forked from Minki/linux
workqueue: fix race condition in unbound workqueue free path
8864b4e59
("workqueue: implement get/put_pwq()") implemented pwq
(pool_workqueue) refcnting which frees workqueue when the last pwq
goes away. It determined whether it was the last pwq by testing
wq->pwqs is empty. Unfortunately, the test was done outside wq->mutex
and multiple pwq release could race and try to free wq multiple times
leading to oops.
Test wq->pwqs emptiness while holding wq->mutex.
Signed-off-by: Tejun Heo <tj@kernel.org>
This commit is contained in:
parent
b592760547
commit
bc0caf099d
@ -3534,6 +3534,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
|
||||
unbound_release_work);
|
||||
struct workqueue_struct *wq = pwq->wq;
|
||||
struct worker_pool *pool = pwq->pool;
|
||||
bool is_last;
|
||||
|
||||
if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND)))
|
||||
return;
|
||||
@ -3545,6 +3546,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
|
||||
*/
|
||||
mutex_lock(&wq->mutex);
|
||||
list_del_rcu(&pwq->pwqs_node);
|
||||
is_last = list_empty(&wq->pwqs);
|
||||
mutex_unlock(&wq->mutex);
|
||||
|
||||
put_unbound_pool(pool);
|
||||
@ -3554,7 +3556,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
|
||||
* If we're the last pwq going away, @wq is already dead and no one
|
||||
* is gonna access it anymore. Free it.
|
||||
*/
|
||||
if (list_empty(&wq->pwqs))
|
||||
if (is_last)
|
||||
kfree(wq);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user