Commit 09c04714 authored by Zhan Xusheng's avatar Zhan Xusheng Committed by Thomas Gleixner

alarmtimer: Access timerqueue node under lock in suspend
In alarmtimer_suspend(), timerqueue_getnext() is called under
base->lock, but next->expires is read after the lock is released.

This is safe because suspend freezes all relevant task contexts,
but reading the node while holding the lock makes the code easier
to reason about and removes any need to worry about a theoretical UAF.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260407143627.19405-1-zhanxusheng@xiaomi.com
parent c5283a1f
+8 −4
@@ -238,15 +238,19 @@ static int alarmtimer_suspend(struct device *dev)
	for (i = 0; i < ALARM_NUMTYPE; i++) {
		struct alarm_base *base = &alarm_bases[i];
		struct timerqueue_node *next;
		ktime_t next_expires;
		ktime_t delta;

		scoped_guard(spinlock_irqsave, &base->lock)
		scoped_guard(spinlock_irqsave, &base->lock) {
			next = timerqueue_getnext(&base->timerqueue);
			if (next)
				next_expires = next->expires;
		}
		if (!next)
			continue;
		delta = ktime_sub(next->expires, base->get_ktime());
		delta = ktime_sub(next_expires, base->get_ktime());
		if (!min || (delta < min)) {
			expires = next->expires;
			expires = next_expires;
			min = delta;
			type = i;
		}
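Review bot: `next_expires` is declared without an initializer and is only assigned inside the guarded block when `next` is non-NULL; the `if (!next) continue;` makes the later reads at `delta = ktime_sub(next_expires, base->get_ktime());` and `expires = next_expires;` safe, but compilers that cannot follow that control dependency may emit a maybe-uninitialized warning. Consider `ktime_t next_expires = 0;` at the declaration, or moving the NULL check into the guarded scope so the assignment is unconditional on the path that reaches the later uses. It would also help to add a one-line comment above the `scoped_guard(spinlock_irqsave, &base->lock)` block stating that `next` must not be dereferenced once the lock is dropped, since that is the invariant this change exists to preserve and the remaining `if (!next)` test after the lock is released is easy to mistake for a licence to use the pointer.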