There is a race condition between rescuer_thread() and pwq_unbound_release_workfn().
The works of the @pwq may be processed by some other worker, and @pwq is scheduled to release before the rescuer starts to process. In this case pwq_unbound_release_workfn() will corrupt wq->maydays, and rescuer_thread will access corrupted data. Using get_pwq() in send_mayday() will keep @pwq's lifetime and avoid the race condition.
Signed-off-by: Lai Jiangshan <[email protected]>
---
kernel/workqueue.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 82ef9f3..7066519 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -1902,6 +1902,12 @@ static void send_mayday(struct work_struct *work) /* mayday mayday mayday */ if (list_empty(&pwq->mayday_node)) { + /* + * Keep the pwq and avoid the pwq to be scheduled to release + * when someone else processes all the works before the rescuer + * starts to process. + */ + get_pwq(pwq); list_add_tail(&pwq->mayday_node, &wq->maydays); wake_up_process(wq->rescuer->task); } @@ -2418,6 +2424,7 @@ repeat: /* migrate to the target cpu if possible */ worker_maybe_bind_and_lock(pool); rescuer->pool = pool; + put_pwq(pwq); /* * Slurp in all works issued via this workqueue and -- 1.7.7.6
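Review bot: In the send_mayday() hunk, the new comment should name where the matching put_pwq() lives, since the reference is taken exactly once per enqueue (it sits inside the `if (list_empty(&pwq->mayday_node))` guard) and the pairing is only correct if the rescuer drops it exactly once per dequeue from wq->maydays. Suggest rewording to something like "Hold a reference on @pwq so it cannot be scheduled for release while it sits on wq->maydays; the rescuer drops it with put_pwq()", which also fixes the grammar of "avoid the pwq to be scheduled to release".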
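Review bot: In the rescuer_thread() hunk, put_pwq(pwq) is dropped immediately after `rescuer->pool = pool;`, but the very next comment says the rescuer will "Slurp in all works issued via this workqueue", which means @pwq is still needed after the reference is released; if this was the last reference, the release the commit message is trying to prevent can be scheduled before the rescuer has finished with the pwq. Suggest moving put_pwq(pwq) to after the rescuer has processed the works it slurped from this pwq, with a comment stating that it puts the reference grabbed by send_mayday(), and keeping it under pool->lock as it is here.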

