Commit 9fab276

Merge: CVE-2025-21786: workqueue: Put the pwq after detaching the rescuer from the pool
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6476
JIRA: https://issues.redhat.com/browse/RHEL-81472
CVE: CVE-2025-21786

```
commit e769461
Author: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Date: Thu Jan 23 16:25:35 2025 +0800

workqueue: Put the pwq after detaching the rescuer from the pool

The commit 68f8305("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall.

To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool.

Reported-by: cheung wall <zzqq0103.hey@gmail.com>
Cc: cheung wall <zzqq0103.hey@gmail.com>
Link: https://lore.kernel.org/lkml/CAKHoSAvP3iQW+GwmKzWjEAOoPvzeWeoMO0Gz7Pp3_4kxt-RMoA@mail.gmail.com/
Fixes: 68f8305("workqueue: Reap workers via kthread_stop() and remove detach_completion")
Signed-off-by: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

---

<small>Created 2025-02-27 22:46 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small>

Approved-by: Waiman Long <longman@redhat.com>
Approved-by: Phil Auld <pauld@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Merged-by: Augusto Caringi <acaringi@redhat.com>
2 parents 61e00d7 + 8016286 commit 9fab276

kernel/workqueue.c

Lines changed: 6 additions & 6 deletions
@@ -3579,12 +3579,6 @@ static int rescuer_thread(void *__rescuer)
35793579
}
35803580
}
35813581

3582-
/*
3583-
* Put the reference grabbed by send_mayday(). @pool won't
3584-
* go away while we're still attached to it.
3585-
*/
3586-
put_pwq(pwq);
3587-
35883582
/*
35893583
* Leave this pool. Notify regular workers; otherwise, we end up
35903584
* with 0 concurrency and stalling the execution.
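Review bot: At the removed put_pwq(pwq) block just ahead of the "Leave this pool" comment, nothing now tells a reader that the reference taken by send_mayday() is still held through the rest of this section. The deleted comment asserted that @pool won't go away while the rescuer is attached, which is the assumption this fix retires, so a short remark here that the pwq reference is deliberately kept until after worker_detach_from_pool(rescuer) would help keep a later cleanup from moving the put back up.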
@@ -3595,6 +3589,12 @@ static int rescuer_thread(void *__rescuer)
35953589

35963590
worker_detach_from_pool(rescuer);
35973591

3592+
/*
3593+
* Put the reference grabbed by send_mayday(). @pool might
3594+
* go away any time after it.
3595+
*/
3596+
put_pwq_unlocked(pwq);
3597+
35983598
raw_spin_lock_irq(&wq_mayday_lock);
35993599
}
36003600

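Review bot: The call re-added after worker_detach_from_pool(rescuer) is put_pwq_unlocked(pwq), not the put_pwq(pwq) that was removed, and neither the new comment nor the commit message says why the variant changed. Please state the locking expectation at this point; the next visible line takes wq_mayday_lock, so which locks are held at the put is not evident from the hunk. The new comment's "any time after it" would read more clearly as "any time after this put", and it is worth saying explicitly that nothing below may touch the pool once the reference is dropped.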