From: Thomas Gleixner <tglx@linutronix.de>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: Hillf Danton <hdanton@sina.com>,
syzbot <syzbot+6fb78d577e89e69602f9@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, pbonzini@redhat.com,
syzkaller-bugs@googlegroups.com,
Steven Rostedt <rosted@goodmis.org>,
Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [syzbot] WARNING in call_timer_fn
Date: Fri, 18 Nov 2022 02:17:58 +0100 [thread overview]
Message-ID: <875yfdkqm1.ffs@tglx> (raw)
In-Reply-To: <d38fe3c3-1f0b-b5f6-2895-aee9476b20bf@I-love.SAKURA.ne.jp>
On Fri, Nov 18 2022 at 09:53, Tetsuo Handa wrote:
> On 2022/11/18 6:16, Luiz Augusto von Dentz wrote:
> The comment for drain_workqueue() says
>
> * Wait until the workqueue becomes empty. While draining is in progress,
> * only chain queueing is allowed. IOW, only currently pending or running
> * work items on @wq can queue further work items on it. @wq is flushed
> * repeatedly until it becomes empty. The number of flushing is determined
> * by the depth of chaining and should be relatively short. Whine if it
> * takes too long.
>
> but why limited to "only currently pending or running work items on @wq" (that is,
> only process context) ?
>
> Although drain_workqueue() is also called from destroy_workqueue() (which would cause
> use-after-free bug if interrupt handler calls queue_work() some time after drain_workqueue()),
> I think that we can wait for drain_workqueue() to call __flush_workqueue() again if a further
> work item is queued from interrupt handler...
Which is correct because at that point it's expecting to only accept the
pending and chained pending work otherwise it will go on in circles and/or
just be unable to provide the functionality of draining work, right?
> Anyway, stopping all works and delayed works before calling
> drain_workqueue() would address this problem.
Only partially.
You also have to make sure that none of the works can be rearmed or
rescheduled after that point by any other context, e.g interrupts ...
Thanks,
tglx
next prev parent reply other threads:[~2022-11-18 1:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-16 15:25 [syzbot] WARNING in call_timer_fn syzbot
2022-11-16 18:29 ` Thomas Gleixner
[not found] ` <20221117024511.3606-1-hdanton@sina.com>
2022-11-17 11:54 ` Thomas Gleixner
[not found] ` <20221117125523.3783-1-hdanton@sina.com>
2022-11-17 16:06 ` Thomas Gleixner
2022-11-17 21:04 ` Luiz Augusto von Dentz
2022-11-17 21:16 ` Luiz Augusto von Dentz
2022-11-18 0:53 ` Tetsuo Handa
2022-11-18 1:17 ` Thomas Gleixner [this message]
[not found] ` <20221118012805.3862-1-hdanton@sina.com>
2022-11-18 20:01 ` Luiz Augusto von Dentz
[not found] <20221117010835.3474-1-hdanton@sina.com>
2022-11-17 1:35 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=875yfdkqm1.ffs@tglx \
--to=tglx@linutronix.de \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=pbonzini@redhat.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=rosted@goodmis.org \
--cc=syzbot+6fb78d577e89e69602f9@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.