Date: Tue, 28 Apr 2026 07:59:52 -0700
From: Breno Leitao
To: Andy Shevchenko
Cc: Tejun Heo, Lai Jiangshan, Krzysztof Kozlowski, clm@fb.com, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] workqueue: fix devm_alloc_workqueue() va_list misuse
References: <20260427-wq_fix_chris-v1-1-988649834b79@debian.org>

On Mon, Apr 27, 2026 at 08:51:22PM +0300, Andy Shevchenko wrote:
> On Mon, Apr 27, 2026 at 09:47:44AM -0700, Breno Leitao wrote:
> > devm_alloc_workqueue() builds a va_list from its own variadic
> > arguments and then passes that va_list as a single positional
> > argument to the variadic alloc_workqueue() macro:
> >
> >     va_start(args, max_active);
> >     wq = alloc_workqueue(fmt, flags, max_active, args);
> >     va_end(args);
> >
> > alloc_workqueue() expands to alloc_workqueue_noprof(), which
> > performs its own va_start() over its ... parameters. The inner
> > vsnprintf(wq->name, sizeof(wq->name), fmt, args) inside
> > __alloc_workqueue() therefore receives the outer va_list object
> > as the first variadic slot, not the caller's actual format
> > arguments. On x86-64 SysV a "%s" conversion dereferences the
> > pointer inside that va_list as a char * and copies arbitrary
> > stack bytes from devm_alloc_workqueue()'s register-save area
> > into wq->name. The write is bounded by WQ_NAME_LEN but the
> > read is not, so this is an out-of-bounds stack read whose result
> > also surfaces via show_all_workqueues(), print_worker_info(),
> > the WQ_NAME_LEN pr_warn_once(), and lockdep lock names.
> >
> > C does not allow forwarding a va_list through a ... parameter;
> > a v-style entry point is required. __alloc_workqueue() is
> > exactly that and is already used by alloc_workqueue_noprof().
> > Split devm_alloc_workqueue() into devm_alloc_workqueue_noprof()
> > plus an alloc_hooks() macro wrapper, mirroring the
> > alloc_workqueue / alloc_workqueue_noprof split. The _noprof
> > function calls __alloc_workqueue() directly with the va_list we
> > already hold, and runs wq_init_lockdep(wq) afterwards to mirror
> > alloc_workqueue_noprof() (otherwise wq->lockdep_map stays NULL
> > and __flush_workqueue()'s on-stack
> > COMPLETION_INITIALIZER_ONSTACK_MAP would NULL-deref it).
> >
> > Keeping the alloc_hooks() wrapper preserves memory allocation
> > profiling attribution under CONFIG_MEM_ALLOC_PROFILING=y: the
> > kzalloc_noprof() and alloc_workqueue_attrs_noprof() inside
> > __alloc_workqueue() are charged to the driver call site rather
> > than to a single line in kernel/workqueue.c.
> >
> > No caller changes are required. Drivers continue to write
> > devm_alloc_workqueue() and devm_alloc_ordered_workqueue() as
> > before; the new macro forwards through alloc_hooks() into the
> > renamed _noprof function transparently. Out-of-tree modules
> > need only be recompiled against the updated header to pick up
> > the renamed export, mirroring the precedent set by the existing
> > alloc_workqueue / alloc_workqueue_noprof split.
> >
> > devm_alloc_ordered_workqueue() in include/linux/workqueue.h is
> > a macro that forwards to devm_alloc_workqueue(), so it inherits
> > this fix automatically. Two in-tree callers actively trigger
> > the broken path on every probe:
> >
> >     drivers/power/supply/mt6370-charger.c:889
> >     drivers/power/supply/max77705_charger.c:649
> >
> > both of which use devm_alloc_ordered_workqueue(dev, "%s", 0,
> > dev_name(dev)).
> >
> > A standalone reproducer module is available at [1]:
> >
> > Link: https://github.com/leitao/debug/blob/main/workqueue/valist/wq_va_test.c [1]
> >
>
> There shouldn't be blank line(s) in the tag block.

Ack, I will remove it in the respin.

>
> > Fixes: 1dfc9d60a69e ("workqueue: devres: Add device-managed allocate workqueue")
> > Signed-off-by: Breno Leitao
>
> Otherwise second Tejun's "nice catch"!
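The commit message quoted above contrasts a va_list handed through a `...` parameter with a proper v-style entry point. The following user-space model is added here as an example; it is not the kernel's code and not the patch itself. It keeps the names from the message (`WQ_NAME_LEN`, `__alloc_workqueue`, `alloc_workqueue`, `devm_alloc_workqueue`), but `struct workqueue_struct`, `struct device`, the `name_matches_device` helper and the sample device names are constructed stand-ins. Only the fixed shape is compiled; the broken shape appears in a comment because executing it is undefined behaviour.

```c
/* Added example (not the kernel's code): a user-space model of why a va_list
 * cannot be forwarded through a "..." parameter, and the v-style entry point
 * that fixes it. Struct layouts and the device stand-in are constructed here. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WQ_NAME_LEN 32          /* bounded destination, like the kernel's wq->name */

struct workqueue_struct {       /* constructed stand-in, not the kernel's layout */
    char name[WQ_NAME_LEN];
    unsigned int flags;
    int max_active;
};

struct device { const char *name; };   /* constructed stand-in for struct device */

/* The v-style entry point: the only place the format is expanded. */
static struct workqueue_struct *
__alloc_workqueue(const char *fmt, unsigned int flags, int max_active, va_list args)
{
    struct workqueue_struct *wq = calloc(1, sizeof(*wq));
    if (!wq)
        return NULL;
    wq->flags = flags;
    wq->max_active = max_active;
    /* The write is bounded by sizeof(wq->name); the read of the arguments is
     * driven by fmt, so args must really be the caller's arguments. */
    vsnprintf(wq->name, sizeof(wq->name), fmt, args);
    return wq;
}

/* Variadic wrapper, like alloc_workqueue_noprof(): owns its own va_list. */
static struct workqueue_struct *
alloc_workqueue(const char *fmt, unsigned int flags, int max_active, ...)
{
    va_list args;
    va_start(args, max_active);
    struct workqueue_struct *wq = __alloc_workqueue(fmt, flags, max_active, args);
    va_end(args);
    return wq;
}

/*
 * BROKEN shape, as the commit message describes (deliberately not compiled):
 *
 *     va_start(args, max_active);
 *     wq = alloc_workqueue(fmt, flags, max_active, args);
 *     va_end(args);
 *
 * alloc_workqueue() runs its own va_start() over "...", so the first "%s"
 * conversion sees the va_list object itself, not the caller's string, and
 * reads stack bytes out of bounds.
 */

/* FIXED shape: hand the va_list we already hold to the v-style entry point. */
static struct workqueue_struct *
devm_alloc_workqueue(struct device *dev, const char *fmt, unsigned int flags,
                     int max_active, ...)
{
    (void)dev;  /* devres registration is outside the scope of this model */
    va_list args;
    va_start(args, max_active);
    struct workqueue_struct *wq = __alloc_workqueue(fmt, flags, max_active, args);
    va_end(args);
    return wq;
}

/* Mirrors the in-tree callers' pattern: devm_alloc_ordered_workqueue(dev, "%s", 0, dev_name(dev)).
 * Returns 1 when the resulting name is the device name (truncated to the bounded
 * buffer at most) and NUL-terminated within WQ_NAME_LEN. */
static int name_matches_device(struct device *dev, char *out, size_t out_len)
{
    struct workqueue_struct *wq = devm_alloc_workqueue(dev, "%s", 0, 1, dev->name);
    if (!wq)
        return 0;
    int ok = strncmp(wq->name, dev->name, WQ_NAME_LEN - 1) == 0
          && strlen(wq->name) < WQ_NAME_LEN;
    snprintf(out, out_len, "%s", wq->name);
    free(wq);
    return ok;
}

int main(void)
{
    struct device dev = { .name = "mt6370-charger" };   /* constructed sample */
    char name[WQ_NAME_LEN];
    int ok = name_matches_device(&dev, name, sizeof(name));
    printf("name ok=%d -> \"%s\"\n", ok, name);
    return ok ? 0 : 1;
}
```

Build with `cc -std=c11 -Wall` and run. Because `fmt` is a function parameter rather than a string literal, `-Wformat` cannot check the broken call's argument types against the conversions, which is why the fix has to be structural (a v-style entry point) rather than something the compiler catches.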