Commit f4d46809 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'wq-for-6.14-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 

Pull workqueue fix from Tejun Heo:

 - Fix a regression where a worker pool can be freed before rescuer
   workers are done with it leading to user-after-free

* tag 'wq-for-6.14-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: Put the pwq after detaching the rescuer from the pool
parents 111b2959 e7694611

kernel/workqueue.c

+6 −6
Original line number Diff line number Diff line
@@ -3516,12 +3516,6 @@ static int rescuer_thread(void *__rescuer) 
			}

		}



		/*

		 * Put the reference grabbed by send_mayday().  @pool won't

		 * go away while we're still attached to it.

		 */

		put_pwq(pwq);



		/*

		 * Leave this pool. Notify regular workers; otherwise, we end up

		 * with 0 concurrency and stalling the execution.
@@ -3532,6 +3526,12 @@ static int rescuer_thread(void *__rescuer) 


		worker_detach_from_pool(rescuer);



		/*

		 * Put the reference grabbed by send_mayday().  @pool might

		 * go away any time after it.

		 */

		put_pwq_unlocked(pwq);



		raw_spin_lock_irq(&wq_mayday_lock);

	}