Re: [PATCH] alarmtimer: Fix use-after-free of timerqueue node in alarmtimer_suspend()

From: Thomas Gleixner

Date: Tue Apr 07 2026 - 09:58:03 EST


On Mon, Mar 30 2026 at 14:15, Zhan Xusheng wrote:
> In alarmtimer_suspend(), the timerqueue_node pointer 'next' is obtained
> under base->lock via scoped_guard(), but its members (next->expires)
> are accessed after the lock has been released when the scoped_guard
> goes out of scope.
>
> Between the lock release and the dereference, a concurrent timer
> cancellation on another CPU could remove and free the timerqueue node,
> leading to a use-after-free.

That's correct in theory, but it's a made-up scenario as this runs
during suspend after all processes which could remove and free it have
been frozen already.

That said, I have no objections against the patch per se, but I'm not
accepting the unrealistic argument backing it up.

Using AI is fine, but taking the output at face value is not.

Thanks,

tglx
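As an added illustration, not part of the original mail thread and not the kernel's alarmtimer code, the following user-space C model shows the locking shape the quoted commit message describes: a pointer fetched inside a scoped_guard() and dereferenced only after the guard's scope has ended and the lock has been dropped, next to the variant that copies the needed field out while the lock is still held. Everything here is a constructed stand-in: the `scoped_guard` macro (a one-iteration for loop with a cleanup attribute, the same trick the kernel's macro uses), `model_lock`, `alarm_base`, `next_expiry_unsafe`, `next_expiry_safe` and the sample state are invented names. The model records where the lock boundary falls relative to the dereference; it does not stage a concurrent free, and whether the race is reachable during suspend is tglx's point above, which this example does not address.

```c
#include <stdio.h>

/* Model "spinlock": a counter that records whether it is currently held. */
struct model_lock {
	int held;
};

/* Guard object released by the cleanup attribute when it goes out of scope. */
struct lock_guard {
	struct model_lock *lock;
};

static inline struct lock_guard lock_guard_enter(struct model_lock *lock)
{
	lock->held++;
	return (struct lock_guard){ .lock = lock };
}

static inline void lock_guard_exit(struct lock_guard *g)
{
	g->lock->held--;
}

/*
 * Stand-in for the kernel's scoped_guard(): a single-iteration for loop
 * whose guard variable is destroyed, dropping the lock, as soon as the
 * loop body is left.  (Invented for this example, not the kernel macro.)
 */
#define scoped_guard(lock)							\
	for (struct lock_guard _g __attribute__((cleanup(lock_guard_exit))) =	\
		     lock_guard_enter(lock), *_done = NULL;			\
	     !_done; _done = &_g)

struct timerqueue_node {
	long long expires;
};

struct alarm_base {
	struct model_lock lock;
	struct timerqueue_node *head;	/* earliest pending node, or NULL */
};

/* Lock state observed at the moment next->expires was last read. */
static int last_read_lock_held = -1;

static long long read_expires(struct alarm_base *base,
			      struct timerqueue_node *next)
{
	last_read_lock_held = base->lock.held;
	return next->expires;
}

/*
 * The shape the commit message objects to: 'next' is fetched under the
 * guard, but next->expires is read after the guard's scope has closed.
 * Returns -1 when nothing is queued.
 */
static long long next_expiry_unsafe(struct alarm_base *base)
{
	struct timerqueue_node *next;

	scoped_guard(&base->lock)
		next = base->head;

	if (!next)
		return -1;
	return read_expires(base, next);	/* lock already dropped here */
}

/* Same result, but the field is copied out while the lock is still held. */
static long long next_expiry_safe(struct alarm_base *base)
{
	long long expires = -1;

	scoped_guard(&base->lock) {
		struct timerqueue_node *next = base->head;

		if (next)
			expires = read_expires(base, next);
	}
	return expires;
}

/* Constructed sample state: one pending alarm expiring at 1000. */
static struct timerqueue_node sample_node = { .expires = 1000 };

static struct alarm_base sample_base(void)
{
	return (struct alarm_base){ .lock = { .held = 0 }, .head = &sample_node };
}

typedef long long (*expiry_fn)(struct alarm_base *);

/* Expiry the accessor returns for the sample base. */
static long long probe_expiry(expiry_fn fn)
{
	struct alarm_base base = sample_base();

	return fn(&base);
}

/* Lock-held count at the moment the accessor dereferenced next->expires. */
static int probe_lock_held_at_read(expiry_fn fn)
{
	struct alarm_base base = sample_base();

	last_read_lock_held = -1;
	fn(&base);
	return last_read_lock_held;
}

/* Lock-held count after the accessor returned; both variants must leave 0. */
static int probe_lock_held_after(expiry_fn fn)
{
	struct alarm_base base = sample_base();

	fn(&base);
	return base.lock.held;
}

int main(void)
{
	printf("unsafe: expires=%lld, lock held at read=%d\n",
	       probe_expiry(next_expiry_unsafe),
	       probe_lock_held_at_read(next_expiry_unsafe));
	printf("safe:   expires=%lld, lock held at read=%d\n",
	       probe_expiry(next_expiry_safe),
	       probe_lock_held_at_read(next_expiry_safe));
	return 0;
}
```

Both accessors return the same expiry and both leave the lock released, which is why the defect is invisible in single-threaded testing; the only difference the model exposes is that the unsafe variant performs its dereference with the lock count at 0, i.e. in the window the commit message is worried about. The real fix in the patch under discussion is not reproduced on this page; the "safe" variant here simply shows the general remedy of reading what you need before the guard scope closes.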