Hi, all,
I found the following problem (attached at the end) when testing stable-4.4 with Syzkaller. This is not an easy-to-trigger problem, so the tool did not generate code to reproduce it.
From the call stack, it is because the first parameter in ktime_sub is large and the second parameter, offset, is a negative number, causing the final result to overflow into the sign bit and become a large negative number.
--------------
...
ktime_t expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
...
--------------
But I don't know how to fix this problem. The mainline code is also different from stable-4.4, and I have not found a patch to fix this problem in the mainline repository.
So I am a bit confused about how to fix it. Can anyone give me some advice?
Thanks. Xiaojun.
================================================================================
UBSAN: Undefined behaviour in kernel/time/hrtimer.c:615:20
signed integer overflow:
9223372036854775807 - -495588161 cannot be represented in type 'long long int'
CPU: 0 PID: 4542 Comm: syz-executor0 Not tainted 4.4.156-514.55.6.9.x86_64+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
 1ffff100391dbf45 ad071d3307b76e03 ffff8801c8edfab0 ffffffff81c9f586
 0000000041b58ab3 ffffffff831fd4e6 ffffffff81c9f478 ffff8801c8edfad8
 ffff8801c8edfa78 00000000000014a9 ad071d3307b76e03 ffffffff837fd660
Call Trace:
 [<ffffffff81c9f586>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81c9f586>] dump_stack+0x10e/0x1a8 lib/dump_stack.c:51
 [<ffffffff81d814a6>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
 [<ffffffff81d830a1>] handle_overflow+0x23e/0x299 lib/ubsan.c:195
 [<ffffffff81d83157>] __ubsan_handle_sub_overflow+0x2a/0x31 lib/ubsan.c:211
 [<ffffffff813d8c33>] hrtimer_reprogram kernel/time/hrtimer.c:615 [inline]
 [<ffffffff813d8c33>] hrtimer_start_range_ns+0x1083/0x1580 kernel/time/hrtimer.c:1024
 [<ffffffff813fde1f>] hrtimer_start include/linux/hrtimer.h:393 [inline]
 [<ffffffff813fde1f>] alarm_start+0xcf/0x130 kernel/time/alarmtimer.c:328
 [<ffffffff813fed66>] alarm_timer_set+0x296/0x4a0 kernel/time/alarmtimer.c:632
 [<ffffffff813e1a3e>] SYSC_timer_settime kernel/time/posix-timers.c:914 [inline]
 [<ffffffff813e1a3e>] SyS_timer_settime+0x2be/0x3d0 kernel/time/posix-timers.c:885
 [<ffffffff82c2fb61>] entry_SYSCALL_64_fastpath+0x1e/0x9e
================================================================================
================================================================================
UBSAN: Undefined behaviour in kernel/time/hrtimer.c:490:13
signed integer overflow:
9223372036854775807 - -495588161 cannot be represented in type 'long long int'
CPU: 0 PID: 4542 Comm: syz-executor0 Not tainted 4.4.156-514.55.6.9.x86_64+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
 1ffff1003ed40f8b ad071d3307b76e03 ffff8801f6a07ce0 ffffffff81c9f586
 0000000041b58ab3 ffffffff831fd4e6 ffffffff81c9f478 ffff8801f6a07d08
 ffff8801f6a07ca8 000000000000000a ad071d3307b76e03 ffffffff837fd660
Call Trace:
 <IRQ> [<ffffffff81c9f586>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [<ffffffff81c9f586>] dump_stack+0x10e/0x1a8 lib/dump_stack.c:51
 [<ffffffff81d814a6>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
 [<ffffffff81d830a1>] handle_overflow+0x23e/0x299 lib/ubsan.c:195
 [<ffffffff81d83157>] __ubsan_handle_sub_overflow+0x2a/0x31 lib/ubsan.c:211
 [<ffffffff813d43ea>] __hrtimer_get_next_event+0x1da/0x2b0 kernel/time/hrtimer.c:490
 [<ffffffff813d9532>] hrtimer_interrupt+0x202/0x580 kernel/time/hrtimer.c:1361
 [<ffffffff8113e7ad>] local_apic_timer_interrupt+0x9d/0x150 arch/x86/kernel/apic/apic.c:901
 [<ffffffff82c32ea0>] smp_apic_timer_interrupt+0x80/0xb0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff82c30ac5>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:563
 <EOI> [<ffffffff82c2f0fb>] ? arch_local_irq_restore arch/x86/include/asm/paravirt.h:812 [inline]
 <EOI> [<ffffffff82c2f0fb>] ? __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:162 [inline]
 <EOI> [<ffffffff82c2f0fb>] ? _raw_spin_unlock_irqrestore+0x3b/0x60 kernel/locking/spinlock.c:191
 [<ffffffff813e1a4f>] unlock_timer include/linux/spinlock.h:362 [inline]
 [<ffffffff813e1a4f>] SYSC_timer_settime kernel/time/posix-timers.c:916 [inline]
 [<ffffffff813e1a4f>] SyS_timer_settime+0x2cf/0x3d0 kernel/time/posix-timers.c:885
 [<ffffffff82c2fb61>] entry_SYSCALL_64_fastpath+0x1e/0x9e
================================================================================
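An added illustration, not code from the kernel or from this report, of the arithmetic the report describes: ktime_sub() on a timer whose expiry is KTIME_MAX with a negative base->offset. It models ktime_t as int64_t, checks for the overflow without triggering it, and shows a hypothetical saturating ktime_sub_safe() helper (named by analogy to the kernel's ktime_add_safe(); it is not the stable-4.4 or mainline code), using the values from the UBSAN output above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's ktime_t: signed 64-bit nanoseconds.
 * KTIME_MAX/KTIME_MIN match the limits in include/linux/ktime.h. */
typedef int64_t ktime_t;
#define KTIME_MAX INT64_MAX
#define KTIME_MIN INT64_MIN

/* True when lhs - rhs does not fit in a signed 64-bit value. The check
 * never performs the subtraction itself, so it is free of signed overflow:
 * KTIME_MAX + rhs cannot overflow when rhs < 0, and KTIME_MIN + rhs cannot
 * overflow when rhs >= 0. */
static bool ktime_sub_overflows(ktime_t lhs, ktime_t rhs)
{
	if (rhs < 0)
		return lhs > KTIME_MAX + rhs;
	return lhs < KTIME_MIN + rhs;
}

/* Hypothetical saturating subtraction: clamps to KTIME_MAX/KTIME_MIN
 * instead of wrapping into the sign bit, the same idea the kernel's
 * ktime_add_safe() applies to addition. */
static ktime_t ktime_sub_safe(ktime_t lhs, ktime_t rhs)
{
	if (ktime_sub_overflows(lhs, rhs))
		return rhs < 0 ? KTIME_MAX : KTIME_MIN;
	return lhs - rhs;
}

int main(void)
{
	/* Values taken from the UBSAN report: a timer armed at KTIME_MAX
	 * ("never expires") minus a negative base offset. */
	ktime_t expires = KTIME_MAX;
	ktime_t offset = -495588161LL;

	printf("ktime_sub would overflow: %s\n",
	       ktime_sub_overflows(expires, offset) ? "yes" : "no");
	printf("ktime_sub_safe(KTIME_MAX, %lld) = %lld\n",
	       (long long)offset, (long long)ktime_sub_safe(expires, offset));
	return 0;
}
```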