Merge tag 'wq-for-6.14-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq

Pull workqueue fix from Tejun Heo: - Fix a regression where a worker pool can be freed before rescuer workers are done with it leading to user-after-free * tag 'wq-for-6.14-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: Put the pwq after detaching the rescuer from the pool
author: Linus Torvalds <torvalds@linux-foundation.org> 2025-02-14 10:58:03 -0800
committer: Linus Torvalds <torvalds@linux-foundation.org> 2025-02-14 10:58:03 -0800
commit: f4d4680965aa3be2b2bf392a54fabb244fdce46a (patch)
tree: 5bf260a6ced50b8d9ba616379b6593f5c24ef541 /kernel/workqueue.c
parent: 111b29599c189247919a514b6c3a93e828db27c2 (diff)
parent: e76946110137703c16423baf6ee177b751a34b7e (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 3c2c45313c88..97152f2250fe 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3517,12 +3517,6 @@ repeat:
 		}
 
 		/*
-		 * Put the reference grabbed by send_mayday().  @pool won't
-		 * go away while we're still attached to it.
-		 */
-		put_pwq(pwq);
-
-		/*
 		 * Leave this pool. Notify regular workers; otherwise, we end up
 		 * with 0 concurrency and stalling the execution.
 		 */
@@ -3532,6 +3526,12 @@ repeat:
 
 		worker_detach_from_pool(rescuer);
 
+		/*
+		 * Put the reference grabbed by send_mayday().  @pool might
+		 * go away any time after it.
+		 */
+		put_pwq_unlocked(pwq);
+
 		raw_spin_lock_irq(&wq_mayday_lock);
 	}
author	Linus Torvalds <torvalds@linux-foundation.org>	2025-02-14 10:58:03 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	2025-02-14 10:58:03 -0800
commit	f4d4680965aa3be2b2bf392a54fabb244fdce46a (patch)
tree	5bf260a6ced50b8d9ba616379b6593f5c24ef541 /kernel/workqueue.c
parent	111b29599c189247919a514b6c3a93e828db27c2 (diff)
parent	e76946110137703c16423baf6ee177b751a34b7e (diff)