On Wed 28. 4. 2021 at 9:06, Martin Wilck mwilck@suse.com wrote:
Yes, that's what I think has happened. timer_setup() doesn't clear any pointers in the list of pending timers pointing to this entry. If the newly-initialized timer is then added with mod_timer(), it becomes linked in a second timer list. When the first one expires, the timer will be detached, but only from one of the lists it's pending in. In a scenario like the one we faced, this could actually happen multiple times. If the detached timer remains linked into a timer list, once that list is traversed, the kernel dereferences a pointer with value LIST_POISON2, and crashes.
Yes, I think it makes sense. timer_setup() modifies the timer's base in the "flags" field, then mod_timer() could add the timer to the wrong base structure.
Maurizio
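To make the sequence described in the thread concrete, the following is an added user-space model; it is not kernel code and not from either poster. Two singly-linked "base" lists stand in for timer bases, and node_setup/base_add/base_del are hypothetical stand-ins for timer_setup()/mod_timer()/expiry; the poison value is constructed.

```c
/* Added example (user-space model, not kernel code): tnode/tlist and the
 * LIST_POISON2 value are hypothetical stand-ins for timer entries and per-base lists. */
#include <stddef.h>
#define LIST_POISON2 ((struct tnode *)0x122)  /* constructed poison value */
struct tnode { struct tnode *next; int id; };
struct tlist { struct tnode *head; };

/* Re-initialize an entry without checking whether it is still linked,
 * as timer_setup() does when called on a pending timer. */
static void node_setup(struct tnode *n, int id) { n->next = NULL; n->id = id; }

/* Link at the head of a base list (mod_timer() on a timer it sees as idle). */
static void base_add(struct tlist *l, struct tnode *n) { n->next = l->head; l->head = n; }

/* Detach from ONE list and poison the link, hlist_del-style. Returns 1 if found. */
static int base_del(struct tlist *l, struct tnode *n) {
    for (struct tnode **pp = &l->head; *pp; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; n->next = LIST_POISON2; return 1; }
    return 0;
}

/* Traverse a base list: entry count, or -1 on a poisoned link, which is where
 * the real kernel would dereference LIST_POISON2 and crash. */
static int base_walk(const struct tlist *l) {
    int count = 0;
    for (const struct tnode *n = l->head; n; n = n->next) {
        if (n->next == LIST_POISON2) return -1;
        count++;
    }
    return count;
}

/* Buggy order: setup while pending on base A, re-add on base B, expire on B. */
int buggy_sequence(void) {
    struct tlist a = {0}, b = {0};
    struct tnode t;
    node_setup(&t, 1); base_add(&a, &t);  /* pending on A */
    node_setup(&t, 1); base_add(&b, &t);  /* re-initialized while still on A */
    base_del(&b, &t);                      /* expiry unlinks from B only */
    return base_walk(&a);                  /* A still links t, now poisoned: -1 */
}

/* Safe order: detach (del_timer_sync-style) before re-initializing. */
int safe_sequence(void) {
    struct tlist a = {0}, b = {0};
    struct tnode t;
    node_setup(&t, 1); base_add(&a, &t);
    base_del(&a, &t);                      /* unlink from A first, then re-init */
    node_setup(&t, 1); base_add(&b, &t); base_del(&b, &t);
    return base_walk(&a);                  /* 0: nothing stale left on A */
}
```

A traversal of the first list returning -1 is the model's equivalent of the crash seen in the thread; the safe ordering leaves no stale link behind.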