Re: [PATCH v1] irq_work: Fix use-after-free in irq_work_single on PREEMPT_RT

Next message: Bj&#xF6;rn T&#xF6;pel: "[PATCH net-next v2 06/12] selftests: drv-net: Add loopback driver test"
Previous message: Pedro Falcato: "Re: [PATCH 6/6] tools/testing/vma: add test for vma_flags_test(), vma_desc_test()"
In reply to: Steven Rostedt: "Re: [PATCH v1] irq_work: Fix use-after-free in irq_work_single on PREEMPT_RT"
Next in thread: Steven Rostedt: "Re: [PATCH v1] irq_work: Fix use-after-free in irq_work_single on PREEMPT_RT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sebastian Andrzej Siewior

Date: Wed Mar 25 2026 - 11:46:06 EST

On 2026-03-25 11:13:51 [-0400], Steven Rostedt wrote:
> Yeah, this is open coding the rcuwait_wake_up().
>
> I'm not sure we want to do this.
>
> Perhaps RCU could provide a way to save the rcuwait?
>
> struct rcuwait = __RCUWAIT_INITIALIZER(rcuwait);
>
> [..]
>
> rcuwait_copy(&rcuwait, &work->irqwait);
>
> [..]
>
> rcuwait_wake_up(&rcuwait);
>
> ?

Most irq-work aren't free()ed since they are static and remain around.
There is no task assigned if there is no active waiter.
Wouldn't it be easier to kfree_rcu() the struct using the irq-work?

> > + put_task_struct(waiter);
> > + }
>
> -- Steve

Sebastian