292a089d78
Due to several bugs caused by timers being re-armed after they are
shutdown and just before they are freed, a new state of timers was added
called "shutdown". After a timer is set to this state, then it can no
longer be re-armed.
The following script was run to find all the trivial locations where
del_timer() or del_timer_sync() is called in the same function that the
object holding the timer is freed. It also ignores any locations where
the timer->function is modified between the del_timer*() and the free(),
as that is not considered a "trivial" case.
This was created by using a coccinelle script and the following
commands:
$ cat timer.cocci
@@
expression ptr, slab;
identifier timer, rfield;
@@
(
- del_timer(&ptr->timer);
+ timer_shutdown(&ptr->timer);
|
- del_timer_sync(&ptr->timer);
+ timer_shutdown_sync(&ptr->timer);
)
... when strict
when != ptr->timer
(
kfree_rcu(ptr, rfield);
|
kmem_cache_free(slab, ptr);
|
kfree(ptr);
)
$ spatch timer.cocci . > /tmp/t.patch
$ patch -p1 < /tmp/t.patch
Link: https://lore.kernel.org/lkml/20221123201306.823305113@linutronix.de/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Acked-by: Pavel Machek <pavel@ucw.cz> [ LED ]
Acked-by: Kalle Valo <kvalo@kernel.org> [ wireless ]
Acked-by: Paolo Abeni <pabeni@redhat.com> [ networking ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| aead_api.c | ||
| aead_api.h | ||
| aes_ccm.h | ||
| aes_cmac.c | ||
| aes_cmac.h | ||
| aes_gcm.h | ||
| aes_gmac.c | ||
| aes_gmac.h | ||
| agg-rx.c | ||
| agg-tx.c | ||
| airtime.c | ||
| cfg.c | ||
| chan.c | ||
| debug.h | ||
| debugfs.c | ||
| debugfs.h | ||
| debugfs_key.c | ||
| debugfs_key.h | ||
| debugfs_netdev.c | ||
| debugfs_netdev.h | ||
| debugfs_sta.c | ||
| debugfs_sta.h | ||
| driver-ops.c | ||
| driver-ops.h | ||
| eht.c | ||
| ethtool.c | ||
| fils_aead.c | ||
| fils_aead.h | ||
| he.c | ||
| ht.c | ||
| ibss.c | ||
| ieee80211_i.h | ||
| iface.c | ||
| key.c | ||
| key.h | ||
| led.c | ||
| led.h | ||
| link.c | ||
| main.c | ||
| mesh.c | ||
| mesh.h | ||
| mesh_hwmp.c | ||
| mesh_pathtbl.c | ||
| mesh_plink.c | ||
| mesh_ps.c | ||
| mesh_sync.c | ||
| michael.c | ||
| michael.h | ||
| mlme.c | ||
| ocb.c | ||
| offchannel.c | ||
| pm.c | ||
| rate.c | ||
| rate.h | ||
| rc80211_minstrel_ht.c | ||
| rc80211_minstrel_ht.h | ||
| rc80211_minstrel_ht_debugfs.c | ||
| rx.c | ||
| s1g.c | ||
| scan.c | ||
| spectmgmt.c | ||
| sta_info.c | ||
| sta_info.h | ||
| status.c | ||
| tdls.c | ||
| tkip.c | ||
| tkip.h | ||
| trace.c | ||
| trace.h | ||
| trace_msg.h | ||
| tx.c | ||
| util.c | ||
| vht.c | ||
| wep.c | ||
| wep.h | ||
| wme.c | ||
| wme.h | ||
| wpa.c | ||
| wpa.h | ||