[tip: timers/core] alarmtimer: Access timerqueue node under lock in suspend

[tip-bot2 for Zhan Xusheng]

The following commit has been merged into the timers/core branch of tip:

Commit-ID:     09c04714cb455debc1dcc3535b6becb52c5b01e0
Gitweb:        https://git.kernel.org/tip/09c04714cb455debc1dcc3535b6becb52c5b01e0
Author:        Zhan Xusheng <zhanxusheng1024@xxxxxxxxx>
AuthorDate:    Tue, 07 Apr 2026 22:36:27 +08:00
Committer:     Thomas Gleixner <tglx@xxxxxxxxxx>
CommitterDate: Tue, 07 Apr 2026 19:14:26 +02:00

alarmtimer: Access timerqueue node under lock in suspend

In alarmtimer_suspend(), timerqueue_getnext() is called under
base->lock, but next->expires is read after the lock is released.

This is safe because suspend freezes all relevant task contexts,
but reading the node while holding the lock makes the code easier
to reason about and not worry about a theoretical UAF.

Signed-off-by: Zhan Xusheng <zhanxusheng@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxx>
Link: https://patch.msgid.link/20260407143627.19405-1-zhanxusheng@xxxxxxxxxx
---
 kernel/time/alarmtimer.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 069d93b..7c07737 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -234,19 +234,23 @@ static int alarmtimer_suspend(struct device *dev)
 	if (!rtc)
 		return 0;
 
-	/* Find the soonest timer to expire*/
+	/* Find the soonest timer to expire */
 	for (i = 0; i < ALARM_NUMTYPE; i++) {
 		struct alarm_base *base = &alarm_bases[i];
 		struct timerqueue_node *next;
+		ktime_t next_expires;
 		ktime_t delta;
 
-		scoped_guard(spinlock_irqsave, &base->lock)
+		scoped_guard(spinlock_irqsave, &base->lock) {
 			next = timerqueue_getnext(&base->timerqueue);
+			if (next)
+				next_expires = next->expires;
+		}
 		if (!next)
 			continue;
-		delta = ktime_sub(next->expires, base->get_ktime());
+		delta = ktime_sub(next_expires, base->get_ktime());
 		if (!min || (delta < min)) {
-			expires = next->expires;
+			expires = next_expires;
 			min = delta;
 			type = i;
 		}