Commit b89eacfe authored by Ronny Meeus's avatar Ronny Meeus Committed by Jan Kiszka

copperplate/timerobj: fix corrupted timer list.

We observe an issue that the timer-list gets corrupted resulting in an
endless loop executed by the timer-server thread.

During the processing of the timeout list, a pointer to the next timer
to be handled is kept in the tmp stack variable.
Just before calling the timer handler of the current timer the lock on
the timer list is released giving other threads to change the list.
If the timer currently referenced by tmp is deleted, we end up with an
invalid node (next pointer pointing to itself) and this will result in
an endless loop of the timer server.

Test code is not available but I have seen this issue in our real
production code and after applying this path, the issue is solved.

The patch basically changes the timer server logic to always start
from the beginning of the list since when a timer is processed, it is
either removed (one-shot) or reinserted in a different location in the
The processing of the list will stop anyhow if all timers that need
to expire up to "now" are handled.
Signed-off-by: default avatarRonny Meeus <>
Signed-off-by: Jan Kiszka's avatarJan Kiszka <>
parent d98c9979
......@@ -100,7 +100,7 @@ static void *timerobj_server(void *arg)
void (*handler)(struct timerobj *tmobj);
struct timespec now, value, interval;
struct timerobj *tmobj, *tmp;
struct timerobj *tmobj;
sigset_t set;
int sig, ret;
......@@ -119,7 +119,10 @@ static void *timerobj_server(void *arg)
__RT(clock_gettime(CLOCK_COPPERPLATE, &now));
pvlist_for_each_entry_safe(tmobj, tmp, &svtimers, next) {
while (!pvlist_empty(&svtimers)) {
tmobj = pvlist_first_entry(&svtimers, typeof(*tmobj),
value = tmobj->itspec.it_value;
interval = tmobj->itspec.it_interval;
handler = tmobj->handler;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment