From patchwork Sun Nov 6 21:24:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steven Rostedt X-Patchwork-Id: 1246 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp1682761wru; Sun, 6 Nov 2022 13:30:12 -0800 (PST) X-Google-Smtp-Source: AMsMyM5/2HgdnDJ+M5y50E3l0+myYJAYweRrqpHJsccvu7J5wmZ/QXdLbTgEehFSbDeZUDFQld58 X-Received: by 2002:a17:906:cc10:b0:7ad:d776:8b7a with SMTP id ml16-20020a170906cc1000b007add7768b7amr35799777ejb.508.1667770212043; Sun, 06 Nov 2022 13:30:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667770212; cv=none; d=google.com; s=arc-20160816; b=UYEzu18H3ziM/nAwPtTWAKYH8AZOmeW5MkOlC+LFcjOqSELYKVz73tWMTd0XiYIn9K U+KHaxJq7lJzIBrb3Ig/dGh9yvQ9mQqkUoJjJVqhjyZv1TPvmoZbG3k9XJpfbiteOpG7 i/zx0x/e0fpSSsFQZzkkhIu7UtCu6V66X3d5EaeVrhWE9nVNWYw0172nofCmHs9iiOaP D59paH/RwYM5AAtsewP+Aoxsf9FfRoAtQyPNIwzkxF+xvls0ApnYZHLNFbSWj9cC2ecX eOfVHcOQpegWldHxyBC8SKpD3M8XN/4GPJC5jb6Ag8RKtmYW6RJb/t6xKMVJ/fR8dXVH KKxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:cc:to:from:date:user-agent:message-id; bh=hw0xRVQ8a2AlyCHn4IKcBZLsVITQjVGIUTkedFLWTZk=; b=vsw4JdMOgVPgb+SjjO8ioGCUQS4+yXXadWJ9HUNN+3oRM/OtZQWORXxxGN5ufm1Xir vPyzgootRwIVuBRV5mVyT7/AxXFdEy9zZDCjfjj+Q0tfRZwQmV7uDR/kNBdDtT6Wz+m/ vEV/5RTnLvAEte1eXh0QAGEnis3TYvTeK+5CFDUwQ6W0k++B5FpgpcUUxXZiIlvNChOi taavm7Qod+FzfcljH4n2DmDWSzmYnA7bHLk4bWsN51l4i6BTBHHTvriHANoPIXlDHN8A eSivZfhok6P+T3B3HKkeiT8VGvvhrlHFF6HTUncY4jElTmJ35VsBpHS/murLpklGhNo6 er3g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n26-20020aa7c45a000000b00463cd7d6e7asi6229099edr.30.2022.11.06.13.29.48; Sun, 06 Nov 2022 13:30:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230350AbiKFV0g (ORCPT + 99 others); Sun, 6 Nov 2022 16:26:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41874 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229973AbiKFV0d (ORCPT ); Sun, 6 Nov 2022 16:26:33 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9383A7648; Sun, 6 Nov 2022 13:26:32 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 21D3660DC7; Sun, 6 Nov 2022 21:26:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7C35DC433C1; Sun, 6 Nov 2022 21:26:31 +0000 (UTC) Received: from rostedt by gandalf.local.home with local (Exim 4.96) (envelope-from ) id 1ornAT-008Cga-2Z; Sun, 06 Nov 2022 16:27:01 -0500 Message-ID: <20221106212427.739928660@goodmis.org> User-Agent: quilt/0.66 Date: Sun, 06 Nov 2022 16:24:27 -0500 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Linus Torvalds , Thomas Gleixner , Stephen Boyd , Guenter Roeck , Anna-Maria Gleixner , Andrew Morton , Julia Lawall , linux-sh@vger.kernel.org, linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, linux-block@vger.kernel.org, linux-acpi@vger.kernel.org, linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org, drbd-dev@lists.linbit.com, linux-bluetooth@vger.kernel.org, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-input@vger.kernel.org, linux-leds@vger.kernel.org, linux-media@vger.kernel.org, intel-wired-lan@lists.osuosl.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, linux-scsi@vger.kernel.org, linux-staging@lists.linux.dev, linux-ext4@vger.kernel.org, linux-nilfs@vger.kernel.org, bridge@lists.linux-foundation.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, lvs-devel@vger.kernel.org, linux-afs@lists.infradead.org, linux-nfs@vger.kernel.org, tipc-discussion@lists.sourceforge.net, alsa-devel@alsa-project.org Subject: [PATCH v6a 0/5] timers: Use timer_shutdown*() before freeing timers X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1748724519912198225?= X-GMAIL-MSGID: =?utf-8?q?1748783818074232873?= del_timer_sync() is often called before the object that owns the timer is freed. But sometimes there's a race that enables the timer again before it is freed and causes a use after free when that timer triggers. This patch set adds a new "shutdown" timer state, which is set on the new timer_shutdown() API. Once a timer is in this state, it can not be re-armed and if it is, it will warn. The first three patches change existing timer_shutdown() functions used locally in ARM and some drivers to better namespace names. The fourth patch implements the new API. The fifth patch is now a treewide patch that uses a coccinelle script to convert the trivial locations where a del_timer*() is called on a timer of an object that is freed immediately afterward (or at least in the same function). Changes since v5a: https://lore.kernel.org/all/20221106054535.709068702@goodmis.org/ - Updated the script to make ptr and slab into expressions instead of using identifiers (Julia Lawall and Linus Torvalds) Steven Rostedt (Google) (5): ARM: spear: Do not use timer namespace for timer_shutdown() function clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function timers: Add timer_shutdown_sync() and timer_shutdown() to be called before freeing timers treewide: Convert del_timer*() to timer_shutdown*() ---- .../RCU/Design/Requirements/Requirements.rst | 2 +- Documentation/core-api/local_ops.rst | 2 +- Documentation/kernel-hacking/locking.rst | 5 ++ arch/arm/mach-spear/time.c | 8 +-- arch/sh/drivers/push-switch.c | 2 +- block/blk-iocost.c | 2 +- block/blk-iolatency.c | 2 +- block/kyber-iosched.c | 2 +- drivers/acpi/apei/ghes.c | 2 +- drivers/atm/idt77252.c | 6 +- drivers/block/drbd/drbd_main.c | 2 +- drivers/block/loop.c | 2 +- drivers/bluetooth/hci_bcsp.c | 2 +- drivers/bluetooth/hci_qca.c | 4 +- drivers/clocksource/arm_arch_timer.c | 12 ++-- drivers/clocksource/timer-sp804.c | 6 +- drivers/gpu/drm/i915/i915_sw_fence.c | 2 +- drivers/hid/hid-wiimote-core.c | 2 +- drivers/input/keyboard/locomokbd.c | 2 +- drivers/input/keyboard/omap-keypad.c | 2 +- drivers/input/mouse/alps.c | 2 +- drivers/isdn/mISDN/l1oip_core.c | 4 +- drivers/isdn/mISDN/timerdev.c | 4 +- drivers/leds/trigger/ledtrig-activity.c | 2 +- drivers/leds/trigger/ledtrig-heartbeat.c | 2 +- drivers/leds/trigger/ledtrig-pattern.c | 2 +- drivers/leds/trigger/ledtrig-transient.c | 2 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 16 +++--- drivers/media/usb/s2255/s2255drv.c | 4 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 6 +- drivers/net/ethernet/marvell/sky2.c | 2 +- drivers/net/ethernet/sun/sunvnet.c | 2 +- drivers/net/usb/sierra_net.c | 2 +- .../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 2 +- drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- drivers/net/wireless/intersil/hostap/hostap_ap.c | 2 +- drivers/net/wireless/marvell/mwifiex/main.c | 2 +- drivers/net/wireless/microchip/wilc1000/hif.c | 6 +- drivers/nfc/pn533/pn533.c | 2 +- drivers/nfc/pn533/uart.c | 2 +- drivers/pcmcia/bcm63xx_pcmcia.c | 2 +- drivers/pcmcia/electra_cf.c | 2 +- drivers/pcmcia/omap_cf.c | 2 +- drivers/pcmcia/pd6729.c | 4 +- drivers/pcmcia/yenta_socket.c | 4 +- drivers/scsi/qla2xxx/qla_edif.c | 4 +- drivers/staging/media/atomisp/i2c/atomisp-lm3554.c | 2 +- drivers/tty/n_gsm.c | 2 +- drivers/tty/sysrq.c | 2 +- drivers/usb/gadget/udc/m66592-udc.c | 2 +- drivers/usb/serial/garmin_gps.c | 2 +- drivers/usb/serial/mos7840.c | 4 +- fs/ext4/super.c | 2 +- fs/nilfs2/segment.c | 2 +- include/linux/timer.h | 62 +++++++++++++++++++-- kernel/time/timer.c | 64 ++++++++++++---------- net/802/garp.c | 2 +- net/802/mrp.c | 4 +- net/bridge/br_multicast.c | 8 +-- net/bridge/br_multicast_eht.c | 4 +- net/core/gen_estimator.c | 2 +- net/ipv4/ipmr.c | 2 +- net/ipv6/ip6mr.c | 2 +- net/mac80211/mesh_pathtbl.c | 2 +- net/netfilter/ipset/ip_set_list_set.c | 2 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/xt_IDLETIMER.c | 4 +- net/netfilter/xt_LED.c | 2 +- net/rxrpc/conn_object.c | 2 +- net/sched/cls_flow.c | 2 +- net/sunrpc/svc.c | 2 +- net/tipc/discover.c | 2 +- net/tipc/monitor.c | 2 +- sound/i2c/other/ak4117.c | 2 +- sound/synth/emux/emux.c | 2 +- 78 files changed, 207 insertions(+), 148 deletions(-)