| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210923153311.225307347@linutronix.de>
Date: Thu, 23 Sep 2021 18:04:18 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: LKML <linux-kernel@...r.kernel.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Johannes Berg <johannes.berg@...el.com>,
Loic Poulain <loic.poulain@...aro.org>, netdev@...r.kernel.org,
Sergey Ryazanov <ryazanov.s.a@...il.com>,
Jakub Kicinski <kuba@...nel.org>,
M Chetan Kumar <m.chetan.kumar@...el.com>,
Johannes Berg <johannes@...solutions.net>,
"David S. Miller" <davem@...emloft.net>,
Intel Corporation <linuxwwan@...el.com>,
alsa-devel@...a-project.org, Takashi Iwai <tiwai@...e.com>,
Jaroslav Kysela <perex@...ex.cz>,
Oliver Hartkopp <socketcan@...tkopp.net>,
linux-can@...r.kernel.org, Marc Kleine-Budde <mkl@...gutronix.de>,
Sebastian Reichel <sre@...nel.org>, linux-pm@...r.kernel.org,
David Airlie <airlied@...ux.ie>,
intel-gfx@...ts.freedesktop.org,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Jani Nikula <jani.nikula@...ux.intel.com>,
dri-devel@...ts.freedesktop.org, Daniel Vetter <daniel@...ll.ch>,
Rodrigo Vivi <rodrigo.vivi@...el.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: [patch 00/11] hrtimers: Cleanup hrtimer_forward() [ab]use
A recent syzbot report unearthed abuse of hrtimer_forward() which can cause
runaway timers hogging the CPU in timer expiry context by rearming the
timer in the past over and over.
This happens when the caller uses timer->expiry for the 'now' argument of
hrtimer_forward(). That works as long as the timer expiry is on time, but
can cause a long period of rearm/fire loops which hog the CPU. Expiring
late can have various causes, but obviously virtualization is prone to that
due to VCPU scheduling.
The correct usage of hrtimer_forward() is to hand the current time to the
'now' argument which ensures that the next event on the periodic time line
is past now. This is what hrtimer_forward_now() provides.
The following series addresses this:
1) Add a debug mechanism to the hrtimer expiry loop
2) Convert all hrtimer_forward() usage outside of kernel/time/ to
use hrtimer_forward_now().
3) Confine hrtimer_forward() to kernel/time/ core code.
The mac80211_hwsim patch has already been picked up by the wireless
maintainer and all other patches which affect usage outside the core code
can be picked up by the relevant subsystems. If a maintainer wants me to
pick a particular patch up, please let me know.
The last patch which confines hrtimer_forward() will be postponed until all
other patches have been merged into Linus tree.
The series is also available from git:
git://git.kernel.org/pub/scm/linux/kernel/git/tglx/devel.git hrtimer
Thanks,
tglx
---
drivers/gpu/drm/i915/i915_pmu.c | 2 -
drivers/net/wireless/mac80211_hwsim.c | 4 +-
drivers/net/wwan/iosm/iosm_ipc_imem.c | 4 +-
drivers/power/reset/ltc2952-poweroff.c | 4 --
include/linux/hrtimer.h | 26 -----------------
include/linux/posix-timers.h | 3 ++
kernel/signal.c | 14 +--------
kernel/time/hrtimer.c | 48 ++++++++++++++++++++++++++++++++-
kernel/time/itimer.c | 13 ++++++++
kernel/time/posix-timers.c | 42 +++++++++++-----------------
kernel/time/tick-internal.h | 1
net/can/bcm.c | 2 -
sound/drivers/pcsp/pcsp_lib.c | 2 -
13 files changed, 92 insertions(+), 73 deletions(-)
Powered by blists - more mailing lists