From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][OEM-6.1][PATCH 6/8] timers: Add shutdown mechanism to the internal functions
Date: Tue, 20 Feb 2024 14:24:19 -0500
Message-Id: <20240220192421.35003-7-yuxuan.luo@canonical.com>
In-Reply-To: <20240220192421.35003-1-yuxuan.luo@canonical.com>
References: <20240220192421.35003-1-yuxuan.luo@canonical.com>

From: Thomas Gleixner

Tearing down timers which have circular dependencies to other
functionality, e.g. workqueues, where the timer can schedule work and work
can arm timers, is not trivial.

In those cases it is desired to shutdown the timer in a way which prevents
rearming of the timer. The mechanism to do so is to set timer->function to
NULL and use this as an indicator for the timer arming functions to ignore
the (re)arm request.

Add a shutdown argument to the relevant internal functions which makes the
actual deactivation code set timer->function to NULL which in turn prevents
rearming of the timer.

Co-developed-by: Steven Rostedt
Signed-off-by: Steven Rostedt
Signed-off-by: Thomas Gleixner
Tested-by: Guenter Roeck
Reviewed-by: Jacob Keller
Reviewed-by: Anna-Maria Behnsen
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/20221123201625.253883224@linutronix.de
(cherry picked from commit 0cc04e80458a822300b93f82ed861a513edde194)
CVE-2023-6039
Signed-off-by: Yuxuan Luo
---
 kernel/time/timer.c | 62 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 54 insertions(+), 8 deletions(-)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c index 8296cdb1b6ff..9035e336456b 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c @@ -1257,12 +1257,19 @@ EXPORT_SYMBOL_GPL(add_timer_on); /** * __timer_delete - Internal function: Deactivate a timer * @timer: The timer to be deactivated + * @shutdown: If true, this indicates that the timer is about to be + * shutdown permanently. + * + * If @shutdown is true then @timer->function is set to NULL under the + * timer base lock which prevents further rearming of the time. In that + * case any attempt to rearm @timer after this function returns will be + * silently ignored. * * Return: * * %0 - The timer was not pending * * %1 - The timer was pending and deactivated */ -static int __timer_delete(struct timer_list *timer) +static int __timer_delete(struct timer_list *timer, bool shutdown) { struct timer_base *base; unsigned long flags; @@ -1270,9 +1277,22 @@ static int __timer_delete(struct timer_list *timer) debug_assert_init(timer); - if (timer_pending(timer)) { + /* + * If @shutdown is set then the lock has to be taken whether the + * timer is pending or not to protect against a concurrent rearm + * which might hit between the lockless pending check and the lock + * aquisition. By taking the lock it is ensured that such a newly + * enqueued timer is dequeued and cannot end up with + * timer->function == NULL in the expiry code. + * + * If timer->function is currently executed, then this makes sure + * that the callback cannot requeue the timer. + */ + if (timer_pending(timer) || shutdown) { base = lock_timer_base(timer, &flags); ret = detach_if_pending(timer, base, true); + if (shutdown) + timer->function = NULL; raw_spin_unlock_irqrestore(&base->lock, flags); } 
@@ -1295,20 +1315,31 @@ static int __timer_delete(struct timer_list *timer) */ int timer_delete(struct timer_list *timer) { - return __timer_delete(timer); + return __timer_delete(timer, false); } EXPORT_SYMBOL(timer_delete); /** * __try_to_del_timer_sync - Internal function: Try to deactivate a timer * @timer: Timer to deactivate + * @shutdown: If true, this indicates that the timer is about to be + * shutdown permanently. + * + * If @shutdown is true then @timer->function is set to NULL under the + * timer base lock which prevents further rearming of the timer. Any + * attempt to rearm @timer after this function returns will be silently + * ignored. + * + * This function cannot guarantee that the timer cannot be rearmed + * right after dropping the base lock if @shutdown is false. That + * needs to be prevented by the calling code if necessary. * * Return: * * %0 - The timer was not pending * * %1 - The timer was pending and deactivated * * %-1 - The timer callback function is running on a different CPU */ -static int __try_to_del_timer_sync(struct timer_list *timer) +static int __try_to_del_timer_sync(struct timer_list *timer, bool shutdown) { struct timer_base *base; unsigned long flags; @@ -1320,6 +1351,8 @@ static int __try_to_del_timer_sync(struct timer_list *timer) if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); + if (shutdown) + timer->function = NULL; raw_spin_unlock_irqrestore(&base->lock, flags); @@ -1344,7 +1377,7 @@ static int __try_to_del_timer_sync(struct timer_list *timer) */ int try_to_del_timer_sync(struct timer_list *timer) { - return __try_to_del_timer_sync(timer); + return __try_to_del_timer_sync(timer, false); } EXPORT_SYMBOL(try_to_del_timer_sync); 
@@ -1425,12 +1458,25 @@ static inline void del_timer_wait_running(struct timer_list *timer) { } * __timer_delete_sync - Internal function: Deactivate a timer and wait * for the handler to finish. * @timer: The timer to be deactivated + * @shutdown: If true, @timer->function will be set to NULL under the + * timer base lock which prevents rearming of @timer + * + * If @shutdown is not set the timer can be rearmed later. If the timer can + * be rearmed concurrently, i.e. after dropping the base lock then the + * return value is meaningless. + * + * If @shutdown is set then @timer->function is set to NULL under timer + * base lock which prevents rearming of the timer. Any attempt to rearm + * a shutdown timer is silently ignored. + * + * If the timer should be reused after shutdown it has to be initialized + * again. * * Return: * * %0 - The timer was not pending * * %1 - The timer was pending and deactivated */ -static int __timer_delete_sync(struct timer_list *timer) +static int __timer_delete_sync(struct timer_list *timer, bool shutdown) { int ret; @@ -1460,7 +1506,7 @@ static int __timer_delete_sync(struct timer_list *timer) lockdep_assert_preemption_enabled(); do { - ret = __try_to_del_timer_sync(timer); + ret = __try_to_del_timer_sync(timer, shutdown); if (unlikely(ret < 0)) { del_timer_wait_running(timer); @@ -1512,7 +1558,7 @@ static int __timer_delete_sync(struct timer_list *timer) */ int timer_delete_sync(struct timer_list *timer) { - return __timer_delete_sync(timer); + return __timer_delete_sync(timer, false); } EXPORT_SYMBOL(timer_delete_sync);
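Review bot: In the __timer_delete() hunks (@@ -1257,12 +1257,19 and @@ -1270,9 +1277,22), the new kernel-doc promises that a rearm after return "will be silently ignored", but nothing in this diff makes the arming side test timer->function == NULL; the only change here is the store of NULL under the base lock. The changelog says the arming functions use NULL as the indicator, so please confirm that the patch adding that check sits earlier in this 8-patch series, otherwise a rearm of a shut-down timer would enqueue a timer whose callback pointer is NULL, which is exactly the expiry-code case the added comment says must not happen. Two spelling slips in the same hunks: "rearming of the time" should read "timer", and "aquisition" should read "acquisition"; if they match the upstream commit, leaving them keeps the cherry-pick clean, but it is worth saying so in the SRU notes.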
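Review bot: In the __try_to_del_timer_sync() hunk at @@ -1320,6 +1351,8, the added "if (shutdown) timer->function = NULL;" carries no comment on whether it is meant to run when base->running_timer == timer and the function is about to return -1. The comment added to __timer_delete() ("If timer->function is currently executed, then this makes sure that the callback cannot requeue the timer") suggests the store is deliberately outside the running_timer check, so that a callback executing on another CPU cannot rearm while __timer_delete_sync() loops. A one-line comment at the assignment, and a sentence in the Return section stating that with @shutdown set the function pointer is already cleared on a -1 return, would keep a later cleanup from moving the store under the running_timer test and reopening the rearm window.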
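Review bot: Every caller visible in this patch passes false (timer_delete() at @@ -1295,20 +1315,31, try_to_del_timer_sync() at @@ -1344,7 +1377,7, timer_delete_sync() at @@ -1512,7 +1558,7), so the shutdown == true branches are unreachable until a later patch adds a user, and neither the changelog nor the SRU tag line says that this patch is preparation with no behaviour change on its own. Since the submission is tracked as CVE-2023-6039, please state in the cover letter which patch in the series introduces the first shutdown == true caller, so that nobody backports this one alone and assumes the issue is addressed. The new __timer_delete_sync() kernel-doc also requires re-initialisation before a shut-down timer is reused; that requirement should be repeated on whatever exported wrapper the follow-up patch adds, because callers will read the exported function's documentation, not the static one.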