lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240604113834.GO3884@unreal>
Date: Tue, 4 Jun 2024 14:38:34 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Hillf Danton <hdanton@...a.com>, Tejun Heo <tj@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
	Lai Jiangshan <jiangshanlai@...il.com>,
	Zqiang <qiang.zhang1211@...il.com>, linux-kernel@...r.kernel.org,
	Gal Pressman <gal@...dia.com>, Tariq Toukan <tariqt@...dia.com>,
	RDMA mailing list <linux-rdma@...r.kernel.org>
Subject: Re: [PATCH -rc] workqueue: Reimplement UAF fix to avoid lockdep
 worning

On Tue, Jun 04, 2024 at 06:54:56PM +0800, Hillf Danton wrote:
> On Tue, 4 Jun 2024 11:09:58 +0300 Leon Romanovsky <leon@...nel.org>
> > On Mon, Jun 03, 2024 at 10:10:36AM -1000, Tejun Heo wrote:
> > > 
> > > And KASAN is reporting use-after-free on a completely unrelated VFS object.
> > > I can't tell for sure from the logs alone but lockdep_register_key()
> > > iterates entries in the hashtable trying to find whether the key is a
> > > duplicate and it could be that that walk is triggering the use-after-free
> > > warning. If so, it doesn't really have much to do with workqueue. The
> > > corruption happened elsewhere and workqueue just happens to traverse the
> > > hashtable afterwards.
> > 
> > The problem is that revert of commit 643445531829
> > ("workqueue: Fix UAF report by KASAN in pwq_release_workfn()")
> > fixed these use-after-free reports.
> > 
> Given revert makes sense,

Thanks, it is very rare situation where call to flush/drain queue
(in our case kthread_flush_worker) in the middle of the allocation
flow can be correct. I can't remember any such case.

So even we don't fully understand the root cause, the reimplementation
is still valid and improves existing code.

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ