All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW
@ 2009-08-03  2:48 Hiroshi Shimamoto
  2009-08-04  7:22 ` Andrew Morton
  2009-08-04  8:21 ` [tip:timers/urgent] posix-timers: Fix " tip-bot for Hiroshi Shimamoto
  0 siblings, 2 replies; 6+ messages in thread
From: Hiroshi Shimamoto @ 2009-08-03  2:48 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: Ingo Molnar, linux-kernel

From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>

Prevent calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW, it may
cause oops, such as NULL pointer dereference.

Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
---
 kernel/posix-timers.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index 052ec4d..d089d05 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -202,6 +202,12 @@ static int no_timer_create(struct k_itimer *new_timer)
 	return -EOPNOTSUPP;
 }
 
+static int no_nsleep(const clockid_t which_clock, int flags,
+		     struct timespec *tsave, struct timespec __user *rmtp)
+{
+	return -EOPNOTSUPP;
+}
+
 /*
  * Return nonzero if we know a priori this clockid_t value is bogus.
  */
@@ -254,6 +260,7 @@ static __init int init_posix_timers(void)
 		.clock_get = posix_get_monotonic_raw,
 		.clock_set = do_posix_clock_nosettime,
 		.timer_create = no_timer_create,
+		.nsleep = no_nsleep,
 	};
 
 	register_posix_clock(CLOCK_REALTIME, &clock_realtime);
-- 
1.6.3.3


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW
  2009-08-03  2:48 [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW Hiroshi Shimamoto
@ 2009-08-04  7:22 ` Andrew Morton
  2009-08-04  7:41   ` Hiroshi Shimamoto
  2009-08-04  8:21 ` [tip:timers/urgent] posix-timers: Fix " tip-bot for Hiroshi Shimamoto
  1 sibling, 1 reply; 6+ messages in thread
From: Andrew Morton @ 2009-08-04  7:22 UTC (permalink / raw)
  To: Hiroshi Shimamoto; +Cc: Thomas Gleixner, Ingo Molnar, linux-kernel

On Mon, 03 Aug 2009 11:48:19 +0900 Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote:

> From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> 
> Prevent calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW, it may
> cause oops, such as NULL pointer dereference.
> 
> Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> ---
>  kernel/posix-timers.c |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
> index 052ec4d..d089d05 100644
> --- a/kernel/posix-timers.c
> +++ b/kernel/posix-timers.c
> @@ -202,6 +202,12 @@ static int no_timer_create(struct k_itimer *new_timer)
>  	return -EOPNOTSUPP;
>  }
>  
> +static int no_nsleep(const clockid_t which_clock, int flags,
> +		     struct timespec *tsave, struct timespec __user *rmtp)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
>  /*
>   * Return nonzero if we know a priori this clockid_t value is bogus.
>   */
> @@ -254,6 +260,7 @@ static __init int init_posix_timers(void)
>  		.clock_get = posix_get_monotonic_raw,
>  		.clock_set = do_posix_clock_nosettime,
>  		.timer_create = no_timer_create,
> +		.nsleep = no_nsleep,
>  	};
>  
>  	register_posix_clock(CLOCK_REALTIME, &clock_realtime);

Under which circumstances will this oops trigger?

What userspace setup/actions will trigger the oops?

Thanks.



<spends 5 minutes trying to work out where k_clock.nsleep() even gets
called from>

OK, that CLOCK_DISPATCH() thing should be strangled and burnt...

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW
  2009-08-04  7:22 ` Andrew Morton
@ 2009-08-04  7:41   ` Hiroshi Shimamoto
  2009-08-04  7:57     ` Andrew Morton
  0 siblings, 1 reply; 6+ messages in thread
From: Hiroshi Shimamoto @ 2009-08-04  7:41 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Thomas Gleixner, Ingo Molnar, linux-kernel

Andrew Morton wrote:
> On Mon, 03 Aug 2009 11:48:19 +0900 Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote:
> 
>> From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
>>
>> Prevent calling do_nanosleep() with clockid CLOCK_MONOTONIC_RAW, it may
>> cause oops, such as NULL pointer dereference.
>>
>> Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
>> ---
>>  kernel/posix-timers.c |    7 +++++++
>>  1 files changed, 7 insertions(+), 0 deletions(-)
>>
>> diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
>> index 052ec4d..d089d05 100644
>> --- a/kernel/posix-timers.c
>> +++ b/kernel/posix-timers.c
>> @@ -202,6 +202,12 @@ static int no_timer_create(struct k_itimer *new_timer)
>>  	return -EOPNOTSUPP;
>>  }
>>  
>> +static int no_nsleep(const clockid_t which_clock, int flags,
>> +		     struct timespec *tsave, struct timespec __user *rmtp)
>> +{
>> +	return -EOPNOTSUPP;
>> +}
>> +
>>  /*
>>   * Return nonzero if we know a priori this clockid_t value is bogus.
>>   */
>> @@ -254,6 +260,7 @@ static __init int init_posix_timers(void)
>>  		.clock_get = posix_get_monotonic_raw,
>>  		.clock_set = do_posix_clock_nosettime,
>>  		.timer_create = no_timer_create,
>> +		.nsleep = no_nsleep,
>>  	};
>>  
>>  	register_posix_clock(CLOCK_REALTIME, &clock_realtime);
> 
> Under which circumstances will this oops trigger?
> 
> What userspace setup/actions will trigger the oops?

Sorry for the lack of information.
Userspace program is like this;

#include <time.h>

int main(void)
{
	struct timespec ts;

	ts.tv_sec = 1;
	ts.tv_nsec = 0;

	return clock_nanosleep(4, 0, &ts, NULL);
}

and it will cause oops;

BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: [<ffffffff81029eb5>] __ticket_spin_lock+0x9/0x1a
PGD 3dc6c067 PUD 3b519067 PMD 0 
Oops: 0002 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/irq
CPU 0 
Modules linked in: sco bnep l2cap bluetooth sunrpc bridge stp llc ipv6 p4_clockmod speedstep_lib freq_table dm_multipath uinput iTCO_wdt iTCO_vendor_support tg3 i2c_i801 snd_intel8x0 snd_ac97_codec ac97_bus ppdev snd_pcm parport_pc snd_timer floppy parport snd soundcore snd_page_alloc pcspkr ata_generic pata_acpi nouveau drm i2c_algo_bit i2c_core [last unloaded: freq_table]
Pid: 20114, comm: a.out Not tainted 2.6.29.6-213.fc11.x86_64 #1 PC-MY32EXZE78SG
RIP: 0010:[<ffffffff81029eb5>]  [<ffffffff81029eb5>] __ticket_spin_lock+0x9/0x1a
RSP: 0018:ffff88003e08bd88  EFLAGS: 00010046
RAX: 0000000000000100 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 000000000000c350 RSI: 0000000000000286 RDI: 0000000000000001
RBP: ffff88003e08bd88 R08: 0000000000000001 R09: 0000003ec680eec0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000286
R13: ffff88003e08be20 R14: 000000000000c350 R15: 000000000000c350
FS:  00007fb6cd3996f0(0000) GS:ffffffff817b7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000001 CR3: 000000003a5c0000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process a.out (pid: 20114, threadinfo ffff88003e08a000, task ffff8800399e1700)
Stack:
 ffff88003e08bd98 ffffffff81029f7f ffff88003e08bdb8 ffffffff813ac07c
 ffff880001011178 ffff88003e08be98 ffff88003e08bde8 ffffffff8105f3a1
 ffff88003e08bdd8 ffff88003e08be98 0000000000000001 000000003b9aca00
Call Trace:
 [<ffffffff81029f7f>] default_spin_lock_flags+0x9/0xe
 [<ffffffff813ac07c>] _spin_lock_irqsave+0x32/0x3b
 [<ffffffff8105f3a1>] lock_hrtimer_base+0x2a/0x50
 [<ffffffff8105f527>] __hrtimer_start_range_ns+0x2f/0x238
 [<ffffffff8105f75e>] hrtimer_start_range_ns+0x14/0x16
 [<ffffffff813aac8b>] do_nanosleep+0x4e/0xae
 [<ffffffff8105f813>] hrtimer_nanosleep+0xb3/0x123
 [<ffffffff8105edea>] ? hrtimer_wakeup+0x0/0x26
 [<ffffffff8105b4ed>] sys_clock_nanosleep+0xc9/0xdf
 [<ffffffff8101133a>] system_call_fastpath+0x16/0x1b
Code: 9c 02 81 44 89 c6 48 89 c7 e8 0a fb ff ff eb 0f 0f b7 f6 40 0f b6 ff 48 89 c2 e8 1c fb ff ff c9 c3 90 55 b8 00 01 00 00 48 89 e5 <f0> 66 0f c1 07 38 e0 74 06 f3 90 8a 07 eb f6 c9 c3 55 48 89 e5 
RIP  [<ffffffff81029eb5>] __ticket_spin_lock+0x9/0x1a
 RSP <ffff88003e08bd88>
CR2: 0000000000000001
---[ end trace e83b583836779b24 ]---

thanks,
Hiroshi

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW
  2009-08-04  7:41   ` Hiroshi Shimamoto
@ 2009-08-04  7:57     ` Andrew Morton
  2009-08-04  8:06       ` Hiroshi Shimamoto
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew Morton @ 2009-08-04  7:57 UTC (permalink / raw)
  To: Hiroshi Shimamoto; +Cc: Thomas Gleixner, Ingo Molnar, linux-kernel

On Tue, 04 Aug 2009 16:41:33 +0900 Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote:

> Userspace program is like this;
> 
> #include <time.h>
> 
> int main(void)
> {
> 	struct timespec ts;
> 
> 	ts.tv_sec = 1;
> 	ts.tv_nsec = 0;
> 
> 	return clock_nanosleep(4, 0, &ts, NULL);
> }
> 
> and it will cause oops;
> 
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000001

Well that's not very good.

How far back does this go?  posix-timers.c hasn't changed in several
kernel versions.


^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW
  2009-08-04  7:57     ` Andrew Morton
@ 2009-08-04  8:06       ` Hiroshi Shimamoto
  0 siblings, 0 replies; 6+ messages in thread
From: Hiroshi Shimamoto @ 2009-08-04  8:06 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Thomas Gleixner, Ingo Molnar, linux-kernel

Andrew Morton wrote:
> On Tue, 04 Aug 2009 16:41:33 +0900 Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com> wrote:
> 
>> Userspace program is like this;
>>
>> #include <time.h>
>>
>> int main(void)
>> {
>> 	struct timespec ts;
>>
>> 	ts.tv_sec = 1;
>> 	ts.tv_nsec = 0;
>>
>> 	return clock_nanosleep(4, 0, &ts, NULL);
>> }
>>
>> and it will cause oops;
>>
>> BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
> 
> Well that's not very good.
> 
> How far back does this go?  posix-timers.c hasn't changed in several
> kernel versions.

Not sure the exact version is. I've just noticed it on the latest git and
Fedora 11.
I guess after the below commit;
commit 2d42244ae71d6c7b0884b5664cf2eda30fb2ae68
Author: John Stultz <johnstul@us.ibm.com>
Date:   Wed Aug 20 16:37:30 2008 -0700

    clocksource: introduce CLOCK_MONOTONIC_RAW

thanks,
Hiroshi

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [tip:timers/urgent] posix-timers: Fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW
  2009-08-03  2:48 [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW Hiroshi Shimamoto
  2009-08-04  7:22 ` Andrew Morton
@ 2009-08-04  8:21 ` tip-bot for Hiroshi Shimamoto
  1 sibling, 0 replies; 6+ messages in thread
From: tip-bot for Hiroshi Shimamoto @ 2009-08-04  8:21 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: linux-kernel, hpa, mingo, johnstul, h-shimamoto, akpm, stable,
	tglx, mingo

Commit-ID:  70d715fd0597f18528f389b5ac59102263067744
Gitweb:     http://git.kernel.org/tip/70d715fd0597f18528f389b5ac59102263067744
Author:     Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
AuthorDate: Mon, 3 Aug 2009 11:48:19 +0900
Committer:  Ingo Molnar <mingo@elte.hu>
CommitDate: Tue, 4 Aug 2009 10:16:41 +0200

posix-timers: Fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW

Prevent calling do_nanosleep() with clockid
CLOCK_MONOTONIC_RAW, it may cause oops, such as NULL pointer
dereference.

Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <johnstul@us.ibm.com>
Cc: <stable@kernel.org>
LKML-Reference: <4A764FF3.50607@ct.jp.nec.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>


---
 kernel/posix-timers.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index 052ec4d..d089d05 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -202,6 +202,12 @@ static int no_timer_create(struct k_itimer *new_timer)
 	return -EOPNOTSUPP;
 }
 
+static int no_nsleep(const clockid_t which_clock, int flags,
+		     struct timespec *tsave, struct timespec __user *rmtp)
+{
+	return -EOPNOTSUPP;
+}
+
 /*
  * Return nonzero if we know a priori this clockid_t value is bogus.
  */
@@ -254,6 +260,7 @@ static __init int init_posix_timers(void)
 		.clock_get = posix_get_monotonic_raw,
 		.clock_set = do_posix_clock_nosettime,
 		.timer_create = no_timer_create,
+		.nsleep = no_nsleep,
 	};
 
 	register_posix_clock(CLOCK_REALTIME, &clock_realtime);

^ permalink raw reply related	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2009-08-04  8:22 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-08-03  2:48 [PATCH] posix-timers: fix oops in clock_nanosleep() with CLOCK_MONOTONIC_RAW Hiroshi Shimamoto
2009-08-04  7:22 ` Andrew Morton
2009-08-04  7:41   ` Hiroshi Shimamoto
2009-08-04  7:57     ` Andrew Morton
2009-08-04  8:06       ` Hiroshi Shimamoto
2009-08-04  8:21 ` [tip:timers/urgent] posix-timers: Fix " tip-bot for Hiroshi Shimamoto

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.