Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

alarmtimer: Access timerqueue node under lock in suspend

In alarmtimer_suspend(), timerqueue_getnext() is called under
base->lock, but next->expires is read after the lock is released.

This is safe because suspend freezes all relevant task contexts,
but reading the node while holding the lock makes the code easier
to reason about and not worry about a theoretical UAF.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260407143627.19405-1-zhanxusheng@xiaomi.com

authored by Zhan Xusheng and committed by Thomas Gleixner
09c04714 c5283a1f

+8 -4
kernel/time/alarmtimer.c
··· 234 234 if (!rtc) 235 235 return 0; 236 236 237 - /* Find the soonest timer to expire*/ 237 + /* Find the soonest timer to expire */ 238 238 for (i = 0; i < ALARM_NUMTYPE; i++) { 239 239 struct alarm_base *base = &alarm_bases[i]; 240 240 struct timerqueue_node *next; 241 + ktime_t next_expires; 241 242 ktime_t delta; 242 243 243 - scoped_guard(spinlock_irqsave, &base->lock) 244 + scoped_guard(spinlock_irqsave, &base->lock) { 244 245 next = timerqueue_getnext(&base->timerqueue); 246 + if (next) 247 + next_expires = next->expires; 248 + } 245 249 if (!next) 246 250 continue; 247 - delta = ktime_sub(next->expires, base->get_ktime()); 251 + delta = ktime_sub(next_expires, base->get_ktime()); 248 252 if (!min || (delta < min)) { 249 - expires = next->expires; 253 + expires = next_expires; 250 254 min = delta; 251 255 type = i; 252 256 }
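
Review bot: `next_expires` is declared without an initializer and is assigned only inside the guarded block when `next` is non-NULL, so the later reads in `delta = ktime_sub(next_expires, base->get_ktime());` and `expires = next_expires;` are correct only because `if (!next) continue;` sits between them, outside the guard. That holds as written, but `next` stays in scope after the lock is dropped and is still used for the NULL test, which leaves room for a later change to dereference it unlocked again, the exact pattern this patch removes. Consider confining the pointer to the guarded block and carrying only the copied value (plus a "found" indication) out of it, or at least adding a short comment at `if (!next)` stating that the node must not be dereferenced past this point. Separately, the whitespace fix to the "Find the soonest timer to expire" comment is unrelated to the locking change and is not mentioned in the commit message; a note there or a separate cleanup would keep the fix easier to backport and review.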