On Tue, Oct 24, 2017 at 09:18:34AM +0800, Li Bin wrote:
> When queue_work() is used in an irq handler, there is a potential
> case that triggers a NULL pointer dereference.
> ----------------------------------------------------------------
> worker_thread()
> |-spin_lock_irq()
> |-process_one_work()
>       |-worker->current_pwq = pwq
>       |-spin_unlock_irq()
>       |-worker->current_func(work)
>       |-spin_lock_irq()
>       |-worker->current_pwq = NULL
> |-spin_unlock_irq()
> 
>                               //interrupt here
>                               |-irq_handler
>                                       |-__queue_work()
>                                               //assuming that the wq is draining
>                                               |-is_chained_work(wq)
>                                                       |-current_wq_worker()
>                                                       //Here, 'current' is the interrupted worker!
>                                                               |-current->current_pwq is NULL here!
> |-schedule()
> ----------------------------------------------------------------
> 
> Avoid it by checking for irq context in current_wq_worker(), and
> if in irq context, we shouldn't use 'current' to check the
> condition.
> 
> Reported-by: Xiaofei Tan <tanxiao...@huawei.com>
> Signed-off-by: Li Bin <huawei.li...@huawei.com>

Applied to wq/for-4.14-fixes.

Thanks.

-- 
tejun
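The window described in the commit message above, as an added userspace model that is not part of the patch, the kernel, or this thread. It assumes a simplified stand-in for the workqueue structures (struct pwq, struct workqueue, struct worker) and for current_wq_worker(), is_chained_work() and __queue_work(); a global flag stands in for in_irq(). The harness runs one iteration of the worker loop, fires queue_work() from "interrupt context" at a chosen point, and reports whether the unguarded lookup would have dereferenced a NULL current_pwq, beside the guarded lookup that refuses to consult 'current' from irq context.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model (not kernel code) of the structures involved. */
struct workqueue;
struct pwq { struct workqueue *wq; };
struct workqueue { bool draining; struct pwq pwq; };
struct worker { struct pwq *current_pwq; };   /* NULL between work items */

static struct worker g_worker;                /* the worker thread being interrupted */
static bool g_in_irq;                         /* models in_irq(): set while the handler runs */
static bool g_null_deref;                     /* records a would-be NULL dereference */

/* Model of current_wq_worker(). 'current' is always g_worker here because the
 * interrupt is taken while the worker thread is on the CPU. With guard==true it
 * refuses to report a worker from irq context (the idea behind the fix). */
static struct worker *current_wq_worker(bool guard)
{
    if (guard && g_in_irq)
        return NULL;
    return &g_worker;
}

/* Model of is_chained_work(): is this work being queued by a worker that is
 * currently running an item of the same wq? The real code dereferences
 * worker->current_pwq->wq; here a NULL current_pwq is recorded instead of
 * crashing the model. */
static bool is_chained_work(struct workqueue *wq, bool guard)
{
    struct worker *worker = current_wq_worker(guard);

    if (!worker)
        return false;
    if (!worker->current_pwq) {
        g_null_deref = true;
        return false;
    }
    return worker->current_pwq->wq == wq;
}

/* Model of __queue_work(): a draining wq accepts only chained work. */
static bool queue_work(struct workqueue *wq, bool guard)
{
    if (wq->draining && !is_chained_work(wq, guard))
        return false;
    return true;
}

enum irq_point { IRQ_BEFORE_WORK = 0, IRQ_DURING_WORK = 1, IRQ_AFTER_WORK = 2 };

/* Drive one iteration of the worker loop, fire queue_work() from "irq
 * context" at the chosen point, and report whether the lookup would have
 * dereferenced a NULL current_pwq. */
static bool simulate(int irq_at, bool guard)
{
    struct workqueue wq = { .draining = true };
    wq.pwq.wq = &wq;
    g_worker.current_pwq = NULL;
    g_null_deref = false;

    for (int step = IRQ_BEFORE_WORK; step <= IRQ_AFTER_WORK; step++) {
        if (step == IRQ_DURING_WORK)
            g_worker.current_pwq = &wq.pwq;   /* process_one_work() sets it */
        if (step == IRQ_AFTER_WORK)
            g_worker.current_pwq = NULL;      /* ... and clears it afterwards */

        if (step == irq_at) {
            g_in_irq = true;                  /* interrupt lands here */
            queue_work(&wq, guard);
            g_in_irq = false;
        }
    }
    return g_null_deref;
}

int main(void)
{
    const char *names[] = { "before work", "during work", "after work" };
    for (int p = IRQ_BEFORE_WORK; p <= IRQ_AFTER_WORK; p++)
        printf("irq %-11s  unguarded: %s  guarded: %s\n", names[p],
               simulate(p, false) ? "NULL deref" : "ok",
               simulate(p, true)  ? "NULL deref" : "ok");
    return 0;
}
```

The unguarded lookup only survives when the interrupt lands while a work item is running; before the first item and after the last one, current_pwq is NULL and is_chained_work() would dereference it. The guarded lookup never consults the interrupted worker's state from the handler, so a draining wq simply refuses work queued from irq context, which is the intended outcome since chained work cannot originate there.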
