On Wed, Nov 24, 2010 at 09:52, Shawn Bohrer wrote:
> On Wed, Nov 24, 2010 at 03:33:02AM -0500, Mike Frysinger wrote:
>> On Sun, Aug 8, 2010 at 18:45, Shawn Bohrer wrote:
>> > @@ -1116,18 +1113,22 @@ static int ep_send_events(struct eventpoll *ep,
>> > Âstatic int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,
>> > Â Â Â Â Â Â Â Â Â int maxevents, long timeout)
>> > Â{
>> > - Â Â Â int res, eavail;
>> > + Â Â Â int res, eavail, timed_out = 0;
>> > Â Â Â Âunsigned long flags;
>> > - Â Â Â long jtimeout;
>> > + Â Â Â long slack;
>> > Â Â Â Âwait_queue_t wait;
>> > -
>> > - Â Â Â /*
>> > - Â Â Â Â* Calculate the timeout by checking for the "infinite" value (-1)
>> > - Â Â Â Â* and the overflow condition. The passed timeout is in milliseconds,
>> > - Â Â Â Â* that why (t * HZ) / 1000.
>> > - Â Â Â Â*/
>> > - Â Â Â jtimeout = (timeout < 0 || timeout >= EP_MAX_MSTIMEO) ?
>> > - Â Â Â Â Â Â Â MAX_SCHEDULE_TIMEOUT : (timeout * HZ + 999) / 1000;
>> > + Â Â Â struct timespec end_time;
>> > + Â Â Â ktime_t expires, *to = NULL;
>> > +
>> > + Â Â Â if (timeout > 0) {
>> > + Â Â Â Â Â Â Â ktime_get_ts(&end_time);
>> > + Â Â Â Â Â Â Â timespec_add_ns(&end_time, (u64)timeout * NSEC_PER_MSEC);
>> > + Â Â Â Â Â Â Â slack = estimate_accuracy(&end_time);
>> > + Â Â Â Â Â Â Â to = &expires;
>> > + Â Â Â Â Â Â Â *to = timespec_to_ktime(end_time);
>> > + Â Â Â } else if (timeout == 0) {
>> > + Â Â Â Â Â Â Â timed_out = 1;
>> > + Â Â Â }
>> >
>> > Âretry:
>> > Â Â Â Âspin_lock_irqsave(&ep->lock, flags);
>> > @@ -1149,7 +1150,7 @@ retry:
>> > Â Â Â Â Â Â Â Â Â Â Â Â * to TASK_INTERRUPTIBLE before doing the checks.
>> > Â Â Â Â Â Â Â Â Â Â Â Â */
>> > Â Â Â Â Â Â Â Â Â Â Â Âset_current_state(TASK_INTERRUPTIBLE);
>> > - Â Â Â Â Â Â Â Â Â Â Â if (!list_empty(&ep->rdllist) || !jtimeout)
>> > + Â Â Â Â Â Â Â Â Â Â Â if (!list_empty(&ep->rdllist) || timed_out)
>> > Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Âbreak;
>> > Â Â Â Â Â Â Â Â Â Â Â Âif (signal_pending(current)) {
>> > Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Âres = -EINTR;
>> > @@ -1157,7 +1158,9 @@ retry:
>> > Â Â Â Â Â Â Â Â Â Â Â Â}
>> >
>> > Â Â Â Â Â Â Â Â Â Â Â Âspin_unlock_irqrestore(&ep->lock, flags);
>> > - Â Â Â Â Â Â Â Â Â Â Â jtimeout = schedule_timeout(jtimeout);
>> > + Â Â Â Â Â Â Â Â Â Â Â if (!schedule_hrtimeout_range(to, slack, HRTIMER_MODE_ABS))
>> > + Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â timed_out = 1;
>> > +
>> > Â Â Â Â Â Â Â Â Â Â Â Âspin_lock_irqsave(&ep->lock, flags);
>> > Â Â Â Â Â Â Â Â}
>> > Â Â Â Â Â Â Â Â__remove_wait_queue(&ep->wq, &wait);
>>
>> this code introduces a warning:
>> fs/eventpoll.c: In function âep_pollâ:
>> fs/eventpoll.c:1119: warning: âslackâ may be used uninitialized in this function
>>
>> looks to me like you arent properly handling negative timeouts.
>> certainly epoll_wait() passes the timeout value straight from
>> userspace to ep_poll() without any error checking, so if userspace
>> passes a negative timeout value, it looks like "slack" will be used
>> uninitialized.
>
> If a negative timeout is passed in then 'to' remains NULL. ÂWhen 'to
> is NULL schedule_hrtimeout_range() has an infinite timeout and the
> 'slack' parameter is never used. ÂSo technically everything should be
> fine here.
ok, but that depends on an external function never changing behavior
and makes changing the API pretty hard since all callers must be
closely analyzed
> Of course it would be safest and best to simply initialize slack to 0.
> I can send a patch this evening with the fix.
thanks !
-mike
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
