commit 080344b98805553f9b01de0f59a41b1533036d8d · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

hrtimer: fix *rmtp handling in hrtimer_nanosleep()

Spotted by Pavel Emelyanov and Alexey Dobriyan.

hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
the local variable which lives in the caller's stack frame. This means that
if sys_restart_syscall() actually happens and it is interrupted as well, we
don't update the user-space variable, but write into the already dead stack
frame.

Introduced by commit 04c227140fed77587432667a574b14736a06dd7f
hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier

Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.

Small problem remains. man 2 nanosleep states that *rtmp should be written if
nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
if nanosleep returns 0), but (with or without this patch) we can dirty *rem
even if nanosleep() returns 0.

NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
bugs. Fixed by the next patch.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Alexey Dobriyan <adobriyan@sw.ru>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Pavel Emelyanov <xemul@sw.ru>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Toyo Abe <toyoa@mvista.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

include/linux/hrtimer.h | 2 -
kernel/hrtimer.c | 51 +++++++++++++++++++++++++-----------------------
kernel/posix-timers.c | 14 +------------
3 files changed, 30 insertions(+), 37 deletions(-)

authored by Oleg Nesterov and committed by Thomas Gleixner 18 years ago 080344b9 e13a2e61

+31 -39

3 changed files

expand all

unified split

include

linux

hrtimer.h

kernel

hrtimer.c

posix-timers.c

+1 -1

include/linux/hrtimer.h

··· 316 317 /* Precise sleep: */ 318 extern long hrtimer_nanosleep(struct timespec *rqtp, 319 - struct timespec *rmtp, 320 const enum hrtimer_mode mode, 321 const clockid_t clockid); 322 extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);

··· 316 317 /* Precise sleep: */ 318 extern long hrtimer_nanosleep(struct timespec *rqtp, 319 + struct timespec __user *rmtp, 320 const enum hrtimer_mode mode, 321 const clockid_t clockid); 322 extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);

+27 -24

kernel/hrtimer.c

··· 1319 return t->task == NULL; 1320 } 1321 1322 long __sched hrtimer_nanosleep_restart(struct restart_block *restart) 1323 { 1324 struct hrtimer_sleeper t; 1325 - struct timespec *rmtp; 1326 - ktime_t time; 1327 1328 restart->fn = do_no_restart_syscall; 1329 ··· 1348 if (do_nanosleep(&t, HRTIMER_MODE_ABS)) 1349 return 0; 1350 1351 - rmtp = (struct timespec *)restart->arg1; 1352 if (rmtp) { 1353 - time = ktime_sub(t.timer.expires, t.timer.base->get_time()); 1354 - if (time.tv64 <= 0) 1355 - return 0; 1356 - *rmtp = ktime_to_timespec(time); 1357 } 1358 1359 restart->fn = hrtimer_nanosleep_restart; ··· 1361 return -ERESTART_RESTARTBLOCK; 1362 } 1363 1364 - long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp, 1365 const enum hrtimer_mode mode, const clockid_t clockid) 1366 { 1367 struct restart_block *restart; 1368 struct hrtimer_sleeper t; 1369 - ktime_t rem; 1370 1371 hrtimer_init(&t.timer, clockid, mode); 1372 t.timer.expires = timespec_to_ktime(*rqtp); ··· 1377 return -ERESTARTNOHAND; 1378 1379 if (rmtp) { 1380 - rem = ktime_sub(t.timer.expires, t.timer.base->get_time()); 1381 - if (rem.tv64 <= 0) 1382 - return 0; 1383 - *rmtp = ktime_to_timespec(rem); 1384 } 1385 1386 restart = &current_thread_info()->restart_block; ··· 1395 asmlinkage long 1396 sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp) 1397 { 1398 - struct timespec tu, rmt; 1399 - int ret; 1400 1401 if (copy_from_user(&tu, rqtp, sizeof(tu))) 1402 return -EFAULT; ··· 1403 if (!timespec_valid(&tu)) 1404 return -EINVAL; 1405 1406 - ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL, 1407 - CLOCK_MONOTONIC); 1408 - 1409 - if (ret && rmtp) { 1410 - if (copy_to_user(rmtp, &rmt, sizeof(*rmtp))) 1411 - return -EFAULT; 1412 - } 1413 - 1414 - return ret; 1415 } 1416 1417 /*

··· 1319 return t->task == NULL; 1320 } 1321 1322 + static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp) 1323 + { 1324 + struct timespec rmt; 1325 + ktime_t rem; 1326 + 1327 + rem = ktime_sub(timer->expires, timer->base->get_time()); 1328 + if (rem.tv64 <= 0) 1329 + return 0; 1330 + rmt = ktime_to_timespec(rem); 1331 + 1332 + if (copy_to_user(rmtp, &rmt, sizeof(*rmtp))) 1333 + return -EFAULT; 1334 + 1335 + return 1; 1336 + } 1337 + 1338 long __sched hrtimer_nanosleep_restart(struct restart_block *restart) 1339 { 1340 struct hrtimer_sleeper t; 1341 + struct timespec __user *rmtp; 1342 1343 restart->fn = do_no_restart_syscall; 1344 ··· 1333 if (do_nanosleep(&t, HRTIMER_MODE_ABS)) 1334 return 0; 1335 1336 + rmtp = (struct timespec __user *)restart->arg1; 1337 if (rmtp) { 1338 + int ret = update_rmtp(&t.timer, rmtp); 1339 + if (ret <= 0) 1340 + return ret; 1341 } 1342 1343 restart->fn = hrtimer_nanosleep_restart; ··· 1347 return -ERESTART_RESTARTBLOCK; 1348 } 1349 1350 + long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp, 1351 const enum hrtimer_mode mode, const clockid_t clockid) 1352 { 1353 struct restart_block *restart; 1354 struct hrtimer_sleeper t; 1355 1356 hrtimer_init(&t.timer, clockid, mode); 1357 t.timer.expires = timespec_to_ktime(*rqtp); ··· 1364 return -ERESTARTNOHAND; 1365 1366 if (rmtp) { 1367 + int ret = update_rmtp(&t.timer, rmtp); 1368 + if (ret <= 0) 1369 + return ret; 1370 } 1371 1372 restart = &current_thread_info()->restart_block; ··· 1383 asmlinkage long 1384 sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp) 1385 { 1386 + struct timespec tu; 1387 1388 if (copy_from_user(&tu, rqtp, sizeof(tu))) 1389 return -EFAULT; ··· 1392 if (!timespec_valid(&tu)) 1393 return -EINVAL; 1394 1395 + return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC); 1396 } 1397 1398 /*

+3 -14

kernel/posix-timers.c

··· 982 static int common_nsleep(const clockid_t which_clock, int flags, 983 struct timespec *tsave, struct timespec __user *rmtp) 984 { 985 - struct timespec rmt; 986 - int ret; 987 - 988 - ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL, 989 - flags & TIMER_ABSTIME ? 990 - HRTIMER_MODE_ABS : HRTIMER_MODE_REL, 991 - which_clock); 992 - 993 - if (ret && rmtp) { 994 - if (copy_to_user(rmtp, &rmt, sizeof(*rmtp))) 995 - return -EFAULT; 996 - } 997 - 998 - return ret; 999 } 1000 1001 asmlinkage long

··· 982 static int common_nsleep(const clockid_t which_clock, int flags, 983 struct timespec *tsave, struct timespec __user *rmtp) 984 { 985 + return hrtimer_nanosleep(tsave, rmtp, flags & TIMER_ABSTIME ? 986 + HRTIMER_MODE_ABS : HRTIMER_MODE_REL, 987 + which_clock); 988 } 989 990 asmlinkage long