From: richard clark
Date: Mon, 12 Dec 2022 17:17:26 +0800
Subject: Re: [PATCH] workqueue: Prevent a new work item from queueing into a destruction wq
To: Tejun Heo
Cc: jiangshanlai@gmail.com, linux-kernel@vger.kernel.org

On Mon, Dec 12, 2022 at 2:23 PM Tejun Heo wrote:
>
> On Mon, Dec 12, 2022 at 02:18:36PM +0800, Richard Clark wrote:
> > Currently the __WQ_DRAINING is used to prevent a new work item from queueing
> > to a draining workqueue, but this flag will be cleared before the end of a
> > RCU grace period. Because the workqueue instance is actually freed after
> > the RCU grace period, this fact results in an opening window in which a new
> > work item can be queued into a destroying workqueue and be scheduled
> > consequently, for instance, the below code snippet demos this accident:
>
> I mean, this is just use-after-free. The same scenario can happen with

IMO, it's not exactly the use-after-free, since there is no free action before the end of the RCU grace period; if it really is, then the code will trigger a kernel BUG:

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
...

Which can be easily observed for both non-RCU frees and RCU frees.

Thanks

> non-RCU frees or if there happens to be an RCU grace period in between. I'm
> not sure what's being protected here.
>
> Thanks.
>
> --
> tejun
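The window the commit message describes, as an added userspace model that is neither kernel code nor the patch under review: a workqueue-like object carries a "draining" flag that queueing checks, drain clears that flag, and the object is only released later by a deferred callback standing in for the RCU grace period. Everything here (model_wq, model_queue_work, MODEL_WQ_DRAINING, the keep_flag knob) is this example's own naming; the keep_flag knob is only a modelling choice to show the window closing when the flag outlives the drain, not a claim about how the posted patch does it.

```c
/*
 * Userspace model (added example, not kernel code) of a state flag that is
 * cleared before the object it guards is released.  Queueing checks the
 * flag; drain clears it; release happens later via a deferred callback that
 * we run explicitly, so the ordering is under the caller's control.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_WQ_DRAINING 0x1u  /* stands in for __WQ_DRAINING in this model */

struct model_work {
    void (*fn)(struct model_work *w);
    struct model_work *next;
};

struct model_wq {
    unsigned int flags;
    struct model_work *pending;  /* queued but not yet run */
    bool released;               /* set once the deferred release has run */
};

/* Deferred-release slot: plays the role of the RCU callback, run explicitly. */
static struct model_wq *deferred_release;

/* Refuse while draining; otherwise link the item onto the queue. */
static bool model_queue_work(struct model_wq *wq, struct model_work *w)
{
    if (wq->flags & MODEL_WQ_DRAINING)
        return false;
    w->next = wq->pending;
    wq->pending = w;
    return true;
}

/* Run everything currently queued (LIFO; order does not matter here). */
static void model_run_pending(struct model_wq *wq)
{
    while (wq->pending) {
        struct model_work *w = wq->pending;
        wq->pending = w->next;
        w->fn(w);
    }
}

/*
 * Drain: set the flag, run queued work, then clear the flag.  keep_flag is a
 * modelling knob (hypothetical, not the patch's code): when true the flag
 * stays set until the deferred release.
 */
static void model_drain_workqueue(struct model_wq *wq, bool keep_flag)
{
    wq->flags |= MODEL_WQ_DRAINING;
    model_run_pending(wq);
    if (!keep_flag)
        wq->flags &= ~MODEL_WQ_DRAINING;
}

/* Destroy: drain, then hand the object to the deferred release. */
static void model_destroy_workqueue(struct model_wq *wq, bool keep_flag)
{
    model_drain_workqueue(wq, keep_flag);
    deferred_release = wq;
}

/* End of the modelled grace period: the deferred release finally runs. */
static void model_grace_period_end(void)
{
    if (deferred_release) {
        deferred_release->released = true;  /* marked, not free()d, so it can be inspected */
        deferred_release = NULL;
    }
}

static void model_noop_fn(struct model_work *w) { (void)w; }

/*
 * Scenario: destroy returns, then a caller queues work before the grace
 * period ends.  Returns true when that work was accepted and was still on
 * the queue at the moment of release, i.e. the window was open.
 */
bool model_window_is_open(bool keep_flag)
{
    struct model_wq wq = { 0 };
    struct model_work w = { .fn = model_noop_fn, .next = NULL };

    model_destroy_workqueue(&wq, keep_flag);
    bool accepted = model_queue_work(&wq, &w);  /* inside the window */
    model_grace_period_end();
    return accepted && wq.released && wq.pending == &w;
}

int main(void)
{
    printf("flag cleared at end of drain: window open = %d\n", model_window_is_open(false));
    printf("flag kept until release:      window open = %d\n", model_window_is_open(true));
    return 0;
}
```

The general lesson the model isolates is about lifetime: a guard flag that is cleared before the guarded object is actually released leaves an interval in which the object looks usable to every caller that only checks the flag, whether the release is immediate or deferred behind a grace period.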