From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@elte.hu>
Subject: [patch 11/36] hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)
Date: Wed, 12 Dec 2007 22:34:31 -0800 [thread overview]
Message-ID: <20071213063431.GL25301@kroah.com> (raw)
In-Reply-To: <20071213063308.GA25301@kroah.com>
[-- Attachment #1: hrtimers-avoid-overflow-for-large-relative-timeouts.patch --]
[-- Type: text/plain, Size: 1517 bytes --]
2.6.22-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline
Relative hrtimers with a large timeout value might end up as negative
timer values, when the current time is added in hrtimer_start().
This in turn is causing the clockevents_set_next() function to set an
huge timeout and sleep for quite a long time when we have a clock
source which is capable of long sleeps like HPET. With PIT this almost
goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code
sorts this out in the next timer interrupt, so we never noticed that
problem which has been there since the first day of hrtimers.
This bug became more apparent in 2.6.24 which activates HPET on more
hardware.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
kernel/hrtimer.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -825,6 +825,14 @@ hrtimer_start(struct hrtimer *timer, kti
#ifdef CONFIG_TIME_LOW_RES
tim = ktime_add(tim, base->resolution);
#endif
+ /*
+ * Careful here: User space might have asked for a
+ * very long sleep, so the add above might result in a
+ * negative number, which enqueues the timer in front
+ * of the queue.
+ */
+ if (tim.tv64 < 0)
+ tim.tv64 = KTIME_MAX;
}
timer->expires = tim;
--
next prev parent reply other threads:[~2007-12-13 6:40 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20071213062511.265908583@mini.kroah.org>
2007-12-13 6:33 ` [patch 00/36] 2.6.22-stable review Greg KH
2007-12-13 6:33 ` [patch 01/36] atl1: disable broken 64-bit DMA Greg KH
2007-12-13 6:33 ` [patch 02/36] rd: fix data corruption on memory pressure Future of Linux 2.6.22.y series Greg KH
2007-12-13 6:34 ` [patch 03/36] wait_task_stopped(): pass correct exit_code to wait_noreap_copyout() Greg KH
2007-12-13 6:34 ` [patch 04/36] USB: make the microtek driver and HAL cooperate Greg KH
2007-12-13 6:34 ` [patch 05/36] USB: fix up EHCI startup synchronization Greg KH
2007-12-13 6:34 ` [patch 06/36] tmpfs: restore missing clear_highpage Greg KH
2007-12-13 6:34 ` [patch 07/36] nf_nat: fix memset error Greg KH
2007-12-13 6:34 ` [patch 08/36] libcrc32c: keep intermediate crc state in cpu order Greg KH
2007-12-13 6:34 ` [patch 09/36] isdn: avoid copying overly-long strings Greg KH
2007-12-13 6:34 ` [patch 10/36] I4L: fix isdn_ioctl memory overrun vulnerability Greg KH
2007-12-13 6:34 ` Greg KH [this message]
2007-12-13 6:34 ` [patch 12/36] futex: fix for futex_wait signal stack corruption Greg KH
2007-12-13 6:34 ` [patch 13/36] forcedeth: new mcp79 pci ids Greg KH
2007-12-13 6:34 ` [patch 14/36] forcedeth boot delay fix Greg KH
2007-12-13 6:34 ` [patch 15/36] fb_ddc: fix DDC lines quirk Greg KH
2007-12-13 6:34 ` [patch 16/36] TCP: Problem bug with sysctl_tcp_congestion_control function Greg KH
2007-12-13 6:34 ` [patch 17/36] TCP: MTUprobe: fix potential sk_send_head corruption Greg KH
2007-12-13 6:34 ` [patch 18/36] PFKEY: Sending an SADB_GET responds with an SADB_GET Greg KH
2007-12-13 6:34 ` [patch 19/36] NET: Corrects a bug in ip_rt_acct_read() Greg KH
2007-12-13 6:34 ` [patch 20/36] IPV4: Remove bogus ifdef mess in arp_process Greg KH
2007-12-13 6:34 ` [patch 21/36] CRYPTO api: Fix potential race in crypto_remove_spawn Greg KH
2007-12-13 6:35 ` [patch 22/36] ATM: initialize lock and tasklet earlier Greg KH
2007-12-13 6:35 ` [patch 23/36] UNIX: EOF on non-blocking SOCK_SEQPACKET Greg KH
2007-12-13 6:35 ` [patch 24/36] TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure Greg KH
2007-12-13 6:35 ` [patch 25/36] TCP: illinois: Incorrect beta usage Greg KH
2007-12-13 6:35 ` [patch 26/36] RXRPC: Add missing select on CRYPTO Greg KH
2007-12-13 6:35 ` [patch 27/36] IPV6: Restore IPv6 when MTU is big enough Greg KH
2007-12-13 6:35 ` [patch 28/36] DECNET: dn_nl_deladdr() almost always returns no error Greg KH
2007-12-13 6:35 ` [patch 29/36] BRIDGE: Lost call to br_fdb_fini() in br_init() error path Greg KH
2007-12-13 6:35 ` [patch 30/36] knfsd: Validate filehandle type in fsid_source Greg KH
2007-12-13 6:35 ` [patch 31/36] Revert "Fix SMP poweroff hangs" Greg KH
2007-12-13 6:35 ` [patch 32/36] XFS: Make xfsbufd threads freezable Greg KH
2007-12-13 18:46 ` Fortier,Vincent [Montreal]
2007-12-13 19:07 ` Olivér Pintér
2007-12-13 19:16 ` Olivér Pintér
2007-12-14 0:34 ` Greg KH
2007-12-13 6:35 ` [patch 33/36] XFRM: Fix leak of expired xfrm_states Greg KH
2007-12-13 6:35 ` [patch 34/36] NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON Greg KH
2007-12-13 6:35 ` [patch 35/36] libata: kill spurious NCQ completion detection Greg KH
2007-12-13 6:35 ` [patch 36/36] BRIDGE: Properly dereference the br_should_route_hook Greg KH
2007-12-13 6:42 ` [stable] [patch 00/36] 2.6.22-stable review Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071213063431.GL25301@kroah.com \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox