kernel-2.6.18-238.el5.src.rpm

From: Michal Schmidt <mschmidt@redhat.com>
Date: Tue, 15 Apr 2008 15:46:53 +0200
Subject: [misc] infinite loop in highres timers
Message-id: 20080415154653.21623719@brian.englab.brq.redhat.com
O-Subject: [RHEL5.2 PATCH] CVE-2007-6712 kernel: infinite loop in highres timers (kernel hang)
Bugzilla: 440002

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=440002

Description
===========
(from Thomas Gleixner's patch description:)

hrtimer_forward() does not check for the possible overflow of
timer->expires.  This can happen on 64 bit machines with large interval
values and results currently in an endless loop in the softirq because
the expiry value becomes negative and therefore the timer is expired all
the time.

Check for this condition and set the expiry value to the max.  expiry
time in the future.  The fix should be applied to stable kernel series
as well.

Upstream status
===============
Upstream commit 13788ccc41ceea5893f9c747c59bc0b28f2416c2
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 16 13:38:20 2007 -0800
    [PATCH] hrtimer: prevent overrun DoS in hrtimer_forward()

Testing
=======
Scratch build in Brew:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1269316
A reproducer is attached to the BZ. I tested it successfully on a
x86_64 system.

Please ACK.
Michal

Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Andy Gospodarek <gospo@redhat.com>
Acked-by: Brian Maly <bmaly@redhat.com>

diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
index bee3deb..46ee71f 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -332,6 +332,12 @@ hrtimer_forward(struct hrtimer *timer, ktime_t now, ktime_t interval)
 		orun++;
 	}
 	timer->expires = ktime_add(timer->expires, interval);
+	/*
+	 * Make sure, that the result did not wrap with a very large
+	 * interval.
+	 */
+	if (timer->expires.tv64 < 0)
+		timer->expires = ktime_set(KTIME_SEC_MAX, 0);
 
 	return orun;
 }
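
Review bot: the test `if (timer->expires.tv64 < 0)` infers the wrap from the sign of the sum only after `ktime_add()` has run, so it cannot tell a wrapped result from an expiry that is negative for any other reason, and it relies on the 64-bit addition wrapping rather than on a check made before the add. Consider stating in the comment that `timer->expires` and `interval` are expected to be non-negative at this point, or testing the available headroom before adding. The comment should also say that clamping to `ktime_set(KTIME_SEC_MAX, 0)` pushes the timer out to the maximum expiry time, and that `orun` is returned unchanged, so the caller gets no indication that the expiry was clamped.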