12] John Stultz
2014-11-21 19:44 ` [PATCH 01/12] time: Rename udelay_test.c to test_udelay.c John Stultz
2014-11-21 23:30 ` Kees Cook
2014-11-22 3:45 ` Greg KH
2014-11-24 22:14 ` David Riley
2014-11-21 19:44 ` John Stultz [this message]
2014-11-21 19:44 ` [PATCH 03/12] time: Complete NTP adjustment threshold judging conditions John Stultz
2014-11-21 19:44 ` [PATCH 04/12] time: Provide y2038 safe do_settimeofday() replacement John Stultz
2014-11-21 19:44 ` [PATCH 05/12] time: Provide y2038 safe timekeeping_inject_sleeptime() replacement John Stultz
2014-11-21 19:44 ` [PATCH 06/12] time: Provide y2038 safe mktime() replacement John Stultz
2014-11-21 19:44 ` [PATCH 07/12] time: Expose getrawmonotonic64 for in-kernel uses John Stultz
2014-11-21 19:44 ` [PATCH 08/12] time: Expose get_monotonic_corase64() " John Stultz
2014-11-21 19:44 ` [PATCH 09/12] time: Fixup comments to reflect usage of timespec64 John Stultz
2014-11-21 19:44 ` [PATCH 10/12] rtc/lib: Provide y2038 safe rtc_tm_to_time()/rtc_time_to_tm() replacement John Stultz
2014-11-21 19:44 ` [PATCH 11/12] rtc: Update suspend/resume timing to use 64bit time John Stultz
2014-11-21 19:44 ` [PATCH 12/12] time: Remove timekeeping_inject_sleeptime() John Stultz
2014-11-21 19:53 ` [PATCH 00/12] John Stultz
2014-11-21 20:07 ` Arnd Bergmann
2014-11-21 20:17 ` John Stultz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1416599058-13836-3-git-send-email-john.stultz@linaro.org \
--to=john.stultz@linaro.org \
--cc=a.zummo@towertech.it \
--cc=arnd.bergmann@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=mlichvar@redhat.com \
--cc=pang.xunlei@linaro.org \
--cc=prarit@redhat.com \
--cc=richardcochran@gmail.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox