Commit 5da02886 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'wq-for-6.11-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 

Pull workqueue fix from Tejun Heo:
 "A fix for a NULL worker->pool deref bug which can be triggered when a
  worker is created and then destroyed immediately"

* tag 'wq-for-6.11-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: Clear worker->pool in the worker thread context
parents 8581ae1e 73613840

kernel/workqueue.c

+6 −2
Original line number Diff line number Diff line
@@ -2709,7 +2709,6 @@ static void detach_worker(struct worker *worker) 


	unbind_worker(worker);

	list_del(&worker->node);

	worker->pool = NULL;

}



/**
@@ -2729,6 +2728,7 @@ static void worker_detach_from_pool(struct worker *worker) 


	mutex_lock(&wq_pool_attach_mutex);

	detach_worker(worker);

	worker->pool = NULL;

	mutex_unlock(&wq_pool_attach_mutex);



	/* clear leftover flags without pool->lock after it is detached */
@@ -3349,7 +3349,11 @@ static int worker_thread(void *__worker) 
	if (unlikely(worker->flags & WORKER_DIE)) {

		raw_spin_unlock_irq(&pool->lock);

		set_pf_worker(false);



		/*

		 * The worker is dead and PF_WQ_WORKER is cleared, worker->pool

		 * shouldn't be accessed, reset it to NULL in case otherwise.

		 */

		worker->pool = NULL;

		ida_free(&pool->worker_ida, worker->id);

		return 0;

	}