On Tue, 4 Jun 2024 11:09:58 +0300 Leon Romanovsky <leon@xxxxxxxxxx>
> On Mon, Jun 03, 2024 at 10:10:36AM -1000, Tejun Heo wrote:
> >
> > And KASAN is reporting use-after-free on a completely unrelated VFS object.
> > I can't tell for sure from the logs alone but lockdep_register_key()
> > iterates entries in the hashtable trying to find whether the key is a
> > duplicate and it could be that that walk is triggering the use-after-free
> > warning. If so, it doesn't really have much to do with workqueue. The
> > corruption happened elsewhere and workqueue just happens to traverse the
> > hashtable afterwards.
>
> The problem is that the revert of commit 643445531829
> ("workqueue: Fix UAF report by KASAN in pwq_release_workfn()")
> fixed these use-after-free reports.
>

Given that the revert makes sense,

	if (alloc_and_link_pwqs(wq) < 0)
		goto err_unreg_lockdep;

err_unreg_lockdep:
	wq_unregister_lockdep(wq);
	wq_free_lockdep(wq);
err_free_wq:
	free_workqueue_attrs(wq->unbound_attrs);
	kfree(wq);				<-- freed
	return NULL;

the difference 643445531829 makes is a double free.

alloc_and_link_pwqs(struct workqueue_struct *wq)

	if (ret)
		kthread_flush_worker(pwq_release_worker);

pwq_release_workfn()

	if (is_last) {
		wq_unregister_lockdep(wq);
		call_rcu(&wq->rcu, rcu_free_wq);	<-- freed again
	}
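To make the ownership problem in the message above concrete, here is a small userspace model of the two call paths. It is an added illustration written for this page, not code from workqueue.c and not the eventual kernel fix. The names (model_wq, model_put_pwq, model_flush_release_worker, MODEL_NR_PWQS) and the way pwqs are represented as a plain counter are assumptions of the model; the only thing it preserves from the thread is the ordering: pwq release is deferred to a worker, the worker frees the wq when it drops the last pwq, and the alloc_workqueue() error path frees the wq as well. Rather than calling free() twice, the model counts frees and records every touch of an object that was already freed, so both the original use-after-free (no flush on the error path) and the double free introduced by flushing the release worker on the error path show up as numbers.

```c
#include <stdio.h>
#include <string.h>

/* Added userspace model, not kernel code: one wq owning a few pwqs. */
#define MODEL_NR_PWQS 4

struct model_wq {
	int pwq_refs;   /* live pwqs still holding the wq */
	int freed;      /* how many times the wq was "freed"; must end at 1 */
	int uaf;        /* accesses to the wq after it was freed (what KASAN sees) */
};

/* deferred work standing in for pwq_release_worker (assumed representation) */
static struct model_wq *release_queue[MODEL_NR_PWQS];
static int release_pending;

static void model_put_pwq(struct model_wq *wq)
{
	release_queue[release_pending++] = wq;
}

/* pwq_release_workfn() analogue: last pwq release frees the wq */
static void model_pwq_release_workfn(struct model_wq *wq)
{
	if (wq->freed)
		wq->uaf++;		/* touching a freed wq */
	if (--wq->pwq_refs == 0)	/* is_last */
		wq->freed++;		/* stands in for call_rcu(&wq->rcu, rcu_free_wq) */
}

/* kthread_flush_worker(pwq_release_worker) analogue */
static void model_flush_release_worker(void)
{
	for (int i = 0; i < release_pending; i++)
		model_pwq_release_workfn(release_queue[i]);
	release_pending = 0;
}

/*
 * alloc_and_link_pwqs() analogue. fail_at is the index of the pwq
 * allocation that fails (-1: all succeed). flush_on_error models the
 * kthread_flush_worker() call on the failure path.
 */
static int model_alloc_and_link_pwqs(struct model_wq *wq, int fail_at,
				     int flush_on_error)
{
	int linked = 0;

	for (int i = 0; i < MODEL_NR_PWQS; i++) {
		if (i == fail_at)
			break;
		wq->pwq_refs++;		/* pwq allocated and linked to wq */
		linked++;
	}
	if (linked == MODEL_NR_PWQS)
		return 0;

	/* unwind: every linked pwq is put, i.e. queued for the release worker */
	for (int i = 0; i < linked; i++)
		model_put_pwq(wq);
	if (flush_on_error)
		model_flush_release_worker();
	return -1;
}

/* alloc_workqueue() error path: err_unreg_lockdep / err_free_wq */
static int model_alloc_workqueue(struct model_wq *wq, int fail_at,
				 int flush_on_error)
{
	memset(wq, 0, sizeof(*wq));
	if (model_alloc_and_link_pwqs(wq, fail_at, flush_on_error) < 0) {
		wq->freed++;		/* kfree(wq) */
		return -1;
	}
	return 0;
}

/*
 * Run one failing allocation, then let any still-pending release work run,
 * as it eventually would in the kernel. Returns the wq's final counters.
 */
struct model_wq model_run_failed_alloc(int fail_at, int flush_on_error)
{
	struct model_wq wq;

	release_pending = 0;
	model_alloc_workqueue(&wq, fail_at, flush_on_error);
	model_flush_release_worker();
	return wq;
}

int main(void)
{
	struct model_wq before = model_run_failed_alloc(2, 0);
	struct model_wq after = model_run_failed_alloc(2, 1);

	printf("no flush on error:   freed=%d uaf=%d\n", before.freed, before.uaf);
	printf("flush on error:      freed=%d uaf=%d\n", after.freed, after.uaf);
	return 0;
}
```

Failing after two pwqs were linked, the model without the flush ends with uaf > 0: the release worker runs later against a wq that kfree() already released. With the flush, uaf drops to 0 but freed becomes 2, which is the double free the message points at. Failing before any pwq was linked gives freed == 1 either way, because the release worker then has nothing that could reach the wq.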