Re: [PATCH v4] watchdog/hardlockup: Fix UAF in perf event cleanup due to migration race

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Qiliang Yuan <realwujing@gmail.com>
To: dianders@chromium.org
Cc: akpm@linux-foundation.org, lihuafei1@huawei.com,
	linux-kernel@vger.kernel.org, mingo@kernel.org,
	mm-commits@vger.kernel.org, realwujing@gmail.com,
	song@kernel.org, stable@vger.kernel.org, sunshx@chinatelecom.cn,
	thorsten.blum@linux.dev, wangjinchao600@gmail.com,
	yangyicong@hisilicon.com, yuanql9@chinatelecom.cn,
	zhangjn11@chinatelecom.cn
Subject: Re: [PATCH v4] watchdog/hardlockup: Fix UAF in perf event cleanup due to migration race
Date: Tue, 27 Jan 2026 21:37:52 -0500	[thread overview]
Message-ID: <20260128023757.1693269-1-realwujing@gmail.com> (raw)
In-Reply-To: <CAD=FV=U6sM71UuPbYZRWV87=p1ZO8-gpv3yzK8eMEv3dRNVgdA@mail.gmail.com>

Hi Doug,

Thanks for your detailed feedback and for the patient explanation regarding the 
mainline workqueue behavior.

On Tue, 27 Jan 2026 13:37:28 Doug Anderson <dianders@chromium.org> wrote:
> Really, it matters what schedule_work() does on anyone who happens to have
> commit 930d8f8dbab9 ("watchdog/perf: adapt the watchdog_perf interface
> for async model")... we have to focus on supporting the mainline kernel here.

I completely agree that the focus must be on the mainline kernel. I've since
checked and confirmed that in mainline, schedule_work() is redirected to
system_percpu_wq (via include/linux/workqueue.h), which provides the
necessary CPU affinity.

> To ask directly: have you seen this WARN_ON in mainline, or is this
> all speculative?

To be direct: no, I haven't seen this WARN_ON on a pure mainline kernel. As
you suspected, the issue was identified in a downstream 4.19-based kernel
with different initialization timings and workqueue behavior. My assumption
that it would also affect mainline was indeed speculative and based on an
incomplete understanding of include/linux/sched.h's is_percpu_thread()
implementation on modern kernels.

> I'm still not convinced that there was ever a UAF in mainline nor that
> this actually "Fixes" anything in mainline. I do agree that the code
> is better by not having it write the per-cpu variable at probe time

Since the risk is not currently manifested in mainline, I have refactored
the patch as a "cleanup and robustness improvement" as you suggested. This
removes the fragile implicit dependency on the caller's context and makes
the probe stateless.

I have sent v6 with these changes. Please ignore v5 and review v6 instead.

v6 changes:
- Renamed the title to "simplify perf event probe and remove per-cpu dependency".
- Removed the "Fixes:" tag and "Cc: stable".
- Rewrote the commit record in the imperative mood.
- Updated the description to clarify that it addresses code brittleness
  rather than a confirmed mainline bug.

v6 link: https://lore.kernel.org/all/20260127025814.1200345-1-realwujing@gmail.com/

Best regards,
Qiliang

next prev parent reply	other threads:[~2026-01-28  2:38 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260122042717.657231-1-realwujing@gmail.com>
2026-01-22  5:24 ` [PATCH v2] watchdog/hardlockup: Fix UAF in perf event cleanup due to migration race Qiliang Yuan
2026-01-22 21:59   ` Andrew Morton
2026-01-23  2:39     ` Doug Anderson
2026-01-23  6:34       ` [PATCH v3] " Qiliang Yuan
2026-01-24  0:01         ` Doug Anderson
2026-01-24  6:57           ` Qiliang Yuan
2026-01-24 23:36             ` Doug Anderson
2026-01-26  3:30               ` Qiliang Yuan
2026-01-27  1:14                 ` Doug Anderson
2026-01-27  2:16                   ` [PATCH v4] " Qiliang Yuan
2026-01-27 21:37                     ` Doug Anderson
2026-01-28  2:37                       ` Qiliang Yuan [this message]
2026-01-24  7:08           ` Qiliang Yuan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260128023757.1693269-1-realwujing@gmail.com \
    --to=realwujing@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=dianders@chromium.org \
    --cc=lihuafei1@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=mm-commits@vger.kernel.org \
    --cc=song@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=sunshx@chinatelecom.cn \
    --cc=thorsten.blum@linux.dev \
    --cc=wangjinchao600@gmail.com \
    --cc=yangyicong@hisilicon.com \
    --cc=yuanql9@chinatelecom.cn \
    --cc=zhangjn11@chinatelecom.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox