diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-07-27 22:55:30 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-07-27 22:55:30 +0200 |
commit | 82d712f6d147a2fb9998d0ede483949e80fed759 (patch) | |
tree | 939cfdbee4cdd1676fbe780e45d809cc82d7e220 /kernel | |
parent | Linux 5.14-rc3 (diff) | |
parent | workqueue: fix UAF in pwq_unbound_release_workfn() (diff) | |
download | linux-82d712f6d147a2fb9998d0ede483949e80fed759.tar.xz linux-82d712f6d147a2fb9998d0ede483949e80fed759.zip |
Merge branch 'for-5.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
Pull workqueue fix from Tejun Heo:
"Fix a use-after-free in allocation failure handling path"
* 'for-5.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
workqueue: fix UAF in pwq_unbound_release_workfn()
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/workqueue.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 50142fc08902..f148eacda55a 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3676,15 +3676,21 @@ static void pwq_unbound_release_workfn(struct work_struct *work) unbound_release_work); struct workqueue_struct *wq = pwq->wq; struct worker_pool *pool = pwq->pool; - bool is_last; + bool is_last = false; - if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) - return; + /* + * when @pwq is not linked, it doesn't hold any reference to the + * @wq, and @wq is invalid to access. + */ + if (!list_empty(&pwq->pwqs_node)) { + if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) + return; - mutex_lock(&wq->mutex); - list_del_rcu(&pwq->pwqs_node); - is_last = list_empty(&wq->pwqs); - mutex_unlock(&wq->mutex); + mutex_lock(&wq->mutex); + list_del_rcu(&pwq->pwqs_node); + is_last = list_empty(&wq->pwqs); + mutex_unlock(&wq->mutex); + } mutex_lock(&wq_pool_mutex); put_unbound_pool(pool); |