[PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[Oleg Nesterov]

Spotted by Pavel Emelyanov and Alexey Dobriyan.

hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
the local variable which lives in the caller's stack frame. This means that
if sys_restart_syscall() actually happens and it is interrupted as well, we
don't the user-space variable, but write into the already dead stack frame.

Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.

Small problem remains. man 2 nanosleep states that *rtmp should be written if
nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
if nanosleep returns 0), but (with or without this patch) we can disty *rem
even if nanosleep() returns 0.

NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
bugs. Fixed by the next patch.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>

 include/linux/hrtimer.h |    2 -
 kernel/hrtimer.c        |   51 +++++++++++++++++++++++++-----------------------
 kernel/posix-timers.c   |   14 +------------
 3 files changed, 30 insertions(+), 37 deletions(-)

--- MM/include/linux/hrtimer.h~HRT_RMTP	2008-01-27 17:07:39.000000000 +0300
+++ MM/include/linux/hrtimer.h	2008-01-31 14:01:53.000000000 +0300
@@ -313,7 +313,7 @@ static inline u64 hrtimer_forward_now(st
 
 /* Precise sleep: */
 extern long hrtimer_nanosleep(struct timespec *rqtp,
-			      struct timespec *rmtp,
+			      struct timespec __user *rmtp,
 			      const enum hrtimer_mode mode,
 			      const clockid_t clockid);
 extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
--- MM/kernel/hrtimer.c~HRT_RMTP	2008-02-01 13:43:52.000000000 +0300
+++ MM/kernel/hrtimer.c	2008-02-01 13:56:44.000000000 +0300
@@ -1317,11 +1317,26 @@ static int __sched do_nanosleep(struct h
 	return t->task == NULL;
 }
 
+static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
+{
+	struct timespec rmt;
+	ktime_t rem;
+
+	rem = ktime_sub(timer->expires, timer->base->get_time());
+	if (rem.tv64 <= 0)
+		return 0;
+	rmt = ktime_to_timespec(rem);
+
+	if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+		return -EFAULT;
+
+	return 1;
+}
+
 long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
 {
 	struct hrtimer_sleeper t;
-	struct timespec *rmtp;
-	ktime_t time;
+	struct timespec __user  *rmtp;
 
 	restart->fn = do_no_restart_syscall;
 
@@ -1331,12 +1346,11 @@ long __sched hrtimer_nanosleep_restart(s
 	if (do_nanosleep(&t, HRTIMER_MODE_ABS))
 		return 0;
 
-	rmtp = (struct timespec *)restart->arg1;
+	rmtp = (struct timespec __user *)restart->arg1;
 	if (rmtp) {
-		time = ktime_sub(t.timer.expires, t.timer.base->get_time());
-		if (time.tv64 <= 0)
-			return 0;
-		*rmtp = ktime_to_timespec(time);
+		int ret = update_rmtp(&t.timer, rmtp);
+		if (ret <= 0)
+			return ret;
 	}
 
 	restart->fn = hrtimer_nanosleep_restart;
@@ -1345,12 +1359,11 @@ long __sched hrtimer_nanosleep_restart(s
 	return -ERESTART_RESTARTBLOCK;
 }
 
-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
+long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
 		       const enum hrtimer_mode mode, const clockid_t clockid)
 {
 	struct restart_block *restart;
 	struct hrtimer_sleeper t;
-	ktime_t rem;
 
 	hrtimer_init(&t.timer, clockid, mode);
 	t.timer.expires = timespec_to_ktime(*rqtp);
@@ -1362,10 +1375,9 @@ long hrtimer_nanosleep(struct timespec *
 		return -EINTR;
 
 	if (rmtp) {
-		rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
-		if (rem.tv64 <= 0)
-			return 0;
-		*rmtp = ktime_to_timespec(rem);
+		int ret = update_rmtp(&t.timer, rmtp);
+		if (ret <= 0)
+			return ret;
 	}
 
 	restart = &current_thread_info()->restart_block;
@@ -1381,8 +1393,7 @@ long hrtimer_nanosleep(struct timespec *
 asmlinkage long
 sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
 {
-	struct timespec tu, rmt;
-	int ret;
+	struct timespec tu;
 
 	if (copy_from_user(&tu, rqtp, sizeof(tu)))
 		return -EFAULT;
@@ -1390,15 +1401,7 @@ sys_nanosleep(struct timespec __user *rq
 	if (!timespec_valid(&tu))
 		return -EINVAL;
 
-	ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
-				CLOCK_MONOTONIC);
-
-	if (ret && rmtp) {
-		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
-			return -EFAULT;
-	}
-
-	return ret;
+	return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
 }
 
 /*
--- MM/kernel/posix-timers.c~HRT_RMTP	2008-01-27 17:07:40.000000000 +0300
+++ MM/kernel/posix-timers.c	2008-02-01 13:18:51.000000000 +0300
@@ -982,20 +982,10 @@ sys_clock_getres(const clockid_t which_c
 static int common_nsleep(const clockid_t which_clock, int flags,
 			 struct timespec *tsave, struct timespec __user *rmtp)
 {
-	struct timespec rmt;
-	int ret;
-
-	ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
+	return hrtimer_nanosleep(tsave, rmtp,
 				flags & TIMER_ABSTIME ?
-				HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
+					HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
 				which_clock);
-
-	if (ret && rmtp) {
-		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
-			return -EFAULT;
-	}
-
-	return ret;
 }
 
 asmlinkage long

Re: [PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[Thomas Gleixner]

On Fri, 1 Feb 2008, Oleg Nesterov wrote:

> Spotted by Pavel Emelyanov and Alexey Dobriyan.

Doh, yes. This was introduced by:

04c227140fed77587432667a574b14736a06dd7f

I did not notice, when I picked up the patch.

Thanks for fixing this,

       tglx

> hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
> the local variable which lives in the caller's stack frame. This means that
> if sys_restart_syscall() actually happens and it is interrupted as well, we
> don't the user-space variable, but write into the already dead stack frame.
> 
> Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
> hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
> 
> Small problem remains. man 2 nanosleep states that *rtmp should be written if
> nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
> if nanosleep returns 0), but (with or without this patch) we can disty *rem
> even if nanosleep() returns 0.
> 
> NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
> bugs. Fixed by the next patch.
> 
> Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
> 
>  include/linux/hrtimer.h |    2 -
>  kernel/hrtimer.c        |   51 +++++++++++++++++++++++++-----------------------
>  kernel/posix-timers.c   |   14 +------------
>  3 files changed, 30 insertions(+), 37 deletions(-)
> 
> --- MM/include/linux/hrtimer.h~HRT_RMTP	2008-01-27 17:07:39.000000000 +0300
> +++ MM/include/linux/hrtimer.h	2008-01-31 14:01:53.000000000 +0300
> @@ -313,7 +313,7 @@ static inline u64 hrtimer_forward_now(st
>  
>  /* Precise sleep: */
>  extern long hrtimer_nanosleep(struct timespec *rqtp,
> -			      struct timespec *rmtp,
> +			      struct timespec __user *rmtp,
>  			      const enum hrtimer_mode mode,
>  			      const clockid_t clockid);
>  extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
> --- MM/kernel/hrtimer.c~HRT_RMTP	2008-02-01 13:43:52.000000000 +0300
> +++ MM/kernel/hrtimer.c	2008-02-01 13:56:44.000000000 +0300
> @@ -1317,11 +1317,26 @@ static int __sched do_nanosleep(struct h
>  	return t->task == NULL;
>  }
>  
> +static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
> +{
> +	struct timespec rmt;
> +	ktime_t rem;
> +
> +	rem = ktime_sub(timer->expires, timer->base->get_time());
> +	if (rem.tv64 <= 0)
> +		return 0;
> +	rmt = ktime_to_timespec(rem);
> +
> +	if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
> +		return -EFAULT;
> +
> +	return 1;
> +}
> +
>  long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
>  {
>  	struct hrtimer_sleeper t;
> -	struct timespec *rmtp;
> -	ktime_t time;
> +	struct timespec __user  *rmtp;
>  
>  	restart->fn = do_no_restart_syscall;
>  
> @@ -1331,12 +1346,11 @@ long __sched hrtimer_nanosleep_restart(s
>  	if (do_nanosleep(&t, HRTIMER_MODE_ABS))
>  		return 0;
>  
> -	rmtp = (struct timespec *)restart->arg1;
> +	rmtp = (struct timespec __user *)restart->arg1;
>  	if (rmtp) {
> -		time = ktime_sub(t.timer.expires, t.timer.base->get_time());
> -		if (time.tv64 <= 0)
> -			return 0;
> -		*rmtp = ktime_to_timespec(time);
> +		int ret = update_rmtp(&t.timer, rmtp);
> +		if (ret <= 0)
> +			return ret;
>  	}
>  
>  	restart->fn = hrtimer_nanosleep_restart;
> @@ -1345,12 +1359,11 @@ long __sched hrtimer_nanosleep_restart(s
>  	return -ERESTART_RESTARTBLOCK;
>  }
>  
> -long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
> +long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
>  		       const enum hrtimer_mode mode, const clockid_t clockid)
>  {
>  	struct restart_block *restart;
>  	struct hrtimer_sleeper t;
> -	ktime_t rem;
>  
>  	hrtimer_init(&t.timer, clockid, mode);
>  	t.timer.expires = timespec_to_ktime(*rqtp);
> @@ -1362,10 +1375,9 @@ long hrtimer_nanosleep(struct timespec *
>  		return -EINTR;
>  
>  	if (rmtp) {
> -		rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
> -		if (rem.tv64 <= 0)
> -			return 0;
> -		*rmtp = ktime_to_timespec(rem);
> +		int ret = update_rmtp(&t.timer, rmtp);
> +		if (ret <= 0)
> +			return ret;
>  	}
>  
>  	restart = &current_thread_info()->restart_block;
> @@ -1381,8 +1393,7 @@ long hrtimer_nanosleep(struct timespec *
>  asmlinkage long
>  sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
>  {
> -	struct timespec tu, rmt;
> -	int ret;
> +	struct timespec tu;
>  
>  	if (copy_from_user(&tu, rqtp, sizeof(tu)))
>  		return -EFAULT;
> @@ -1390,15 +1401,7 @@ sys_nanosleep(struct timespec __user *rq
>  	if (!timespec_valid(&tu))
>  		return -EINVAL;
>  
> -	ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
> -				CLOCK_MONOTONIC);
> -
> -	if (ret && rmtp) {
> -		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
> -			return -EFAULT;
> -	}
> -
> -	return ret;
> +	return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
>  }
>  
>  /*
> --- MM/kernel/posix-timers.c~HRT_RMTP	2008-01-27 17:07:40.000000000 +0300
> +++ MM/kernel/posix-timers.c	2008-02-01 13:18:51.000000000 +0300
> @@ -982,20 +982,10 @@ sys_clock_getres(const clockid_t which_c
>  static int common_nsleep(const clockid_t which_clock, int flags,
>  			 struct timespec *tsave, struct timespec __user *rmtp)
>  {
> -	struct timespec rmt;
> -	int ret;
> -
> -	ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
> +	return hrtimer_nanosleep(tsave, rmtp,
>  				flags & TIMER_ABSTIME ?
> -				HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
> +					HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
>  				which_clock);
> -
> -	if (ret && rmtp) {
> -		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
> -			return -EFAULT;
> -	}
> -
> -	return ret;
>  }
>  
>  asmlinkage long
> 

Re: [PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[Oleg Nesterov]

(Andrew, the same patch, but re-diffed without the first one in series).


[PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

Spotted by Pavel Emelyanov and Alexey Dobriyan.

hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
the local variable which lives in the caller's stack frame. This means that
if sys_restart_syscall() actually happens and it is interrupted as well, we
don't update the user-space variable, but write into the already dead stack
frame.

Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.

Small problem remains. man 2 nanosleep states that *rtmp should be written if
nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
if nanosleep returns 0), but (with or without this patch) we can dirty *rem
even if nanosleep() returns 0.

NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
bugs. Fixed by the next patch.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>

 include/linux/hrtimer.h |    2 -
 kernel/hrtimer.c        |   51 +++++++++++++++++++++++++-----------------------
 kernel/posix-timers.c   |   14 +------------
 3 files changed, 30 insertions(+), 37 deletions(-)

--- MM/include/linux/hrtimer.h~HRT_RMTP	2008-01-27 17:07:39.000000000 +0300
+++ MM/include/linux/hrtimer.h	2008-01-31 14:01:53.000000000 +0300
@@ -313,7 +313,7 @@ static inline u64 hrtimer_forward_now(st
 
 /* Precise sleep: */
 extern long hrtimer_nanosleep(struct timespec *rqtp,
-			      struct timespec *rmtp,
+			      struct timespec __user *rmtp,
 			      const enum hrtimer_mode mode,
 			      const clockid_t clockid);
 extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
--- MM/kernel/hrtimer.c~HRT_RMTP	2008-02-01 13:43:52.000000000 +0300
+++ MM/kernel/hrtimer.c	2008-02-01 13:56:44.000000000 +0300
@@ -1317,11 +1317,26 @@ static int __sched do_nanosleep(struct h
 	return t->task == NULL;
 }
 
+static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
+{
+	struct timespec rmt;
+	ktime_t rem;
+
+	rem = ktime_sub(timer->expires, timer->base->get_time());
+	if (rem.tv64 <= 0)
+		return 0;
+	rmt = ktime_to_timespec(rem);
+
+	if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
+		return -EFAULT;
+
+	return 1;
+}
+
 long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
 {
 	struct hrtimer_sleeper t;
-	struct timespec *rmtp;
-	ktime_t time;
+	struct timespec __user  *rmtp;
 
 	restart->fn = do_no_restart_syscall;
 
@@ -1331,12 +1346,11 @@ long __sched hrtimer_nanosleep_restart(s
 	if (do_nanosleep(&t, HRTIMER_MODE_ABS))
 		return 0;
 
-	rmtp = (struct timespec *)restart->arg1;
+	rmtp = (struct timespec __user *)restart->arg1;
 	if (rmtp) {
-		time = ktime_sub(t.timer.expires, t.timer.base->get_time());
-		if (time.tv64 <= 0)
-			return 0;
-		*rmtp = ktime_to_timespec(time);
+		int ret = update_rmtp(&t.timer, rmtp);
+		if (ret <= 0)
+			return ret;
 	}
 
 	restart->fn = hrtimer_nanosleep_restart;
@@ -1345,12 +1359,11 @@ long __sched hrtimer_nanosleep_restart(s
 	return -ERESTART_RESTARTBLOCK;
 }
 
-long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
+long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
 		       const enum hrtimer_mode mode, const clockid_t clockid)
 {
 	struct restart_block *restart;
 	struct hrtimer_sleeper t;
-	ktime_t rem;
 
 	hrtimer_init(&t.timer, clockid, mode);
 	t.timer.expires = timespec_to_ktime(*rqtp);
@@ -1362,10 +1375,9 @@ long hrtimer_nanosleep(struct timespec *
 		return -ERESTARTNOHAND;
 
 	if (rmtp) {
-		rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
-		if (rem.tv64 <= 0)
-			return 0;
-		*rmtp = ktime_to_timespec(rem);
+		int ret = update_rmtp(&t.timer, rmtp);
+		if (ret <= 0)
+			return ret;
 	}
 
 	restart = &current_thread_info()->restart_block;
@@ -1381,8 +1393,7 @@ long hrtimer_nanosleep(struct timespec *
 asmlinkage long
 sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
 {
-	struct timespec tu, rmt;
-	int ret;
+	struct timespec tu;
 
 	if (copy_from_user(&tu, rqtp, sizeof(tu)))
 		return -EFAULT;
@@ -1390,15 +1401,7 @@ sys_nanosleep(struct timespec __user *rq
 	if (!timespec_valid(&tu))
 		return -EINVAL;
 
-	ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
-				CLOCK_MONOTONIC);
-
-	if (ret && rmtp) {
-		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
-			return -EFAULT;
-	}
-
-	return ret;
+	return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
 }
 
 /*
--- MM/kernel/posix-timers.c~HRT_RMTP	2008-01-27 17:07:40.000000000 +0300
+++ MM/kernel/posix-timers.c	2008-02-01 13:18:51.000000000 +0300
@@ -982,20 +982,10 @@ sys_clock_getres(const clockid_t which_c
 static int common_nsleep(const clockid_t which_clock, int flags,
 			 struct timespec *tsave, struct timespec __user *rmtp)
 {
-	struct timespec rmt;
-	int ret;
-
-	ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
+	return hrtimer_nanosleep(tsave, rmtp,
 				flags & TIMER_ABSTIME ?
-				HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
+					HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
 				which_clock);
-
-	if (ret && rmtp) {
-		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
-			return -EFAULT;
-	}
-
-	return ret;
 }
 
 asmlinkage long

Re: [PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[Thomas Gleixner]

On Fri, 1 Feb 2008, Oleg Nesterov wrote:

> (Andrew, the same patch, but re-diffed without the first one in series).

I pick them up and feed them through hrtimer.git, once all bugs are
shaken out :)

Thanks,
	tglx 

> [PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling
> 
> Spotted by Pavel Emelyanov and Alexey Dobriyan.
> 
> hrtimer_nanosleep() sets restart_block->arg1 = rmtp, but this rmtp points to
> the local variable which lives in the caller's stack frame. This means that
> if sys_restart_syscall() actually happens and it is interrupted as well, we
> don't update the user-space variable, but write into the already dead stack
> frame.
> 
> Change the callers to pass "__user *rmtp" to hrtimer_nanosleep(), and change
> hrtimer_nanosleep() to use copy_to_user() to actually update *rmtp.
> 
> Small problem remains. man 2 nanosleep states that *rtmp should be written if
> nanosleep() was interrupted (it says nothing whether it is OK to update *rmtp
> if nanosleep returns 0), but (with or without this patch) we can dirty *rem
> even if nanosleep() returns 0.
> 
> NOTE: this patch doesn't change compat_sys_nanosleep(), because it has other
> bugs. Fixed by the next patch.
> 
> Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
> 
>  include/linux/hrtimer.h |    2 -
>  kernel/hrtimer.c        |   51 +++++++++++++++++++++++++-----------------------
>  kernel/posix-timers.c   |   14 +------------
>  3 files changed, 30 insertions(+), 37 deletions(-)
> 
> --- MM/include/linux/hrtimer.h~HRT_RMTP	2008-01-27 17:07:39.000000000 +0300
> +++ MM/include/linux/hrtimer.h	2008-01-31 14:01:53.000000000 +0300
> @@ -313,7 +313,7 @@ static inline u64 hrtimer_forward_now(st
>  
>  /* Precise sleep: */
>  extern long hrtimer_nanosleep(struct timespec *rqtp,
> -			      struct timespec *rmtp,
> +			      struct timespec __user *rmtp,
>  			      const enum hrtimer_mode mode,
>  			      const clockid_t clockid);
>  extern long hrtimer_nanosleep_restart(struct restart_block *restart_block);
> --- MM/kernel/hrtimer.c~HRT_RMTP	2008-02-01 13:43:52.000000000 +0300
> +++ MM/kernel/hrtimer.c	2008-02-01 13:56:44.000000000 +0300
> @@ -1317,11 +1317,26 @@ static int __sched do_nanosleep(struct h
>  	return t->task == NULL;
>  }
>  
> +static int update_rmtp(struct hrtimer *timer, struct timespec __user *rmtp)
> +{
> +	struct timespec rmt;
> +	ktime_t rem;
> +
> +	rem = ktime_sub(timer->expires, timer->base->get_time());
> +	if (rem.tv64 <= 0)
> +		return 0;
> +	rmt = ktime_to_timespec(rem);
> +
> +	if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
> +		return -EFAULT;
> +
> +	return 1;
> +}
> +
>  long __sched hrtimer_nanosleep_restart(struct restart_block *restart)
>  {
>  	struct hrtimer_sleeper t;
> -	struct timespec *rmtp;
> -	ktime_t time;
> +	struct timespec __user  *rmtp;
>  
>  	restart->fn = do_no_restart_syscall;
>  
> @@ -1331,12 +1346,11 @@ long __sched hrtimer_nanosleep_restart(s
>  	if (do_nanosleep(&t, HRTIMER_MODE_ABS))
>  		return 0;
>  
> -	rmtp = (struct timespec *)restart->arg1;
> +	rmtp = (struct timespec __user *)restart->arg1;
>  	if (rmtp) {
> -		time = ktime_sub(t.timer.expires, t.timer.base->get_time());
> -		if (time.tv64 <= 0)
> -			return 0;
> -		*rmtp = ktime_to_timespec(time);
> +		int ret = update_rmtp(&t.timer, rmtp);
> +		if (ret <= 0)
> +			return ret;
>  	}
>  
>  	restart->fn = hrtimer_nanosleep_restart;
> @@ -1345,12 +1359,11 @@ long __sched hrtimer_nanosleep_restart(s
>  	return -ERESTART_RESTARTBLOCK;
>  }
>  
> -long hrtimer_nanosleep(struct timespec *rqtp, struct timespec *rmtp,
> +long hrtimer_nanosleep(struct timespec *rqtp, struct timespec __user *rmtp,
>  		       const enum hrtimer_mode mode, const clockid_t clockid)
>  {
>  	struct restart_block *restart;
>  	struct hrtimer_sleeper t;
> -	ktime_t rem;
>  
>  	hrtimer_init(&t.timer, clockid, mode);
>  	t.timer.expires = timespec_to_ktime(*rqtp);
> @@ -1362,10 +1375,9 @@ long hrtimer_nanosleep(struct timespec *
>  		return -ERESTARTNOHAND;
>  
>  	if (rmtp) {
> -		rem = ktime_sub(t.timer.expires, t.timer.base->get_time());
> -		if (rem.tv64 <= 0)
> -			return 0;
> -		*rmtp = ktime_to_timespec(rem);
> +		int ret = update_rmtp(&t.timer, rmtp);
> +		if (ret <= 0)
> +			return ret;
>  	}
>  
>  	restart = &current_thread_info()->restart_block;
> @@ -1381,8 +1393,7 @@ long hrtimer_nanosleep(struct timespec *
>  asmlinkage long
>  sys_nanosleep(struct timespec __user *rqtp, struct timespec __user *rmtp)
>  {
> -	struct timespec tu, rmt;
> -	int ret;
> +	struct timespec tu;
>  
>  	if (copy_from_user(&tu, rqtp, sizeof(tu)))
>  		return -EFAULT;
> @@ -1390,15 +1401,7 @@ sys_nanosleep(struct timespec __user *rq
>  	if (!timespec_valid(&tu))
>  		return -EINVAL;
>  
> -	ret = hrtimer_nanosleep(&tu, rmtp ? &rmt : NULL, HRTIMER_MODE_REL,
> -				CLOCK_MONOTONIC);
> -
> -	if (ret && rmtp) {
> -		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
> -			return -EFAULT;
> -	}
> -
> -	return ret;
> +	return hrtimer_nanosleep(&tu, rmtp, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
>  }
>  
>  /*
> --- MM/kernel/posix-timers.c~HRT_RMTP	2008-01-27 17:07:40.000000000 +0300
> +++ MM/kernel/posix-timers.c	2008-02-01 13:18:51.000000000 +0300
> @@ -982,20 +982,10 @@ sys_clock_getres(const clockid_t which_c
>  static int common_nsleep(const clockid_t which_clock, int flags,
>  			 struct timespec *tsave, struct timespec __user *rmtp)
>  {
> -	struct timespec rmt;
> -	int ret;
> -
> -	ret = hrtimer_nanosleep(tsave, rmtp ? &rmt : NULL,
> +	return hrtimer_nanosleep(tsave, rmtp,
>  				flags & TIMER_ABSTIME ?
> -				HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
> +					HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
>  				which_clock);
> -
> -	if (ret && rmtp) {
> -		if (copy_to_user(rmtp, &rmt, sizeof(*rmtp)))
> -			return -EFAULT;
> -	}
> -
> -	return ret;
>  }
>  
>  asmlinkage long
> 

Re: [PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[Oleg Nesterov]

On 02/01, Thomas Gleixner wrote:
>
> On Fri, 1 Feb 2008, Oleg Nesterov wrote:
> 
> > (Andrew, the same patch, but re-diffed without the first one in series).
> 
> I pick them up and feed them through hrtimer.git, once all bugs are
> shaken out :)

Great, thanks.

Thomas, please wait a bit, I'll resend patches 3 and 5.

"PATCH 3/5" also suffers from the buggy "PATCH 1/5", and 5/5 should be
re-diffed.

Sorry to all for the noise.

Oleg.

Re: [PATCH 2/5] hrtimer_nanosleep: fix *rmtp handling

[Andrew Morton]

On Fri, 1 Feb 2008 16:16:50 +0100 (CET) Thomas Gleixner <tglx@linutronix.de> wrote:

> On Fri, 1 Feb 2008, Oleg Nesterov wrote:
> 
> > (Andrew, the same patch, but re-diffed without the first one in series).
> 
> I pick them up and feed them through hrtimer.git, once all bugs are
> shaken out :)

Please remember that
git+ssh://master.kernel.org/pub/scm/linux/kernel/git/tglx/linux-2.6-hrt.git#mm
contains the "hrtimers: use hrtimers so that msleep() sleeps for the
requested time" patch which kills my USB setup.