| Message ID | 20221106054535.709068702@goodmis.org |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp1340588wru;
Sat, 5 Nov 2022 22:47:41 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM7HTjITCj+LxMGUmeR35T0aNBPZb9+pvd606UI0l71ObCML8rnub55AJcBVpUdj6ofvwgEE
X-Received: by 2002:a63:d043:0:b0:46f:8466:1f78 with SMTP id
s3-20020a63d043000000b0046f84661f78mr36731870pgi.119.1667713661229;
Sat, 05 Nov 2022 22:47:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1667713661; cv=none;
d=google.com; s=arc-20160816;
b=XwTrR9pVGjiwSQI2R6cP8rmqhmFok7/5ilngaoM3yprnMJtckPTftfrzs+k6UrZ565
46JN6VeVjVmEa0Wo/ODCAVnBy1V7UC2xjj4vF2Lzz3lzc5TPs1NcDRKpuU4BblwNwbqC
CtYIp/doq2D8jQr0E9fJ0qumMSK/0FO3leS0XAqXiNLP220wrlyEpIpWOr55YcskKRqR
1dN6mcOsLGPDU8AmQP+av/beL+07nB4M4z2o9Cn50p/xuUczOppcAQmegTloOTaxuO1/
YSAlnbSRQRiXHjm0wxpU2ytFX8HS3oQFaaDAaqTZKjrlEmG7Y3UQTU02A6b5e2IOh8m3
JeNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:subject:cc:to:from:date:user-agent:message-id;
bh=15OWDaxZtbzO0enI+poAkptTOJT9rr51YqrBZSHNt60=;
b=n7MuR7uj/aCD5e8m2/94fOxb0C5/dmnXohRFAma6Uj0S/QdfpNIEIFID1UJJbGtdB+
fQefKGUTfcwWXHo7VzJHE3Z18ZAwlRvQ4O2jZINSrOElfhU73MaIsW3jbEfnnGfrkVYP
j0J5Mq43aZDdV0jneWoERfknYrgoYCRyOcnJubl9XZwcl+OphDmlbx6XZ++9PzGGtXgZ
MHVo8svffmaTJs2S+zN9TtqBBlbVh2bIZHamRB9uxJmZTuq+f4w/uhnYe1W6r3Qzfa0M
rtJwFWP4FO19GFA8Op/FANqkOukfhCV2PJvxegZ6qkBNIhxJmmoLu0dWonWjSeIY/23M
PJmA==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ix10-20020a170902f80a00b00176a2d5ae14si4852019plb.363.2022.11.05.22.47.28;
Sat, 05 Nov 2022 22:47:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229649AbiKFFq0 (ORCPT <rfc822;hjfbswb@gmail.com> + 99 others);
Sun, 6 Nov 2022 01:46:26 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60768 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229629AbiKFFqX (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 6 Nov 2022 01:46:23 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org
[IPv6:2604:1380:4601:e00::1])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34053766F
for <linux-kernel@vger.kernel.org>;
Sat, 5 Nov 2022 22:46:21 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ams.source.kernel.org (Postfix) with ESMTPS id 8DE16B8095C
for <linux-kernel@vger.kernel.org>;
Sun, 6 Nov 2022 05:46:20 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 10CB3C433D7;
Sun, 6 Nov 2022 05:46:19 +0000 (UTC)
Received: from rostedt by gandalf.local.home with local (Exim 4.96)
(envelope-from <rostedt@goodmis.org>)
id 1orYUa-007nAT-16;
Sun, 06 Nov 2022 01:46:48 -0400
Message-ID: <20221106054535.709068702@goodmis.org>
User-Agent: quilt/0.66
Date: Sun, 06 Nov 2022 01:45:35 -0400
From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Stephen Boyd <sboyd@kernel.org>,
Guenter Roeck <linux@roeck-us.net>,
Anna-Maria Gleixner <anna-maria@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH v5a 0/5] timers: Use timer_shutdown*() before freeing timers
X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00,
HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748724519912198225?=
X-GMAIL-MSGID: =?utf-8?q?1748724519912198225?=
|
| Series |
timers: Use timer_shutdown*() before freeing timers
|
|
Message
Steven Rostedt
Nov. 6, 2022, 5:45 a.m. UTC
del_timer_sync() is often called before the object that owns the timer is
freed. But sometimes there's a race that enables the timer again before it is
freed and causes a use after free when that timer triggers. This patch set
adds a new "shutdown" timer state, which is set on the new timer_shutdown()
API. Once a timer is in this state, it can not be re-armed and if it is, it
will warn.
The first three patches change existing timer_shutdown() functions used
locally in ARM and some drivers to better namespace names.
The fourth patch implements the new API.
The fifth patch is now a treewide patch that uses a coccinelle script to
convert the trivial locations where a del_timer*() is called on a timer of an
object that is freed immediately afterward (or at least in the same function).
Changes since v4a: https://lore.kernel.org/all/20221105060024.598488967@goodmis.org/
- Used more consistent names to rename the generic timer_shutdown() code
(Guenter Roeck, Marc Zyngier)
- Remove del_singleshot_timer_sync() change and the fix that it required.
- Improved the coccinelle script such that the fifth patch is unmodified.
Steven Rostedt (Google) (5):
ARM: spear: Do not use timer namespace for timer_shutdown() function
clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function
clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function
timers: Add timer_shutdown_sync() and timer_shutdown() to be called before freeing timers
treewide: Convert del_timer*() to timer_shutdown*()
----
.../RCU/Design/Requirements/Requirements.rst | 2 +-
Documentation/core-api/local_ops.rst | 2 +-
Documentation/kernel-hacking/locking.rst | 5 ++
arch/arm/mach-spear/time.c | 8 +--
arch/sh/drivers/push-switch.c | 2 +-
block/blk-iocost.c | 2 +-
block/blk-iolatency.c | 2 +-
block/kyber-iosched.c | 2 +-
drivers/acpi/apei/ghes.c | 2 +-
drivers/atm/idt77252.c | 4 +-
drivers/block/drbd/drbd_main.c | 2 +-
drivers/block/loop.c | 2 +-
drivers/bluetooth/hci_bcsp.c | 2 +-
drivers/bluetooth/hci_qca.c | 4 +-
drivers/clocksource/arm_arch_timer.c | 12 ++--
drivers/clocksource/timer-sp804.c | 6 +-
drivers/gpu/drm/i915/i915_sw_fence.c | 2 +-
drivers/hid/hid-wiimote-core.c | 2 +-
drivers/input/keyboard/locomokbd.c | 2 +-
drivers/input/keyboard/omap-keypad.c | 2 +-
drivers/input/mouse/alps.c | 2 +-
drivers/isdn/mISDN/l1oip_core.c | 4 +-
drivers/isdn/mISDN/timerdev.c | 4 +-
drivers/leds/trigger/ledtrig-activity.c | 2 +-
drivers/leds/trigger/ledtrig-heartbeat.c | 2 +-
drivers/leds/trigger/ledtrig-pattern.c | 2 +-
drivers/leds/trigger/ledtrig-transient.c | 2 +-
drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 16 +++---
drivers/media/usb/s2255/s2255drv.c | 4 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 6 +-
drivers/net/ethernet/marvell/sky2.c | 2 +-
drivers/net/ethernet/sun/sunvnet.c | 2 +-
drivers/net/usb/sierra_net.c | 2 +-
drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +-
drivers/net/wireless/intersil/hostap/hostap_ap.c | 2 +-
drivers/net/wireless/marvell/mwifiex/main.c | 2 +-
drivers/net/wireless/microchip/wilc1000/hif.c | 6 +-
drivers/nfc/pn533/pn533.c | 2 +-
drivers/nfc/pn533/uart.c | 2 +-
drivers/pcmcia/bcm63xx_pcmcia.c | 2 +-
drivers/pcmcia/electra_cf.c | 2 +-
drivers/pcmcia/omap_cf.c | 2 +-
drivers/pcmcia/pd6729.c | 4 +-
drivers/pcmcia/yenta_socket.c | 4 +-
drivers/scsi/qla2xxx/qla_edif.c | 4 +-
drivers/staging/media/atomisp/i2c/atomisp-lm3554.c | 2 +-
drivers/tty/n_gsm.c | 2 +-
drivers/tty/sysrq.c | 2 +-
drivers/usb/gadget/udc/m66592-udc.c | 2 +-
drivers/usb/serial/garmin_gps.c | 2 +-
drivers/usb/serial/mos7840.c | 4 +-
fs/ext4/super.c | 2 +-
fs/nilfs2/segment.c | 2 +-
include/linux/timer.h | 62 +++++++++++++++++++--
kernel/time/timer.c | 64 ++++++++++++----------
net/802/garp.c | 2 +-
net/802/mrp.c | 4 +-
net/bridge/br_multicast.c | 8 +--
net/bridge/br_multicast_eht.c | 4 +-
net/core/gen_estimator.c | 2 +-
net/ipv4/ipmr.c | 2 +-
net/ipv6/ip6mr.c | 2 +-
net/mac80211/mesh_pathtbl.c | 2 +-
net/netfilter/ipset/ip_set_list_set.c | 2 +-
net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
net/netfilter/xt_LED.c | 2 +-
net/rxrpc/conn_object.c | 2 +-
net/sched/cls_flow.c | 2 +-
net/sunrpc/svc.c | 2 +-
net/tipc/discover.c | 2 +-
net/tipc/monitor.c | 2 +-
sound/i2c/other/ak4117.c | 2 +-
sound/synth/emux/emux.c | 2 +-
76 files changed, 203 insertions(+), 144 deletions(-)
Comments
On Sun, Nov 06, 2022 at 01:45:35AM -0400, Steven Rostedt wrote: > > del_timer_sync() is often called before the object that owns the timer is > freed. But sometimes there's a race that enables the timer again before it is > freed and causes a use after free when that timer triggers. This patch set > adds a new "shutdown" timer state, which is set on the new timer_shutdown() > API. Once a timer is in this state, it can not be re-armed and if it is, it > will warn. > > The first three patches change existing timer_shutdown() functions used > locally in ARM and some drivers to better namespace names. > > The fourth patch implements the new API. > > The fifth patch is now a treewide patch that uses a coccinelle script to > convert the trivial locations where a del_timer*() is called on a timer of an > object that is freed immediately afterward (or at least in the same function). > Series looks good in my testbed. Build results: total: 152 pass: 152 fail: 0 Qemu test results: total: 500 pass: 500 fail: 0 No runtime warnings reported. For the series: Tested-by: Guenter Roeck <linux@roeck-us.net> Guenter
On Sun, 6 Nov 2022 09:08:11 -0800 Guenter Roeck <linux@roeck-us.net> wrote: > For the series: > > Tested-by: Guenter Roeck <linux@roeck-us.net> Thanks Guenter! Now I guess the question is, is this good enough, and if so, who's going to take it? -- Steve
On 06-11-22, 01:45, Steven Rostedt wrote: > From: "Steven Rostedt (Google)" <rostedt@goodmis.org> > > A new "shutdown" timer state is being added to the generic timer code. One > of the functions to change the timer into the state is called > "timer_shutdown()". This means that there can not be other functions > called "timer_shutdown()" as the timer code owns the "timer_*" name space. > > Rename timer_shutdown() to spear_timer_shutdown() to avoid this conflict. > > Link: https://lore.kernel.org/all/20221105060155.228348078@goodmis.org/ > > Cc: Viresh Kumar <vireshk@kernel.org> > Cc: Shiraz Hashim <shiraz.linux.kernel@gmail.com> > Cc: Russell King <linux@armlinux.org.uk> > Cc: soc@kernel.org > Cc: linux-arm-kernel@lists.infradead.org > Acked-by: Arnd Bergmann <arnd@arndb.de> > Reviewed-by: Guenter Roeck <linux@roeck-us.net> > Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> I just replied to the previous version, ignore that now :) Acked-by: Viresh Kumar <viresh.kumar@linaro.org> Thanks.