Date: Mon, 18 Sep 2023 08:06:21 -1000
From: Tejun Heo
To: Z qiang
Cc: jiangshanlai@gmail.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] workqueue: Fix UAF report by KASAN in pwq_release_workfn()
References: <20230902115026.13460-1-qiang.zhang1211@gmail.com>

On Thu, Sep 07, 2023 at 10:13:23AM +0800, Z qiang wrote:
> >
> > On Wed, Sep 06, 2023 at 10:12:34AM +0800, Z qiang wrote:
> > > Flush the pwq_release_worker is insufficient, the call_rcu() is
> > > invoked to release wq
> > > in pwq_release_workfn(), this is also asynchronous.
> >
> > But rcu_free_pwq() doesn't access wq or anything. The last access is from
> > the work function.
>
> The rcu_free_wq() will access wq->cpu_pwq or unbound_attrs,
> but at this time, the kfree(wq) may have been called in alloc_workqueue().

I'm not following. The only way alloc_and_link fails is if
apply_wqattrs_prepare() fails and if prepare fails, none of the pwq's are
installed and pwq_unbound_release_workfn() won't try to free the wq as the
pwq's don't have any reference on it. So, if you flush the pwq release work
items, there can be no rcu_free_wq() in flight.

Can you please try to see whether the problem is reproducible with flushing?

Thanks.

-- 
tejun