On Wed, 28 Apr 2021 at 09:06, Martin Wilck <mwilck@xxxxxxxx> wrote:
>
> Yes, that's what I think has happened. timer_setup() doesn't clear any
> pointers in the list of pending timers pointing to this entry. If the
> newly-initialized timer is then added with mod_timer(), it becomes
> linked in a second timer list. When the first one expires, the timer
> will be detached, but only from one of the lists it's pending in. In a
> scenario like the one we faced, this could actually happen multiple
> times. If the detached timer remains linked into a timer list, once
> that list is traversed, the kernel dereferences a pointer with value
> LIST_POISON2, and crashes.

Yes, I think it makes sense. timer_setup() modifies the timer's base in
the "flags" field, then mod_timer() could add the timer to the wrong base
structure.

Maurizio
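The sequence Martin describes, modelled in user space as an added example (not code from this thread or from the kernel): a node pending on one base is re-initialised without being detached, armed on a second base, and then detached once. It assumes a plain doubly linked list with constructed poison values in place of the kernel's hlist-based timer bases, and `reinit_pending_timer(1)` models detaching the timer before re-initialising it.

```c
/* Added illustration, not code from the thread: a user-space model of the
 * sequence Martin describes. Assumption: a doubly linked list with constructed
 * poison values stands in for the kernel's hlist timer bases. */
struct node { struct node *next, *prev; };
#define POISON1 ((struct node *)0x100)   /* plays the role of LIST_POISON1 */
#define POISON2 ((struct node *)0x122)   /* plays the role of LIST_POISON2 */
static void list_init(struct node *h) { h->next = h->prev = h; }

/* Same shape as the kernel's list_add(): link n right after head */
static void list_add(struct node *n, struct node *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}
/* Same shape as the kernel's list_del(): unlink from ONE list, then poison */
static void list_del(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = POISON1;
    n->prev = POISON2;
}
/* Walk a base's list: entry count, or -1 on reaching a poisoned entry
 * (the point where the kernel dereferences the poison and crashes). */
static int walk(struct node *head)
{
    int count = 0;
    for (struct node *p = head->next; p != head; p = p->next) {
        if (p->next == POISON1 || p->prev == POISON2)
            return -1;
        count++;
    }
    return count;
}
/* Pending on base_a, re-initialised, armed on base_b, detached once on expiry.
 * detach_first = 1 models del_timer() before timer_setup(), the safe order. */
static int reinit_pending_timer(int detach_first)
{
    struct node base_a, base_b, timer;
    list_init(&base_a); list_init(&base_b);
    list_add(&timer, &base_a);   /* first mod_timer(): pending on base_a */
    if (detach_first)
        list_del(&timer);
    list_init(&timer);           /* timer_setup(): forgets the old link */
    list_add(&timer, &base_b);   /* second mod_timer(): linked on base_b too */
    list_del(&timer);            /* expiry: detached from base_b only */
    return walk(&base_a);        /* base_a still references the entry */
}
```

With `detach_first` = 0 the walk over base_a reaches the poisoned entry, which is the crash Martin describes; with the timer detached before re-initialisation base_a walks clean.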