From: tanxiaofei
Subject: [Question] null pointer risk of kernel workqueue
CC: Linuxarm
Message-ID: <59C62398.6040101@huawei.com>
Date: Sat, 23 Sep 2017 17:04:24 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Tejun & Jiangshan,

I find a null pointer risk in the code of workqueue. Here is the description:

If draining, __queue_work() will call the function is_chained_work() to do some checks. In is_chained_work(), worker->current_pwq is used directly. It should not be safe.
http://elixir.free-electrons.com/linux/latest/source/kernel/workqueue.c#L1384

If you check the thread function of this worker, worker_thread(), you will find worker->current_pwq is null when one work is done or ready to be processed. This issue may happen only if we queue work while executing drain_workqueue().
http://elixir.free-electrons.com/linux/latest/source/kernel/workqueue.c#L2173

There are very few places that call drain_workqueue() in the whole Linux kernel. I think that's why no one noticed this risk.
Xiaofei Tan
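The worker states the message above refers to, as a user-space model added here (not part of the original message and not kernel code). The model_ names and the simplified structs are assumptions, and the check shown is a NULL-guarded variant so that every state can be evaluated without a fault.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structures (model only). */
struct workqueue_struct { int draining; };
struct pool_workqueue { struct workqueue_struct *wq; };
struct worker { struct pool_workqueue *current_pwq; };

/* Models "the worker the current thread is"; NULL for a non-worker thread. */
static struct worker *model_current_worker;

/* Guarded form: a worker with no item in flight is not chained to any wq. */
static bool model_is_chained_work(struct workqueue_struct *wq)
{
    struct worker *w = model_current_worker;
    return w && w->current_pwq && w->current_pwq->wq == wq;
}

/* Queue-time rule while draining: only chained work is accepted. */
static bool model_queue_allowed(struct workqueue_struct *wq)
{
    return !wq->draining || model_is_chained_work(wq);
}

typedef bool (*work_fn)(struct workqueue_struct *);

/* current_pwq is set only for the duration of the work function. */
static bool model_process_one_work(struct worker *w, struct pool_workqueue *pwq,
                                   work_fn fn, struct workqueue_struct *target)
{
    bool result;
    w->current_pwq = pwq;
    result = fn(target);
    w->current_pwq = NULL;
    return result;
}

/* Constructed scenario: returns a bitmask of which queue attempts succeeded. */
static int model_run_scenario(void)
{
    struct workqueue_struct wq = { .draining = 1 }, other = { .draining = 1 };
    struct pool_workqueue pwq = { .wq = &wq };
    struct worker w = { .current_pwq = NULL };
    int mask = 0;

    model_current_worker = &w;
    if (model_queue_allowed(&wq)) mask |= 1; /* worker between items */
    if (model_process_one_work(&w, &pwq, model_queue_allowed, &wq)) mask |= 2;
    if (model_process_one_work(&w, &pwq, model_queue_allowed, &other)) mask |= 4;
    model_current_worker = NULL;
    if (model_queue_allowed(&wq)) mask |= 8; /* non-worker thread */
    return mask;
}
```

Only the attempt made from inside a work function running on the same draining workqueue is accepted; the other three states are rejected by the guarded check.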