lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 26 Oct 2017 14:34:29 +0530
From:   Neeraj Upadhyay <>
Subject: Query regarding __hrtimer_get_next_event()


We have one query regarding the __hrtimer_get_next_event().
The expires_next.tv64 is set to 0 if it is < 0. We observed
an hrtimer interrupt storm for one of the hrtimers with
below properties:

* Expires for the hrtimer was set to KTIME_MAX.
* cpu base was HRTIMER_BASE_REALTIME with negative base->offset.
* Due to below sub, expires overflowed to a negative value and
   expires_next.tv64 was set to 0
     expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
* Due to this, clockevent was programmed to min_delta_ns, everytime
   as __hrtimer_get_next_event() returned 0.

   static ktime_t __hrtimer_get_next_event(...)
     for (; active; base++, active >>= 1) {

       timer = container_of(next, struct hrtimer, node);
       expires = ktime_sub(hrtimer_get_expires(timer),
       if (expires.tv64 < expires_next.tv64) {
         expires_next = expires;
         hrtimer_update_next_timer(cpu_base, timer);
     if (expires_next.tv64 < 0)
       expires_next.tv64 = 0;
     return expires_next;

This may not be a valid use case (queuing a hrtimer with KTIME_MAX)
expires, but should we guard the hrtimer next event code against
this by using KTIME_MAX upper bound. Is something like below a
proper way to guard it? Or am I missing something here?

expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
+  /*
+   * if expires is a very high positive value and base->offset is
+   * negative, expires can overflow and get negative value. Set
+   * expires to KTIME_MAX, if we encounter this.
+   */
+   if (hrtimer_get_expires(timer).tv64 > 0 &&
+      base->offset.tv64 < 0 && expires.tv64 < 0)
+       expires.tv64 = KTIME_MAX;


QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation

Powered by blists - more mailing lists