
[SRU,Jammy,OEM-6.1,1/2] timers: Replace BUG_ON()s

Message ID 20240319212508.308142-2-yuxuan.luo@canonical.com
State New
Series CVE-2023-6039 | expand

Commit Message

Yuxuan Luo March 19, 2024, 9:25 p.m. UTC
From: Thomas Gleixner <tglx@linutronix.de>

The timer code still has a few BUG_ON()s left which are crashing the kernel
in situations where it still can recover or simply refuse to take an
action.

Remove the one in the hotplug callback which checks for the CPU being
offline. If that happens then the whole hotplug machinery will explode in
colourful ways.

Replace the rest with WARN_ON_ONCE() and conditional returns where
appropriate.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.de

(cherry picked from commit 82ed6f7ef58f9634fe4462dd721902c580f01569)
CVE-2023-6039
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
---
 kernel/time/timer.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Comments

Andrei Gherzan March 20, 2024, 9:36 a.m. UTC | #1
On 24/03/19 05:25PM, Yuxuan Luo wrote:
> From: Thomas Gleixner <tglx@linutronix.de>
> 
> The timer code still has a few BUG_ON()s left which are crashing the kernel
> in situations where it still can recover or simply refuse to take an
> action.
> 
> Remove the one in the hotplug callback which checks for the CPU being
> offline. If that happens then the whole hotplug machinery will explode in
> colourful ways.
> 
> Replace the rest with WARN_ON_ONCE() and conditional returns where
> appropriate.
> 
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Tested-by: Guenter Roeck <linux@roeck-us.net>
> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
> Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
> Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.de
> 

NIT: There is an extra newline here.

> (cherry picked from commit 82ed6f7ef58f9634fe4462dd721902c580f01569)
> CVE-2023-6039
> Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
> ---
>  kernel/time/timer.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/kernel/time/timer.c b/kernel/time/timer.c
> index ef25b242dfa2f..14913aea1fd49 100644
> --- a/kernel/time/timer.c
> +++ b/kernel/time/timer.c
> @@ -1155,7 +1155,8 @@ EXPORT_SYMBOL(timer_reduce);
>   */
>  void add_timer(struct timer_list *timer)
>  {
> -	BUG_ON(timer_pending(timer));
> +	if (WARN_ON_ONCE(timer_pending(timer)))
> +		return;
>  	__mod_timer(timer, timer->expires, MOD_TIMER_NOTPENDING);
>  }
>  EXPORT_SYMBOL(add_timer);
> @@ -1174,7 +1175,8 @@ void add_timer_on(struct timer_list *timer, int cpu)
>  	struct timer_base *new_base, *base;
>  	unsigned long flags;
>  
> -	BUG_ON(timer_pending(timer) || !timer->function);
> +	if (WARN_ON_ONCE(timer_pending(timer) || !timer->function))
> +		return;
>  
>  	new_base = get_timer_cpu_base(timer->flags, cpu);
>  
> @@ -2148,8 +2150,6 @@ int timers_dead_cpu(unsigned int cpu)
>  	struct timer_base *new_base;
>  	int b, i;
>  
> -	BUG_ON(cpu_online(cpu));
> -
>  	for (b = 0; b < NR_BASES; b++) {
>  		old_base = per_cpu_ptr(&timer_bases[b], cpu);
>  		new_base = get_cpu_ptr(&timer_bases[b]);
> @@ -2166,7 +2166,8 @@ int timers_dead_cpu(unsigned int cpu)
>  		 */
>  		forward_timer_base(new_base);
>  
> -		BUG_ON(old_base->running_timer);
> +		WARN_ON_ONCE(old_base->running_timer);
> +		old_base->running_timer = NULL;
>  
>  		for (i = 0; i < WHEEL_SIZE; i++)
Yuxuan Luo March 20, 2024, 1:52 p.m. UTC | #2
On 3/20/24 05:36, Andrei Gherzan wrote:
> On 24/03/19 05:25PM, Yuxuan Luo wrote:
>> From: Thomas Gleixner <tglx@linutronix.de>
>>
>> The timer code still has a few BUG_ON()s left which are crashing the kernel
>> in situations where it still can recover or simply refuse to take an
>> action.
>>
>> Remove the one in the hotplug callback which checks for the CPU being
>> offline. If that happens then the whole hotplug machinery will explode in
>> colourful ways.
>>
>> Replace the rest with WARN_ON_ONCE() and conditional returns where
>> appropriate.
>>
>> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
>> Tested-by: Guenter Roeck <linux@roeck-us.net>
>> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
>> Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
>> Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.de
>>
> NIT: There is an extra newline here.
It is from the original patch, kept on purpose/I did not touch it.
>
>> (cherry picked from commit 82ed6f7ef58f9634fe4462dd721902c580f01569)
>> CVE-2023-6039
>> Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
>> ---
>>   kernel/time/timer.c | 11 ++++++-----
>>   1 file changed, 6 insertions(+), 5 deletions(-)
>>
>> diff --git a/kernel/time/timer.c b/kernel/time/timer.c
>> index ef25b242dfa2f..14913aea1fd49 100644
>> --- a/kernel/time/timer.c
>> +++ b/kernel/time/timer.c
>> @@ -1155,7 +1155,8 @@ EXPORT_SYMBOL(timer_reduce);
>>    */
>>   void add_timer(struct timer_list *timer)
>>   {
>> -	BUG_ON(timer_pending(timer));
>> +	if (WARN_ON_ONCE(timer_pending(timer)))
>> +		return;
>>   	__mod_timer(timer, timer->expires, MOD_TIMER_NOTPENDING);
>>   }
>>   EXPORT_SYMBOL(add_timer);
>> @@ -1174,7 +1175,8 @@ void add_timer_on(struct timer_list *timer, int cpu)
>>   	struct timer_base *new_base, *base;
>>   	unsigned long flags;
>>   
>> -	BUG_ON(timer_pending(timer) || !timer->function);
>> +	if (WARN_ON_ONCE(timer_pending(timer) || !timer->function))
>> +		return;
>>   
>>   	new_base = get_timer_cpu_base(timer->flags, cpu);
>>   
>> @@ -2148,8 +2150,6 @@ int timers_dead_cpu(unsigned int cpu)
>>   	struct timer_base *new_base;
>>   	int b, i;
>>   
>> -	BUG_ON(cpu_online(cpu));
>> -
>>   	for (b = 0; b < NR_BASES; b++) {
>>   		old_base = per_cpu_ptr(&timer_bases[b], cpu);
>>   		new_base = get_cpu_ptr(&timer_bases[b]);
>> @@ -2166,7 +2166,8 @@ int timers_dead_cpu(unsigned int cpu)
>>   		 */
>>   		forward_timer_base(new_base);
>>   
>> -		BUG_ON(old_base->running_timer);
>> +		WARN_ON_ONCE(old_base->running_timer);
>> +		old_base->running_timer = NULL;
>>   
>>   		for (i = 0; i < WHEEL_SIZE; i++)

Patch

diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index ef25b242dfa2f..14913aea1fd49 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1155,7 +1155,8 @@  EXPORT_SYMBOL(timer_reduce);
  */
 void add_timer(struct timer_list *timer)
 {
-	BUG_ON(timer_pending(timer));
+	if (WARN_ON_ONCE(timer_pending(timer)))
+		return;
 	__mod_timer(timer, timer->expires, MOD_TIMER_NOTPENDING);
 }
 EXPORT_SYMBOL(add_timer);
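Review bot: The new early return in add_timer() makes the call a silent no-op after the first warning, and nothing in the visible lines tells callers that the timer is then left exactly as it was. The kernel-doc block that closes with ` */` just above starts outside this hunk; if it does not already say so, add a line such as `* A pending timer is a caller bug: a one-time warning is emitted and the timer is left unchanged.` Because WARN_ON_ONCE() reports only its first hit, later misuse from a different call site goes unlogged, and on systems that run with panic_on_warn set the warning still stops the machine; both points apply equally to the add_timer_on() and timers_dead_cpu() hunks below.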
@@ -1174,7 +1175,8 @@  void add_timer_on(struct timer_list *timer, int cpu)
 	struct timer_base *new_base, *base;
 	unsigned long flags;
 
-	BUG_ON(timer_pending(timer) || !timer->function);
+	if (WARN_ON_ONCE(timer_pending(timer) || !timer->function))
+		return;
 
 	new_base = get_timer_cpu_base(timer->flags, cpu);
 
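Review bot: Folding both conditions into one WARN_ON_ONCE() in add_timer_on() means the log cannot show whether the timer was already pending or had no callback set, and once either fires the other is never reported. Splitting the guard gives each invariant its own warning site: `if (WARN_ON_ONCE(timer_pending(timer))) return;` followed by `if (WARN_ON_ONCE(!timer->function)) return;`. add_timer() in the previous hunk checks only timer_pending(); whether __mod_timer() rejects a NULL function without crashing is not visible here and is worth confirming. The function body continues past the end of this hunk.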
@@ -2148,8 +2150,6 @@  int timers_dead_cpu(unsigned int cpu)
 	struct timer_base *new_base;
 	int b, i;
 
-	BUG_ON(cpu_online(cpu));
-
 	for (b = 0; b < NR_BASES; b++) {
 		old_base = per_cpu_ptr(&timer_bases[b], cpu);
 		new_base = get_cpu_ptr(&timer_bases[b]);
@@ -2166,7 +2166,8 @@  int timers_dead_cpu(unsigned int cpu)
 		 */
 		forward_timer_base(new_base);
 
-		BUG_ON(old_base->running_timer);
+		WARN_ON_ONCE(old_base->running_timer);
+		old_base->running_timer = NULL;
 
 		for (i = 0; i < WHEEL_SIZE; i++)
 			migrate_timer_list(new_base, old_base->vectors + i);
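Review bot: The unconditional `old_base->running_timer = NULL;` in timers_dead_cpu() has no comment saying why it is safe to discard the pointer after warning. Presumably the reasoning is that the CPU is dead, so no callback can still be executing on old_base and a non-NULL value is stale state that would otherwise confuse code waiting on it; that should be stated in the code, e.g. `/* CPU is dead: a non-NULL running_timer is stale, clear it after warning. */`. Whether the base locks are held at this point cannot be seen from the hunk, as the loop body starts and ends outside it.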