From 56ef5ae6322ae29833a610bb5c75dcab1f50b133 Mon Sep 17 00:00:00 2001
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Date: Sat, 16 Feb 2019 20:36:07 +0800
Subject: [PATCH] timekeeping: Fix ktime_add overflow in tk_set_wall_to_mono

euler inclusion
category: bugfix
Bugzilla: 5380
CVE: N/A
----------------------------------------

Syzkaller report UBSAN bug:
UBSAN: Undefined behaviour in kernel/time/timekeeping.c:98:17
signed integer overflow:
8589935550743139462 + 2147483647000000000 cannot be represented
in type 'long long int'

Use add_time_safe instead add_time in tk_set_wall_to_mono.

Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 kernel/time/timekeeping.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 7846ce24ecc0..0073b7151dbb 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -144,7 +144,8 @@ static void tk_set_wall_to_mono(struct timekeeper *tk, struct timespec64 wtm)
 	tk->wall_to_monotonic = wtm;
 	set_normalized_timespec64(&tmp, -wtm.tv_sec, -wtm.tv_nsec);
 	tk->offs_real = timespec64_to_ktime(tmp);
-	tk->offs_tai = ktime_add(tk->offs_real, ktime_set(tk->tai_offset, 0));
+	tk->offs_tai = ktime_add_safe(tk->offs_real,
+				      ktime_set(tk->tai_offset, 0));
 }
 
 static inline void tk_update_sleep_time(struct timekeeper *tk, ktime_t delta)
-- 
GitLab