From: Thomas Gleixner <tglx@linutronix.de>
To: OPENSOURCE Lukas Hannen
<lukas.hannen@opensource.tttech-industrial.com>,
John Stultz <john.stultz@linaro.org>,
"EMC: linux-kernel@vger.kernel.org"
<linux-kernel@vger.kernel.org>
Subject: Re: Subject: [PATCH] changed timespec64_to_ns to avoid underrun
Date: Wed, 08 Sep 2021 17:45:51 +0200 [thread overview]
Message-ID: <87y2876pg0.ffs@tglx> (raw)
In-Reply-To: <AM6PR01MB541637BD6F336B8FFB72AF80EEC69@AM6PR01MB5416.eurprd01.prod.exchangelabs.com>
Lukas,
On Wed, Aug 25 2021 at 10:12, OPENSOURCE Lukas Hannen wrote:
thanks for the patch. A few formal nitpicks:
The subject line lacks a subsystem prefix. You can figure that
usually out by running:
git log --format=oneline --abbrev-commit include/linux/time64.h
Look for the most used. So in this case it would be simply 'time:'
'changed ... underrun'
Please use imperative mood, i.e. 'Change'. But 'change' is redundant
here anyway because it would not be a patch if it would not change
anything.
So something like: 'Handle negative seconds correctly in timespec64_to_ns()'
would be more informative. Your subject line does not really match
the problem.
Also note the brackets which make it obvious that this talks about a
function.
You have a redundant 'Subject:' in the Subject: header
> This patch fixes a small oversight in timespec64_to_ns() that has
This patch is redundant as well. See Documentation/process/ and grep for
'This patch'
> resulted in negative seconds being erroneously clamped to KTIME_MAX
> due to a cast to unsigned long long (which expands to the 2's complement
> of a negative long long, even if the architecture does not implement
> negative numbers using 2's complement)
>
> This is especially relevant in the PTP context, since the ptp_clock_info
> struct (from include/linux/ptp_clock_kernel.h) specifies
>
> int (*adjtime)(struct ptp_clock_info *ptp, s64 delta);
> int (*gettime64)(struct ptp_clock_info *ptp, struct timespec64 *ts);
>
> which is exactly the kind of timespec64 / nanoseconds mix in combination
> with negative values ( ns adjust times ) that can easily lead to calling
> timespec64_to_ns with a negative ts->tv_sec, which would in turn lead to
> instability of the ptp clock.
This is confusing at best.
The adjtime() callback has nothing to do with timespec64_to_ns(). The
conversion happens in the calling code.
gettime64() neither because that reads the time from the PTP clock which
cannot be negative and nothing uses timespec64_to_ns() there either.
The place where a negative seconds value must be handled correctly is
ptp_clock_adjtime().
So something like this:
timespec64_ns() prevents multiplication overflows by comparing the
seconds value of the timespec to KTIME_SEC_MAX. If the value is greater
or equal it returns KTIME_MAX.
But that check casts the signed seconds value to unsigned which makes
the comparision true for all negative values and therefore return
wrongly KTIME_MAX.
Negative second values are perfectly valid and required in some places,
e.g. ptp_clock_adjtime().
Remove the cast and add a check for the negative boundary which is
required to prevent undefined behaviour of the multiplication due to
multiplication underflow.
Hmm?
> Fixes: cb47755725da ("time: Prevent undefined behaviour in timespec64_to_ns()")'
> Signed-off-by: Lukas Hannen <lukas.hannen@opensource.tttech-industrial.com>
>
> ---
> The Patch should apply cleanly to all the branches that the original
Emphasis on should. See below.
> commit cb47755725da ("time: Prevent undefined behaviour in timespec64_to_ns()")'
> was backported to.
>
> include/linux/time64.h | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/time64.h b/include/linux/time64.h
> index 5117cb5b56561..81b9686a20799 100644
> --- a/include/linux/time64.h
> +++ b/include/linux/time64.h
> @@ -21,15 +21,17 @@ struct itimerspec64 {
> };
>
> /* Located here for timespec[64]_valid_strict */
> #define TIME64_MAX ((s64)~((u64)1 << 63))
> #define TIME64_MIN (-TIME64_MAX - 1)
>
> #define KTIME_MAX ((s64)~((u64)1 << 63))
> +#define KTIME_MIN (-KTIME_MAX - 1)
> #define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
> +#define KTIME_SEC_MIN (KTIME_MIN / NSEC_PER_SEC)
Your patch is white space damaged, which makes it fail to apply.
Something replaced all tabs with spaces, most likely your mail client.
Please figure out a way to send patches either via git-email or by using
a email client which tries not to be smarter than the person using it.
Send the patch to yourself and validate that it applies cleanly.
I fixed it up for you this time.
Thanks,
tglx
next prev parent reply other threads:[~2021-09-08 15:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-25 10:12 Subject: [PATCH] changed timespec64_to_ns to avoid underrun OPENSOURCE Lukas Hannen
2021-09-08 15:45 ` Thomas Gleixner [this message]
2021-09-08 15:50 ` [tip: timers/urgent] time: Handle negative seconds correctly in timespec64_to_ns() tip-bot2 for Lukas Hannen
2021-09-08 16:01 ` David Laight
2021-09-08 20:11 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y2876pg0.ffs@tglx \
--to=tglx@linutronix.de \
--cc=john.stultz@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.hannen@opensource.tttech-industrial.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.