Commit 4e8b22bd authored Sep 10, 2013 by Li Bin Committed by Tejun Heo Nov 22, 2013

workqueue: fix pool ID allocation leakage and remove BUILD_BUG_ON() in init_workqueues



When one work starts execution, the high bits of work's data contain
pool ID. It can represent a maximum of WORK_OFFQ_POOL_NONE. Pool ID
is assigned WORK_OFFQ_POOL_NONE when the work being initialized
indicating that no pool is associated and get_work_pool() uses it to
check the associated pool. So if worker_pool_assign_id() assigns a
ID greater than or equal WORK_OFFQ_POOL_NONE to a pool, it triggers
leakage, and it may break the non-reentrance guarantee.

This patch fix this issue by modifying the worker_pool_assign_id()
function calling idr_alloc() by setting @end param WORK_OFFQ_POOL_NONE.

Furthermore, in the current implementation, the BUILD_BUG_ON() in
init_workqueues makes no sense. The number of worker pools needed
cannot be determined at compile time, because the number of backing
pools for UNBOUND workqueues is dynamic based on the assigned custom
attributes. So remove it.

tj: Minor comment and indentation updates.

Signed-off-by: Li Bin <huawei.libin@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

parent 9ef28a73

kernel/workqueue.c

+9 −6

Original line number	Diff line number	Diff line
		@@ -521,14 +521,21 @@ static inline void debug_work_activate(struct work_struct *work) { }
		static inline void debug_work_deactivate(struct work_struct *work) { }
		#endif

		/* allocate ID and assign it to @pool */
		/**
		* worker_pool_assign_id - allocate ID and assing it to @pool
		* @pool: the pool pointer of interest
		*
		* Returns 0 if ID in [0, WORK_OFFQ_POOL_NONE) is allocated and assigned
		* successfully, -errno on failure.
		*/
		static int worker_pool_assign_id(struct worker_pool *pool)
		{
		int ret;

		lockdep_assert_held(&wq_pool_mutex);

		ret = idr_alloc(&worker_pool_idr, pool, 0, 0, GFP_KERNEL);
		ret = idr_alloc(&worker_pool_idr, pool, 0, WORK_OFFQ_POOL_NONE,
		GFP_KERNEL);
		if (ret >= 0) {
		pool->id = ret;
		return 0;
		@@ -5020,10 +5027,6 @@ static int __init init_workqueues(void)
		int std_nice[NR_STD_WORKER_POOLS] = { 0, HIGHPRI_NICE_LEVEL };
		int i, cpu;

		/* make sure we have enough bits for OFFQ pool ID */
		BUILD_BUG_ON((1LU << (BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT)) <
		WORK_CPU_END * NR_STD_WORKER_POOLS);

		WARN_ON(__alignof__(struct pool_workqueue) < __alignof__(long long));

		pwq_cache = KMEM_CACHE(pool_workqueue, SLAB_PANIC);

Admin message