From: Yu Liao liaoyu15@huawei.com
hulk inclusion category: bugfix bugzilla: 185831, https://gitee.com/openeuler/kernel/issues/I4MO2G CVE: NA
-------------------------------------------------
Passing unnormalized timespec64 to timespec64_compare() may cause incorrect results.
For example: wall_to_monotonic = {tv_sec = -10, tv_nsec = 900000000} ts_delta = {tv_sec = -9, tv_nsec = -900000000}
timespec64_compare() returns -1, but actually wall_to_monotonic > ts_delta. This will cause wall_to_monotonic to become a positive number.
Use timespec64_sub() instead of direct subtraction to avoid this.
Signed-off-by: Yu Liao liaoyu15@huawei.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- include/linux/time64.h | 2 ++ kernel/time/timekeeping.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux/time64.h b/include/linux/time64.h index b58142aa0b1dd..e58f59674ad6d 100644 --- a/include/linux/time64.h +++ b/include/linux/time64.h @@ -62,6 +62,8 @@ static inline int timespec64_equal(const struct timespec64 *a, * lhs < rhs: return <0 * lhs == rhs: return 0 * lhs > rhs: return >0 + * + * Note: Both lhs and rhs must be normalized. */ static inline int timespec64_compare(const struct timespec64 *lhs, const struct timespec64 *rhs) { diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 64aa492f79422..17ba0a2f5f5d1 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -1236,8 +1236,7 @@ int do_settimeofday64(const struct timespec64 *ts) timekeeping_forward_now(tk);
xt = tk_xtime(tk); - ts_delta.tv_sec = ts->tv_sec - xt.tv_sec; - ts_delta.tv_nsec = ts->tv_nsec - xt.tv_nsec; + ts_delta = timespec64_sub(*ts, xt);
if (timespec64_compare(&tk->wall_to_monotonic, &ts_delta) > 0) { ret = -EINVAL;
From: Yu Liao liaoyu15@huawei.com
hulk inclusion category: bugfix bugzilla: 185900, https://gitee.com/openeuler/kernel/issues/I4MOGB CVE: NA
-----------------------------------------------
This reverts commit 2a3c581973756b8f08df4749de848d86bd46665d. Commit c0b527413194 fixes undefined behaviour in timespec64_to_ns(), so just revert it.
Signed-off-by: Yu Liao liaoyu15@huawei.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- kernel/time/posix-timers.c | 8 -------- 1 file changed, 8 deletions(-)
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c index aebb612404006..12c4048c54239 100644 --- a/kernel/time/posix-timers.c +++ b/kernel/time/posix-timers.c @@ -877,14 +877,6 @@ static int do_timer_settime(timer_t timer_id, int flags, if (!timespec64_valid(&new_spec64->it_interval) || !timespec64_valid(&new_spec64->it_value)) return -EINVAL; - if (new_spec64->it_interval.tv_sec >= KTIME_SEC_MAX) { - new_spec64->it_interval.tv_sec = KTIME_SEC_MAX; - new_spec64->it_interval.tv_nsec = 0; - } - if (new_spec64->it_value.tv_sec >= KTIME_SEC_MAX) { - new_spec64->it_value.tv_sec = KTIME_SEC_MAX; - new_spec64->it_value.tv_nsec = 0; - }
if (old_spec64) memset(old_spec64, 0, sizeof(*old_spec64));
From: Yu Liao liaoyu15@huawei.com
hulk inclusion category: bugfix bugzilla: 185900, https://gitee.com/openeuler/kernel/issues/I4MOGB CVE: NA
-------------------------------------------------
This reverts commit 85d6dbdf051d7efdbd1a82fe9e57dc9e8b97d993. Commit 7a8e61f84786 force upper bound for setting CLOCK_REALTIME. The realtime is limited, so just revert it.
Signed-off-by: Yu Liao liaoyu15@huawei.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- kernel/time/timekeeping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 17ba0a2f5f5d1..5a91ac540a47e 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -798,7 +798,7 @@ ktime_t ktime_get_with_offset(enum tk_offsets offs)
do { seq = read_seqcount_begin(&tk_core.seq); - base = ktime_add_safe(tk->tkr_mono.base, *offset); + base = ktime_add(tk->tkr_mono.base, *offset); nsecs = timekeeping_get_ns(&tk->tkr_mono);
} while (read_seqcount_retry(&tk_core.seq, seq));
From: Yu Liao liaoyu15@huawei.com
hulk inclusion category: bugfix bugzilla: 185900, https://gitee.com/openeuler/kernel/issues/I4MOGB CVE: NA
-------------------------------------------------
This reverts commit 56ef5ae6322ae29833a610bb5c75dcab1f50b133. Commit 7a8e61f84786 force upper bound for setting CLOCK_REALTIME. The realtime is limited, so just revert it.
Signed-off-by: Yu Liao liaoyu15@huawei.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- kernel/time/timekeeping.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 5a91ac540a47e..f246818e35dbc 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -144,8 +144,7 @@ static void tk_set_wall_to_mono(struct timekeeper *tk, struct timespec64 wtm) tk->wall_to_monotonic = wtm; set_normalized_timespec64(&tmp, -wtm.tv_sec, -wtm.tv_nsec); tk->offs_real = timespec64_to_ktime(tmp); - tk->offs_tai = ktime_add_safe(tk->offs_real, - ktime_set(tk->tai_offset, 0)); + tk->offs_tai = ktime_add(tk->offs_real, ktime_set(tk->tai_offset, 0)); }
static inline void tk_update_sleep_time(struct timekeeper *tk, ktime_t delta)
-
Yang Yingliang