From: Tejun Heo
To: tanxiaofei
Cc: jiangshanlai@gmail.com, linux-kernel@vger.kernel.org, Linuxarm
Subject: Re: [Question] null pointer risk of kernel workqueue
Date: Mon, 25 Sep 2017 08:25:36 -0700
Message-ID: <20170925152536.GL828415@devbig577.frc2.facebook.com>
References: <59C62398.6040101@huawei.com>
In-Reply-To: <59C62398.6040101@huawei.com>

Hello,

On Sat, Sep 23, 2017 at 05:04:24PM +0800, tanxiaofei wrote:
> Hi Tejun & Jiangshan,
>
> I find a null pointer risk in the code of workqueue. Here is the description:
>
> If draining, __queue_work() will call the function is_chained_work() to do some checks.
> In is_chained_work(), worker->current_pwq is used directly. It should not be safe.
> http://elixir.free-electrons.com/linux/latest/source/kernel/workqueue.c#L1384
>
> If you check the thread function of this worker, worker_thread(), you will find worker->current_pwq
> is null when one work is done or ready to be processed.
> This issue may happen only if we queue work during executing drain_workqueue().
> http://elixir.free-electrons.com/linux/latest/source/kernel/workqueue.c#L2173

Hmmm? I don't get it.
worker->current_pwq is guaranteed to be set while a work function is
being executed and the chained check can only get there iff the worker
is executing a work function.

Thanks.

--
tejun
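The invariant Tejun describes, as an added user-space model that is not the kernel's code: the struct and function names mirror kernel/workqueue.c, but `running_worker` is an assumed stand-in for the kernel's "current task is a kworker" lookup, and `chained_probe`/`chained_fn` are constructed test scaffolding. It shows why `is_chained_work()` never dereferences a NULL `current_pwq`: the pointer is set before the work function runs and cleared only after it returns, and the lookup that guards the dereference succeeds only from inside that window.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model of the workqueue invariant discussed in the thread (not the
 * kernel's code): names mirror kernel/workqueue.c for readability. */
struct workqueue_struct { const char *name; };
struct pool_workqueue  { struct workqueue_struct *wq; };
struct worker          { struct pool_workqueue *current_pwq; };

/* Assumed stand-in for "current is a kworker": non-NULL only while the
 * model worker is inside process_one_work(). */
static struct worker *running_worker = NULL;

/* Models current_wq_worker(): NULL unless called from a worker. */
static struct worker *current_wq_worker(void)
{
    return running_worker;
}

/* Same shape as the kernel's check: the worker lookup guards the
 * dereference, and current_pwq is set whenever that lookup succeeds. */
static bool is_chained_work(struct workqueue_struct *wq)
{
    struct worker *worker = current_wq_worker();
    return worker && worker->current_pwq->wq == wq;
}

/* Models process_one_work(): current_pwq is set before fn() runs and
 * cleared after it returns, so fn() always observes a non-NULL pwq. */
static void process_one_work(struct worker *worker, struct pool_workqueue *pwq,
                             void (*fn)(void *), void *arg)
{
    worker->current_pwq = pwq;
    running_worker = worker;
    fn(arg);
    running_worker = NULL;
    worker->current_pwq = NULL;
}

/* Constructed probe: a work function that, like a queue during
 * drain_workqueue(), asks is_chained_work() about a target workqueue. */
struct chained_probe { struct workqueue_struct *target; bool chained; };

static void chained_fn(void *arg)
{
    struct chained_probe *p = arg;
    p->chained = is_chained_work(p->target);
}
```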