Commit 9f2a5216 authored by Frederic Weisbecker's avatar Frederic Weisbecker Committed by Xiongfeng Wang

hrtimer: Report offline hrtimer enqueue

stable inclusion
from stable-v5.10.210
commit b1f576be92d06228d4626b8c411e18dc408b8f6f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPLI0
CVE: CVE-2025-21816

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1f576be92d06228d4626b8c411e18dc408b8f6f



--------------------------------

commit dad6a09f3148257ac1773cd90934d721d68ab595 upstream.

The hrtimers migration on CPU-down hotplug process has been moved
earlier, before the CPU actually goes to die. This leaves a small window
of opportunity to queue an hrtimer in a blind spot, leaving it ignored.

For example a practical case has been reported with RCU waking up a
SCHED_FIFO task right before the CPUHP_AP_IDLE_DEAD stage, queuing that
way a sched/rt timer to the local offline CPU.

Make sure such situations never go unnoticed and warn when that happens.

Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
Reported-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240129235646.3171983-4-boqun.feng@gmail.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
parent c2f6be99
+3 −1
@@ -211,6 +211,7 @@ enum hrtimer_base_type {
 * @max_hang_time:	Maximum time spent in hrtimer_interrupt
 * @max_hang_time:	Maximum time spent in hrtimer_interrupt
 * @softirq_expiry_lock: Lock which is taken while softirq based hrtimer are
 * @softirq_expiry_lock: Lock which is taken while softirq based hrtimer are
 *			 expired
 *			 expired
 * @online:		CPU is online from an hrtimers point of view
 * @timer_waiters:	A hrtimer_cancel() invocation waits for the timer
 * @timer_waiters:	A hrtimer_cancel() invocation waits for the timer
 *			callback to finish.
 *			callback to finish.
 * @expires_next:	absolute time of the next event, is required for remote
 * @expires_next:	absolute time of the next event, is required for remote
@@ -233,7 +234,8 @@ struct hrtimer_cpu_base {
	unsigned int			hres_active		: 1,
	unsigned int			hres_active		: 1,
					in_hrtirq		: 1,
					in_hrtirq		: 1,
					hang_detected		: 1,
					hang_detected		: 1,
					softirq_activated       : 1;
					softirq_activated       : 1,
					online			: 1;
#ifdef CONFIG_HIGH_RES_TIMERS
#ifdef CONFIG_HIGH_RES_TIMERS
	unsigned int			nr_events;
	unsigned int			nr_events;
	unsigned short			nr_retries;
	unsigned short			nr_retries;
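Review bot: The new `online` bit is packed into the same `unsigned int` bitfield as `hres_active`, `in_hrtirq`, `hang_detected` and `softirq_activated`, so a store to it rewrites the whole storage unit, yet the `@online` kernel-doc line does not say who writes it or under which lock. In the other file of this commit the clear in hrtimers_cpu_dying() sits before `raw_spin_unlock(&old_base->lock)`, while the set in hrtimers_prepare_cpu() shows no lock within its hunk; presumably nothing else touches these flags while the CPU is being prepared, but that is not visible here. I would extend the doc line to ` * @online: CPU is online from an hrtimers point of view; set in hrtimers_prepare_cpu(), cleared in hrtimers_cpu_dying() with the base lock held`, after confirming the prepare path cannot race with another writer of the flag word. The struct definition starts and ends outside the hunk.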
+3 −0
@@ -980,6 +980,7 @@ static int enqueue_hrtimer(struct hrtimer *timer,
			   enum hrtimer_mode mode)
			   enum hrtimer_mode mode)
{
{
	debug_activate(timer, mode);
	debug_activate(timer, mode);
	WARN_ON_ONCE(!base->cpu_base->online);


	base->cpu_base->active_bases |= 1 << base->index;
	base->cpu_base->active_bases |= 1 << base->index;


@@ -2078,6 +2079,7 @@ int hrtimers_prepare_cpu(unsigned int cpu)
	cpu_base->softirq_next_timer = NULL;
	cpu_base->softirq_next_timer = NULL;
	cpu_base->expires_next = KTIME_MAX;
	cpu_base->expires_next = KTIME_MAX;
	cpu_base->softirq_expires_next = KTIME_MAX;
	cpu_base->softirq_expires_next = KTIME_MAX;
	cpu_base->online = 1;
	hrtimer_cpu_base_init_expiry_lock(cpu_base);
	hrtimer_cpu_base_init_expiry_lock(cpu_base);
	return 0;
	return 0;
}
}
@@ -2145,6 +2147,7 @@ int hrtimers_cpu_dying(unsigned int dying_cpu)
	smp_call_function_single(ncpu, retrigger_next_event, NULL, 0);
	smp_call_function_single(ncpu, retrigger_next_event, NULL, 0);


	raw_spin_unlock(&new_base->lock);
	raw_spin_unlock(&new_base->lock);
	old_base->online = 0;
	raw_spin_unlock(&old_base->lock);
	raw_spin_unlock(&old_base->lock);


	return 0;
	return 0;
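Review bot: The `WARN_ON_ONCE(!base->cpu_base->online)` added to enqueue_hrtimer() only reports the condition; the next visible statement still sets `active_bases` and the enqueue proceeds, so per the commit description the timer lands on the offline base and is ignored. For a change tracked as CVE-2025-21816 two consequences are worth recording: the lost timer itself remains (whatever waits on it could stall), and on systems that run with panic_on_warn the new warning turns that window into a panic. Because it is a _ONCE warning, later occurrences are silent, so log monitoring has to catch the first splat. I would at least add a comment above the check, `/* A timer enqueued on an offline CPU base will not expire: fix the caller or migrate the timer */`, and track a follow-up that redirects such enqueues to an online CPU. The body of enqueue_hrtimer() continues outside the hunk.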