Linux 7.2 Protects Against "Stupid Or Malicious" DoS Attempts By Arming Timers In The Past
There are a number of time(r) core subsystem changes for the Linux 7.2 kernel to better harden the kernel.
One of the most interesting timer changes for Linux 7.2 fends off user-space that is "stupid or malicious" with the HRTIMER interface, where unprivileged users could cause potential denial of service (DoS) issues by arming timers in the past. Surprisingly, until now the kernel wasn't checking at enqueue time whether the timer had already expired, and this could lead to complexities and system issues.
Thomas Gleixner explained this in an April patch series to prevent HRTIMER interrupt starvation, sent after a user reported an NMI watchdog lockup with the CPU stuck in user-space:
"As the expiry time is in the past, the timer ends up as the first expiring timer in the per CPU hrtimer base and the clockevent device is programmed with the minimum delta value. If the machine is fast enough, this ends up in an endless loop of programming the delta value to the minimum value defined by the clock event device, before the timer interrupt can fire, which starves the interrupt and consequently triggers the lockup detector because the hrtimer callback of the lockup mechanism is never invoked.
...
There needs to be some discussion about the scope of backporting. The first patch preventing the stall is obviously a backport candidate. The remaining series can be obviously argued about, but in my opinion it should be backported as well as it prevents stupid or malicious user space from generating tons of pointless timer interrupts."
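To make the starvation condition in the quote concrete, here is a constructed model (added here, not kernel code or part of the patch series) of a clockevent device being re-armed with an expiry in the past. The "reject at enqueue time" branch is an assumed shape of the fix, not the real patch; the numbers are arbitrary.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of one clockevent device fed by hrtimer arming; it only
   reproduces the arithmetic of the stall, it is not kernel code. */
typedef struct {
    int64_t now_ns, min_delta_ns;   /* model clock; smallest programmable delta */
    int64_t programmed_ns;          /* pending interrupt time, -1 if none */
    unsigned reprograms, fired, rejected;
} sim_t;

/* Program the device: a delta below the hardware minimum is clamped up to
   min_delta_ns, which is the case described in the quote above. */
static void clockevent_program(sim_t *s, int64_t expires_ns) {
    int64_t delta = expires_ns - s->now_ns;
    if (delta < s->min_delta_ns) delta = s->min_delta_ns;
    s->programmed_ns = s->now_ns + delta;
    s->reprograms++;
}

/* checked=false: old path, always reprogram. checked=true: an enqueue-time
   check so an expiry already in the past never touches the device (assumption). */
static void hrtimer_arm(sim_t *s, int64_t expires_ns, bool checked) {
    if (checked && expires_ns <= s->now_ns) {
        s->rejected++;              /* handled as already expired */
        return;
    }
    clockevent_program(s, expires_ns);
}

/* Let step_ns elapse; deliver the interrupt if its time has come. */
static void advance(sim_t *s, int64_t step_ns) {
    s->now_ns += step_ns;
    if (s->programmed_ns >= 0 && s->now_ns >= s->programmed_ns) {
        s->fired++;
        s->programmed_ns = -1;
    }
}

/* Re-arm a timer past_ns in the past every interval_ns, iters times.
   "Fast enough" in the quote means interval_ns < min_delta_ns. */
sim_t simulate(int64_t min_delta_ns, int64_t interval_ns, int64_t past_ns, unsigned iters, bool checked) {
    sim_t s = { 0, min_delta_ns, -1, 0, 0, 0 };
    for (unsigned i = 0; i < iters; i++) {
        hrtimer_arm(&s, s.now_ns - past_ns, checked);
        advance(&s, interval_ns);
    }
    return s;
}
```

With an arming interval shorter than the device minimum, the old path reprograms on every call and the interrupt never fires; the checked path never touches the device at all.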
In addition to dealing with timers armed in the past, another change worth mentioning fixes a PID reference count leak in the POSIX CPU timer code. What makes this interesting is that the leak, in a POSIX CPU timer error path, has existed for more than twenty years, going back to the Linux 2.6.12 kernel, before finally being spotted and fixed.
More details on the timer changes for Linux 7.2 can be found in the pull request, which has already been merged to Git.
