Re: [PATCH] timekeeping: Force upper bound for setting CLOCK_REALTIME

From: Arnd Bergmann
Date: Tue Mar 26 2019 - 09:17:10 EST

On Tue, Mar 26, 2019 at 1:31 PM Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> On Tue, 26 Mar 2019, Miroslav Lichvar wrote:
> > On Sat, Mar 23, 2019 at 11:36:19AM +0100, Thomas Gleixner wrote:
> > > It is reasonable to force an upper bound for the various methods of setting
> > > CLOCK_REALTIME. Year 2262 is the absolute upper bound. Assume a maximum
> > > uptime of 30 years which is plenty enough even for esoteric embedded
> > > systems. That results in an upper bound of year 2232 for setting the time.
> >
> > The patch looks good to me.
> >
> > I like this approach better than using a larger value closer to the
> > overflow (e.g. one week) and stepping the clock back automatically
> > when the clock reaches that time, but I suspect it might possibly
> > break more tests (or any unusual applications messing with time) as a
> > much larger interval is now EINVAL.
> I'm fine with breaking a few tests on the way rather than having undefined
> behaviour and the constant flow of patches tackling the wrong end of the
> stick.

I think the one downside of your approach is that it introduces a second
arbitrary cut-off point after which the system almost functions perfectly,
but is no longer able to do ntp updates or set the right time after a reboot.

That said, all other ideas I've managed to come up with are worse,
so I agree on going ahead with this version.

We could still bikeshed over the exact cutoff time, as the one you
picked isn't particularly intuitive. It's almost exactly 30 years before
the final end point, but your calculation is off by a few days because
of leap years. And no, I don't have a particular preference for any
other color of this bikeshed either, it's probably as good as any other
time within 20 years of what you suggested.