From nobody Mon Jun 15 02:48:44 2026 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 730D2282F3C; Tue, 7 Apr 2026 17:16:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775582190; cv=none; b=ODYfonUV877hmy9V8kshwLHLcpUEXxc1uh810PKU6ROEl8F1bRJysLdodCX2yAMsEItQMZjvxiO1WVdA8jzHfmpEQeDfEwfRSojLmtfX7vSVnh82KhB7ja+8kSNMDdUA2tP6N3P/Udvm031XCKMnOllvfhugGr4CWDiSp0gIhHU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775582190; c=relaxed/simple; bh=4Sq5XLjUzS/Jp2fXfrTd5AXKMF4yUVbnimsOYYnmoTc=; h=Date:From:To:Subject:Cc:In-Reply-To:References:MIME-Version: Message-ID:Content-Type; b=BP5OeyuVb1sjZrrgHbx2c4IAaaus8+lYamgtqkSyqT9x932A9qidfcuFgHt7xAgcw098RWnBCwiEdA/87Cd1r9+/ikmkkXvwRcxO6Yhbzy/gss+fzL2Q5SOh3Tg6Og0zsKPfmS0VccX01/DLb7e9G0tPQpAihLKVlJ6JMjhlvAc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=TYFwBWws; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=hQh1bxdI; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="TYFwBWws"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="hQh1bxdI" Date: Tue, 07 Apr 2026 17:16:25 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1775582187; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lGq0MeAZtGWEMJXLO/4LhgsR2PYpDnaCYCB3n8H8LSA=; b=TYFwBWwsIwRhhpI7S30/xsHuwMkglsQqOTgXvcIMciu3E4pn/wQEp2c9UOE7QmrGAIepM4 1ZP3o0wnMwwynigpglRjNtvGx/byome/0gCa3FfKr56gPv1TayP3sq1XWrWkMIqTPKzRmH gMYPiJ2xP52ABPT8MXCvOJUOI2b6B3R/KL3dW33qvhm2yFXOqLsJAapwlNbEO0vAlJjcx7 psfhv8iTQq1kiXl819FV1dymt4J2oIrsX9hW5DbPu2orURgs+7lspmiz+DpLhpHHU3sSBy wJtm5YFwoUPz15nKj/8lFd+iF06brxr8TDqZFFZ5QYdvhWdpptYC270vlj6ZjA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1775582187; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lGq0MeAZtGWEMJXLO/4LhgsR2PYpDnaCYCB3n8H8LSA=; b=hQh1bxdIvDp/qzdyfxKCvRWX4UmKjspXjQ3NYXnGiswJYOd4fVkjIVv43PI+gtcZErK1c1 f0i11rawajmapcDg== From: "tip-bot2 for Zhan Xusheng" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: timers/core] alarmtimer: Access timerqueue node under lock in suspend Cc: Zhan Xusheng , Thomas Gleixner , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: <20260407143627.19405-1-zhanxusheng@xiaomi.com> References: <20260407143627.19405-1-zhanxusheng@xiaomi.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <177558218577.801717.11831622228418994565.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Precedence: bulk Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable The following commit has been merged into the timers/core branch of tip: Commit-ID: 09c04714cb455debc1dcc3535b6becb52c5b01e0 Gitweb: https://git.kernel.org/tip/09c04714cb455debc1dcc3535b6becb52= c5b01e0 Author: Zhan Xusheng AuthorDate: Tue, 07 Apr 2026 22:36:27 +08:00 Committer: Thomas Gleixner CommitterDate: Tue, 07 Apr 2026 19:14:26 +02:00 alarmtimer: Access timerqueue node under lock in suspend In alarmtimer_suspend(), timerqueue_getnext() is called under base->lock, but next->expires is read after the lock is released. This is safe because suspend freezes all relevant task contexts, but reading the node while holding the lock makes the code easier to reason about and not worry about a theoretical UAF. Signed-off-by: Zhan Xusheng Signed-off-by: Thomas Gleixner Link: https://patch.msgid.link/20260407143627.19405-1-zhanxusheng@xiaomi.com --- kernel/time/alarmtimer.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c index 069d93b..7c07737 100644 --- a/kernel/time/alarmtimer.c +++ b/kernel/time/alarmtimer.c @@ -234,19 +234,23 @@ static int alarmtimer_suspend(struct device *dev) if (!rtc) return 0; =20 - /* Find the soonest timer to expire*/ + /* Find the soonest timer to expire */ for (i =3D 0; i < ALARM_NUMTYPE; i++) { struct alarm_base *base =3D &alarm_bases[i]; struct timerqueue_node *next; + ktime_t next_expires; ktime_t delta; =20 - scoped_guard(spinlock_irqsave, &base->lock) + scoped_guard(spinlock_irqsave, &base->lock) { next =3D timerqueue_getnext(&base->timerqueue); + if (next) + next_expires =3D next->expires; + } if (!next) continue; - delta =3D ktime_sub(next->expires, base->get_ktime()); + delta =3D ktime_sub(next_expires, base->get_ktime()); if (!min || (delta < min)) { - expires =3D next->expires; + expires =3D next_expires; min =3D delta; type =3D i; }