Acknowledged
Created: Dec 16, 2025
Updated: Dec 18, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

timers: Fix NULL function pointer race in timer_shutdown_sync()

There is a race condition between timer_shutdown_sync() and timer
expiration that can lead to hitting a WARN_ON in expire_timers().

The issue occurs when timer_shutdown_sync() clears the timer function
to NULL while the timer is still running on another CPU. The race
scenario looks like this:

CPU0                                    CPU1
                                        <SOFTIRQ>
                                        lock_timer_base()
                                        expire_timers()
                                        base->running_timer = timer;
                                        unlock_timer_base()
                                        [call_timer_fn enter]
                                        mod_timer()
                                        ...
timer_shutdown_sync()
lock_timer_base()
// For now, will not detach the timer but only clear its function to NULL
if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
if (shutdown)
        timer->function = NULL;
unlock_timer_base()
                                        [call_timer_fn exit]
                                        lock_timer_base()
                                        base->running_timer = NULL;
                                        unlock_timer_base()
                                        ...
                                        // Now timer is pending while its function set to NULL.
                                        // next timer trigger
                                        <SOFTIRQ>
                                        expire_timers()
                                        WARN_ON_ONCE(!fn) // hit
                                        ...
lock_timer_base()
// Now timer will detach
if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
if (shutdown)
        timer->function = NULL;
unlock_timer_base()

The problem is that timer_shutdown_sync() clears the timer function
regardless of whether the timer is currently running. This can leave a
pending timer with a NULL function pointer, which triggers the
WARN_ON_ONCE(!fn) check in expire_timers().

Fix this by only clearing the timer function when actually detaching the
timer. If the timer is running, leave the function pointer intact, which is
safe because the timer will be properly detached when it finishes running.
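The interleaving above, replayed deterministically in a single thread as an added example (not kernel code): `shutdown_step` models the locked section of timer_shutdown_sync() before and after the fix, and `replay_race` reports whether the next expire_timers() pass would find a pending timer with a NULL callback. The struct and function names are simplified stand-ins for the kernel's, not its real API.

```c
/* Single-threaded replay of the interleaving above (added example, not
 * kernel code; the structs and functions are simplified models). */
#include <stdbool.h>
#include <stddef.h>

typedef void (*timer_fn)(void);
struct timer { timer_fn function; bool pending; };
struct timer_base { struct timer *running_timer; };

static void callback(void) {}

/* Locked section of timer_shutdown_sync(): detach if pending and not running.
 * fixed == false clears the function unconditionally (the bug);
 * fixed == true clears it only when the timer was actually detached. */
static bool shutdown_step(struct timer_base *base, struct timer *t, bool fixed)
{
    bool detached = false;
    if (base->running_timer != t && t->pending) {
        t->pending = false;
        detached = true;
    }
    if (!fixed || detached)
        t->function = NULL;
    return detached;
}

/* Replays the CPU0/CPU1 steps from the diagram; returns true if the next
 * expire_timers() pass would see a pending timer with a NULL function. */
static bool replay_race(bool fixed)
{
    struct timer t = { callback, true };
    struct timer_base base = { NULL };
    t.pending = false;               /* CPU1: expire_timers() dequeues it */
    base.running_timer = &t;         /* CPU1: marks it running, unlocks base */
    t.pending = true;                /* CPU1: callback re-arms via mod_timer() */
    shutdown_step(&base, &t, fixed); /* CPU0: first timer_shutdown_sync() pass */
    base.running_timer = NULL;       /* CPU1: callback exits */
    return t.pending && t.function == NULL; /* would hit WARN_ON_ONCE(!fn) */
}

int main(void)
{
    /* exit status 0 when the buggy variant warns and the fixed one does not */
    return (replay_race(false) && !replay_race(true)) ? 0 : 1;
}
```

After the callback has exited, a second `shutdown_step` call on the re-armed timer detaches it and clears the function in both variants, which is the retry the commit message relies on.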