In RTDS, burn_budget() increments priority_level for extratime units
whenever cur_budget is exhausted. As priority_level is unsigned and was
unbounded, it could eventually overflow to 0.
A wrapped value of 0 is the highest RTDS priority, so an extratime unit
could unexpectedly regain top priority and preempt units with active
real-time reservations, violating EDF intent.
Fix this by saturating priority_level at RTDS_MAX_PRIORITY_LEVEL instead
of incrementing unconditionally. Budget refill semantics are unchanged.
Normal behavior is unchanged. Once saturated, priority_level remains at
the lowest priority until the next period update resets it.
Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@epam.com>
---
xen/common/sched/rt.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c
index 7b1f64a779..9c1027c388 100644
--- a/xen/common/sched/rt.c
+++ b/xen/common/sched/rt.c
@@ -110,6 +110,12 @@
*/
#define RTDS_MIN_BUDGET (MICROSECS(10))
+/*
+ * Maximum extratime demotion level. Saturating at this value avoids
+ * unsigned wraparound back to 0 (highest scheduling priority).
+ */
+#define RTDS_MAX_PRIORITY_LEVEL (~0U)
+
/*
* UPDATE_LIMIT_SHIFT: a constant used in rt_update_deadline(). When finding
* the next deadline, performing addition could be faster if the difference
@@ -976,7 +982,9 @@ burn_budget(const struct scheduler *ops, struct rt_unit *svc, s_time_t now)
{
if ( has_extratime(svc) )
{
- svc->priority_level++;
+ if ( svc->priority_level < RTDS_MAX_PRIORITY_LEVEL )
+ svc->priority_level++;
+
svc->cur_budget = svc->budget;
}
else
--
2.43.0
base-commit: a7bf8ff218ca05eb3674fdfd2817f6cff471e96a
branch: amoi_rtds_extratimeOn 31.03.26 09:54, Oleksii Moisieiev wrote:
> In RTDS, burn_budget() increments priority_level for extratime units
> whenever cur_budget is exhausted. As priority_level is unsigned and was
> unbounded, it could eventually overflow to 0.
>
> A wrapped value of 0 is the highest RTDS priority, so an extratime unit
> could unexpectedly regain top priority and preempt units with active
> real-time reservations, violating EDF intent.
>
> Fix this by saturating priority_level at RTDS_MAX_PRIORITY_LEVEL instead
> of incrementing unconditionally. Budget refill semantics are unchanged.
>
> Normal behavior is unchanged. Once saturated, priority_level remains at
> the lowest priority until the next period update resets it.
>
> Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@epam.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
with one note: overflowing priority_level would require extremely long
scheduling periods (probably at least several days), so this bug is
more a theoretical one. Anyone configuring the rtds scheduler in such
a way would probably deserve to experience the fallout from this bug. :-)
Juergen
> ---
>
> xen/common/sched/rt.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c
> index 7b1f64a779..9c1027c388 100644
> --- a/xen/common/sched/rt.c
> +++ b/xen/common/sched/rt.c
> @@ -110,6 +110,12 @@
> */
> #define RTDS_MIN_BUDGET (MICROSECS(10))
>
> +/*
> + * Maximum extratime demotion level. Saturating at this value avoids
> + * unsigned wraparound back to 0 (highest scheduling priority).
> + */
> +#define RTDS_MAX_PRIORITY_LEVEL (~0U)
> +
> /*
> * UPDATE_LIMIT_SHIFT: a constant used in rt_update_deadline(). When finding
> * the next deadline, performing addition could be faster if the difference
> @@ -976,7 +982,9 @@ burn_budget(const struct scheduler *ops, struct rt_unit *svc, s_time_t now)
> {
> if ( has_extratime(svc) )
> {
> - svc->priority_level++;
> + if ( svc->priority_level < RTDS_MAX_PRIORITY_LEVEL )
> + svc->priority_level++;
> +
> svc->cur_budget = svc->budget;
> }
> else
On 31/03/2026 11:23, Jürgen Groß wrote:
> On 31.03.26 09:54, Oleksii Moisieiev wrote:
>> In RTDS, burn_budget() increments priority_level for extratime units
>> whenever cur_budget is exhausted. As priority_level is unsigned and was
>> unbounded, it could eventually overflow to 0.
>>
>> A wrapped value of 0 is the highest RTDS priority, so an extratime unit
>> could unexpectedly regain top priority and preempt units with active
>> real-time reservations, violating EDF intent.
>>
>> Fix this by saturating priority_level at RTDS_MAX_PRIORITY_LEVEL instead
>> of incrementing unconditionally. Budget refill semantics are unchanged.
>>
>> Normal behavior is unchanged. Once saturated, priority_level remains at
>> the lowest priority until the next period update resets it.
>>
>> Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@epam.com>
>
> Reviewed-by: Juergen Gross <jgross@suse.com>
>
> with one note: overflowing priority_level would require extremely long
> scheduling periods (probably at least several days), so this bug is
> more a theoretical one. Anyone configuring the rtds scheduler in such
> a way would probably deserve to experience the fallout from this bug. :-)
>
>
> Juergen
>
Hi Juergen,
Thank you for the review and R-b.
I understand that this bug is more theoretical but it still needs to be
fixed for the certification.
--
Oleksii
>> ---
>>
>> xen/common/sched/rt.c | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/xen/common/sched/rt.c b/xen/common/sched/rt.c
>> index 7b1f64a779..9c1027c388 100644
>> --- a/xen/common/sched/rt.c
>> +++ b/xen/common/sched/rt.c
>> @@ -110,6 +110,12 @@
>> */
>> #define RTDS_MIN_BUDGET (MICROSECS(10))
>> +/*
>> + * Maximum extratime demotion level. Saturating at this value avoids
>> + * unsigned wraparound back to 0 (highest scheduling priority).
>> + */
>> +#define RTDS_MAX_PRIORITY_LEVEL (~0U)
>> +
>> /*
>> * UPDATE_LIMIT_SHIFT: a constant used in rt_update_deadline().
>> When finding
>> * the next deadline, performing addition could be faster if the
>> difference
>> @@ -976,7 +982,9 @@ burn_budget(const struct scheduler *ops, struct
>> rt_unit *svc, s_time_t now)
>> {
>> if ( has_extratime(svc) )
>> {
>> - svc->priority_level++;
>> + if ( svc->priority_level < RTDS_MAX_PRIORITY_LEVEL )
>> + svc->priority_level++;
>> +
>> svc->cur_budget = svc->budget;
>> }
>> else
>
On 31.03.2026 09:54, Oleksii Moisieiev wrote: > In RTDS, burn_budget() increments priority_level for extratime units > whenever cur_budget is exhausted. As priority_level is unsigned and was > unbounded, it could eventually overflow to 0. > > A wrapped value of 0 is the highest RTDS priority, so an extratime unit > could unexpectedly regain top priority and preempt units with active > real-time reservations, violating EDF intent. > > Fix this by saturating priority_level at RTDS_MAX_PRIORITY_LEVEL instead > of incrementing unconditionally. Budget refill semantics are unchanged. > > Normal behavior is unchanged. Once saturated, priority_level remains at > the lowest priority until the next period update resets it. > > Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@epam.com> From the description, this looks to want to have a Fixes: tag added. Jan
Hi Jan, I have an R-b from Juergen. Should I post another version with "Fixes:" or it could be added to the commit message during merge? -- Oleksii On 31/03/2026 11:10, Jan Beulich wrote: > On 31.03.2026 09:54, Oleksii Moisieiev wrote: >> In RTDS, burn_budget() increments priority_level for extratime units >> whenever cur_budget is exhausted. As priority_level is unsigned and was >> unbounded, it could eventually overflow to 0. >> >> A wrapped value of 0 is the highest RTDS priority, so an extratime unit >> could unexpectedly regain top priority and preempt units with active >> real-time reservations, violating EDF intent. >> >> Fix this by saturating priority_level at RTDS_MAX_PRIORITY_LEVEL instead >> of incrementing unconditionally. Budget refill semantics are unchanged. >> >> Normal behavior is unchanged. Once saturated, priority_level remains at >> the lowest priority until the next period update resets it. >> >> Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@epam.com> > From the description, this looks to want to have a Fixes: tag added. > > Jan
On 01.04.2026 12:42, Oleksii Moisieiev wrote: > I have an R-b from Juergen. Should I post another version with "Fixes:" > > or it could be added to the commit message during merge? It can be folded in while committing, sure, but first you need to collect a maintainer ack. See also "The meaning of nesting" in ./MAINTAINERS. Jan
© 2016 - 2026 Red Hat, Inc.