workqueue: fix race condition in unbound workqueue free path

8864b4e59 ("workqueue: implement get/put_pwq()") implemented pwq
(pool_workqueue) refcnting which frees workqueue when the last pwq
goes away.  It determined whether it was the last pwq by testing
wq->pwqs is empty.  Unfortunately, the test was done outside wq->mutex
and multiple pwq release could race and try to free wq multiple times
leading to oops.

Test wq->pwqs emptiness while holding wq->mutex.

Signed-off-by: Tejun Heo <tj@kernel.org>

1 files changed, 3 insertions, 1 deletions

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 04a8b98d30ce..4d344326ae97 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3534,6 +3534,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
                                                   unbound_release_work);
         struct workqueue_struct *wq = pwq->wq;
         struct worker_pool *pool = pwq->pool;
+        bool is_last;
 
         if (WARN_ON_ONCE(!(wq->flags & WQ_UNBOUND)))
                 return;
@@ -3545,6 +3546,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
          */
         mutex_lock(&wq->mutex);
         list_del_rcu(&pwq->pwqs_node);
+        is_last = list_empty(&wq->pwqs);
         mutex_unlock(&wq->mutex);
 
         put_unbound_pool(pool);
@@ -3554,7 +3556,7 @@ static void pwq_unbound_release_workfn(struct work_struct *work)
          * If we're the last pwq going away, @wq is already dead and no one
          * is gonna access it anymore.  Free it.
          */
-        if (list_empty(&wq->pwqs))
+        if (is_last)
                 kfree(wq);
 }