On 2022-10-06 09:39:46 [-0700], Sultan Alsawaf wrote:
> Hi Sebastian,

Hi Sultan,

> But since a timer is marked as not-pending prior to when it runs, add_timer_on()
> can't detect if the timer is actively running; the above BUG_ON() won't be
> tripped. So the UaF scenario I foresee is that doing this:
>
>     add_timer_on(timer, 0);
>     // timer is actively running on CPU0, timer is no longer pending
>     add_timer_on(timer, 1); // changes timer base, won't wait for timer to stop
>     del_timer_sync(timer); // only checks CPU1 timer base for the running timer

/me taking notes.

> Sultan

Sebastian