diff options
| author |   Linus Torvalds <torvalds@linux-foundation.org> | 2025-02-14 10:58:03 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-02-14 10:58:03 -0800 |
| commit | f4d4680965aa3be2b2bf392a54fabb244fdce46a (patch) | |
| tree | 5bf260a6ced50b8d9ba616379b6593f5c24ef541 | |
| parent | Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux (diff) | |
| parent | workqueue: Put the pwq after detaching the rescuer from the pool (diff) | |
| download | wireguard-linux-f4d4680965aa3be2b2bf392a54fabb244fdce46a.tar.xz wireguard-linux-f4d4680965aa3be2b2bf392a54fabb244fdce46a.zip | |
Merge tag 'wq-for-6.14-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
Pull workqueue fix from Tejun Heo:
- Fix a regression where a worker pool can be freed before rescuer
workers are done with it leading to user-after-free
* tag 'wq-for-6.14-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
workqueue: Put the pwq after detaching the rescuer from the pool
| -rw-r--r-- | kernel/workqueue.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 3c2c45313c88..97152f2250fe 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3517,12 +3517,6 @@ repeat: } /* - * Put the reference grabbed by send_mayday(). @pool won't - * go away while we're still attached to it. - */ - put_pwq(pwq); - - /* * Leave this pool. Notify regular workers; otherwise, we end up * with 0 concurrency and stalling the execution. */ @@ -3532,6 +3526,12 @@ repeat: worker_detach_from_pool(rescuer); + /* + * Put the reference grabbed by send_mayday(). @pool might + * go away any time after it. + */ + put_pwq_unlocked(pwq); + raw_spin_lock_irq(&wq_mayday_lock); } |