[PATCH v3] nvme: rdma/tcp: fix list corruption with anatt timer

Maurizio Lombardi mlombard at redhat.com
Wed Apr 28 08:21:56 BST 2021


On Wed, 28 Apr 2021 at 09:06, Martin Wilck <mwilck at suse.com> wrote:
>
> Yes, that's what I think has happened. timer_setup() doesn't clear any
> pointers in the list of pending timers pointing to this entry. If the
> newly-initialized timer is then added with mod_timer(), it becomes
> linked in a second timer list. When the first one expires, the timer
> will be detached, but only from one of the lists it's pending in. In a
> scenario like the one we faced, this could actually happen multiple
> times. If the detached timer remains linked into a timer list, once
> that list is traversed, the kernel dereferences a pointer with value
> LIST_POISON2, and crashes.

Yes, I think it makes sense.
timer_setup() modifies the timer's base in the "flags" field, then mod_timer()
could add the timer to the wrong base structure.

Maurizio
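
Added example, not code from this patch or from the Linux kernel: a small
userspace model of the sequence the thread describes. Kernel timers hang off
per-base hlist buckets; timer_setup() resets entry.pprev without unlinking
the entry, mod_timer() then sees the timer as not pending and adds it to a
second base, and expiry detaches it from that base only, writing LIST_POISON2
into entry.next. The first base's bucket still points at the entry, so a walk
of that bucket reads the poison value. The names below (tbase, hnode,
timer_init, timer_queue, timer_fire, timer_del, base_walk) belong to this
model, the poison constant is assumed to match the kernel's, and the "safe"
sequence (unlink before re-initialising) illustrates the invariant rather
than the actual change in the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define LIST_POISON2 ((struct hnode *)0x122)   /* assumed: kernel's value */

struct hnode { struct hnode *next; struct hnode **pprev; };
struct tbase { struct hnode *first; };         /* one bucket per base */
struct timer { struct hnode entry; struct tbase *base; int fired; };

static void hlist_add_head(struct hnode *n, struct tbase *b)
{
    n->next = b->first;
    if (b->first)
        b->first->pprev = &n->next;
    b->first = n;
    n->pprev = &b->first;
}

static void hlist_del(struct hnode *n)
{
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
}

/* timer_pending(): a timer counts as pending iff entry.pprev is set. */
static bool timer_pending(const struct timer *t) { return t->entry.pprev != NULL; }

/* Model of timer_setup(): resets entry and base, never unlinks. */
static void timer_init(struct timer *t, struct tbase *b)
{
    t->entry.pprev = NULL;   /* looks "not pending" even if still linked */
    t->base = b;
    t->fired = 0;
}

/* Model of mod_timer() arming a timer: enqueue on t->base unless pending. */
static void timer_queue(struct timer *t)
{
    if (timer_pending(t))
        return;              /* re-queue path not needed for this model */
    hlist_add_head(&t->entry, t->base);
}

/* Model of detach_timer(timer, true) at expiry: unlink from one base only. */
static void timer_fire(struct timer *t)
{
    hlist_del(&t->entry);
    t->entry.pprev = NULL;
    t->entry.next = LIST_POISON2;
    t->fired = 1;
}

/* Model of del_timer(): unlink if pending, without poisoning. */
static void timer_del(struct timer *t)
{
    if (!timer_pending(t))
        return;
    hlist_del(&t->entry);
    t->entry.pprev = NULL;
}

/* Walk a base's bucket. Returns the entry count, or -1 where the next step
 * would dereference the poison value (the point at which the kernel oopses). */
static int base_walk(const struct tbase *b)
{
    int count = 0;
    for (struct hnode *n = b->first; n != NULL; n = n->next) {
        if (n == LIST_POISON2)
            return -1;
        count++;
    }
    return count;
}

/* Buggy sequence: re-initialise a pending timer and arm it on another base. */
int walk_after_reinit_while_pending(void)
{
    struct tbase a = { NULL }, b = { NULL };
    struct timer t = { { NULL, NULL }, NULL, 0 };

    timer_init(&t, &a);
    timer_queue(&t);       /* linked in base a */
    timer_init(&t, &b);    /* BUG: base a still points at t.entry */
    timer_queue(&t);       /* now linked in base b as well */
    timer_fire(&t);        /* detached from b only; entry.next poisoned */
    return base_walk(&a);  /* -1: a's bucket leads to LIST_POISON2 */
}

/* Safe sequence: unlink before re-initialising (del_timer_sync() in the kernel). */
int walk_after_del_then_reinit(void)
{
    struct tbase a = { NULL }, b = { NULL };
    struct timer t = { { NULL, NULL }, NULL, 0 };

    timer_init(&t, &a);
    timer_queue(&t);
    timer_del(&t);         /* base a no longer references t.entry */
    timer_init(&t, &b);
    timer_queue(&t);
    timer_fire(&t);
    return base_walk(&a) + base_walk(&b);   /* 0: both buckets empty */
}

int main(void)
{
    printf("reinit while pending: walk result %d\n", walk_after_reinit_while_pending());
    printf("del then reinit:      walk result %d\n", walk_after_del_then_reinit());
    return 0;
}
```

The model deliberately leaves out locking and multiple buckets per base; the
point it isolates is that a timer_setup()-style re-init makes timer_pending()
return false for an entry that is still reachable from the old base, which is
exactly what lets mod_timer() link it a second time.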
