CVE-2025-21786

The commit 68f83057b913("workqueue: Reap workers via kthreadstop() and remove detachcompletion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in putunboundpool(), which caused a use-after-free bug reported by Cheung Wall.

To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

68f83057b913467a999e1bf9e0da6a119668f769

Fixed

e7c16028a424dd35be1064a68fa318be4359310f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

68f83057b913467a999e1bf9e0da6a119668f769

Fixed

835b69c868f53f959d4986bbecd561ba6f38e492

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

68f83057b913467a999e1bf9e0da6a119668f769

Fixed

e76946110137703c16423baf6ee177b751a34b7e

Affected versions

v6.*

v6.10

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.2

v6.13.3

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.11.0

Fixed

6.12.16

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.13.4