Message ID | 20221106054535.709068702@goodmis.org |
---|---|
Headers | From: Steven Rostedt <rostedt@goodmis.org>; To: linux-kernel@vger.kernel.org; Cc: Linus Torvalds <torvalds@linux-foundation.org>, Thomas Gleixner <tglx@linutronix.de>, Stephen Boyd <sboyd@kernel.org>, Guenter Roeck <linux@roeck-us.net>, Anna-Maria Gleixner <anna-maria@linutronix.de>, Andrew Morton <akpm@linux-foundation.org>; Date: Sun, 06 Nov 2022 01:45:35 -0400; Subject: [PATCH v5a 0/5] timers: Use timer_shutdown*() before freeing timers |
Series | timers: Use timer_shutdown*() before freeing timers |

Message
Steven Rostedt
Nov. 6, 2022, 5:45 a.m. UTC
del_timer_sync() is often called before the object that owns the timer is
freed. But sometimes there's a race that enables the timer again before it is
freed and causes a use after free when that timer triggers. This patch set
adds a new "shutdown" timer state, which is set on the new timer_shutdown()
API. Once a timer is in this state, it can not be re-armed and if it is, it
will warn.

The first three patches change existing timer_shutdown() functions used
locally in ARM and some drivers to better namespace names.

The fourth patch implements the new API.

The fifth patch is now a treewide patch that uses a coccinelle script to
convert the trivial locations where a del_timer*() is called on a timer of an
object that is freed immediately afterward (or at least in the same function).

Changes since v4a: https://lore.kernel.org/all/20221105060024.598488967@goodmis.org/

- Used more consistent names to rename the generic timer_shutdown() code (Guenter Roeck, Marc Zyngier)

- Remove del_singleshot_timer_sync() change and the fix that it required.

- Improved the coccinelle script such that the fifth patch is unmodified.

Steven Rostedt (Google) (5):
  ARM: spear: Do not use timer namespace for timer_shutdown() function
  clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function
  clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function
  timers: Add timer_shutdown_sync() and timer_shutdown() to be called before freeing timers
  treewide: Convert del_timer*() to timer_shutdown*()

----
 .../RCU/Design/Requirements/Requirements.rst | 2 +-
 Documentation/core-api/local_ops.rst | 2 +-
 Documentation/kernel-hacking/locking.rst | 5 ++
 arch/arm/mach-spear/time.c | 8 +--
 arch/sh/drivers/push-switch.c | 2 +-
 block/blk-iocost.c | 2 +-
 block/blk-iolatency.c | 2 +-
 block/kyber-iosched.c | 2 +-
 drivers/acpi/apei/ghes.c | 2 +-
 drivers/atm/idt77252.c | 4 +-
 drivers/block/drbd/drbd_main.c | 2 +-
 drivers/block/loop.c | 2 +-
 drivers/bluetooth/hci_bcsp.c | 2 +-
 drivers/bluetooth/hci_qca.c | 4 +-
 drivers/clocksource/arm_arch_timer.c | 12 ++--
 drivers/clocksource/timer-sp804.c | 6 +-
 drivers/gpu/drm/i915/i915_sw_fence.c | 2 +-
 drivers/hid/hid-wiimote-core.c | 2 +-
 drivers/input/keyboard/locomokbd.c | 2 +-
 drivers/input/keyboard/omap-keypad.c | 2 +-
 drivers/input/mouse/alps.c | 2 +-
 drivers/isdn/mISDN/l1oip_core.c | 4 +-
 drivers/isdn/mISDN/timerdev.c | 4 +-
 drivers/leds/trigger/ledtrig-activity.c | 2 +-
 drivers/leds/trigger/ledtrig-heartbeat.c | 2 +-
 drivers/leds/trigger/ledtrig-pattern.c | 2 +-
 drivers/leds/trigger/ledtrig-transient.c | 2 +-
 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 16 +++---
 drivers/media/usb/s2255/s2255drv.c | 4 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c | 6 +-
 drivers/net/ethernet/marvell/sky2.c | 2 +-
 drivers/net/ethernet/sun/sunvnet.c | 2 +-
 drivers/net/usb/sierra_net.c | 2 +-
 drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +-
 drivers/net/wireless/intersil/hostap/hostap_ap.c | 2 +-
 drivers/net/wireless/marvell/mwifiex/main.c | 2 +-
 drivers/net/wireless/microchip/wilc1000/hif.c | 6 +-
 drivers/nfc/pn533/pn533.c | 2 +-
 drivers/nfc/pn533/uart.c | 2 +-
 drivers/pcmcia/bcm63xx_pcmcia.c | 2 +-
 drivers/pcmcia/electra_cf.c | 2 +-
 drivers/pcmcia/omap_cf.c | 2 +-
 drivers/pcmcia/pd6729.c | 4 +-
 drivers/pcmcia/yenta_socket.c | 4 +-
 drivers/scsi/qla2xxx/qla_edif.c | 4 +-
 drivers/staging/media/atomisp/i2c/atomisp-lm3554.c | 2 +-
 drivers/tty/n_gsm.c | 2 +-
 drivers/tty/sysrq.c | 2 +-
 drivers/usb/gadget/udc/m66592-udc.c | 2 +-
 drivers/usb/serial/garmin_gps.c | 2 +-
 drivers/usb/serial/mos7840.c | 4 +-
 fs/ext4/super.c | 2 +-
 fs/nilfs2/segment.c | 2 +-
 include/linux/timer.h | 62 +++++++++++++++++++--
 kernel/time/timer.c | 64 ++++++++++++----------
 net/802/garp.c | 2 +-
 net/802/mrp.c | 4 +-
 net/bridge/br_multicast.c | 8 +--
 net/bridge/br_multicast_eht.c | 4 +-
 net/core/gen_estimator.c | 2 +-
 net/ipv4/ipmr.c | 2 +-
 net/ipv6/ip6mr.c | 2 +-
 net/mac80211/mesh_pathtbl.c | 2 +-
 net/netfilter/ipset/ip_set_list_set.c | 2 +-
 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
 net/netfilter/xt_LED.c | 2 +-
 net/rxrpc/conn_object.c | 2 +-
 net/sched/cls_flow.c | 2 +-
 net/sunrpc/svc.c | 2 +-
 net/tipc/discover.c | 2 +-
 net/tipc/monitor.c | 2 +-
 sound/i2c/other/ak4117.c | 2 +-
 sound/synth/emux/emux.c | 2 +-
 76 files changed, 203 insertions(+), 144 deletions(-)

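The re-arm race described in the cover letter above, and the effect of a "shutdown" state on it, as an added userspace model that is not code from the patch series or the kernel. The `toy_*` names, the struct layout and the fixed interleaving are assumptions constructed for illustration; the "free" is a flag so the model itself stays memory-safe.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct owner;
struct toy_timer {
    bool pending, shutdown;  /* queued to fire / in the new "shutdown" state */
    struct owner *data;      /* object the callback dereferences */
};
struct owner {
    struct toy_timer timer;
    bool freed;              /* stands in for kfree(); memory stays valid here */
    int refused, uaf;        /* rejected re-arms / callbacks run after "free" */
};

/* Models mod_timer(): arm unless the timer has been shut down. */
static void toy_mod_timer(struct toy_timer *t)
{
    if (t->shutdown) t->data->refused++;  /* refused; the series says this warns */
    else t->pending = true;
}
/* Models del_timer_sync(): dequeue only, re-arming stays possible. */
static void toy_del_timer_sync(struct toy_timer *t) { t->pending = false; }
/* Models timer_shutdown_sync(): dequeue and refuse all later arming. */
static void toy_timer_shutdown_sync(struct toy_timer *t) { t->pending = false; t->shutdown = true; }
/* Models expiry: a pending callback runs and touches its owner. */
static void toy_tick(struct toy_timer *t)
{
    if (t->pending && t->data->freed) t->data->uaf++;
    t->pending = false;
}
/* Fixed interleaving: stop, late re-arm, free, expiry. Returns callbacks run on the freed owner. */
static int run_teardown(bool use_shutdown, int *refused)
{
    struct owner o = { .timer = { .pending = true } };
    o.timer.data = &o;
    if (use_shutdown) toy_timer_shutdown_sync(&o.timer);
    else toy_del_timer_sync(&o.timer);
    toy_mod_timer(&o.timer);   /* racing re-arm from a context not yet quiesced */
    o.freed = true;            /* kfree(owner) in a real teardown path */
    toy_tick(&o.timer);
    *refused = o.refused;
    return o.uaf;
}
int main(void)
{
    int r1, r2, u1 = run_teardown(false, &r1), u2 = run_teardown(true, &r2);
    printf("del_timer_sync:      uaf=%d refused=%d\n", u1, r1);
    printf("timer_shutdown_sync: uaf=%d refused=%d\n", u2, r2);
    return 0;
}
```
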
Comments
On Sun, Nov 06, 2022 at 01:45:35AM -0400, Steven Rostedt wrote:
>
> del_timer_sync() is often called before the object that owns the timer is
> freed. But sometimes there's a race that enables the timer again before it is
> freed and causes a use after free when that timer triggers. This patch set
> adds a new "shutdown" timer state, which is set on the new timer_shutdown()
> API. Once a timer is in this state, it can not be re-armed and if it is, it
> will warn.
>
> The first three patches change existing timer_shutdown() functions used
> locally in ARM and some drivers to better namespace names.
>
> The fourth patch implements the new API.
>
> The fifth patch is now a treewide patch that uses a coccinelle script to
> convert the trivial locations where a del_timer*() is called on a timer of an
> object that is freed immediately afterward (or at least in the same function).
>

Series looks good in my testbed.

Build results:
	total: 152 pass: 152 fail: 0
Qemu test results:
	total: 500 pass: 500 fail: 0

No runtime warnings reported.

For the series:

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

On Sun, 6 Nov 2022 09:08:11 -0800
Guenter Roeck <linux@roeck-us.net> wrote:

> For the series:
>
> Tested-by: Guenter Roeck <linux@roeck-us.net>

Thanks Guenter!

Now I guess the question is, is this good enough, and if so, who's going to take it?

-- Steve

On 06-11-22, 01:45, Steven Rostedt wrote:
> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
>
> A new "shutdown" timer state is being added to the generic timer code. One
> of the functions to change the timer into the state is called
> "timer_shutdown()". This means that there can not be other functions
> called "timer_shutdown()" as the timer code owns the "timer_*" name space.
>
> Rename timer_shutdown() to spear_timer_shutdown() to avoid this conflict.
>
> Link: https://lore.kernel.org/all/20221105060155.228348078@goodmis.org/
>
> Cc: Viresh Kumar <vireshk@kernel.org>
> Cc: Shiraz Hashim <shiraz.linux.kernel@gmail.com>
> Cc: Russell King <linux@armlinux.org.uk>
> Cc: soc@kernel.org
> Cc: linux-arm-kernel@lists.infradead.org
> Acked-by: Arnd Bergmann <arnd@arndb.de>
> Reviewed-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

I just replied to the previous version, ignore that now :)

Acked-by: Viresh Kumar <viresh.kumar@linaro.org>

Thanks.