Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'wq-for-6.11-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
Pull workqueue fix from Tejun Heo:
"A fix for a NULL worker->pool deref bug which can be triggered when a
worker is created and then destroyed immediately"
* tag 'wq-for-6.11-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
workqueue: Clear worker->pool in the worker thread context
+6
-2
+6
-2
kernel/workqueue.c
+6
-2
kernel/workqueue.c
···
2709
2709
2710
2710
unbind_worker(worker);
2711
2711
list_del(&worker->node);
2712
-
worker->pool = NULL;
2713
2712
}
2714
2713
2715
2714
/**
···
2728
2729
2729
2730
mutex_lock(&wq_pool_attach_mutex);
2730
2731
detach_worker(worker);
2732
+
worker->pool = NULL;
2731
2733
mutex_unlock(&wq_pool_attach_mutex);
2732
2734
2733
2735
/* clear leftover flags without pool->lock after it is detached */
···
3349
3349
if (unlikely(worker->flags & WORKER_DIE)) {
3350
3350
raw_spin_unlock_irq(&pool->lock);
3351
3351
set_pf_worker(false);
3352
-
3352
+
/*
3353
+
* The worker is dead and PF_WQ_WORKER is cleared, worker->pool
3354
+
* shouldn't be accessed, reset it to NULL in case otherwise.
3355
+
*/
3356
+
worker->pool = NULL;
3353
3357
ida_free(&pool->worker_ida, worker->id);
3354
3358
return 0;
3355
3359
}