Re: [RFC][PATCH] timers: Add del_time_free() to be called before freeing timers

From: Steven Rostedt
Date: Fri Apr 08 2022 - 21:15:02 EST


On Fri, 8 Apr 2022 15:00:43 -1000
Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Fri, Apr 8, 2022 at 2:49 PM Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> >
> > Hmm, well, I'm not sure it would work for all architectures, but what
> > about the MSB? Setting it to zero on "shutdown"?
>
> Let's just clear the whole thing for now. We don't actually _have_ any
> timer_restart() cases yet.

OK, so this has gone toward the handling all sorts of situations tangent.

Thus, I want to get back to the current situation at hand. We have a
bunch of places that use del_timer(), and possibly del_timer_sync() but
can then have it rearm, and then the timer gets freed and BOOM we get a
crash in the timer code. Worse yet, we have no idea what timer it was
that did the UAF.

So, we could just add that "timer_shutdown()" function that clears the
function and mod_timer() would no longer rearm it. It would also need
to do the synchronization as well. Which means it can't be called with
locks that might be taken in the timer itself.

We can look into more elaborate APIs if we want to help fix other
issues later, but for now, it would be nice to go audit the kernel for
all locations that do a del_timer(_sync) followed by freeing the timer,
and replace it with a timer_shutdown() call.

For the del_timer() cases, we will have to make sure it's not done that
way due to locking. But they will still need to be dealt with because
they are still prone to UAF.

-- Steve