[patch 00/11] hrtimers: Cleanup hrtimer_forward() [ab]use
A recent syzbot report unearthed abuse of hrtimer_forward() which can cause runaway timers hogging the CPU in timer expiry context by rearming the timer in the past over and over.
This happens when the caller uses timer->expiry for the 'now' argument of hrtimer_forward(). That works as long as the timer expiry is on time, but can cause a long period of rearm/fire loops which hog the CPU. Expiring late can have various causes, but obviously virtualization is prone to that due to VCPU scheduling.
The correct usage of hrtimer_forward() is to hand the current time to the 'now' argument which ensures that the next event on the periodic time line is past now. This is what hrtimer_forward_now() provides.
The following series addresses this:
1) Add a debug mechanism to the hrtimer expiry loop
2) Convert all hrtimer_forward() usage outside of kernel/time/ to use hrtimer_forward_now().
3) Confine hrtimer_forward() to kernel/time/ core code.
The mac80211_hwsim patch has already been picked up by the wireless maintainer and all other patches which affect usage outside the core code can be picked up by the relevant subsystems. If a maintainer wants me to pick a particular patch up, please let me know.
The last patch which confines hrtimer_forward() will be postponed until all other patches have been merged into Linus' tree.
The series is also available from git:
git://git.kernel.org/pub/scm/linux/kernel/git/tglx/devel.git hrtimer
Thanks,
tglx
---
 drivers/gpu/drm/i915/i915_pmu.c        |  2 -
 drivers/net/wireless/mac80211_hwsim.c  |  4 +-
 drivers/net/wwan/iosm/iosm_ipc_imem.c  |  4 +-
 drivers/power/reset/ltc2952-poweroff.c |  4 --
 include/linux/hrtimer.h                | 26 -----------------
 include/linux/posix-timers.h           |  3 ++
 kernel/signal.c                        | 14 +--------
 kernel/time/hrtimer.c                  | 48 ++++++++++++++++++++++++++++++++-
 kernel/time/itimer.c                   | 13 ++++++++
 kernel/time/posix-timers.c             | 42 +++++++++++----------------
 kernel/time/tick-internal.h            |  1
 net/can/bcm.c                          |  2 -
 sound/drivers/pcsp/pcsp_lib.c          |  2 -
 13 files changed, 92 insertions(+), 73 deletions(-)
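The rearm/fire loop described in the cover letter above, as an added user-space illustration that is not part of the original posting or of the kernel source. model_forward() is a simplified model of the forwarding rule, and back_to_back(), the 50 us period, the 10 ms delay and the 1 us callback cost are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

typedef int64_t ns_t;   /* nanoseconds; stand-in for the kernel's ktime_t */

/* Simplified user-space model (an assumption of this example, not kernel
 * code): move *expires forward by whole intervals until it lies after 'now'.
 * Returns how many intervals were added, 0 if 'now' is before the expiry. */
static uint64_t model_forward(ns_t *expires, ns_t now, ns_t interval)
{
    ns_t delta = now - *expires;
    uint64_t orun = 1;

    if (delta < 0)
        return 0;
    if (delta >= interval) {
        orun = (uint64_t)(delta / interval);
        *expires += interval * (ns_t)orun;   /* skip the missed periods */
        orun++;
    }
    *expires += interval;
    return orun;
}

/* Count the callbacks that run back to back when the timer fires 'late' ns
 * after its expiry and each callback takes 'cost' ns.
 * expiry_as_now = 1: 'now' is the timer's own expiry (the misuse).
 * expiry_as_now = 0: 'now' is the current time (hrtimer_forward_now() usage). */
static unsigned long back_to_back(ns_t interval, ns_t late, ns_t cost,
                                  int expiry_as_now)
{
    ns_t expires = 0, clock = late;
    unsigned long calls = 0;

    while (expires <= clock) {      /* timer is due: the callback runs */
        calls++;
        clock += cost;
        model_forward(&expires, expiry_as_now ? expires : clock, interval);
    }
    return calls;
}

int main(void)
{
    printf("on time, expiry as now:    %lu\n", back_to_back(50000, 0, 1000, 1));
    printf("10 ms late, expiry as now: %lu\n", back_to_back(50000, 10000000, 1000, 1));
    printf("10 ms late, current time:  %lu\n", back_to_back(50000, 10000000, 1000, 0));
    return 0;
}
```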
The hrtimer callback pcsp_do_timer() prepares rearming of the timer with hrtimer_forward(). hrtimer_forward() is intended to provide a mechanism to forward the expiry time of the hrtimer by a multiple of the period argument so that the expiry time is greater than the time provided in the 'now' argument.
pcsp_do_timer() invokes hrtimer_forward() with the current timer expiry time as 'now' argument. That's providing a periodic timer expiry, but is not really robust when the timer callback is delayed so that the resulting new expiry time is already in the past which causes the callback to be invoked immediately again. If the timer is delayed then the back to back invocation is not really making it better than skipping the missed periods. Sound is distorted in any case.
Use hrtimer_forward_now() which ensures that the next expiry is in the future. This prevents hogging the CPU in the timer expiry code and allows later on to remove hrtimer_forward() from the public interfaces.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: alsa-devel@alsa-project.org
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Jaroslav Kysela <perex@perex.cz>
---
 sound/drivers/pcsp/pcsp_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/drivers/pcsp/pcsp_lib.c +++ b/sound/drivers/pcsp/pcsp_lib.c @@ -143,7 +143,7 @@ enum hrtimer_restart pcsp_do_timer(struc if (pointer_update) pcsp_pointer_update(chip);
- hrtimer_forward(handle, hrtimer_get_expires(handle), ns_to_ktime(ns)); + hrtimer_forward_now(handle, ns_to_ktime(ns));
return HRTIMER_RESTART; }
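Review bot: the return value of hrtimer_forward_now() is dropped at the changed call in pcsp_do_timer(), so when the callback runs late the periods that get skipped are invisible to the driver. The commit message accepts that, since sound is distorted either way, but a one-line comment above the call stating that missed periods are skipped on purpose would keep a later reader from switching it back to the hrtimer_get_expires() form.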
On Thu, 23 Sep 2021 18:04:25 +0200, Thomas Gleixner wrote:
The hrtimer callback pcsp_do_timer() prepares rearming of the timer with hrtimer_forward(). hrtimer_forward() is intended to provide a mechanism to forward the expiry time of the hrtimer by a multiple of the period argument so that the expiry time is greater than the time provided in the 'now' argument.
pcsp_do_timer() invokes hrtimer_forward() with the current timer expiry time as 'now' argument. That's providing a periodic timer expiry, but is not really robust when the timer callback is delayed so that the resulting new expiry time is already in the past which causes the callback to be invoked immediately again. If the timer is delayed then the back to back invocation is not really making it better than skipping the missed periods. Sound is distorted in any case.
Use hrtimer_forward_now() which ensures that the next expiry is in the future. This prevents hogging the CPU in the timer expiry code and allows later on to remove hrtimer_forward() from the public interfaces.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: alsa-devel@alsa-project.org
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Thanks, applied now to sound git tree.
Takashi
participants (2)
- Takashi Iwai
- Thomas Gleixner