* [PATCH 0/3] Alarmtimer fixes for 3.1
@ 2011-08-10 23:43 John Stultz
  2011-08-10 23:43 ` [PATCH 1/3] alarmtimers: Avoid possible null pointer traversal John Stultz
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: John Stultz @ 2011-08-10 23:43 UTC (permalink / raw)
  To: LKML; +Cc: John Stultz, Thomas Gleixner

Hey Thomas,

In reviewing the alarmtimer code, I ran across a few bugs that should be
fixed for 3.1 and backported to 3.0-stable.

These are also available in the git repository at:
  git://git.linaro.org/people/jstultz/linux.git fortglx/3.1/tip/timers/alarmtimers


The last of these is a pretty terrible hack, but I've got a more invasive
fix (along with other cleanups) queued on top of these for 3.2 that should
resolve it. Feel free to take a peek at those changes here:
  git://git.linaro.org/people/jstultz/linux.git fortglx/3.2/tip/timers/alarmtimers

Let me know if you have any thoughts or feedback!

thanks
-john

CC: Thomas Gleixner <tglx@linutronix.de>

John Stultz (3):
  alarmtimers: Avoid possible null pointer traversal
  alarmtimers: Memset itimerspec passed into alarm_timer_get
  alarmtimers: Avoid possible denial of service with high freq periodic
    timers

 kernel/time/alarmtimer.c |   18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)

-- 
1.7.3.2.146.gca209



* [PATCH 1/3] alarmtimers: Avoid possible null pointer traversal
  2011-08-10 23:43 [PATCH 0/3] Alarmtimer fixes for 3.1 John Stultz
@ 2011-08-10 23:43 ` John Stultz
  2011-08-10 23:43 ` [PATCH 2/3] alarmtimers: Memset itimerspec passed into alarm_timer_get John Stultz
  2011-08-10 23:43 ` [PATCH 3/3] alarmtimers: Avoid possible denial of service with high freq periodic timers John Stultz
  2 siblings, 0 replies; 4+ messages in thread
From: John Stultz @ 2011-08-10 23:43 UTC (permalink / raw)
  To: LKML; +Cc: John Stultz, Thomas Gleixner, stable

We don't check if old_setting is non null before assigning it, so
correct this.

CC: Thomas Gleixner <tglx@linutronix.de>
CC: stable@kernel.org
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 kernel/time/alarmtimer.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 59f369f..1dee3f6 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -479,11 +479,8 @@ static int alarm_timer_set(struct k_itimer *timr, int flags,
 	if (!rtcdev)
 		return -ENOTSUPP;
 
-	/* Save old values */
-	old_setting->it_interval =
-			ktime_to_timespec(timr->it.alarmtimer.period);
-	old_setting->it_value =
-			ktime_to_timespec(timr->it.alarmtimer.node.expires);
+	if (old_setting)
+		alarm_timer_get(timr, old_setting);
 
 	/* If the timer was already set, cancel it */
 	alarm_cancel(&timr->it.alarmtimer);
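
Review bot: the changelog describes this as "assigning" old_setting without a check, but the removed lines at the top of the hunk write through the pointer (old_setting->it_interval and old_setting->it_value), so the defect is a NULL dereference inside alarm_timer_set(). Since the patch is CC'd to stable, the commit message should say that and name the path on which old_setting can be NULL. The replacement `if (old_setting) alarm_timer_get(timr, old_setting);` is a good way to drop the duplicated conversion, but it also drops the "Save old values" comment; a one-line comment above the guard would keep the intent visible, and it is worth noting there that the call has to stay ahead of alarm_cancel() so the values returned are those from before the timer is cancelled.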
-- 
1.7.3.2.146.gca209



* [PATCH 2/3] alarmtimers: Memset itimerspec passed into alarm_timer_get
  2011-08-10 23:43 [PATCH 0/3] Alarmtimer fixes for 3.1 John Stultz
  2011-08-10 23:43 ` [PATCH 1/3] alarmtimers: Avoid possible null pointer traversal John Stultz
@ 2011-08-10 23:43 ` John Stultz
  2011-08-10 23:43 ` [PATCH 3/3] alarmtimers: Avoid possible denial of service with high freq periodic timers John Stultz
  2 siblings, 0 replies; 4+ messages in thread
From: John Stultz @ 2011-08-10 23:43 UTC (permalink / raw)
  To: LKML; +Cc: John Stultz, Thomas Gleixner, stable

Following common_timer_get, zero out the itimerspec passed in.

CC: Thomas Gleixner <tglx@linutronix.de>
CC: stable@kernel.org
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 kernel/time/alarmtimer.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 1dee3f6..0e9263f 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -441,6 +441,8 @@ static int alarm_timer_create(struct k_itimer *new_timer)
 static void alarm_timer_get(struct k_itimer *timr,
 				struct itimerspec *cur_setting)
 {
+	memset(cur_setting, 0, sizeof(struct itimerspec));
+
 	cur_setting->it_interval =
 			ktime_to_timespec(timr->it.alarmtimer.period);
 	cur_setting->it_value =
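
Review bot: in the added memset(), prefer sizeof(*cur_setting) over sizeof(struct itimerspec) so the length follows the pointer's type if the parameter type ever changes. The changelog gives only "Following common_timer_get" as the reason, while the two fields visible in this hunk are assigned immediately after the memset; please state what the zeroing protects against (for example, bytes of the caller's structure that these two assignments do not cover) so the stable backport is justified on its own. Note also that alarm_timer_get() now dereferences cur_setting unconditionally on its first line, so every caller must pass a non-NULL pointer, as the guarded call added in patch 1/3 does.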
-- 
1.7.3.2.146.gca209



* [PATCH 3/3] alarmtimers: Avoid possible denial of service with high freq periodic timers
  2011-08-10 23:43 [PATCH 0/3] Alarmtimer fixes for 3.1 John Stultz
  2011-08-10 23:43 ` [PATCH 1/3] alarmtimers: Avoid possible null pointer traversal John Stultz
  2011-08-10 23:43 ` [PATCH 2/3] alarmtimers: Memset itimerspec passed into alarm_timer_get John Stultz
@ 2011-08-10 23:43 ` John Stultz
  2 siblings, 0 replies; 4+ messages in thread
From: John Stultz @ 2011-08-10 23:43 UTC (permalink / raw)
  To: LKML; +Cc: John Stultz, Thomas Gleixner, stable

It's possible to jam up the alarm timers by setting very small interval
timers, which will cause the alarmtimer subsystem to spend all of its time
firing and restarting timers. This can effectively lock up a box.

A deeper fix is needed, closely mimicking the hrtimer code, but for now
just cap the interval to 100us to avoid userland hanging the system.

CC: Thomas Gleixner <tglx@linutronix.de>
CC: stable@kernel.org
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 kernel/time/alarmtimer.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 0e9263f..ea5e1a9 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -481,6 +481,15 @@ static int alarm_timer_set(struct k_itimer *timr, int flags,
 	if (!rtcdev)
 		return -ENOTSUPP;
 
+	/*
+	 * XXX HACK! Currently we can DOS a system if the interval
+	 * period on alarmtimers is too small. Cap the interval here
+	 * to 100us and solve this properly in a future patch! -jstultz
+	 */
+	if ((new_setting->it_interval.tv_sec == 0) &&
+			(new_setting->it_interval.tv_nsec < 100000))
+		new_setting->it_interval.tv_nsec = 100000;
+
 	if (old_setting)
 		alarm_timer_get(timr, old_setting);
 
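Review bot: the added condition `tv_sec == 0 && tv_nsec < 100000` is also true for an it_interval of {0, 0}, so a request with no interval is rewritten to a 100us period; if a zero interval means "one-shot" here, as it does for the other POSIX timers, this turns every one-shot alarm timer into a periodic one. Excluding zero (apply the cap only when tv_nsec is non-zero) would keep the DoS mitigation without changing one-shot behaviour. Two smaller points: the clamp writes into new_setting, silently changing the caller's input rather than a local copy or the stored period, which deserves a mention in the comment; and the bare 100000 would read better as a named minimum-interval constant (or 100 * NSEC_PER_USEC) so the 100us in the comment and the value in the code cannot drift apart.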
-- 
1.7.3.2.146.gca209

