• Oleg Nesterov's avatar
    hrtimer: fix *rmtp handling in hrtimer_nanosleep() · 080344b9
    Oleg Nesterov authored
    Spotted by Pavel Emelyanov and Alexey Dobriyan.
    
    hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
    the local variable which lives in the caller's stack frame. This means that
    if sys_restart_syscall() actually happens and it is interrupted as well, we
    don't update the user-space variable, but write into the already dead stack
    frame.
    
    Introduced by commit 04c22714
    hrtimer: Rework hrtimer_nanosleep to make sys_compat_nanosleep easier
    
    Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
    hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
    
    Small problem remains. man 2 nanosleep states that *rtmp should be written if
    nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
    if nanosleep returns 0), but (with or without this patch) we can dirty *rem
    even if nanosleep() returns 0.
    
    NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
    bugs. Fixed by the next patch.
    Signed-off-by: default avatarOleg Nesterov <oleg@tv-sign.ru>
    Cc: Alexey Dobriyan <adobriyan@sw.ru>
    Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
    Cc: Pavel Emelyanov <xemul@sw.ru>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Toyo Abe <toyoa@mvista.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    
     include/linux/hrtimer.h |    2 -
     kernel/hrtimer.c        |   51 +++++++++++++++++++++++++-----------------------
     kernel/posix-timers.c   |   14 +------------
     3 files changed, 30 insertions(+), 37 deletions(-)
    080344b9
hrtimer.c 36.5 KB