Re: [PATCH] workqueue: Fix NULL pointer dereference
From: Tejun Heo
Date: Tue Oct 24 2017 - 10:45:57 EST
On Tue, Oct 24, 2017 at 09:18:34AM +0800, Li Bin wrote:
> When queue_work() is used in irq handler, there is a potential
> case that trigger NULL pointer dereference.
> ----------------------------------------------------------------
> worker_thread()
> |-spin_lock_irq()
> |-process_one_work()
> |-worker->current_pwq = pwq
> |-spin_unlock_irq()
> |-worker->current_func(work)
> |-spin_lock_irq()
> |-worker->current_pwq = NULL
> |-spin_unlock_irq()
>
> //interrupt here
> |-irq_handler
> |-__queue_work()
> //assuming that the wq is draining
> |-is_chained_work(wq)
> |-current_wq_worker()
> //Here, 'current' is the interrupted worker!
> |-current->current_pwq is NULL here!
> |-schedule()
> ----------------------------------------------------------------
>
> Avoid it by checking for irq context in current_wq_worker(), and
> if in irq context, we shouldn't use the 'current' to check the
> condition.
>
> Reported-by: Xiaofei Tan <tanxiaofei@xxxxxxxxxx>
> Signed-off-by: Li Bin <huawei.libin@xxxxxxxxxx>
Applied to wq/for-4.14-fixes.
Thanks.
--
tejun