From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Oleg Nesterov <oleg@tv-sign.ru>,
Alexey Dobriyan <adobriyan@sw.ru>,
Michael Kerrisk <mtk.manpages@googlemail.com>,
Pavel Emelyanov <xemul@sw.ru>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Toyo Abe <toyoa@mvista.com>, Thomas Gleixner <tglx@linutronix.de>
Subject: [patch 25/38] hrtimer: fix *rmtp handling in hrtimer_nanosleep()
Date: Fri, 22 Feb 2008 16:31:09 -0800 [thread overview]
Message-ID: <20080223003109.GZ7268@suse.de> (raw)
In-Reply-To: <20080223002907.GA7268@suse.de>
[-- Attachment #1: hrtimer-fix-rmtp-handling-in-hrtimer_nanosleep.patch --]
[-- Type: text/plain, Size: 5655 bytes --]
2.6.24-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Oleg Nesterov <oleg@tv-sign.ru>
commit 080344b98805553f9b01de0f59a41b1533036d8d
Spotted by Pavel Emelyanov and Alexey Dobriyan.
hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
the local variable which lives in the caller's stack frame. This means that
if sys_restart_syscall() actually happens and it is interrupted as well, we
don't update the user-space variable, but write into the already dead stack
frame.
Introduced by commit 04c227140fed77587432667a574b14736a06dd7f
hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier
Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
Small problem remains. man 2 nanosleep states that *rmtp should be written if
nanosleep() was interrupted (it says nothing about whether it is OK to update *rmtp
if nanosleep returns 0), but (with or without this patch) we can dirty *rem
even if nanosleep() returns 0.
NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
bugs. Fixed by the next patch.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Alexey Dobriyan <adobriyan@sw.ru>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Pavel Emelyanov <xemul@sw.ru>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Toyo Abe <toyoa@mvista.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/linux/hrtimer.h | 2 -
kernel/hrtimer.c | 51 +++++++++++++++++++++++++-----------------------
kernel/posix-timers.c | 17 ++--------------
3 files changed, 31 insertions(+), 39 deletions(-)
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -300,7 +300,7 @@ hrtimer_forward(struct hrtimer *timer, k
/* Precise sleep: */
extern long hrtimer_nanosleep(struct timespec *rqtp,
- struct timespec *rmtp,
+ struct timespec __user *rmtp,
const enum hrtimer_mode mode,
const clockid_t clockid);
extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1291,11 +1291,26 @@ static int __sched do_nanosleep(struct h
return t->task == NULL;
}
+static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
+{
+ struct timespec rmt;
+ ktime_t rem;
+
+ rem = ktime_sub(timer->expires, timer->base->get_time());
+ if (rem.tv64 <= 0)
+ return 0;
+ rmt = ktime_to_timespec(rem);
+
+ if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+ return -EFAULT;
+
+ return 1;
+}
+
long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
{
struct hrtimer_sleeper t;
- struct timespec *rmtp;
- ktime_t time;
+ struct timespec __user *rmtp;
restart->fn = do_no_restart_syscall;
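Review bot: update_rmtp has no comment stating its three-way return value, and both callers in this patch (the `if (ret <= 0) return ret;` in the hrtimer_nanosleep_restart hunk and again in the hrtimer_nanosleep hunk) depend on the exact mapping: 0 means the timer had already expired and nothing was written, 1 means the remaining time was copied out, and -EFAULT means the user copy failed. Suggest a header comment such as `/* Write the timer's remaining time to the user-space *rmtp: 1 if written, 0 if already expired (nothing written), -EFAULT on copy failure. */` so that a future caller does not treat a non-zero result as "written". The body of hrtimer_nanosleep_restart continues past the end of this hunk.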
@@ -1305,12 +1320,11 @@ long __sched hrtimer_nanosleep_restart(s
if (do_nanosleep(&t, HRTIMER_MODE_ABS))
return 0;
- rmtp = (struct timespec *)restart->arg1;
+ rmtp = (struct timespec __user *)restart->arg1;
if (rmtp) {
- time = ktime_sub(t.timer.expires, t.timer.base->get_time());
- if (time.tv64 <= 0)
- return 0;
- *rmtp = ktime_to_timespec(time);
+ int ret = update_rmtp(&t.timer, rmtp);
+ if (ret <= 0)
+ return ret;
}
restart->fn = hrtimer_nanosleep_restart;
@@ -1319,12 +1333,11 @@ long __sched hrtimer_nanosleep_restart(s
return -ERESTART_RESTARTBLOCK;
}
-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
+long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
const enum hrtimer_mode mode, const clockid_t clockid)
{
struct restart_block *restart;
struct hrtimer_sleeper t;
- ktime_t rem;
hrtimer_init(&t.timer, clockid, mode);
t.timer.expires = timespec_to_ktime(*rqtp);
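Review bot: hrtimer_nanosleep now takes a kernel pointer (rqtp) next to a user-space pointer (rmtp) that it writes through copy_to_user, and the bug being fixed was exactly a caller handing in a stack pointer for the second one; nothing in the hunk documents that contract beyond the `__user` annotation, which only sparse enforces. A kernel-doc comment above the definition, stating that rmtp is a user pointer written only when the sleep is interrupted, or NULL, while rqtp is an already-copied kernel timespec, would make the ownership obvious to readers of the .c file as well as the header. The rest of hrtimer_nanosleep lies outside this hunk.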
@@ -1336,10 +1349,9 @@ long hrtimer_nanosleep(struct timespec *
return -ERESTARTNOHAND;
if (rmtp) {
- rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
- if (rem.tv64 <= 0)
- return 0;
- *rmtp = ktime_to_timespec(rem);
+ int ret = update_rmtp(&t.timer, rmtp);
+ if (ret <= 0)
+ return ret;
}
restart = ¤t_thread_info()->restart_block;
@@ -1355,8 +1367,7 @@ long hrtimer_nanosleep(struct timespec *
asmlinkage long
sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
{
- struct timespec tu, rmt;
- int ret;
+ struct timespec tu;
if (copy_from_user(&tu, rqtp, sizeof(tu)))
return -EFAULT;
@@ -1364,15 +1375,7 @@ sys_nanosleep(struct timespec __user *rq
if (!timespec_valid(&tu))
return -EINVAL;
- ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
- CLOCK_MONOTONIC);
-
- if (ret && rmtp) {
- if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
- return -EFAULT;
- }
-
- return ret;
+ return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
}
/*
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -981,20 +981,9 @@ sys_clock_getres(const clockid_t which_c
static int common_nsleep(const clockid_t which_clock, int flags,
struct timespec *tsave, struct timespec __user *rmtp)
{
- struct timespec rmt;
- int ret;
-
- ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
- flags & TIMER_ABSTIME ?
- HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
- which_clock);
-
- if (ret && rmtp) {
- if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
- return -EFAULT;
- }
-
- return ret;
+ return hrtimer_nanosleep(tsave, rmtp, flags & TIMER_ABSTIME ?
+ HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
+ which_clock);
}
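Review bot: The mode selection is spread across the argument list of the new `return hrtimer_nanosleep(...)` in common_nsleep, with the ternary's operands split over two lines, which makes the call harder to read than the three lines it replaced. A named local reads better and keeps the call on one line: `enum hrtimer_mode mode = flags & TIMER_ABSTIME ? HRTIMER_MODE_ABS : HRTIMER_MODE_REL;` followed by `return hrtimer_nanosleep(tsave, rmtp, mode, which_clock);`. Behaviour is unchanged; only the layout differs.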
asmlinkage long
--