Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=080344b98805553f9b01de0f59a41b1533036d8d
Commit:     080344b98805553f9b01de0f59a41b1533036d8d
Parent:     e13a2e61dd5152f5499d2003470acf9c838eab84
Author:     Oleg Nesterov <[EMAIL PROTECTED]>
AuthorDate: Fri Feb 1 17:29:05 2008 +0300
Committer:  Thomas Gleixner <[EMAIL PROTECTED]>
CommitDate: Sun Feb 10 10:48:03 2008 +0100

    hrtimer: fix *rmtp handling in hrtimer_nanosleep()
    
    Spotted by Pavel Emelyanov and Alexey Dobriyan.
    
    hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
    the local variable which lives in the caller's stack frame. This means that
    if sys_restart_syscall() actually happens and it is interrupted as well, we
    don't update the user-space variable, but write into the already dead stack
    frame.
    
    Introduced by commit 04c227140fed77587432667a574b14736a06dd7f
    hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier
    
    Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
    hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
    
    Small problem remains. man 2 nanosleep states that *rtmp should be written 
if
    nanosleep() was interrupted (it says nothing whether it is OK to update 
*rmtp
    if nanosleep returns 0), but (with or without this patch) we can dirty *rem
    even if nanosleep() returns 0.
    
    NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
    bugs. Fixed by the next patch.
    
    Signed-off-by: Oleg Nesterov <[EMAIL PROTECTED]>
    Cc: Alexey Dobriyan <[EMAIL PROTECTED]>
    Cc: Michael Kerrisk <[EMAIL PROTECTED]>
    Cc: Pavel Emelyanov <[EMAIL PROTECTED]>
    Cc: Peter Zijlstra <[EMAIL PROTECTED]>
    Cc: Toyo Abe <[EMAIL PROTECTED]>
    Cc: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Thomas Gleixner <[EMAIL PROTECTED]>
    
     include/linux/hrtimer.h |    2 -
     kernel/hrtimer.c        |   51 
+++++++++++++++++++++++++-----------------------
     kernel/posix-timers.c   |   14 +------------
     3 files changed, 30 insertions(+), 37 deletions(-)
---
 include/linux/hrtimer.h |    2 +-
 kernel/hrtimer.c        |   51 ++++++++++++++++++++++++----------------------
 kernel/posix-timers.c   |   17 ++------------
 3 files changed, 31 insertions(+), 39 deletions(-)

diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
index 600fc3b..1ad56a7 100644
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -316,7 +316,7 @@ static inline u64 hrtimer_forward_now(struct hrtimer *timer,
 
 /* Precise sleep: */
 extern long hrtimer_nanosleep(struct timespec *rqtp,
-                             struct timespec *rmtp,
+                             struct timespec __user *rmtp,
                              const enum hrtimer_mode mode,
                              const clockid_t clockid);
 extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
index 668f396..355085f 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1319,11 +1319,26 @@ static int __sched do_nanosleep(struct hrtimer_sleeper 
*t, enum hrtimer_mode mod
        return t->task == NULL;
 }
 
+static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
+{
+       struct timespec rmt;
+       ktime_t rem;
+
+       rem = ktime_sub(timer->expires, timer->base->get_time());
+       if (rem.tv64 <= 0)
+               return 0;
+       rmt = ktime_to_timespec(rem);
+
+       if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+               return -EFAULT;
+
+       return 1;
+}
+
 long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
 {
        struct hrtimer_sleeper t;
-       struct timespec *rmtp;
-       ktime_t time;
+       struct timespec __user  *rmtp;
 
        restart->fn = do_no_restart_syscall;
 
@@ -1333,12 +1348,11 @@ long __sched hrtimer_nanosleep_restart(struct 
restart_block *restart)
        if (do_nanosleep(&t, HRTIMER_MODE_ABS))
                return 0;
 
-       rmtp = (struct timespec *)restart->arg1;
+       rmtp = (struct timespec __user *)restart->arg1;
        if (rmtp) {
-               time = ktime_sub(t.timer.expires, t.timer.base->get_time());
-               if (time.tv64 <= 0)
-                       return 0;
-               *rmtp = ktime_to_timespec(time);
+               int ret = update_rmtp(&t.timer, rmtp);
+               if (ret <= 0)
+                       return ret;
        }
 
        restart->fn = hrtimer_nanosleep_restart;
@@ -1347,12 +1361,11 @@ long __sched hrtimer_nanosleep_restart(struct 
restart_block *restart)
        return -ERESTART_RESTARTBLOCK;
 }
 
-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
+long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
                       const enum hrtimer_mode mode, const clockid_t clockid)
 {
        struct restart_block *restart;
        struct hrtimer_sleeper t;
-       ktime_t rem;
 
        hrtimer_init(&t.timer, clockid, mode);
        t.timer.expires = timespec_to_ktime(*rqtp);
@@ -1364,10 +1377,9 @@ long hrtimer_nanosleep(struct timespec *rqtp, struct 
timespec *rmtp,
                return -ERESTARTNOHAND;
 
        if (rmtp) {
-               rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
-               if (rem.tv64 <= 0)
-                       return 0;
-               *rmtp = ktime_to_timespec(rem);
+               int ret = update_rmtp(&t.timer, rmtp);
+               if (ret <= 0)
+                       return ret;
        }
 
        restart = &current_thread_info()->restart_block;
@@ -1383,8 +1395,7 @@ long hrtimer_nanosleep(struct timespec *rqtp, struct 
timespec *rmtp,
 asmlinkage long
 sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
 {
-       struct timespec tu, rmt;
-       int ret;
+       struct timespec tu;
 
        if (copy_from_user(&tu, rqtp, sizeof(tu)))
                return -EFAULT;
@@ -1392,15 +1403,7 @@ sys_nanosleep(struct timespec __user *rqtp, struct 
timespec __user *rmtp)
        if (!timespec_valid(&tu))
                return -EINVAL;
 
-       ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
-                               CLOCK_MONOTONIC);
-
-       if (ret && rmtp) {
-               if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
-                       return -EFAULT;
-       }
-
-       return ret;
+       return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
 }
 
 /*
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index ce26896..022c9c3 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -982,20 +982,9 @@ sys_clock_getres(const clockid_t which_clock, struct 
timespec __user *tp)
 static int common_nsleep(const clockid_t which_clock, int flags,
                         struct timespec *tsave, struct timespec __user *rmtp)
 {
-       struct timespec rmt;
-       int ret;
-
-       ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
-                               flags & TIMER_ABSTIME ?
-                               HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
-                               which_clock);
-
-       if (ret && rmtp) {
-               if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
-                       return -EFAULT;
-       }
-
-       return ret;
+       return hrtimer_nanosleep(tsave, rmtp, flags & TIMER_ABSTIME ?
+                                HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
+                                which_clock);
 }
 
 asmlinkage long
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to