CVE-2025-21786: workqueue: Put the pwq after detaching the rescuer from the pool
JIRA: https://issues.redhat.com/browse/RHEL-81472
CVE: CVE-2025-21786
commit e76946110137703c16423baf6ee177b751a34b7e
Author: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Date: Thu Jan 23 16:25:35 2025 +0800
workqueue: Put the pwq after detaching the rescuer from the pool
The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and
remove detach_completion") adds code to reap the normal workers but
mistakenly does not handle the rescuer and also removes the code waiting
for the rescuer in put_unbound_pool(), which caused a use-after-free bug
reported by Cheung Wall.
To avoid the use-after-free bug, the pool’s reference must be held until
the detachment is complete. Therefore, move the code that puts the pwq
after detaching the rescuer from the pool.
Reported-by: cheung wall <zzqq0103.hey@gmail.com>
Cc: cheung wall <zzqq0103.hey@gmail.com>
Link: https://lore.kernel.org/lkml/CAKHoSAvP3iQW+GwmKzWjEAOoPvzeWeoMO0Gz7Pp3_4kxt-RMoA@mail.gmail.com/
Fixes: 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion")
Signed-off-by: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
---
Created 2025-02-27 22:46 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)
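The ordering problem the commit message describes, as a small user-space model added here for illustration (it is not the kernel patch or code from this merge request). All struct and function names are simplified stand-ins, a `released` flag takes the place of actually freeing the pool so the stale access can be counted, and the `other_refs` parameter goes one step beyond the text to show that the old order only misbehaves when the rescuer drops the last pwq reference.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified user-space stand-ins (assumed names), not kernel code. */
struct pool { int refcnt; int attached; bool released; };
struct pwq  { int refcnt; struct pool *pool; };
static int stale_accesses; /* touches of a pool after its release */

static void pool_put(struct pool *p)
{
    if (--p->refcnt == 0)
        p->released = true; /* the kernel would free the pool here */
}

/* Dropping the last pwq reference drops the pwq's hold on the pool. */
static void pwq_put(struct pwq *q)
{
    if (--q->refcnt == 0)
        pool_put(q->pool);
}

/* Detaching reads and writes the pool the rescuer is attached to. */
static void detach_rescuer(struct pool *p)
{
    if (p->released)
        stale_accesses++; /* a use-after-free on real memory */
    else
        p->attached--;
}

enum order { PUT_THEN_DETACH, DETACH_THEN_PUT };
/* other_refs: pwq references held by anyone besides the rescuer. */
static int rescuer_exit(enum order o, int other_refs)
{
    struct pool pool = { .refcnt = 1, .attached = 1, .released = false };
    struct pwq pwq = { .refcnt = 1 + other_refs, .pool = &pool };
    stale_accesses = 0;
    if (o == PUT_THEN_DETACH) {
        pwq_put(&pwq);
        detach_rescuer(&pool);
    } else {
        detach_rescuer(&pool);
        pwq_put(&pwq);
    }
    return stale_accesses;
}

int main(void)
{
    printf("put first: %d, detach first: %d\n",
           rescuer_exit(PUT_THEN_DETACH, 0), rescuer_exit(DETACH_THEN_PUT, 0));
}
```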
Activity
added FixesOK label
ACK/NACK Summary: AcksOK
Approved by:
- Waiman Long (llong1)
- Phil Auld (prauld)
Satisfied Approvals:
- Approval Rule "workqueue" already has 2 ACK(s) (0 required).
Merge Request has all necessary non-bot Approvals.
Updated 2025-03-06 13:20 UTC by ack_nack
Edited by CKI KWF Bot
added Subsystem:workqueue label
added ConfigsOK label
added SignoffOK label
Fixes Status: FixesOK
No missing upstream fixes for MR 6476 found at this time.
Updated 2025-02-27 22:54 UTC by fixes
Edited by CKI KWF Bot
DCO Signoff Check Report SignoffOK
The DCO Signoff Check for all commits and the MR description has PASSED.
Updated 2025-02-27 22:54 UTC by signoff
Edited by CKI KWF Bot
added CommitRefsOK DependenciesOK labels
Kernel Configuration Evaluation: ConfigsOK
This report indicates how any detected Kconfig changes compare with expected changes in the merged .config and with the ARK configs.
This Merge Request has no detected kernel config changes in it.
To request re-evaluation after resolving any issues with the configs in the merge request, add a comment to this MR with only the text: request-configs-evaluation
Created 2025-02-27 22:47 UTC by configshook
Upstream Commit ID Readiness: CommitRefsOK
This report indicates how backported commits compare to the upstream source commit. Matching (or not matching) is not a guarantee of correctness. KABI, missing or un-backportable dependencies, or existing RHEL differences against upstream may lead to a difference in commits. As always, care should be taken in the review to ensure code correctness.
Total number of commits analyzed: 1
Merge Request passes commit ID validation, all required references present.
Updated 2025-02-27 22:54 UTC by commit_compare
Edited by CKI KWF Bot
JIRA Hook Readiness Report
Target Branch: main
This merge request passes jirahook validation: JIRAOK
JIRA Issue tags:

| JIRA Issue | CVEs | Commits | Readiness | Policy Check | Notes |
|---|---|---|---|---|---|
| RHEL-81472 (IN_PROGRESS) | CVE-2025-21786 | 80162867 | READY_FOR_MERGE | Passed | - |

CVE tags:

| CVEs | Priority | Commits | Clones | Readiness | Notes |
|---|---|---|---|---|---|
| CVE-2025-21786 | Medium | 80162867 | N/A | READY_FOR_MERGE | - |

Linked JIRA Issues:

| JIRA Issue | CVEs | Component | Readiness | Policy Check | Variant | Subsystems | Notes |
|---|---|---|---|---|---|---|---|
| RHEL-81474 (TASK: CLOSED) | None | kernel-rt | READY_FOR_MERGE | Passed | | | - |

Guidelines for these entries can be found in CommitRules: https://red.ht/kwf_commit_rules.
To request re-evaluation either remove the JIRA label from the MR or add a comment with only the text: request-jirahook-evaluation.
Updated 2025-03-17 17:09 UTC by jirahook
Edited by CKI KWF Bot
added JIRAPlanning SeverityModerate labels
changed milestone to %RHEL-9.7.0
added CKIRunning label
CKI Pipelines Status: CKIOK
Summary
All required pipelines have passed!

| Pipeline | State |
|---|---|
| 64K | OK |
| CentOS | OK |
| RHEL Compat | OK |
| Realtime 64K | OK |
| Realtime | OK |

Updated 2025-02-28 12:54 UTC by ckihook - CKI FAQ - Slack #team-kernel-cki - Source - Documentation - Report an issue
Edited by CKI KWF Bot
added MergeOK label
Mergeability Summary: MergeOK
This MR can be merged cleanly to its target branch.
Updated 2025-02-27 22:56 UTC by mergehook
Edited by CKI KWF Bot
assigned to @llong1