From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Xiaofei Tan <tanxiaofei@huawei.com>,
Li Bin <huawei.libin@huawei.com>,
Lai Jiangshan <jiangshanlai@gmail.com>, Tejun Heo <tj@kernel.org>
Subject: [PATCH 4.13 03/33] workqueue: Fix NULL pointer dereference
Date: Mon, 13 Nov 2017 13:56:24 +0100 [thread overview]
Message-ID: <20171113125611.449334556@linuxfoundation.org> (raw)
In-Reply-To: <20171113125611.096767733@linuxfoundation.org>
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Bin <huawei.libin@huawei.com>
commit cef572ad9bd7f85035ba8272e5352040e8be0152 upstream.
When queue_work() is used in irq (not in task context), there is
a potential case that trigger NULL pointer dereference.
----------------------------------------------------------------
worker_thread()
|-spin_lock_irq()
|-process_one_work()
|-worker->current_pwq = pwq
|-spin_unlock_irq()
|-worker->current_func(work)
|-spin_lock_irq()
|-worker->current_pwq = NULL
|-spin_unlock_irq()
//interrupt here
|-irq_handler
|-__queue_work()
//assuming that the wq is draining
|-is_chained_work(wq)
|-current_wq_worker()
//Here, 'current' is the interrupted worker!
|-current->current_pwq is NULL here!
|-schedule()
----------------------------------------------------------------
Avoid it by checking for task context in current_wq_worker(), and
if not in task context, we shouldn't use the 'current' to check the
condition.
Reported-by: Xiaofei Tan <tanxiaofei@huawei.com>
Signed-off-by: Li Bin <huawei.libin@huawei.com>
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 8d03ecfe4718 ("workqueue: reimplement is_chained_work() using current_wq_worker()")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/workqueue_internal.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/workqueue_internal.h
+++ b/kernel/workqueue_internal.h
@@ -9,6 +9,7 @@
#include <linux/workqueue.h>
#include <linux/kthread.h>
+#include <linux/preempt.h>
struct worker_pool;
@@ -59,7 +60,7 @@ struct worker {
*/
static inline struct worker *current_wq_worker(void)
{
- if (current->flags & PF_WQ_WORKER)
+ if (in_task() && (current->flags & PF_WQ_WORKER))
return kthread_data(current);
return NULL;
}
next prev parent reply other threads:[~2017-11-13 13:03 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-13 12:56 [PATCH 4.13 00/33] 4.13.13-stable review Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 01/33] netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 02/33] netfilter: nft_set_hash: disable fast_ops for 2-len keys Greg Kroah-Hartman
2017-11-13 12:56 ` Greg Kroah-Hartman [this message]
2017-11-13 12:56 ` [PATCH 4.13 04/33] crypto: ccm - preserve the IV buffer Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 05/33] crypto: x86/sha1-mb - fix panic due to unaligned access Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 06/33] crypto: x86/sha256-mb " Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 07/33] KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 08/33] ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360 Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 09/33] ACPICA: Dispatch active GPEs at init time Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 10/33] ACPICA: Make it possible to enable runtime GPEs earlier Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 11/33] ACPI / scan: Enable GPEs before scanning the namespace Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 12/33] ARM: 8720/1: ensure dump_instr() checks addr_limit Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 14/33] ALSA: usb-audio: support new Amanero Combo384 firmware version Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 15/33] ALSA: hda - fix headset mic problem for Dell machines with alc274 Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 16/33] ALSA: seq: Fix OSS sysex delivery in OSS emulation Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 17/33] ALSA: seq: Avoid invalid lockdep class warning Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 18/33] MIPS: Fix CM region target definitions Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 19/33] MIPS: BMIPS: Fix missing cbr address Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 20/33] MIPS: AR7: Defer registration of GPIO Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 21/33] MIPS: AR7: Ensure that serial ports are properly set up Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 22/33] KVM: PPC: Book3S HV: Fix exclusion between HPT resizing and other HPT updates Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 23/33] Input: elan_i2c - add ELAN060C to the ACPI table Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 24/33] rbd: use GFP_NOIO for parent stat and data requests Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 25/33] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 26/33] Revert "x86: CPU: Fix up "cpu MHz" in /proc/cpuinfo" Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 27/33] can: sun4i: handle overrun in RX FIFO Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 28/33] can: peak: Add support for new PCIe/M2 CAN FD interfaces Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 29/33] can: ifi: Fix transmitter delay calculation Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 31/33] x86/debug: Handle warnings before the notifier chain, to fix KGDB crash Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 32/33] x86/smpboot: Make optimization of delay calibration work correctly Greg Kroah-Hartman
2017-11-13 12:56 ` [PATCH 4.13 33/33] x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context Greg Kroah-Hartman
2017-11-13 21:52 ` [PATCH 4.13 00/33] 4.13.13-stable review Shuah Khan
2017-11-13 22:29 ` Guenter Roeck
2017-11-14 7:49 ` Greg Kroah-Hartman
[not found] ` <5a0a1664.87c7df0a.74220.6a5a@mx.google.com>
2017-11-14 7:43 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171113125611.449334556@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=huawei.libin@huawei.com \
--cc=jiangshanlai@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tanxiaofei@huawei.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).