Date: Fri, 8 Apr 2022 21:14:53 -0400
From: Steven Rostedt
To: Linus Torvalds
Cc: Thomas Gleixner, LKML, jstultz@google.com, Stephen Boyd, Andrew Morton, Peter Zijlstra, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Eric Dumazet, Guenter Roeck
Subject: Re: [RFC][PATCH] timers: Add del_time_free() to be called before freeing timers
Message-ID: <20220408211453.52d7c9a5@rorschach.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 8 Apr 2022 15:00:43 -1000
Linus Torvalds wrote:

> On Fri, Apr 8, 2022 at 2:49 PM Steven Rostedt wrote:
> >
> > Hmm, well, I'm not sure it would work for all architectures, but what
> > about the MSB? Setting it to zero on "shutdown"?
>
> Let's just clear the whole thing for now. We don't actually _have_ any
> timer_restart() cases yet.

OK, so this has gone toward the handling all sorts of situations tangent.
Thus, I want to get back to the current situation at hand.

We have a bunch of places that use del_timer(), and possibly
del_timer_sync() but can then have it rearm, and then the timer gets freed
and BOOM we get a crash in the timer code. Worse yet, we have no idea what
timer it was that did the UAF.

So, we could just add that "timer_shutdown()" function that clears the
function and mod_timer() would no longer rearm it. It would also need to do
the synchronization as well. Which means it can't be called with locks that
might be taken in the timer itself.

We can look into more elaborate APIs if we want to help fix other issues
later, but for now, it would be nice to go audit the kernel for all
locations that do a del_timer(_sync) followed by freeing the timer, and
replace it with a timer_shutdown() call. For the del_timer() cases, we will
have to make sure it's not done that way due to locking. But they will
still need to be dealt with because they are still prone to UAF.

-- Steve
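
Added illustration, not part of the message above and not kernel code: a single-threaded user-space model of why del_timer() followed by a free can leave a rearmed timer behind, and how clearing the function in a shutdown call stops mod_timer() from rearming. All toy_* names are hypothetical, and the synchronization the message says the real call would need is only noted in a comment.

```c
/* Added illustration: user-space model, not kernel code; toy_* names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

struct toy_timer {
    void (*function)(struct toy_timer *); /* NULL once shut down */
    bool pending;                         /* queued, will fire later */
    unsigned long expires;
};

static void toy_callback(struct toy_timer *t) { (void)t; }

/* Models mod_timer(): refuses to arm a timer whose function was cleared. */
static bool toy_mod_timer(struct toy_timer *t, unsigned long expires)
{
    if (!t->function)
        return false;
    t->expires = expires;
    t->pending = true;
    return true;
}

/* Models del_timer(): dequeues only, so a later mod_timer() can rearm. */
static void toy_del_timer(struct toy_timer *t) { t->pending = false; }

/* Models the proposed timer_shutdown(): dequeue and clear the function. The real
 * call must also wait for a running callback, hence the locking restriction. */
static void toy_timer_shutdown(struct toy_timer *t)
{
    t->pending = false;
    t->function = NULL;
}

/* Tear the timer down, then let another path try to rearm it. Returns true
 * if the timer is still queued when the owner would free it (the UAF setup). */
static bool toy_pending_at_free(bool use_shutdown)
{
    struct toy_timer t = { .function = toy_callback };
    toy_mod_timer(&t, 100);
    if (use_shutdown)
        toy_timer_shutdown(&t);
    else
        toy_del_timer(&t);
    toy_mod_timer(&t, 200); /* late rearm racing with teardown */
    return t.pending;       /* the containing object would be freed here */
}

/* Exit 0 when del_timer leaves the timer armed and shutdown does not. */
int main(void) { return (toy_pending_at_free(false) && !toy_pending_at_free(true)) ? 0 : 1; }
```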