| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALm+0cVf+E_Y41AdEwLjm2gZAjzeKaZev1Tu1hUS-VpYH0eEHQ@mail.gmail.com> Date: Wed, 6 Sep 2023 10:12:34 +0800 From: Z qiang <qiang.zhang1211@...il.com> To: Tejun Heo <tj@...nel.org> Cc: jiangshanlai@...il.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH] workqueue: Fix UAF report by KASAN in pwq_release_workfn() > > Hello, > > On Sat, Sep 02, 2023 at 07:50:26PM +0800, Zqiang wrote: > > diff --git a/kernel/workqueue.c b/kernel/workqueue.c > > index c85825e17df8..f3f9c9222070 100644 > > --- a/kernel/workqueue.c > > +++ b/kernel/workqueue.c > > @@ -4609,6 +4609,10 @@ static int alloc_and_link_pwqs(struct workqueue_struct *wq) > > free_percpu(wq->cpu_pwq); > > wq->cpu_pwq = NULL; > > } > > + wq_unregister_lockdep(wq); > > + wq_free_lockdep(wq); > > + free_workqueue_attrs(wq->unbound_attrs); > > + kfree(wq); > > So, this would fix the bug but it's quite confusing because we end up taking > two separate error handling paths and alloc_and_link_pwqs() ends up freeing > stuff allocated outside the function. Wouldn't it be enough to flush the > pwq_release_worker after apply_workqueue_attrs() failure so that the cleanup > operation ordering is maintained? Hello, Tejun Flush the pwq_release_worker is insufficient, the call_rcu() is invoked to release wq in pwq_release_workfn(), this is also asynchronous. Thanks Zqiang > > Thanks. > > -- > tejun
Powered by blists - more mailing lists