diff options
| author | Tejun Heo <tj@kernel.org> | 2013-04-01 11:23:31 -0700 |
|---|---|---|
| committer | Tejun Heo <tj@kernel.org> | 2013-04-01 11:23:31 -0700 |
| commit | bc0caf099d9df4dd0fad24992b043b40541f4200 (patch) | |
| tree | dddcccaf93af1eacd1606aadb06105e1a8f5ee11 /kernel/workqueue.c | |
| parent | b5927605478b740d73192f587e458de1632106e8 (diff) | |
| download | olio-linux-3.10-bc0caf099d9df4dd0fad24992b043b40541f4200.tar.xz olio-linux-3.10-bc0caf099d9df4dd0fad24992b043b40541f4200.zip | |
workqueue: fix race condition in unbound workqueue free path
8864b4e59 ("workqueue: implement get/put_pwq()") implemented pwq
(pool_workqueue) refcnting which frees workqueue when the last pwq
goes away. It determined whether it was the last pwq by testing
wq->pwqs is empty. Unfortunately, the test was done outside wq->mutex
and multiple pwq release could race and try to free wq multiple times
leading to oops.
Test wq->pwqs emptiness while holding wq->mutex.
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'kernel/workqueue.c')
| -rw-r--r-- | kernel/workqueue.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 04a8b98d30c..4d344326ae9 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3534,6 +3534,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work) unbound_release_work); struct workqueue_struct *wq = pwq->wq; struct worker_pool *pool = pwq->pool; + bool is_last; if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND))) return; @@ -3545,6 +3546,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work) */ mutex_lock(&wq->mutex); list_del_rcu(&pwq->pwqs_node); + is_last = list_empty(&wq->pwqs); mutex_unlock(&wq->mutex); put_unbound_pool(pool); @@ -3554,7 +3556,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work) * If we're the last pwq going away, @wq is already dead and no one * is gonna access it anymore. Free it. */ - if (list_empty(&wq->pwqs)) + if (is_last) kfree(wq); } |