From: Steven Rostedt <rostedt@goodmis.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>,
	jstultz@google.com, Stephen Boyd <sboyd@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Marcel Holtmann <marcel@holtmann.org>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Guenter Roeck <linux@roeck-us.net>
Subject: Re: [RFC][PATCH] timers: Add del_time_free() to be called before freeing timers
Date: Fri, 8 Apr 2022 21:14:53 -0400
Message-ID: <20220408211453.52d7c9a5@rorschach.local.home>
In-Reply-To: <CAHk-=wg6ZTjCoWev039ijHkzJGOE8v1Psc=yDANkt5r3GBxc0w@mail.gmail.com>

On Fri, 8 Apr 2022 15:00:43 -1000
Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Fri, Apr 8, 2022 at 2:49 PM Steven Rostedt <rostedt@goodmis.org> wrote:
> >
> > Hmm, well, I'm not sure it would work for all architectures, but what
> > about the MSB?  Setting it to zero on "shutdown"?  
> 
> Let's just clear the whole thing for now. We don't actually _have_ any
> timer_restart() cases yet.

OK, so this has gone toward the "handling all sorts of situations" tangent.

Thus, I want to get back to the current situation at hand. We have a
bunch of places that use del_timer(), and possibly del_timer_sync() but
can then have it rearm, and then the timer gets freed and BOOM we get a
crash in the timer code. Worse yet, we have no idea what timer it was
that did the UAF.

So, we could just add that "timer_shutdown()" function that clears the
function and mod_timer() would no longer rearm it. It would also need
to do the synchronization as well. Which means it can't be called with
locks that might be taken in the timer itself.

We can look into more elaborate APIs if we want to help fix other
issues later, but for now, it would be nice to go audit the kernel for
all locations that do a del_timer(_sync) followed by freeing the timer,
and replace it with a timer_shutdown() call.

For the del_timer() cases, we will have to make sure it's not done that
way due to locking. But they will still need to be dealt with because
they are still prone to UAF.

-- Steve
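
Added example, not part of the original message and not kernel code: a single-threaded user-space model of the teardown problem described above, showing why a del_timer()-style stop can leave a timer queued at free time while a shutdown that clears the callback cannot. All toy_* names and pending_at_free() are hypothetical, and the model leaves out the synchronization with a running callback that the message says is also required.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-space model only: no timer wheel, no locking, no concurrency. */
struct toy_timer {
    void (*function)(struct toy_timer *);
    bool pending;                 /* queued and will fire later */
};
static void toy_callback(struct toy_timer *t) { (void)t; }

/* Models mod_timer(): arming is ignored once the callback is cleared. */
static bool toy_mod_timer(struct toy_timer *t)
{
    if (!t->function)
        return false;
    t->pending = true;
    return true;
}

/* Models del_timer(): dequeues, but the timer can be armed again. */
static bool toy_del_timer(struct toy_timer *t)
{
    bool was_pending = t->pending;
    t->pending = false;
    return was_pending;
}

/* Models the proposed timer_shutdown(): clear the callback, then dequeue. */
static bool toy_timer_shutdown(struct toy_timer *t)
{
    t->function = NULL;
    return toy_del_timer(t);
}

/* Returns true if the timer is still queued when the owner would free it. */
static bool pending_at_free(bool use_shutdown)
{
    struct toy_timer t = { .function = toy_callback };
    toy_mod_timer(&t);
    if (use_shutdown)
        toy_timer_shutdown(&t);
    else
        toy_del_timer(&t);
    toy_mod_timer(&t);            /* late rearm from another code path */
    return t.pending;             /* owner would free the object here */
}

int main(void)
{
    return (pending_at_free(false) && !pending_at_free(true)) ? 0 : 1;
}
```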

Thread overview: 26+ messages
2022-04-07 20:17 [RFC][PATCH] timers: Add del_time_free() to be called before freeing timers Steven Rostedt
2022-04-07 21:58 ` Guenter Roeck
2022-04-07 22:51   ` Steven Rostedt
2022-04-08  0:58     ` Guenter Roeck
2022-04-08  1:36       ` Steven Rostedt
2022-04-08 10:37 ` Thomas Gleixner
2022-04-08 12:33   ` Steven Rostedt
2022-04-08 15:55   ` Steven Rostedt
2022-04-08 17:33   ` Linus Torvalds
2022-04-08 20:10     ` Steven Rostedt
2022-04-08 20:26       ` Steven Rostedt
2022-04-08 23:18       ` Linus Torvalds
2022-04-08 20:29     ` Thomas Gleixner
2022-04-08 20:58       ` Steven Rostedt
2022-04-08 21:46         ` Thomas Gleixner
2022-04-08 21:59           ` Steven Rostedt
2022-04-09  0:22       ` Steven Rostedt
2022-04-09  0:30         ` Linus Torvalds
2022-04-09  0:49           ` Steven Rostedt
2022-04-09  1:00             ` Linus Torvalds
2022-04-09  1:14               ` Steven Rostedt [this message]
2022-11-24 14:16 ` [tip: timers/core] timers: Provide timer_shutdown[_sync]() tip-bot2 for Thomas Gleixner
2022-11-24 14:16 ` [tip: timers/core] timers: Add shutdown mechanism to the internal functions tip-bot2 for Thomas Gleixner
2022-11-24 14:16 ` [tip: timers/core] timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode tip-bot2 for Thomas Gleixner
2022-11-24 14:16 ` [tip: timers/core] timers: Silently ignore timers with a NULL function tip-bot2 for Thomas Gleixner
2022-11-24 14:16 ` [tip: timers/core] timers: Use del_timer_sync() even on UP tip-bot2 for Thomas Gleixner
