[BUG] problem with timer_create(2) for SIGEV_NONE ??

[BUG] problem with timer_create(2) for SIGEV_NONE ??

[Aniruddha M Marathe]

George,

 timer_create(2) fails in the case where sigev_notify parameter of
sigevent structure is SIGEV_NONE. I believe this should not happen.

Consider following code which was run on x86:

#include <stdio.h>
#include <syscall.h>
#include <errno.h>
#include <time.h>
#include <signal.h>

#define ANYSIG SIGALRM  /* Any signal value works*/

#ifndef __NR_timer_create
#if defined(__i386__)
#define __NR_timer_create 259
#elif defined(__ppc__)
#define __NR_timer_create 240
#elif defined(__powerpc64__)
#define __NR_timer_create 240
#elif defined(__x86_64__)
#define __NR_timer_create 222
#endif
#endif

_syscall3(int, timer_create, clockid_t, which_clock, struct sigevent *,
        timer_event_spec, timer_t *, created_timer_id);

 int main(int ac, char **av)
{
	timer_t created_timer_id;     /* holds the returned timer_id*/
	struct sigevent evp;
	int retval;

	evp.sigev_value =  (sigval_t) 0;
	evp.sigev_signo = ANYSIG;
	evp.sigev_notify = SIGEV_NONE;

	retval =	timer_create(CLOCK_REALTIME, &evp,
                                                &created_timer_id);

	if (retval < 0) {
		perror("timer_crete");
		printf("timer_create returned %d\n", retval); 
	} else {
		printf("timer_create success");
	}
	return 0;
}  /* End of main */

My analysis of this problem:

Kernel/include/asm-generic/siginfo.h contains following defintions

#define SIGEV_SIGNAL    0       /* notify via signal */
#define SIGEV_NONE      1       /* other notification: meaningless */
#define SIGEV_THREAD    2       /* deliver via thread creation */
#define SIGEV_THREAD_ID 4       /* deliver to thread */

In 2.5.68/kernel/posix-timers.c

Line 86:
MIPS_SEGV = ~(SIGEV_NONE & \
                      SIGEV_SIGNAL & \
                      SIGEV_THREAD &  \
                      SIGEV_THREAD_ID)
= (001 & 000 & 010 & 100) = ~(000) = 111

Line 364: in good_sigevent()
Lets assume that event->sigev_notify = SIGEV_NONE = 001
 
Line 368:
SIGEV_NONE & SIGEV_THREAD_ID = 001 & 100 = 000. Therefore the if
statement becomes false
 
Line 373:
SIGEV_NONE & SIGEV_SIGNAL = 001 & 000 = 000. Therefore the if statement
is false
 
Line 377:
SIGEV_NONE & ~(SIGEV_SIGNAL | SIGEV_THREAD_ID)
= 001 & ~(000 | 100)
= 001 & ~(100)
= 001 & 011
= 001
therefore the if condition is true
therefore the function returns NULL from line 378.
 
Now in sys_timer_create() at line number 462
Process = NULL
 
Now at line 489
if (!process) becomes TRUE
and function returns with EINVAL

Is my analysis right? If so can you comment on this behaviour?

-Aniruddha

Re: [BUG] problem with timer_create(2) for SIGEV_NONE ??

[george anzinger]

Aniruddha M Marathe wrote:
> George,
> 
>  timer_create(2) fails in the case where sigev_notify parameter of
> sigevent structure is SIGEV_NONE. I believe this should not happen.
> 
  ~snip~

>  
> Line 377:
> SIGEV_NONE & ~(SIGEV_SIGNAL | SIGEV_THREAD_ID)
> = 001 & ~(000 | 100)
> = 001 & ~(100)
> = 001 & 011
> = 001
> therefore the if condition is true
> therefore the function returns NULL from line 378.
>  
> Now in sys_timer_create() at line number 462
> Process = NULL
>  
> Now at line 489
> if (!process) becomes TRUE
> and function returns with EINVAL
> 
> Is my analysis right? If so can you comment on this behaviour?
> 
Looks like a bug :(  I feel a patch coming on...

-- 
George Anzinger   george@mvista.com
High-res-timers:  http://sourceforge.net/projects/high-res-timers/
Preemption patch: http://www.kernel.org/pub/linux/kernel/people/rml

Re: [BUG] problem with timer_create(2) for SIGEV_NONE ??

[george anzinger]

[-- Attachment #1: Type: text/plain, Size: 1114 bytes --]

Attached is a fix.

Change log:

Fix the sig_notify filtering code for the timer_create system call to 
properly check for the signal number being small enought, but only if 
SIG_NONE is not specified.

Eliminate useless test of sig_notify.

george


Aniruddha M Marathe wrote:
> George,
> 
>  timer_create(2) fails in the case where sigev_notify parameter of
> sigevent structure is SIGEV_NONE. I believe this should not happen.
> 
    ~snip~

>  
> Line 377:
> SIGEV_NONE & ~(SIGEV_SIGNAL | SIGEV_THREAD_ID)
> = 001 & ~(000 | 100)
> = 001 & ~(100)
> = 001 & 011
> = 001
> therefore the if condition is true
> therefore the function returns NULL from line 378.
>  
> Now in sys_timer_create() at line number 462
> Process = NULL
>  
> Now at line 489
> if (!process) becomes TRUE
> and function returns with EINVAL
> 
> Is my analysis right? If so can you comment on this behaviour?
> 
Looks like a bug :(  I feel a patch coming on...

-- 
George Anzinger   george@mvista.com
High-res-timers:  http://sourceforge.net/projects/high-res-timers/
Preemption patch: http://www.kernel.org/pub/linux/kernel/people/rml



[-- Attachment #2: hrtimers-fix-signone-2.5.69-1.0.patch --]
[-- Type: text/plain, Size: 507 bytes --]

--- linux-2.5.69-org/kernel/posix-timers.c	2003-05-05 15:34:09.000000000 -0700
+++ linux/kernel/posix-timers.c	2003-05-06 00:24:21.000000000 -0700
@@ -357,13 +357,10 @@
 			rtn->tgid != current->tgid))
 		return NULL;
 
-	if ((event->sigev_notify & SIGEV_SIGNAL & MIPS_SIGEV) &&
+	if ((event->sigev_notify & ~SIGEV_NONE & MIPS_SIGEV) &&
 			((unsigned) (event->sigev_signo > SIGRTMAX)))
 		return NULL;
 
-	if (event->sigev_notify & ~(SIGEV_SIGNAL | SIGEV_THREAD_ID))
-		return NULL;
-
 	return rtn;
 }