[PATCH] alarmtimer: Fix use-after-free of timerqueue node in alarmtimer

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] alarmtimer: Fix use-after-free of timerqueue node in alarmtimer_suspend()
@ 2026-03-30  6:15 Zhan Xusheng
  2026-04-07 13:57 ` Thomas Gleixner
  0 siblings, 1 reply; 2+ messages in thread
From: Zhan Xusheng @ 2026-03-30  6:15 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: linux-kernel, Zhan Xusheng

In alarmtimer_suspend(), the timerqueue_node pointer 'next' is obtained
under base->lock via scoped_guard(), but its members (next->expires)
are accessed after the lock has been released when the scoped_guard
goes out of scope.

Between the lock release and the dereference, a concurrent timer
cancellation on another CPU could remove and free the timerqueue node,
leading to a use-after-free.

Fix this by copying next->expires into a local ktime_t variable while
still holding the lock.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
 kernel/time/alarmtimer.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index b64db405ba5c..6e173d70d825 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -234,19 +234,23 @@ static int alarmtimer_suspend(struct device *dev)
 	if (!rtc)
 		return 0;
 
-	/* Find the soonest timer to expire*/
+	/* Find the soonest timer to expire */
 	for (i = 0; i < ALARM_NUMTYPE; i++) {
 		struct alarm_base *base = &alarm_bases[i];
 		struct timerqueue_node *next;
+		ktime_t next_expires;
 		ktime_t delta;
 
-		scoped_guard(spinlock_irqsave, &base->lock)
+		scoped_guard(spinlock_irqsave, &base->lock) {
 			next = timerqueue_getnext(&base->timerqueue);
+			if (next)
+				next_expires = next->expires;
+		}
 		if (!next)
 			continue;
-		delta = ktime_sub(next->expires, base->get_ktime());
+		delta = ktime_sub(next_expires, base->get_ktime());
 		if (!min || (delta < min)) {
-			expires = next->expires;
+			expires = next_expires;
 			min = delta;
 			type = i;
 		}
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] alarmtimer: Fix use-after-free of timerqueue node in alarmtimer_suspend()
  2026-03-30  6:15 [PATCH] alarmtimer: Fix use-after-free of timerqueue node in alarmtimer_suspend() Zhan Xusheng
@ 2026-04-07 13:57 ` Thomas Gleixner
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Gleixner @ 2026-04-07 13:57 UTC (permalink / raw)
  To: Zhan Xusheng; +Cc: linux-kernel, Zhan Xusheng

On Mon, Mar 30 2026 at 14:15, Zhan Xusheng wrote:
> In alarmtimer_suspend(), the timerqueue_node pointer 'next' is obtained
> under base->lock via scoped_guard(), but its members (next->expires)
> are accessed after the lock has been released when the scoped_guard
> goes out of scope.
>
> Between the lock release and the dereference, a concurrent timer
> cancellation on another CPU could remove and free the timerqueue node,
> leading to a use-after-free.

That's correct in theory, but it's a made up scenario as this runs
during suspend after all processes which could remove and free it have
been frozen already.

That said, I have no objections against the patch per se, but I'm not
accepting the unrealistic argument backing it up.

Using AI is fine, but taking the output at face value is not.

Thanks,

        tglx

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-07 13:57 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-30  6:15 [PATCH] alarmtimer: Fix use-after-free of timerqueue node in alarmtimer_suspend() Zhan Xusheng
2026-04-07 13:57 ` Thomas Gleixner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox