Signals of timers which are reprogammed, disarmed or deleted can deliver
signals related to the past. The POSIX spec is blury about this:
- "The effect of disarming or resetting a timer with pending expiration
notifications is unspecified."
- "The disposition of pending signals for the deleted timer is
unspecified."
In both cases it is reasonable to expect that pending signals are
discarded. Especially in the reprogramming case it does not make sense to
account for previous overruns or to deliver a signal for a timer which has
been disarmed. This makes the behaviour consistent and understandable.
Remove the si_sys_private check from the signal delivery code and invoke
posix_timer_deliver_signal() unconditionally.
Change that function so it controls the actual signal delivery via the
return value. It now instructs the signal code to drop the signal when:
1) The timer does not longer exist in the hash table
2) The timer signal_seq value is not the same as the si_sys_private value
which was set when the signal was queued.
Signed-off-by: Thomas Gleixner <[email protected]>
---
include/linux/posix-timers.h | 2 --
kernel/signal.c | 2 +-
kernel/time/posix-cpu-timers.c | 2 +-
kernel/time/posix-timers.c | 25 +++++++++++++++----------
4 files changed, 17 insertions(+), 14 deletions(-)
--- a/include/linux/posix-timers.h
+++ b/include/linux/posix-timers.h
@@ -137,8 +137,6 @@ static inline void clear_posix_cputimers
static inline void posix_cputimers_init_work(void) { }
#endif
-#define REQUEUE_PENDING 1
-
/**
* struct k_itimer - POSIX.1b interval timer structure.
* @list: List head for binding the timer to signals->posix_timers
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -617,7 +617,7 @@ int dequeue_signal(sigset_t *mask, kerne
}
if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
- if (unlikely(info->si_code == SI_TIMER && info->si_sys_private)) {
+ if (unlikely(info->si_code == SI_TIMER)) {
if (!posixtimer_deliver_signal(info))
goto again;
}
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -746,7 +746,7 @@ static void __posix_cpu_timer_get(struct
* - Timers which expired, but the signal has not yet been
* delivered
*/
- if (iv && ((timer->it_signal_seq & REQUEUE_PENDING) || sigev_none))
+ if (iv && timer->it_status != POSIX_TIMER_ARMED)
expires = bump_cpu_timer(timer, now);
else
expires = cpu_timer_getexpires(&timer->it.cpu);
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -269,7 +269,10 @@ bool posixtimer_deliver_signal(struct ke
if (!timr)
goto out;
- if (timr->it_interval && timr->it_signal_seq == info->si_sys_private) {
+ if (timr->it_signal_seq != info->si_sys_private)
+ goto out_unlock;
+
+ if (timr->it_interval && timr->it_status == POSIX_TIMER_REQUEUE_PENDING) {
timr->kclock->timer_rearm(timr);
timr->it_status = POSIX_TIMER_ARMED;
@@ -281,6 +284,7 @@ bool posixtimer_deliver_signal(struct ke
}
ret = true;
+out_unlock:
unlock_timer(timr, flags);
out:
spin_lock(¤t->sighand->siglock);
@@ -293,19 +297,19 @@ bool posixtimer_deliver_signal(struct ke
int posix_timer_queue_signal(struct k_itimer *timr)
{
enum posix_timer_state state = POSIX_TIMER_DISARMED;
- int ret, si_private = 0;
enum pid_type type;
+ int ret;
lockdep_assert_held(&timr->it_lock);
if (timr->it_interval) {
+ timr->it_signal_seq++;
state = POSIX_TIMER_REQUEUE_PENDING;
- si_private = ++timr->it_signal_seq;
}
timr->it_status = state;
type = !(timr->it_sigev_notify & SIGEV_THREAD_ID) ? PIDTYPE_TGID : PIDTYPE_PID;
- ret = send_sigqueue(timr->sigq, timr->it_pid, type, si_private);
+ ret = send_sigqueue(timr->sigq, timr->it_pid, type, timr->it_signal_seq);
/* If we failed to send the signal the timer stops. */
return ret > 0;
}
@@ -670,7 +674,7 @@ void common_timer_get(struct k_itimer *t
* is a SIGEV_NONE timer move the expiry time forward by intervals,
* so expiry is > now.
*/
- if (iv && (timr->it_signal_seq & REQUEUE_PENDING || sig_none))
+ if (iv && timr->it_status != POSIX_TIMER_ARMED)
timr->it_overrun += kc->timer_forward(timr, now);
remaining = kc->timer_remaining(timr, now);
@@ -870,8 +874,6 @@ void posix_timer_set_common(struct k_iti
else
timer->it_interval = 0;
- /* Prevent reloading in case there is a signal pending */
- timer->it_signal_seq = (timer->it_signal_seq + 2) & ~REQUEUE_PENDING;
/* Reset overrun accounting */
timer->it_overrun_last = 0;
timer->it_overrun = -1LL;
@@ -889,8 +891,6 @@ int common_timer_set(struct k_itimer *ti
if (old_setting)
common_timer_get(timr, old_setting);
- /* Prevent rearming by clearing the interval */
- timr->it_interval = 0;
/*
* Careful here. On SMP systems the timer expiry function could be
* active and spinning on timr->it_lock.
@@ -940,6 +940,9 @@ static int do_timer_settime(timer_t time
if (old_spec64)
old_spec64->it_interval = ktime_to_timespec64(timr->it_interval);
+ /* Prevent signal delivery and rearming. */
+ timr->it_signal_seq++;
+
kc = timr->kclock;
if (WARN_ON_ONCE(!kc || !kc->timer_set))
error = -EINVAL;
@@ -1008,7 +1011,6 @@ int common_timer_del(struct k_itimer *ti
{
const struct k_clock *kc = timer->kclock;
- timer->it_interval = 0;
if (kc->timer_try_to_cancel(timer) < 0)
return TIMER_RETRY;
timer->it_status = POSIX_TIMER_DISARMED;
@@ -1036,6 +1038,9 @@ SYSCALL_DEFINE1(timer_delete, timer_t, t
if (!timer)
return -EINVAL;
+ /* Prevent signal delivery and rearming. */
+ timer->it_signal_seq++;
+
if (unlikely(timer_delete_hook(timer) == TIMER_RETRY)) {
/* Unlocks and relocks the timer if it still exists */
timer = timer_wait_running(timer, &flags);
Thomas Gleixner <[email protected]> writes:
> Signals of timers which are reprogammed, disarmed or deleted can deliver
> signals related to the past. The POSIX spec is blury about this:
>
> - "The effect of disarming or resetting a timer with pending expiration
> notifications is unspecified."
>
> - "The disposition of pending signals for the deleted timer is
> unspecified."
>
> In both cases it is reasonable to expect that pending signals are
> discarded. Especially in the reprogramming case it does not make sense to
> account for previous overruns or to deliver a signal for a timer which has
> been disarmed. This makes the behaviour consistent and understandable.
>
> Remove the si_sys_private check from the signal delivery code and invoke
> posix_timer_deliver_signal() unconditionally.
s/posix_timer/posixtimer/ (or renaming the function when you introduced
it)
>
> Change that function so it controls the actual signal delivery via the
> return value. It now instructs the signal code to drop the signal when:
>
> 1) The timer does not longer exist in the hash table
>
> 2) The timer signal_seq value is not the same as the si_sys_private value
> which was set when the signal was queued.
>
> Signed-off-by: Thomas Gleixner <[email protected]>
[...]
> --- a/kernel/time/posix-timers.c
> +++ b/kernel/time/posix-timers.c
> @@ -293,19 +297,19 @@ bool posixtimer_deliver_signal(struct ke
> int posix_timer_queue_signal(struct k_itimer *timr)
> {
> enum posix_timer_state state = POSIX_TIMER_DISARMED;
> - int ret, si_private = 0;
> enum pid_type type;
> + int ret;
>
> lockdep_assert_held(&timr->it_lock);
>
> if (timr->it_interval) {
> + timr->it_signal_seq++;
> state = POSIX_TIMER_REQUEUE_PENDING;
> - si_private = ++timr->it_signal_seq;
> }
> timr->it_status = state;
>
> type = !(timr->it_sigev_notify & SIGEV_THREAD_ID) ? PIDTYPE_TGID : PIDTYPE_PID;
> - ret = send_sigqueue(timr->sigq, timr->it_pid, type, si_private);
> + ret = send_sigqueue(timr->sigq, timr->it_pid, type, timr->it_signal_seq);
> /* If we failed to send the signal the timer stops. */
> return ret > 0;
> }
posix_timer_queue_signal() is executed, when a
posix/posix-cpu/alarmtimer expires. There is the check for it_interval
set, to decide whether reprogramming takes place or not.
If I understood it correctly, a resetted or deleted timer should not get
a signal delivered so it should also do not requeue a timer. But when
the timer expires at the same time when trying to reset or delete it,
the above it_interval check reduces the chance that a timer is
nevertheless requeued. Right?
> @@ -889,8 +891,6 @@ int common_timer_set(struct k_itimer *ti
> if (old_setting)
> common_timer_get(timr, old_setting);
>
> - /* Prevent rearming by clearing the interval */
> - timr->it_interval = 0;
But here the clearing of the interval is removed. So it is more likely,
that the timer is reamed, when expiring and resetting happens at the
same time. Same thing when deleting the timer (see next hunk). Is this
ok, that the behavior changes like this?
But keeping the clearing of the interval is also a problem here - if I'm
not totally on the wrong track. When an expiry and resetting of the
timer happens together and old_setting is set, then the
timr->it_interval is cleared and timer_try_to_cancel() will fail so
TIMER_RETRY is returend to do_timer_settime(). In do_timer_settime() the
timr->it_interval is written into the old_setting struct. But this is
then cleared even if it was set before... hmm...
> /*
> * Careful here. On SMP systems the timer expiry function could be
> * active and spinning on timr->it_lock.
> @@ -1008,7 +1011,6 @@ int common_timer_del(struct k_itimer *ti
> {
> const struct k_clock *kc = timer->kclock;
>
> - timer->it_interval = 0;
> if (kc->timer_try_to_cancel(timer) < 0)
> return TIMER_RETRY;
> timer->it_status = POSIX_TIMER_DISARMED;
Thanks,
Anna-Maria