From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751235AbdFDN21 (ORCPT ); Sun, 4 Jun 2017 09:28:27 -0400 Received: from terminus.zytor.com ([65.50.211.136]:55875 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751157AbdFDN2W (ORCPT ); Sun, 4 Jun 2017 09:28:22 -0400 Date: Sun, 4 Jun 2017 06:21:55 -0700 From: tip-bot for Thomas Gleixner Message-ID: Cc: peterz@infradead.org, andreyknvl@google.com, kcc@google.com, john.stultz@linaro.org, dvyukov@google.com, linux-kernel@vger.kernel.org, mingo@kernel.org, syzkaller@googlegroups.com, hpa@zytor.com, tglx@linutronix.de Reply-To: mingo@kernel.org, syzkaller@googlegroups.com, hpa@zytor.com, tglx@linutronix.de, peterz@infradead.org, andreyknvl@google.com, kcc@google.com, dvyukov@google.com, linux-kernel@vger.kernel.org, john.stultz@linaro.org In-Reply-To: <20170530211655.802921648@linutronix.de> References: <20170530211655.802921648@linutronix.de> To: linux-tip-commits@vger.kernel.org Subject: [tip:timers/urgent] alarmtimer: Prevent overflow of relative timers Git-Commit-ID: ecd7d6ff04a59478c41987051dd8f15258cea6af X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit-ID: ecd7d6ff04a59478c41987051dd8f15258cea6af Gitweb: http://git.kernel.org/tip/ecd7d6ff04a59478c41987051dd8f15258cea6af Author: Thomas Gleixner AuthorDate: Tue, 30 May 2017 23:15:34 +0200 Committer: Thomas Gleixner CommitDate: Sun, 4 Jun 2017 15:18:27 +0200 alarmtimer: Prevent overflow of relative timers Andrey reported a alartimer related RCU stall while fuzzing the kernel with syzkaller. The reason for this is an overflow in ktime_add() which brings the resulting time into negative space and causes immediate expiry of the timer. The following rearm with a small interval does not bring the timer back into positive space due to the same issue. This results in a permanent firing alarmtimer which hogs the CPU. Use ktime_add_safe() instead which detects the overflow and clamps the result to KTIME_SEC_MAX. Reported-by: Andrey Konovalov Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Kostya Serebryany Cc: syzkaller Cc: John Stultz Cc: Dmitry Vyukov Link: http://lkml.kernel.org/r/20170530211655.802921648@linutronix.de --- kernel/time/alarmtimer.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c index 5cb5b00..2b2e032 100644 --- a/kernel/time/alarmtimer.c +++ b/kernel/time/alarmtimer.c @@ -387,7 +387,7 @@ void alarm_start_relative(struct alarm *alarm, ktime_t start) { struct alarm_base *base = &alarm_bases[alarm->type]; - start = ktime_add(start, base->gettime()); + start = ktime_add_safe(start, base->gettime()); alarm_start(alarm, start); } EXPORT_SYMBOL_GPL(alarm_start_relative); @@ -475,7 +475,7 @@ u64 alarm_forward(struct alarm *alarm, ktime_t now, ktime_t interval) overrun++; } - alarm->node.expires = ktime_add(alarm->node.expires, interval); + alarm->node.expires = ktime_add_safe(alarm->node.expires, interval); return overrun; } EXPORT_SYMBOL_GPL(alarm_forward); @@ -666,7 +666,7 @@ static int alarm_timer_set(struct k_itimer *timr, int flags, ktime_t now; now = alarm_bases[timr->it.alarm.alarmtimer.type].gettime(); - exp = ktime_add(now, exp); + exp = ktime_add_safe(now, exp); } alarm_start(&timr->it.alarm.alarmtimer, exp);