
Commit bc0caf09 authored by Tejun Heo

workqueue: fix race condition in unbound workqueue free path



8864b4e5 ("workqueue: implement get/put_pwq()") implemented pwq
(pool_workqueue) refcnting which frees workqueue when the last pwq
goes away.  It determined whether it was the last pwq by testing
whether wq->pwqs is empty.  Unfortunately, the test was done outside
wq->mutex, so multiple pwq releases could race and try to free wq
multiple times, leading to an oops.

Test wq->pwqs emptiness while holding wq->mutex.

Signed-off-by: Tejun Heo <tj@kernel.org>
parent b5927605
+3 −1
@@ -3534,6 +3534,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
						  unbound_release_work);
						  unbound_release_work);
	struct workqueue_struct *wq = pwq->wq;
	struct workqueue_struct *wq = pwq->wq;
	struct worker_pool *pool = pwq->pool;
	struct worker_pool *pool = pwq->pool;
	bool is_last;


	if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND)))
	if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND)))
		return;
		return;
@@ -3545,6 +3546,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
	 */
	 */
	mutex_lock(&wq->mutex);
	mutex_lock(&wq->mutex);
	list_del_rcu(&pwq->pwqs_node);
	list_del_rcu(&pwq->pwqs_node);
	is_last = list_empty(&wq->pwqs);
	mutex_unlock(&wq->mutex);
	mutex_unlock(&wq->mutex);


	put_unbound_pool(pool);
	put_unbound_pool(pool);
@@ -3554,7 +3556,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
	 * If we're the last pwq going away, @wq is already dead and no one
	 * If we're the last pwq going away, @wq is already dead and no one
	 * is gonna access it anymore.  Free it.
	 * is gonna access it anymore.  Free it.
	 */
	 */
	if (list_empty(&wq->pwqs))
	if (is_last)
		kfree(wq);
		kfree(wq);
}
}
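Review bot: Nothing at `is_last = list_empty(&wq->pwqs);` records why the emptiness test has to be sampled before `mutex_unlock(&wq->mutex)`, which is the invariant this fix depends on: once the mutex is dropped, another releaser can be the last one and `kfree(wq)`, so any later read of `wq` by a non-last releaser would be a use-after-free. I would add above that line `/* Sample under wq->mutex: once we unlock, another releaser may free @wq, so it must not be dereferenced afterwards unless is_last. */`. It may also be worth confirming that `mutex_unlock()` never touches `wq->mutex` after it has released the lock, since the last releaser could take the mutex and free `wq` while an earlier unlock is still returning; that depends on the mutex implementation and cannot be judged from these lines. The function begins above the first hunk, and the code between the hunks is not shown.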