From: Jiayuan Chen Date: Wed, 23 Apr 2025 16:17:42 +0000 (+0800) Subject: workqueue: Fix race condition in wq->stats incrementation X-Git-Tag: v6.16-rc1~155^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70e1683ca3a6474360af1d3a020a9a98c8492cc0;p=thirdparty%2Fkernel%2Flinux.git workqueue: Fix race condition in wq->stats incrementation Fixed a race condition in incrementing wq->stats[PWQ_STAT_COMPLETED] by moving the operation under pool->lock. Reported-by: syzbot+01affb1491750534256d@syzkaller.appspotmail.com Signed-off-by: Jiayuan Chen Signed-off-by: Tejun Heo --- diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 2cb8276a27a99..f9ef467020cff 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3241,7 +3241,7 @@ __acquires(&pool->lock) * point will only record its address. */ trace_workqueue_execute_end(work, worker->current_func); - pwq->stats[PWQ_STAT_COMPLETED]++; + lock_map_release(&lockdep_map); if (!bh_draining) lock_map_release(pwq->wq->lockdep_map); @@ -3272,6 +3272,8 @@ __acquires(&pool->lock) raw_spin_lock_irq(&pool->lock); + pwq->stats[PWQ_STAT_COMPLETED]++; + /* * In addition to %WQ_CPU_INTENSIVE, @worker may also have been marked * CPU intensive by wq_worker_tick() if @work hogged CPU longer than
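Review bot: In the first hunk (@@ -3241), the commit message does not say what races with the removed `pwq->stats[PWQ_STAT_COMPLETED]++`, which is a plain non-atomic read-modify-write that sat outside pool->lock. Please name the concurrent path in the message so the locking rule for pwq->stats[] is recorded. The subject also says wq->stats while the code touches pwq->stats, and the message carries no Fixes: tag, which would help stable backports. Minor style point: the removed line is replaced by an added blank line after trace_workqueue_execute_end(); drop it if a blank line already precedes lock_map_release(&lockdep_map).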
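Review bot: In the second hunk (@@ -3272), the increment placed right after raw_spin_lock_irq(&pool->lock) has no comment tying it to the lock, so a later cleanup could move it back out. A one-line comment saying that pwq->stats[] updates are serialized by pool->lock would prevent that. The counter is now bumped later than trace_workqueue_execute_end(), after the code between the two hunks has run, so the message should state that the later accounting point is intentional. Please also confirm that the other pwq->stats[] increments in this function are already made with pool->lock held, since only this one is visible in the patch.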