hrtimer: fix *rmtp handling in hrtimer_nanosleep()

Spotted by Pavel Emelyanov and Alexey Dobriyan. hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to the local variable which lives in the caller's stack frame. This means that if sys_restart_syscall() actually happens and it is interrupted as well, we don't update the user-space variable, but write into the already dead stack frame. Introduced by commit 04c227140f hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp. Small problem remains. man 2 nanosleep states that *rtmp should be written if nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp if nanosleep returns 0), but (with or without this patch) we can dirty *rem even if nanosleep() returns 0. NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other bugs. Fixed by the next patch. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Alexey Dobriyan <adobriyan@sw.ru> Cc: Michael Kerrisk <mtk.manpages@googlemail.com> Cc: Pavel Emelyanov <xemul@sw.ru> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Toyo Abe <toyoa@mvista.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> include/linux/hrtimer.h | 2 - kernel/hrtimer.c | 51 +++++++++++++++++++++++++----------------------- kernel/posix-timers.c | 14 +------------ 3 files changed, 30 insertions(+), 37 deletions(-)
2024-12-28 03:36:19 +00:00 · 2008-02-01 17:29:05 +03:00 · 2008-02-01 17:29:05 +03:00 · 080344b988
commit 080344b988
parent e13a2e61dd
3 changed files with 31 additions and 39 deletions
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@ -316,7 +316,7 @@ static inline u64 hrtimer_forward_now(struct hrtimer *timer,
 /* Precise sleep: */
 extern long hrtimer_nanosleep(struct timespec *rqtp,
-			      struct timespec *rmtp,
+			      struct timespec __user *rmtp,
 			      const enum hrtimer_mode mode,
 			      const clockid_t clockid);
 extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@ -1319,11 +1319,26 @@ static int __sched do_nanosleep(struct hrtimer_sleeper *t, enum hrtimer_mode mod
 	return t->task == NULL;
 }
 static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
 {
 	struct timespec rmt;
 	ktime_t rem;
 	rem = ktime_sub(timer->expires, timer->base->get_time());
 	if (rem.tv64 <= 0)
 		return 0;
 	rmt = ktime_to_timespec(rem);
 	if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
 		return -EFAULT;
 	return 1;
 }
 long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
 {
 	struct hrtimer_sleeper t;
-	struct timespec *rmtp;
+	struct timespec __user  *rmtp;
 	ktime_t time;
 	restart->fn = do_no_restart_syscall;
@ -1333,12 +1348,11 @@ long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
 	if (do_nanosleep(&t, HRTIMER_MODE_ABS))
 		return 0;
-	rmtp = (struct timespec *)restart->arg1;
+	rmtp = (struct timespec __user *)restart->arg1;
 	if (rmtp) {
-		time = ktime_sub(t.timer.expires, t.timer.base->get_time());
+		int ret = update_rmtp(&t.timer, rmtp);
-		if (time.tv64 <= 0)
+		if (ret <= 0)
-			return 0;
+			return ret;
 		*rmtp = ktime_to_timespec(time);
 	}
 	restart->fn = hrtimer_nanosleep_restart;
@ -1347,12 +1361,11 @@ long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
 	return -ERESTART_RESTARTBLOCK;
 }
-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
+long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
 		       const enum hrtimer_mode mode, const clockid_t clockid)
 {
 	struct restart_block *restart;
 	struct hrtimer_sleeper t;
 	ktime_t rem;
 	hrtimer_init(&t.timer, clockid, mode);
 	t.timer.expires = timespec_to_ktime(*rqtp);
@ -1364,10 +1377,9 @@ long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
 		return -ERESTARTNOHAND;
 	if (rmtp) {
-		rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
+		int ret = update_rmtp(&t.timer, rmtp);
-		if (rem.tv64 <= 0)
+		if (ret <= 0)
-			return 0;
+			return ret;
 		*rmtp = ktime_to_timespec(rem);
 	}
 	restart = &current_thread_info()->restart_block;
@ -1383,8 +1395,7 @@ long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
 asmlinkage long
 sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
 {
-	struct timespec tu, rmt;
+	struct timespec tu;
 	int ret;
 	if (copy_from_user(&tu, rqtp, sizeof(tu)))
 		return -EFAULT;
@ -1392,15 +1403,7 @@ sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
 	if (!timespec_valid(&tu))
 		return -EINVAL;
-	ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
+	return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
 				CLOCK_MONOTONIC);
 	if (ret && rmtp) {
 		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
 			return -EFAULT;
 	}
 	return ret;
 }
 /*
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@ -982,20 +982,9 @@ sys_clock_getres(const clockid_t which_clock, struct timespec __user *tp)
 static int common_nsleep(const clockid_t which_clock, int flags,
 			 struct timespec *tsave, struct timespec __user *rmtp)
 {
-	struct timespec rmt;
+	return hrtimer_nanosleep(tsave, rmtp, flags & TIMER_ABSTIME ?
-	int ret;
+				 HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
-
+				 which_clock);
 	ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
 				flags & TIMER_ABSTIME ?
 				HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
 				which_clock);
 	if (ret && rmtp) {
 		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
 			return -EFAULT;
 	}
 	return ret;
 }
 asmlinkage long