The crash matches a known workqueue state-machine bug fixed upstream by
commit a7488f089bdfa87c4fef1744d4dca9f4f8b46f8b ("workqueue: Release
PENDING in __queue_work() drain/destroy reject path"), authored by Breno
Leitao, applied by Tejun Heo to wq/for-7.1-fixes on 2026-05-08, merged
mainline via wq-for-7.1-rc3-fixes pull (2026-05-13).
The bug: when delayed_work_timer_fn() -> __queue_work() hits the
__WQ_DESTROYING | __WQ_DRAINING reject path, it WARNs and returns
without clearing WORK_STRUCT_PENDING, leaving the work in an
inconsistent state (PENDING=1, PWQ=0, entry empty). This matches our
observed sequence: the WARNING at 17:44:49 was the reject path firing,
and the NULL pointer dereference at 19:06:42 was the downstream
consequence.
An AUTOSEL backport to 7.0 stable was posted 2026-05-20 but has not
landed in any released 7.0.x point release through 7.0.12 (2026-06-09)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2157584
Title:
Kernel NULL pointer dereference in __queue_work via
delayed_work_timer_fn on 7.0.0-22-generic (Ubuntu 26.04)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2157584/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
