lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250601232937.3510379-12-sashal@kernel.org>
Date: Sun,  1 Jun 2025 19:28:04 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
	stable@...r.kernel.org
Cc: Jiayuan Chen <jiayuan.chen@...ux.dev>,
	syzbot+01affb1491750534256d@...kaller.appspotmail.com,
	Tejun Heo <tj@...nel.org>,
	Sasha Levin <sashal@...nel.org>,
	linux-kernel@...r.kernel.org
Subject: [PATCH AUTOSEL 6.14 012/102] workqueue: Fix race condition in wq->stats incrementation

From: Jiayuan Chen <jiayuan.chen@...ux.dev>

[ Upstream commit 70e1683ca3a6474360af1d3a020a9a98c8492cc0 ]

Fixed a race condition in incrementing wq->stats[PWQ_STAT_COMPLETED] by
moving the operation under pool->lock.

Reported-by: syzbot+01affb1491750534256d@...kaller.appspotmail.com
Signed-off-by: Jiayuan Chen <jiayuan.chen@...ux.dev>
Signed-off-by: Tejun Heo <tj@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---

**YES** This commit should be backported to stable kernel trees. Here's
my detailed analysis: ## Race Condition Analysis The commit fixes a
**data race condition** in `pwq->stats[PWQ_STAT_COMPLETED]++` that is
directly related to a previously fixed race condition for
`pwq->stats[PWQ_STAT_STARTED]++` (commit fe48ba7daefe). **The Problem:**
- Line 3244 in the current kernel shows
`pwq->stats[PWQ_STAT_COMPLETED]++` is executed **outside** the
`pool->lock` protection - Multiple worker threads can concurrently
increment this counter, creating a race condition identical to the one
fixed in commit fe48ba7daefe - The syzbot report confirms this is a real
issue affecting production systems **The Fix:** The commit moves
`pwq->stats[PWQ_STAT_COMPLETED]++` from line ~3244 (before
`lock_map_release`) to after `raw_spin_lock_irq(&pool->lock)` at line
~3273, ensuring atomic access under lock protection. ## Backport
Suitability Criteria **✅ Fixes Important Bug:** Yes - race conditions
can lead to incorrect statistics and potential corruption **✅ Small and
Contained:** The change is minimal - just moving one line of code to a
different location **✅ No Side Effects:** Moving the stats increment
under lock protection has no functional side effects beyond fixing the
race **✅ No Architectural Changes:** This is purely a synchronization
fix with no design changes **✅ Critical Subsystem:** Workqueue is a core
kernel subsystem used throughout the kernel **✅ Clear Stable Tree
Compliance:** - Important bugfix ✓ - Minimal risk ✓ - Confined to
workqueue subsystem ✓ - Reported by automated testing (syzbot) ✓ ##
Historical Precedent The commit directly parallels the **previously
backported** commit fe48ba7daefe (Similar Commit #1), which fixed the
same type of race condition for `PWQ_STAT_STARTED`. That commit was
marked "Backport Status: YES" and demonstrates that: 1. KCSAN-detected
race conditions in workqueue stats are considered backport-worthy 2.
Moving stats increments under lock protection is an established fix
pattern 3. The workqueue maintainer (Tejun Heo) accepts such fixes ##
Risk Assessment **Minimal Risk:** The change only affects when the
counter is incremented (under lock vs. outside lock). Since both
locations are in the same execution path, there's no functional behavior
change - only proper synchronization. **No Regression Potential:** The
fix follows the exact same pattern as the successful previous fix,
reducing the likelihood of introducing new issues. This commit
represents a clear, low-risk bug fix that addresses a real concurrency
issue in a critical kernel subsystem, making it an ideal candidate for
stable tree backporting.

 kernel/workqueue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index bfe030b443e27..2e7845fe47e47 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3241,7 +3241,7 @@ __acquires(&pool->lock)
 	 * point will only record its address.
 	 */
 	trace_workqueue_execute_end(work, worker->current_func);
-	pwq->stats[PWQ_STAT_COMPLETED]++;
+
 	lock_map_release(&lockdep_map);
 	if (!bh_draining)
 		lock_map_release(pwq->wq->lockdep_map);
@@ -3272,6 +3272,8 @@ __acquires(&pool->lock)
 
 	raw_spin_lock_irq(&pool->lock);
 
+	pwq->stats[PWQ_STAT_COMPLETED]++;
+
 	/*
 	 * In addition to %WQ_CPU_INTENSIVE, @worker may also have been marked
 	 * CPU intensive by wq_worker_tick() if @work hogged CPU longer than
-- 
2.39.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ