2017-11-08 07:35:38

by Shaohua Li

Subject: [PATCH V2] kthread: zero the kthread data structure

kthread() could bail out early before we initialize blkcg_css (if the
kthread is killed very early. Please see xchg() statement in kthread()),
which confuses free_kthread_struct. Instead of moving the blkcg_css
initialization early, we simply zero the whole 'self' data structure,
which doesn't sound much overhead.

Reported-by: syzbot <[email protected]>
Fixes: 05e3db95ebfc ("kthread: add a mechanism to store cgroup info")
Cc: Andrew Morton <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Tejun Heo <[email protected]>
Cc: Dmitry Vyukov <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
---
kernel/kthread.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/kernel/kthread.c b/kernel/kthread.c
index f87cd8b4..8dbe245 100644
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -204,7 +204,7 @@ static int kthread(void *_create)
struct kthread *self;
int ret;

- self = kmalloc(sizeof(*self), GFP_KERNEL);
+ self = kzalloc(sizeof(*self), GFP_KERNEL);
set_kthread_struct(self);

/* If user was SIGKILLed, I release the structure. */
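Review bot: the kzalloc() at the allocation site is the right place for the fix, but a one-line comment above it would help: set_kthread_struct(self) publishes the pointer immediately, and on the killed-early path right below the task exits before any of the later field assignments run, so free_kthread_struct() can only rely on blkcg_css being NULL because the allocation zeroed it. Without that note a future cleanup could swap kzalloc() back to kmalloc() and silently reintroduce the uninitialised read.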
@@ -220,13 +220,9 @@ static int kthread(void *_create)
do_exit(-ENOMEM);
}

- self->flags = 0;
self->data = data;
init_completion(&self->exited);
init_completion(&self->parked);
-#ifdef CONFIG_BLK_CGROUP
- self->blkcg_css = NULL;
-#endif
current->vfork_done = &self->exited;

/* OK, tell user we're spawned, wait for stop or wakeup */
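Review bot: dropping `self->flags = 0;` and the `#ifdef CONFIG_BLK_CGROUP` block is consistent with the kzalloc() change; these assignments sat after the early do_exit() path, so they never ran for a thread killed before this point, which is exactly why zeroing at allocation was needed rather than moving the blkcg_css assignment. The explicit `self->data = data;` and init_completion() lines rightly stay, since those fields need non-zero values.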
--
2.9.5
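The failure the commit message describes, modelled in plain C as an added example (not kernel code and not part of this thread): a struct is allocated, the thread bails out early, and the free routine inspects a field that the early path never initialised. The names kthread_model, alloc_garbage, alloc_zeroed, free_model and early_exit_sees_uninit_css are assumptions of this example, standing in for kthread, kmalloc, kzalloc, free_kthread_struct and the early-exit path in kthread().

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel objects; not kernel code. */
struct css { int refcnt; };

struct kthread_model {
    unsigned long flags;
    void *data;
    struct css *blkcg_css;  /* in kthread(), assigned only after the early-exit check */
};

/* Models kmalloc(): fill the block with a poison byte so an unwritten field
 * reads as garbage, as it can after a real kmalloc(). */
static struct kthread_model *alloc_garbage(void)
{
    struct kthread_model *self = malloc(sizeof(*self));
    if (self) memset(self, 0xAA, sizeof(*self));
    return self;
}

/* Models kzalloc(): every field, blkcg_css included, starts out as zero. */
static struct kthread_model *alloc_zeroed(void)
{
    return calloc(1, sizeof(struct kthread_model));
}

/* Models free_kthread_struct(), which inspects blkcg_css.  Instead of acting
 * on the pointer, report whether it held a non-NULL (possibly stale) value. */
static bool free_model(struct kthread_model *self)
{
    bool stale_css = self->blkcg_css != NULL;
    free(self);
    return stale_css;
}

/* Models the early bail-out in kthread(): allocate, publish, get killed
 * before blkcg_css is assigned, free.  Returns true when the free path
 * would have seen an uninitialised blkcg_css. */
static bool early_exit_sees_uninit_css(bool use_zeroed_alloc)
{
    struct kthread_model *self = use_zeroed_alloc ? alloc_zeroed()
                                                  : alloc_garbage();
    if (!self)
        return false;
    /* killed-early path: none of the later field assignments run */
    return free_model(self);
}
```

A real kmalloc() returns whatever the slab previously held, so the garbage case is nondeterministic there; the poison byte makes it reproducible.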




2017-11-08 02:32:21

by Jens Axboe

Subject: Re: [PATCH V2] kthread: zero the kthread data structure

On 11/07/2017 12:09 PM, Shaohua Li wrote:
> kthread() could bail out early before we initialize blkcg_css (if the
> kthread is killed very early. Please see xchg() statement in kthread()),
> which confuses free_kthread_struct. Instead of moving the blkcg_css
> initialization early, we simply zero the whole 'self' data structure,
> which doesn't sound much overhead.

Applied, thanks Shaohua.

--
Jens Axboe



2017-11-08 02:32:13

by Tejun Heo

Subject: Re: [PATCH V2] kthread: zero the kthread data structure

On Tue, Nov 07, 2017 at 11:09:50AM -0800, Shaohua Li wrote:
> kthread() could bail out early before we initialize blkcg_css (if the
> kthread is killed very early. Please see xchg() statement in kthread()),
> which confuses free_kthread_struct. Instead of moving the blkcg_css
> initialization early, we simply zero the whole 'self' data structure,
> which doesn't sound much overhead.
>
> Reported-by: syzbot <[email protected]>
> Fixes: 05e3db95ebfc ("kthread: add a mechanism to store cgroup info")
> Cc: Andrew Morton <[email protected]>
> Cc: Ingo Molnar <[email protected]>
> Cc: Tejun Heo <[email protected]>
> Cc: Dmitry Vyukov <[email protected]>
> Signed-off-by: Shaohua Li <[email protected]>

Acked-by: Tejun Heo <[email protected]>

Thanks.

--
tejun
