Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp4037983pxv; Tue, 13 Jul 2021 09:19:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzznJkQo42lVNuKnECuvbr1LQbtTRLGcKS9TT1FmXHEitTgCGj4/tdJjJdf1DRQslDfH0w2 X-Received: by 2002:a17:907:3c16:: with SMTP id gh22mr6802888ejc.158.1626193175375; Tue, 13 Jul 2021 09:19:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626193175; cv=none; d=google.com; s=arc-20160816; b=xhfITBLlgla6rWxgleYApPlBdW3AEMlPEDNahwC9qttB0nf0x36CIqop7j2j1iyAok yDsTsvMbDR4HwHxLHLWhKS4dgJmTbTMtP+8IYSB5hs0bWjbxxFWDSmE0L8hnIi4sDBDc J2XgSUxfvLJpDpIv00OtxThEn0Af1Ymrm2Lmcz0/DK1Vt8SiO6RGj6/6eqsPysuU16Jr kT0uzBgO+JceJC5IZTWp+1iAUQC0riDFVS/yv2dk6tEoz3qcA1eEgdHw3XwfxgAZJ3ut RF8TfAab4OyLOhhcRsn08WubJiZrHOTWsdIHoFXNm0Ph2d11FHOBMyd/oZzxIskFGq7q 1cLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:sender:dkim-signature; bh=A5YhPK+U85k0SKsYlDjEBbw9AMYz32iyaMx2KI0XJrU=; b=juoUmxQdAZRBa7/kIJFE4iSUG7BDIKGdhKpF/twJuaZ241XT49J2g4MNXj3Noe2rUB XAH0qBCT7W7Tzt68q0q7Hw1dr7LbQSKOtb9txiyiy+cRjSRqdgF26JXm4A5OgvnFa9MC IUaRhbFmhIK1VxBNYtNvTTlPeKi2UP0kLsMIOImC+KllVRTwpn18JDkwv9NgHSdQOYaT UkjDkbo1hAZWOkM9YhGSPmja5AqaNnQqQceJngHk7X1mbpku/wLV/E48/MbFK4TggCmp yY+mwMHV+3Xblf5OKHOXOnig4n0u5xr/JhPcJ2cIuFtxr74gtjw5D0cQl2A1iD4erYg6 3VSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Qfwg9sDK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bx22si7991333edb.157.2021.07.13.09.19.12; Tue, 13 Jul 2021 09:19:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Qfwg9sDK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229650AbhGMQVK (ORCPT + 99 others); Tue, 13 Jul 2021 12:21:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41196 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229454AbhGMQVG (ORCPT ); Tue, 13 Jul 2021 12:21:06 -0400 Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB8E0C0613DD for ; Tue, 13 Jul 2021 09:18:15 -0700 (PDT) Received: by mail-pj1-x102b.google.com with SMTP id bt15so7364200pjb.2 for ; Tue, 13 Jul 2021 09:18:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=A5YhPK+U85k0SKsYlDjEBbw9AMYz32iyaMx2KI0XJrU=; b=Qfwg9sDKAm5t+RWonrl91t9f06nWp0+7onIoZC3nBS9NUBXEur05hfosoHDL9VU2p+ 2Kf/R5KU+lhnSUhdi9MkfDM09b2TmogQwIijHnuiDDIIp4WVA6hJ+hDIid928ms23HgM slmX0nlW6DwQ4CAkltMqxGOvpkemWqcPgiHOX9aiP6mYrgKrf9JAX3DCRmh7ZGhJnOTI 6n3GmonwtA2d3ngFbsWSdNEc5NwYClUrDvQuiT/QEpkhNqiSzzQYRoS9fL3YuPj38013 GZpacX8lefNmjSpZPHpI0XzbxTdyuxMgKp6wVqMy9nZVfdu1sqq0jZZqqdo8DPqu9/8C 5L7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to; bh=A5YhPK+U85k0SKsYlDjEBbw9AMYz32iyaMx2KI0XJrU=; b=sHR6mMpIKA+LGjkE+gXoyA9/CjPvuNw2rdadaVyLYalDdoTM5h8GPCVH45thmgLt65 yyr4HBpErD/C1U5fvfDMHDJASokcId6CZFNDberG7D5tZ30pfhex5kx1tSppa+QBOPxg bMjICoiAJezB9efzZ1clupskVF9SmPmXro0N76jaxjxDVMBo9FCpfaELajVaBwha//ks WYMuP+IiJ57NP+nxTpSJ/qrtdladU0yhBVI9TPkqC42h75Dcj5otfHjeYEqn0L0/onRK wUSdlUZvMEHoXCnOPQhD4ICK22aiiZ53dJmP/Y17g+hUSkwjQSCdtJ4dq6XlEcV4JT3A fGWg== X-Gm-Message-State: AOAM533V/Sr+9I0dWwWgqBTB92gu0csgXtIKxGdRDYpyvEr2OENf+kT/ bK99ApspOlw0sYjaYK1EsrU= X-Received: by 2002:a17:902:ead2:b029:12a:ec28:7bc9 with SMTP id p18-20020a170902ead2b029012aec287bc9mr4034711pld.79.1626193095174; Tue, 13 Jul 2021 09:18:15 -0700 (PDT) Received: from localhost (udp264798uds.hawaiiantel.net. [72.253.242.87]) by smtp.gmail.com with ESMTPSA id j20sm17014874pfc.203.2021.07.13.09.18.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Jul 2021 09:18:14 -0700 (PDT) Sender: Tejun Heo Date: Tue, 13 Jul 2021 06:18:13 -1000 From: Tejun Heo To: Lai Jiangshan Cc: Yang Yingliang , LKML , Xu Qiang , Pavel Skripkin Subject: Re: [PATCH v2] workqueue: fix UAF in pwq_unbound_release_workfn() Message-ID: References: <20210709071100.4057639-1-yangyingliang@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, Lai. On Tue, Jul 13, 2021 at 01:56:12PM +0800, Lai Jiangshan wrote: > > Does something like the following work? > > It works since it has a flush_scheduled_work() in > alloc_and_link_pwqs(). But I don't think it works for > workqueue_apply_unbound_cpumask() when apply_wqattrs_commit() > is not called. Yeah, but in that path, wq is fully initialized and will always have existing pwqs, so the wq free path shouldn't get activated. During wq allocation, the problem is that we're installing the first set of pwqs, so if they fail, the workqueue doesn't have any pwqs and thus triggers self-destruction. > If we want to reuse the current apply_wqattrs_cleanup(), I would prefer > something like this: (untested) > > @@ -3680,15 +3676,21 @@ static void pwq_unbound_release_workfn(struct > work_struct *work) > unbound_release_work); > struct workqueue_struct *wq = pwq->wq; > struct worker_pool *pool = pwq->pool; > - bool is_last; > + bool is_last = false; > > - if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) > - return; > + /* > + * when @pwq is not linked, it doesn't hold any reference to the > + * @wq, and @wq is invalid to access. > + */ > + if (!list_empty(&pwq->pwqs_node)) { > + if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) > + return; > > - mutex_lock(&wq->mutex); > - list_del_rcu(&pwq->pwqs_node); > - is_last = list_empty(&wq->pwqs); > - mutex_unlock(&wq->mutex); > + mutex_lock(&wq->mutex); > + list_del_rcu(&pwq->pwqs_node); > + is_last = list_empty(&wq->pwqs); > + mutex_unlock(&wq->mutex); > + } > > mutex_lock(&wq_pool_mutex); > put_unbound_pool(pool); But, oh yeah, this is way better. Thanks. -- tejun