[SRU][Jammy][OEM-6.1][PATCH 1/2] timers: Replace BUG_ON()s

Yuxuan Luo yuxuan.luo at canonical.com
Tue Mar 19 21:25:07 UTC 2024 

From: Thomas Gleixner <tglx at linutronix.de>

The timer code still has a few BUG_ON()s left which are crashing the kernel
in situations where it still can recover or simply refuse to take an
action.

Remove the one in the hotplug callback which checks for the CPU being
offline. If that happens then the whole hotplug machinery will explode in
colourful ways.

Replace the rest with WARN_ON_ONCE() and conditional returns where
appropriate.

Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Tested-by: Guenter Roeck <linux at roeck-us.net>
Reviewed-by: Jacob Keller <jacob.e.keller at intel.com>
Reviewed-by: Anna-Maria Behnsen <anna-maria at linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.de

(cherry picked from commit 82ed6f7ef58f9634fe4462dd721902c580f01569)
CVE-2023-6039
Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
---
 kernel/time/timer.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index ef25b242dfa2f..14913aea1fd49 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1155,7 +1155,8 @@ EXPORT_SYMBOL(timer_reduce);
  */
 void add_timer(struct timer_list *timer)
 {
-	BUG_ON(timer_pending(timer));
+	if (WARN_ON_ONCE(timer_pending(timer)))
+		return;
 	__mod_timer(timer, timer->expires, MOD_TIMER_NOTPENDING);
 }
 EXPORT_SYMBOL(add_timer);
@@ -1174,7 +1175,8 @@ void add_timer_on(struct timer_list *timer, int cpu)
 	struct timer_base *new_base, *base;
 	unsigned long flags;
 
-	BUG_ON(timer_pending(timer) || !timer->function);
+	if (WARN_ON_ONCE(timer_pending(timer) || !timer->function))
+		return;
 
 	new_base = get_timer_cpu_base(timer->flags, cpu);
 
@@ -2148,8 +2150,6 @@ int timers_dead_cpu(unsigned int cpu)
 	struct timer_base *new_base;
 	int b, i;
 
-	BUG_ON(cpu_online(cpu));
-
 	for (b = 0; b < NR_BASES; b++) {
 		old_base = per_cpu_ptr(&timer_bases[b], cpu);
 		new_base = get_cpu_ptr(&timer_bases[b]);
@@ -2166,7 +2166,8 @@ int timers_dead_cpu(unsigned int cpu)
 		 */
 		forward_timer_base(new_base);
 
-		BUG_ON(old_base->running_timer);
+		WARN_ON_ONCE(old_base->running_timer);
+		old_base->running_timer = NULL;
 
 		for (i = 0; i < WHEEL_SIZE; i++)
 			migrate_timer_list(new_base, old_base->vectors + i);
-- 
2.34.1

More information about the kernel-team mailing list