From nobody Sat Feb  7 09:31:33 2026
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com
 [209.85.216.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D345220C48C
	for <linux-kernel@vger.kernel.org>; Thu, 23 Jan 2025 08:24:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.45
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1737620663; cv=none;
 b=EYCUaKf6lYrUoTMZ7+yIcEII50yRRWFv4MeIAmQXMLBvL9Uwjd8CjCRVa+uHx2dmKbrrd8W2VnZzVslPImjt0ncCI8YAYTwDw61HKDE0SbFsHsLhwCKAaxcTD/a7KjS4VEKxBJG+cWAznDaNFujiX997cnu8fdE8woB+ugj2k0s=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1737620663; c=relaxed/simple;
	bh=jwdaTks4ezldgUDFsbIrOWArbJGqrOwaPH/6gYWKL3s=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Content-Type;
 b=cIZPvTGtaGF9ICYmeETqS46SY8JJiaV+NfnTC0sRIcmaju/fcjggNgqCDcu2wdSQ4UeU7MrxLfRpYkzE4mhGuQPcBOU6lKA/E1D1b4IpK3BbvookmNGex5VWsA73W80dmqsxt0ZF8WDb8q0G4cE4onwqh1je9Sn2lzMUvBNNw3I=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=dw7/YrRj; arc=none smtp.client-ip=209.85.216.45
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="dw7/YrRj"
Received: by mail-pj1-f45.google.com with SMTP id
 98e67ed59e1d1-2f44353649aso968204a91.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 23 Jan 2025 00:24:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1737620661; x=1738225461;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=cehkFGWb4yF/FElI1At0/Y4aeVy4ZQhazo71HdLcQdQ=;
        b=dw7/YrRj2UAOVupJtt7QsFW7+yluT5JXv3gmIrT0F71ppLIcigY4f2EWs4xZdnVLdL
         btWTvBxvBojEZj7xShSiqPWoH8LeotKa2Nn7y+RADzYIPm+SRhX0bXdQm31qsgil4alO
         BjRpFFef46ChcD2OMvLm/gPo2mKFKbrgP05nPueVmOPt4xUqOzOXvpgtP04m0gPdjCgM
         JRWPDEWGegKy+ANZ+KrtMcUNoC7B4nQ9KhnZleUAKJOvX1QXi4tBxPsyxpi5EfVOhH2a
         rkRedxPP8+FPVeFaub9X1dlwXY5/I1oU3W8Jm/hiYg24G5MtvIgA2Hdg67hoNq3nFOnW
         wiZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1737620661; x=1738225461;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=cehkFGWb4yF/FElI1At0/Y4aeVy4ZQhazo71HdLcQdQ=;
        b=wgZrx1xjT4IqjOpU/2TSq8ijaGkbJ+P7XQQKL2vxLsGrNq91SA8qt+uNFtIowitpB+
         /R5NNDQ9XlxAWTd0xvYJIde7hhDYInVMg8nCnLbkZ0STyJdH5HU963lTaPgB4TS3+adL
         R6jPPyfe4MQ0eR0K2ixJBMOt3TmV+DN5C1qYcKZYr5qxmrQpb22Wf3urnPHKsM5l4Tzj
         Wf+0bystCpubdK0x0YypomLGfCHg2svW56XQVU9Rtn1perV2RFwioT1IqamThrgP9Q0v
         gVgZr1k2gj+oayv9zEmg3K82eKbPm+mPd0chC/BfpaA+reK8TfbrgjCma2WW4S90H10R
         2oEw==
X-Gm-Message-State: AOJu0Yzmtloe+t2kHk7+Rcszo6UrDYG8IjRgaZa8zQIIssgv3kmpjkJZ
	Cg8JMoEfDpbZNU0WHSkefIiSxJrl9CzStyxCO+F5Eh2Yk/klhA6FG/x3bgkL
X-Gm-Gg: ASbGnctyBtI4tfHv1BiTYfwmcSbzgqkFks6Wr7vhlu2Skuyc29Zm0duCPMqpGb75xrB
	BH7L+MDrfHp4FJolLHKT2hgeRnyR+mtzeD+ZDhS0X7yBBl7UdoZStqp533Ld7hgBfXmiKdAlDVh
	zB7id6vp9Ib9GVq0p024VYdNd8BAzm9UBDU2w/GKm9ck2bg1NljguK+6KeuGvmbwrmuvJy9JkxO
	J8leG6rq3bTqU+X4bzfQcczTSXucncKlnv4OTLJUBZ0CujZC1M4R7MLU1Peq+ffd1eTjIWGdCXg
	TUg=
X-Google-Smtp-Source: 
 AGHT+IETlkYT4vkw7pA/Th49Hq00wqnMRMP2WP5hhd/1AfJT4V5ft7LCdyIjdWtX1MugFqqhEamUiQ==
X-Received: by 2002:a17:90b:288a:b0:2ee:bc7b:9237 with SMTP id
 98e67ed59e1d1-2f782d35fafmr35885973a91.27.1737620660774;
        Thu, 23 Jan 2025 00:24:20 -0800 (PST)
Received: from localhost ([47.254.74.32])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2f7e6a7afc9sm3547384a91.18.2025.01.23.00.24.19
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 23 Jan 2025 00:24:20 -0800 (PST)
From: Lai Jiangshan <jiangshanlai@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: Lai Jiangshan <jiangshan.ljs@antgroup.com>,
	cheung wall <zzqq0103.hey@gmail.com>,
	Tejun Heo <tj@kernel.org>,
	Lai Jiangshan <jiangshanlai@gmail.com>
Subject: [PATCH] workqueue: Put the pwq after detaching the rescuer from the
 pool
Date: Thu, 23 Jan 2025 16:25:35 +0800
Message-Id: <20250123082535.1538074-1-jiangshanlai@gmail.com>
X-Mailer: git-send-email 2.19.1.6.gb485710b
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Lai Jiangshan <jiangshan.ljs@antgroup.com>

The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and
remove detach_completion") adds code to reap the normal workers but
mistakenly does not handle the rescuer and also removes the code waiting
for the rescuer in put_unbound_pool(), which caused a use-after-free bug
reported by Cheung Wall.

To avoid the use-after-free bug, the pool=E2=80=99s reference must be held =
until
the detachment is complete. Therefore, move the code that puts the pwq
after detaching the rescuer from the pool.

Reported-by: cheung wall <zzqq0103.hey@gmail.com>
Cc: cheung wall <zzqq0103.hey@gmail.com>
Link: https://lore.kernel.org/lkml/CAKHoSAvP3iQW+GwmKzWjEAOoPvzeWeoMO0Gz7Pp=
3_4kxt-RMoA@mail.gmail.com/
Fixes: 68f83057b913("workqueue: Reap workers via kthread_stop() and remove =
detach_completion")
Signed-off-by: Lai Jiangshan <jiangshan.ljs@antgroup.com>
---
 kernel/workqueue.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 33a23c7b2274..ccad33001c58 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3516,12 +3516,6 @@ static int rescuer_thread(void *__rescuer)
 			}
 		}
=20
-		/*
-		 * Put the reference grabbed by send_mayday().  @pool won't
-		 * go away while we're still attached to it.
-		 */
-		put_pwq(pwq);
-
 		/*
 		 * Leave this pool. Notify regular workers; otherwise, we end up
 		 * with 0 concurrency and stalling the execution.
@@ -3532,6 +3526,12 @@ static int rescuer_thread(void *__rescuer)
=20
 		worker_detach_from_pool(rescuer);
=20
+		/*
+		 * Put the reference grabbed by send_mayday().  @pool might
+		 * go away any time after it.
+		 */
+		put_pwq_unlocked(pwq);
+
 		raw_spin_lock_irq(&wq_mayday_lock);
 	}
=20
--=20
2.19.1.6.gb485710b