[SRU][F][PATCH v3 08/16] timers: Replace BUG_ON()s

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Fri Nov 29 17:00:09 UTC 2024 

From: Thomas Gleixner <tglx at linutronix.de>

The timer code still has a few BUG_ON()s left which are crashing the kernel
in situations where it still can recover or simply refuse to take an
action.

Remove the one in the hotplug callback which checks for the CPU being
offline. If that happens then the whole hotplug machinery will explode in
colourful ways.

Replace the rest with WARN_ON_ONCE() and conditional returns where
appropriate.

Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Tested-by: Guenter Roeck <linux at roeck-us.net>
Reviewed-by: Jacob Keller <jacob.e.keller at intel.com>
Reviewed-by: Anna-Maria Behnsen <anna-maria at linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.de

(backported from commit 82ed6f7ef58f9634fe4462dd721902c580f01569)
[mpellizzer: backported solving one minor merge conflict which does not
affect the patch]
CVE-2024-35887
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
---
 kernel/time/timer.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 13f9bb9fbc92..e52958b890e1 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1159,7 +1159,8 @@ EXPORT_SYMBOL(timer_reduce);
  */
 void add_timer(struct timer_list *timer)
 {
-	BUG_ON(timer_pending(timer));
+	if (WARN_ON_ONCE(timer_pending(timer)))
+		return;
 	mod_timer(timer, timer->expires);
 }
 EXPORT_SYMBOL(add_timer);
@@ -1178,7 +1179,8 @@ void add_timer_on(struct timer_list *timer, int cpu)
 	struct timer_base *new_base, *base;
 	unsigned long flags;
 
-	BUG_ON(timer_pending(timer) || !timer->function);
+	if (WARN_ON_ONCE(timer_pending(timer) || !timer->function))
+		return;
 
 	new_base = get_timer_cpu_base(timer->flags, cpu);
 
@@ -2029,8 +2031,6 @@ int timers_dead_cpu(unsigned int cpu)
 	struct timer_base *new_base;
 	int b, i;
 
-	BUG_ON(cpu_online(cpu));
-
 	for (b = 0; b < NR_BASES; b++) {
 		old_base = per_cpu_ptr(&timer_bases[b], cpu);
 		new_base = get_cpu_ptr(&timer_bases[b]);
@@ -2047,7 +2047,8 @@ int timers_dead_cpu(unsigned int cpu)
 		 */
 		forward_timer_base(new_base);
 
-		BUG_ON(old_base->running_timer);
+		WARN_ON_ONCE(old_base->running_timer);
+		old_base->running_timer = NULL;
 
 		for (i = 0; i < WHEEL_SIZE; i++)
 			migrate_timer_list(new_base, old_base->vectors + i);
-- 
2.43.0

More information about the kernel-team mailing list