From patchwork Tue Jul 31 06:35:48 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Stultz <john.stultz@linaro.org>
X-Patchwork-Id: 10375
Return-Path: <patch+caf_=linaro-patchwork=canonical.com@linaro.org>
X-Original-To: patchwork@peony.canonical.com
Delivered-To: patchwork@peony.canonical.com
Received: from fiordland.canonical.com (fiordland.canonical.com
 [91.189.94.145])
 by peony.canonical.com (Postfix) with ESMTP id 00F4A24047
 for <patchwork@peony.canonical.com>;
 Tue, 31 Jul 2012 06:36:12 +0000 (UTC)
Received: from mail-gg0-f180.google.com (mail-gg0-f180.google.com
 [209.85.161.180])
 by fiordland.canonical.com (Postfix) with ESMTP id A6D32A18C77
 for <linaro-patchwork@canonical.com>;
 Tue, 31 Jul 2012 06:36:12 +0000 (UTC)
Received: by ggnf1 with SMTP id f1so5608820ggn.11
 for <linaro-patchwork@canonical.com>;
 Mon, 30 Jul 2012 23:36:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=x-forwarded-to:x-forwarded-for:delivered-to:received-spf:from:to:cc
 :subject:date:message-id:x-mailer:in-reply-to:references
 :x-content-scanned:x-cbid:x-gm-message-state;
 bh=3PozdDMTG3RsMNwcjdz56VUmjEIrS4SjttDLGo1gKNg=;
 b=AICzL1L7aty4tiBABkVZJvu4y4//qUrGt0bws+/lGVHaOVWXKjKArlGzXSZCSGjO/A
 YElWLbDMeKY51O1pXaStX0SedvCUmEP+agKI6Z7mUmvr4NTw9p/x6GGjhBxpsTMehqfh
 HfrxcLTIpS3Me4nEZnGNnw4+zXrI2UtfSStpdJiOCDmiJwDo9ace9PBJkBofOEupYhiL
 1tEsVdLIq/6DcTL+2x/nAMzMLz5XpkU+Ktz7xf6T0MQh5VY1Fkiwt44fUzFK87+XRAEZ
 39KcfrGEbCczldtfdeof+X+Fp3Q/HP3nZOBNYOy/rJeA/qA1G4T8w9AdfRYUxY4mS7i0
 NlbA==
Received: by 10.50.46.132 with SMTP id v4mr1134025igm.25.1343716571630;
 Mon, 30 Jul 2012 23:36:11 -0700 (PDT)
X-Forwarded-To: linaro-patchwork@canonical.com
X-Forwarded-For: patch@linaro.org linaro-patchwork@canonical.com
Delivered-To: patches@linaro.org
Received: by 10.50.87.40 with SMTP id u8csp126558igz;
 Mon, 30 Jul 2012 23:36:11 -0700 (PDT)
Received: by 10.50.213.98 with SMTP id nr2mr1011731igc.71.1343716571122;
 Mon, 30 Jul 2012 23:36:11 -0700 (PDT)
Received: from e35.co.us.ibm.com (e35.co.us.ibm.com. [32.97.110.153])
 by mx.google.com with ESMTPS id
 m8si10804246igw.32.2012.07.30.23.36.10
 (version=TLSv1/SSLv3 cipher=OTHER);
 Mon, 30 Jul 2012 23:36:10 -0700 (PDT)
Received-SPF: neutral (google.com: 32.97.110.153 is neither permitted nor
 denied by best guess record for domain of
 john.stultz@linaro.org) client-ip=32.97.110.153; 
Authentication-Results: mx.google.com;
 spf=neutral (google.com: 32.97.110.153 is neither
 permitted nor denied by best guess record for domain of
 john.stultz@linaro.org) smtp.mail=john.stultz@linaro.org
Received: from /spool/local
 by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
 Only! Violators will be prosecuted
 for <patches@linaro.org> from <john.stultz@linaro.org>;
 Tue, 31 Jul 2012 00:36:09 -0600
Received: from d03dlp01.boulder.ibm.com (9.17.202.177)
 by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway:
 Authorized Use Only! Violators will be prosecuted; 
 Tue, 31 Jul 2012 00:36:08 -0600
Received: from d03relay01.boulder.ibm.com (d03relay01.boulder.ibm.com
 [9.17.195.226])
 by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 0660F1FF001C;
 Tue, 31 Jul 2012 06:36:05 +0000 (WET)
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167])
 by d03relay01.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
 q6V6a7CH095846; Tue, 31 Jul 2012 00:36:07 -0600
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1])
 by d03av01.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP
 id q6V6a6b6011175; Tue, 31 Jul 2012 00:36:06 -0600
Received: from kernel-pok.stglabs.ibm.com (kernel.stglabs.ibm.com
 [9.114.214.19])
 by d03av01.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP
 id q6V6Zw30010780; Tue, 31 Jul 2012 00:36:05 -0600
From: John Stultz <john.stultz@linaro.org>
To: linux-kernel <linux-kernel@vger.kernel.org>
Cc: John Stultz <john.stultz@linaro.org>, Ingo Molnar <mingo@kernel.org>,
 Peter Zijlstra <a.p.zijlstra@chello.nl>,
 Prarit Bhargava <prarit@redhat.com>,
 Thomas Gleixner <tglx@linutronix.de>, Zhouping Liu <zliu@redhat.com>, 
 CAI Qian <caiqian@redhat.com>
Subject: [PATCH 2/2] [RFC] time: Limit time values that would overflow ktime_t
Date: Tue, 31 Jul 2012 02:35:48 -0400
Message-Id: <1343716548-38742-3-git-send-email-john.stultz@linaro.org>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1343716548-38742-1-git-send-email-john.stultz@linaro.org>
References: <1343716548-38742-1-git-send-email-john.stultz@linaro.org>
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 12073106-6148-0000-0000-0000082D75A2
X-Gm-Message-State: ALoCoQkIPdf6GMBMzfq+oCOOjFsjYxQeGpyhl+7d+zPx7GIAiMDW79XJzhlXb+6P2U12HzcOdsK4

We could observe unexpected behavior if the time is set
to a value large enough to overflow a 64bit ktime_t
(which is something larger then the year 2264).

So check timekeeping inputs to make sure we don't set
the time to a value that overflows ktime_t.

Note: This does not protect from setting the time close to
overflowing ktime_t and then letting natural accumulation
cause the overflow.

Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Zhouping Liu <zliu@redhat.com>
Cc: CAI Qian <caiqian@redhat.com>
Reported-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 kernel/time/timekeeping.c |   28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 96179ab..78bccd0 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -92,7 +92,7 @@ __cacheline_aligned_in_smp DEFINE_SEQLOCK(xtime_lock);
 /* flag for if timekeeping is suspended */
 int __read_mostly timekeeping_suspended;
 
-
+#define TWENTY_YEARS (20LL*365*24*60*60)
 
 /**
  * timekeeper_setup_internals - Set up internals to use clocksource clock.
@@ -387,6 +387,9 @@ int do_settimeofday(const struct timespec *tv)
 	if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
 		return -EINVAL;
 
+	if ((unsigned long long)tv->tv_sec >= KTIME_SEC_MAX)
+		return -EINVAL;
+
 	write_seqlock_irqsave(&timekeeper.lock, flags);
 
 	timekeeping_forward_now();
@@ -418,6 +421,8 @@ EXPORT_SYMBOL(do_settimeofday);
 int timekeeping_inject_offset(struct timespec *ts)
 {
 	unsigned long flags;
+	struct timespec tmp;
+	int ret = 0;
 
 	if ((unsigned long)ts->tv_nsec >= NSEC_PER_SEC)
 		return -EINVAL;
@@ -426,10 +431,17 @@ int timekeeping_inject_offset(struct timespec *ts)
 
 	timekeeping_forward_now();
 
-	timekeeper.xtime = timespec_add(timekeeper.xtime, *ts);
+	/* Make sure the increased value won't cause ktime_t trouble */
+	tmp = timespec_add(timekeeper.xtime, *ts);
+	if ((unsigned long long)tmp.tv_sec >= KTIME_SEC_MAX) {
+		ret= -EINVAL;
+		goto error;
+	}
+	timekeeper.xtime = tmp;
 	timekeeper.wall_to_monotonic =
 				timespec_sub(timekeeper.wall_to_monotonic, *ts);
 
+error: /* even if we error out, we forwarded the time, so call update */
 	timekeeping_update(true);
 
 	write_sequnlock_irqrestore(&timekeeper.lock, flags);
@@ -437,7 +449,7 @@ int timekeeping_inject_offset(struct timespec *ts)
 	/* signal hrtimers about time change */
 	clock_was_set();
 
-	return 0;
+	return ret;
 }
 EXPORT_SYMBOL(timekeeping_inject_offset);
 
@@ -599,6 +611,16 @@ void __init timekeeping_init(void)
 	read_persistent_clock(&now);
 	read_boot_clock(&boot);
 
+	/*
+	 * Check to make sure the persistent clock
+	 * didn't return something crazy.
+	 */
+	if (now.tv_sec > (KTIME_SEC_MAX - TWENTY_YEARS)) {
+		printk("WARNING: Persistent clock returned a year greater then"
+			" 2242. Capping at 2242.\n");
+		now.tv_sec = KTIME_SEC_MAX - TWENTY_YEARS;
+	}
+
 	seqlock_init(&timekeeper.lock);
 
 	ntp_init();