Re: [PATCH] fs/resctrl: Fix use-after-free in resctrl_offline_mon_domain()

From: Reinette Chatre

Date: Wed May 06 2026 - 18:29:12 EST


Hi Tony,

On 5/6/26 3:11 PM, Luck, Tony wrote:
>> Unrelated to this question but may be worth a mention in the fix is that this work focuses
>> and fixes resctrl to not access freed memory from the worker self. To complement this it may
>> be worthwhile to highlight that it is safe for the work_struct self to be deleted while the
>> work is running (but blocked on cpus_read_lock()) based on the following comment from
>> kernel/workqueue.c:process_one_work():
>> "It is permissible to free the struct work_struct from inside the function that is called
>> from it ..."
>
> Scope increased from just the use-after-free when the domain was deleted. The case
> for taking the current worker CPU offline doesn't involve a use-after-free. It just results
> in running the worker on the wrong CPU for one iteration.
>
> Deleting the work_struct inside the called function is different from some agent deleting
> the work_struct while the worker is running.

Right. I interpret this to mean that judging the safety of work_struct removal should consider not
only the workqueue API itself but also external agents that may access the work_struct after its
removal. The current fix addresses access to the removed work_struct from within the worker itself, while I
interpret the workqueue API to guarantee that there will be no access to the work_struct during or
after worker execution. The fix under development thus makes it possible to safely remove the
domain even if a worker belonging to it is executing and blocked on cpus_read_lock(). Do you
see any remaining issues here?

Reinette
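As an added illustration of the process_one_work() guarantee quoted in this thread (constructed userspace model, not code from the thread, from fs/resctrl or from kernel/workqueue.c): the dispatcher copies the function pointer out of the work_struct, clears its pending state, and then never dereferences the item again, which is exactly why a worker is allowed to free its own containing structure. The `mon_domain` / `overflow_work` names are stand-ins for the resctrl objects under discussion. The model deliberately covers only self-removal from inside the worker; it does not model an external agent freeing the domain while the worker is blocked, which is the separate case the thread leaves open.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a work item: a callback plus a pending flag
 * standing in for the kernel's WORK_STRUCT_PENDING bit. */
struct work_struct {
    void (*func)(struct work_struct *work);
    bool pending;
};

/* Single-consumer ring of queued items (constructed, fixed size). */
#define WQ_SLOTS 16
static struct work_struct *wq_items[WQ_SLOTS];
static unsigned wq_head, wq_tail;

/* Like queue_work(): refuses to queue an item that is already pending. */
static bool queue_work(struct work_struct *work)
{
    if (work->pending)
        return false;
    work->pending = true;
    wq_items[wq_tail++ % WQ_SLOTS] = work;
    return true;
}

/* Mirrors the ordering in process_one_work(): the callback pointer is
 * read into a local, the item is marked not-pending, and only then is
 * the callback invoked.  The dispatcher makes no access to *work after
 * the call, so the callback may free the memory containing it. */
static int process_one_work(void)
{
    if (wq_head == wq_tail)
        return 0;
    struct work_struct *work = wq_items[wq_head++ % WQ_SLOTS];
    void (*func)(struct work_struct *) = work->func;
    work->pending = false;          /* last dispatcher access to *work */
    func(work);
    return 1;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for a monitoring domain whose lifetime ends in its own worker. */
struct mon_domain {
    int id;
    struct work_struct overflow_work;
};

static int domains_freed;
static int noop_runs;

static void self_freeing_worker(struct work_struct *work)
{
    struct mon_domain *d = container_of(work, struct mon_domain, overflow_work);
    int id = d->id;                 /* copy out what is needed first ... */
    free(d);                        /* ... then release the containing object */
    if (id >= 0)                    /* ... and never touch d or work again */
        domains_freed++;
}

static void noop_worker(struct work_struct *work)
{
    (void)work;
    noop_runs++;
}

/* Queues `ndomains` self-freeing domains and drains the queue; returns
 * how many workers ran to completion after freeing their own domain. */
int run_self_free_demo(int ndomains)
{
    domains_freed = 0;
    for (int i = 0; i < ndomains; i++) {
        struct mon_domain *d = calloc(1, sizeof(*d));
        if (!d)
            return -1;
        d->id = i;
        d->overflow_work.func = self_freeing_worker;
        queue_work(&d->overflow_work);
    }
    while (process_one_work())
        ;
    return domains_freed;
}

/* Queues the same item twice before draining; returns the number of
 * times the callback actually ran (the pending flag collapses the pair). */
int run_double_queue_demo(void)
{
    static struct work_struct w;
    w.func = noop_worker;
    w.pending = false;
    noop_runs = 0;
    queue_work(&w);
    queue_work(&w);
    while (process_one_work())
        ;
    return noop_runs;
}
```

The second demo shows the companion rule that lets the first one be safe: because an item cannot be queued twice while pending, the dispatcher hands each queued work_struct to exactly one callback invocation, so "free it inside the function" is the only owner-side access that remains.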