[SRU][Jammy][OEM-6.1][PATCH 1/2] timers: Replace BUG_ON()s

Yuxuan Luo yuxuan.luo at canonical.com
Wed Mar 20 13:52:51 UTC 2024 

On 3/20/24 05:36, Andrei Gherzan wrote:
> On 24/03/19 05:25PM, Yuxuan Luo wrote:
>> From: Thomas Gleixner <tglx at linutronix.de>
>>
>> The timer code still has a few BUG_ON()s left which are crashing the kernel
>> in situations where it still can recover or simply refuse to take an
>> action.
>>
>> Remove the one in the hotplug callback which checks for the CPU being
>> offline. If that happens then the whole hotplug machinery will explode in
>> colourful ways.
>>
>> Replace the rest with WARN_ON_ONCE() and conditional returns where
>> appropriate.
>>
>> Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
>> Tested-by: Guenter Roeck <linux at roeck-us.net>
>> Reviewed-by: Jacob Keller <jacob.e.keller at intel.com>
>> Reviewed-by: Anna-Maria Behnsen <anna-maria at linutronix.de>
>> Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.de
>>
> NIT: There is an extra newline here.
It is from the original patch, kept on purpose/I did not touch it.
>
>> (cherry picked from commit 82ed6f7ef58f9634fe4462dd721902c580f01569)
>> CVE-2023-6039
>> Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
>> ---
>>   kernel/time/timer.c | 11 ++++++-----
>>   1 file changed, 6 insertions(+), 5 deletions(-)
>>
>> diff --git a/kernel/time/timer.c b/kernel/time/timer.c
>> index ef25b242dfa2f..14913aea1fd49 100644
>> --- a/kernel/time/timer.c
>> +++ b/kernel/time/timer.c
>> @@ -1155,7 +1155,8 @@ EXPORT_SYMBOL(timer_reduce);
>>    */
>>   void add_timer(struct timer_list *timer)
>>   {
>> -	BUG_ON(timer_pending(timer));
>> +	if (WARN_ON_ONCE(timer_pending(timer)))
>> +		return;
>>   	__mod_timer(timer, timer->expires, MOD_TIMER_NOTPENDING);
>>   }
>>   EXPORT_SYMBOL(add_timer);
>> @@ -1174,7 +1175,8 @@ void add_timer_on(struct timer_list *timer, int cpu)
>>   	struct timer_base *new_base, *base;
>>   	unsigned long flags;
>>   
>> -	BUG_ON(timer_pending(timer) || !timer->function);
>> +	if (WARN_ON_ONCE(timer_pending(timer) || !timer->function))
>> +		return;
>>   
>>   	new_base = get_timer_cpu_base(timer->flags, cpu);
>>   
>> @@ -2148,8 +2150,6 @@ int timers_dead_cpu(unsigned int cpu)
>>   	struct timer_base *new_base;
>>   	int b, i;
>>   
>> -	BUG_ON(cpu_online(cpu));
>> -
>>   	for (b = 0; b < NR_BASES; b++) {
>>   		old_base = per_cpu_ptr(&timer_bases[b], cpu);
>>   		new_base = get_cpu_ptr(&timer_bases[b]);
>> @@ -2166,7 +2166,8 @@ int timers_dead_cpu(unsigned int cpu)
>>   		 */
>>   		forward_timer_base(new_base);
>>   
>> -		BUG_ON(old_base->running_timer);
>> +		WARN_ON_ONCE(old_base->running_timer);
>> +		old_base->running_timer = NULL;
>>   
>>   		for (i = 0; i < WHEEL_SIZE; i++)

More information about the kernel-team mailing list