lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 23 Sep 2021 18:04:18 +0200 (CEST)
From:   Thomas Gleixner <>
To:     LKML <>
Cc:     Peter Zijlstra <>,
        Dmitry Vyukov <>,
        Johannes Berg <>,
        Loic Poulain <>,,
        Sergey Ryazanov <>,
        Jakub Kicinski <>,
        M Chetan Kumar <>,
        Johannes Berg <>,
        "David S. Miller" <>,
        Intel Corporation <>,, Takashi Iwai <>,
        Jaroslav Kysela <>,
        Oliver Hartkopp <>,, Marc Kleine-Budde <>,
        Sebastian Reichel <>,,
        David Airlie <>,,
        Joonas Lahtinen <>,
        Jani Nikula <>,, Daniel Vetter <>,
        Rodrigo Vivi <>,
        "Eric W. Biederman" <>
Subject: [patch 00/11] hrtimers: Cleanup hrtimer_forward() [ab]use

A recent syzbot report unearthed abuse of hrtimer_forward() which can cause
runaway timers hogging the CPU in timer expiry context by rearming the
timer in the past over and over.

This happens when the caller uses timer->expiry for the 'now' argument of
hrtimer_forward(). That works as long as the timer expiry is on time, but
can cause a long period of rearm/fire loops which hog the CPU. Expiring
late can have various causes, but obviously virtualization is prone to that
due to VCPU scheduling.

The correct usage of hrtimer_forward() is to hand the current time to the
'now' argument which ensures that the next event on the periodic time line
is past now. This is what hrtimer_forward_now() provides.

The following series addresses this:

    1) Add a debug mechanism to the hrtimer expiry loop

    2) Convert all hrtimer_forward() usage outside of kernel/time/ to
       use hrtimer_forward_now().

    3) Confine hrtimer_forward() to kernel/time/ core code.

The mac80211_hwsim patch has already been picked up by the wireless
maintainer and all other patches which affect usage outside the core code
can be picked up by the relevant subsystems. If a maintainer wants me to
pick a particular patch up, please let me know.

The last patch which confines hrtimer_forward() will be postponed until all
other patches have been merged into Linus tree.

The series is also available from git:

    git:// hrtimer


 drivers/gpu/drm/i915/i915_pmu.c        |    2 -
 drivers/net/wireless/mac80211_hwsim.c  |    4 +-
 drivers/net/wwan/iosm/iosm_ipc_imem.c  |    4 +-
 drivers/power/reset/ltc2952-poweroff.c |    4 --
 include/linux/hrtimer.h                |   26 -----------------
 include/linux/posix-timers.h           |    3 ++
 kernel/signal.c                        |   14 +--------
 kernel/time/hrtimer.c                  |   48 ++++++++++++++++++++++++++++++++-
 kernel/time/itimer.c                   |   13 ++++++++
 kernel/time/posix-timers.c             |   42 +++++++++++-----------------
 kernel/time/tick-internal.h            |    1 
 net/can/bcm.c                          |    2 -
 sound/drivers/pcsp/pcsp_lib.c          |    2 -
 13 files changed, 92 insertions(+), 73 deletions(-)

Powered by blists - more mailing lists