Fix heap corruption in timer subsystem

visitorckw · visitorckw · commit 7dcb79cc9ede · 2025-10-17T15:37:41.000+08:00
The system was encountering a critical kernel panic, manifesting as:
*** KERNEL PANIC (-16370) – heap corruption or invalid free

The core problem stemmed from a conflict between two memory management
strategies for linked-list nodes. The timer module utilized a custom
static memory pool for its nodes, while the generic list manipulation
functions performed their own malloc() and free() operations. This
architectural mismatch led to two critical bugs.

Firstly, a double-free occurred in mo_timer_destroy(). The generic
list_remove() function would free a list node's memory, and then the
same function would attempt to return this already-freed node to the
custom memory pool.

Secondly, a use-after-free vulnerability existed in the
_timer_tick_handler(). If an expired timer's callback function
destroyed the timer, the handler would subsequently attempt to access
the now-freed timer's memory to check its auto-reload status.

Fix these issues by removing the custom memory pool and unifying all
node memory management under the generic list API. The
_timer_tick_handler() now also re-validates the timer's existence after
its callback executes to prevent accessing freed memory.
diff --git a/kernel/timer.c b/kernel/timer.c
@@ -227,11 +227,14 @@ void _timer_tick_handler(void)
     /* Collect expired timers in one pass, limited to batch size */
     while (!list_is_empty(kcb->timer_list) &&
            expired_count < TIMER_BATCH_SIZE) {
-        timer_t *t = (timer_t *) kcb->timer_list->head->next->data;
+        list_node_t *node = kcb->timer_list->head->next;
+        timer_t *t = (timer_t *) node->data;
 
         if (now >= t->deadline_ticks) {
             expired_timers[expired_count++] = t;
-            list_pop(kcb->timer_list); /* O(1) removal from head */
+            kcb->timer_list->head->next = node->next;
+            kcb->timer_list->length--;
+            return_timer_node(node);
         } else {
             /* First timer not expired, so none further down are */
             break;
@@ -347,7 +350,15 @@ int32_t mo_timer_destroy(uint16_t id)
     }
 
     /* Remove from master list */
-    list_remove(all_timers_list, node);
+    list_node_t *prev = all_timers_list->head;
+    while (prev->next != all_timers_list->tail && prev->next != node)
+        prev = prev->next;
+
+    if (likely(prev->next == node)) {
+        prev->next = node->next;
+        all_timers_list->length--;
+    }
+
     free(t);
     return_timer_node(node);
 
