292a089d78
Due to several bugs caused by timers being re-armed after they are shut down and just before they are freed, a new state of timers was added called "shutdown". After a timer is set to this state, it can no longer be re-armed.

The following script was run to find all the trivial locations where del_timer() or del_timer_sync() is called in the same function in which the object holding the timer is freed. It also ignores any locations where the timer->function is modified between the del_timer*() and the free(), as that is not considered a "trivial" case.

This was created by using a coccinelle script and the following commands:

    $ cat timer.cocci
    @@
    expression ptr, slab;
    identifier timer, rfield;
    @@
    (
    -       del_timer(&ptr->timer);
    +       timer_shutdown(&ptr->timer);
    |
    -       del_timer_sync(&ptr->timer);
    +       timer_shutdown_sync(&ptr->timer);
    )
      ... when strict
          when != ptr->timer
    (
            kfree_rcu(ptr, rfield);
    |
            kmem_cache_free(slab, ptr);
    |
            kfree(ptr);
    )

    $ spatch timer.cocci . > /tmp/t.patch
    $ patch -p1 < /tmp/t.patch

Link: https://lore.kernel.org/lkml/20221123201306.823305113@linutronix.de/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Acked-by: Pavel Machek <pavel@ucw.cz> [ LED ]
Acked-by: Kalle Valo <kvalo@kernel.org> [ wireless ]
Acked-by: Paolo Abeni <pabeni@redhat.com> [ networking ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
||
---|---|---|
alloc.c | ||
alloc.h | ||
bmap.c | ||
bmap.h | ||
btnode.c | ||
btnode.h | ||
btree.c | ||
btree.h | ||
cpfile.c | ||
cpfile.h | ||
dat.c | ||
dat.h | ||
dir.c | ||
direct.c | ||
direct.h | ||
export.h | ||
file.c | ||
gcinode.c | ||
ifile.c | ||
ifile.h | ||
inode.c | ||
ioctl.c | ||
Kconfig | ||
Makefile | ||
mdt.c | ||
mdt.h | ||
namei.c | ||
nilfs.h | ||
page.c | ||
page.h | ||
recovery.c | ||
segbuf.c | ||
segbuf.h | ||
segment.c | ||
segment.h | ||
sufile.c | ||
sufile.h | ||
super.c | ||
sysfs.c | ||
sysfs.h | ||
the_nilfs.c | ||
the_nilfs.h |