Converting struct timer_list callback argument to struct timer_list *

From: Kees Cook
Date: Wed Aug 30 2017 - 19:39:43 EST


Hi,

I'm working on converting all callbacks of struct timer_list into
taking the struct timer_list * that triggered the callback (instead of
the timer_list.data field), as done for hrtimers, work queues, etc.
Doing this has a number of benefits including actual type checking
(via container_of(), etc) instead of blind type casts, and getting rid
of the .data field which is used in security flaw exploits[1].

I've got the series well on its way, though I think I have something
like 400 users remaining, and they're getting less trivial to convert.
:)

The series goes through several phases of conversion. The series is
here to browse:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/timer/20170830

Replace open-coded variants of setup_timer() with actual setup_timer() calls:
coccinelle: Improve setup_timer.cocci matching
Run setup_timer.cocci
timer: Remove init_timer_pinned_deferrable() in favor of
setup_pinned_deferrable_timer()
timer: Remove init_timer_on_stack() in favor of setup_timer_on_stack()
timer: Remove init_timer_pinned() in favor of setup_pinned_timer()
timer: Remove init_timer_deferrable() in favor of setup_deferrable_timer()

Remove little or unused macros, with the goal of removing to ability
to statically define the .data field:
timer: Remove users of TIMER_DEFERRED_INITIALIZER
timer: Remove users of TIMER_INITIALIZER
timer: Remove unused static initializer macros
timer: Remove users of expire and data arguments to DEFINE_TIMER
timer: Remove expires and data arguments from DEFINE_TIMER
timer: Remove expires argument from __TIMER_INITIALIZER()

Fix usages of setup_timer() that Coccinelle can't reason about:
timer: Remove meaningless .data/.function assignments
timer: Collapse cross-function single-assignment .data into setup_timer()
timer: Additional init_timer() -> setup_timer() conversions

Eliminate all open-coded usage of the .data field:
usb/phy-isp1301-omap: Remove .data assignment
media/i2c/tc358743: Initialize timer
scsi/aic7xxx: Clean up timer usage
timer: Fix incorrect casts in callbacks
net/core: Collapse redundant sk_timer callback data assignments
s390/char/sclp: Use separate static data field with with static timer
sparc/led: Use separate static data field with with static timer
mips/sgi-ip32: Use separate static data field with with static timer
mips/sgi-ip22: Use separate static data field with with static timer
net/atm/mpc: Use separate static data field with with static timer
staging/comedi/das16: Make timer initialization unconditional
usb/gadget/snps_udc_core: Move timer initialization earlier
infiniband/rdmavt: Remove redundant timer initialization
scsi/bnx2i: Initialize timer
appletalk: Remove unneeded synchronization
timer: Switch to testing for .function instead of .data

Create temporary casts for function and data arguments so
setup_timer() will take both old and new style function and data
arguments:
timer: Temporarily explicitly cast all callback functions

Convert all DEFINE_TIMER users to taking struct timer_list *:
coccinelle: Add define_timer.cocci
timer: Switch DEFINE_TIMER callbacks to struct timer_list *

Create TIMER_CONTAINER() help for new style callbacks:
timer: Add helper for container_of() usage on callbacks

Convert timer users that Coccinelle can't reason about:
scsi/ipr: Convert timer callbacks to use TIMER_CONATINER
staging/wilc1000: Convert timer callbacks to use TIMER_CONTAINER
amifloppy: Convert timer callbacks to use TIMER_CONTAINER
net/irda: Convert timer callbacks to use TIMER_CONTAINER
led/ledtrig-heartbeat: Convert callback to use TIMER_CONTAINER
kthread: Convert callback to use TIMER_CONTAINER
workqueue: Convert callback to use TIMER_CONTAINER
scsi/pmcraid: Convert callbacks to use TIMER_CONTAINER
net/decnet: Convert callback to use TIMER_CONTAINER
net/lapb: Convert callbacks to use TIMER_CONTAINER
net/mac80211/mesh_plink: Convert callback to use TIMER_CONTAINER
fs/nilfs2: Convert callback to use TIMER_CONTAINER
net/rose: Convert callbacks to use TIMER_CONTAINER
scsi/sas: Convert callback to use TIMER_CONTAINER
media/saa7146: Convert callback to use TIMER_CONTAINER
net/irda-usb: Convert callback to use TIMER_CONTAINER
input: Convert callbacks to use TIMER_CONTAINER
net/irda/bfin_sir: Convert callback to use TIMER_CONTAINER
ALSA: sh: aica: Convert callback to use TIMER_CONTAINER
s390/tape: Convert callback to use TIMER_CONTAINER
net/ti/tlan: Convert callback to use TIMER_CONTAINER
net/wireless/ray_cs: Convert callback to use TIMER_CONTAINER
firewire: Convert callback to use TIMER_CONTAINER
sound/pci/asihpi: Convert callback to use TIMER_CONTAINER
isdn/hisax: Convert callback to use TIMER_CONTAINER
net/hamradio/6pack: Convert callback to use TIMER_CONTAINER
pci/ehp_hpc: Convert callback to use TIMER_CONTAINER
net/usb/usbnet: Convert callback to use TIMER_CONTAINER
tty/sysrq: Convert callback to use TIMER_CONTAINER
scsi/cxgbi: Convert callback to use TIMER_CONTAINER
block/laptop_mode: Convert callback to use TIMER_CONTAINER
libata: Convert callback to use TIMER_CONTAINER
staging: rtl8723bs: Refactor timers to use setup_timer()
staging: rtl8723bs: Convert callback to use TIMER_CONTAINER
staging: rtl8712: Convert callbacks to use TIMER_CONTAINER
staging: rtl8188eu: Convert callbacks to use TIMER_CONTAINER
sound/core: Convert callbacks to use TIMER_CONTAINER
fs/ncpfs: Convert callback to use TIMER_CONTAINER
block/aoe: Convert callbacks to use TIMER_CONTAINER

Rename .data field to .cb_data just to find any remaining .data users
that allmodconfig misses but 0-day can find (the above conversions
could be rearranged to do all .data-using conversions first, then this
patch, then the rest of the conversions):
timer: Rename timer_list.data to timer_list.cb_data

Add Coccinelle script to perform "easy" conversions of timer callbacks:
coccinelle: Add new timer_list handling scripts
timer: Mass-convert timer_list callbacks to use TIMER_CONTAINER
timer: setup_deferrable_timer conversions
timer: setup_pinned_timer conversions

Which gets me to here:
747 files changed, 3363 insertions(+), 3410 deletions(-)

And current builds with the forced casts removed show about 400 more
call sites to fix...

Does this look alright, and should some of this go into -next right
now, just to get some of the clean-ups into the tree? (Basically,
everything before "timer: Temporarily explicitly cast all callback
functions")

Thanks!

-Kees

[1] https://lwn.net/Articles/731082/

--
Kees Cook
Pixel Security