Commit e10237cc authored by Shaohua Li's avatar Shaohua Li Committed by Jens Axboe

kthread: zero the kthread data structure

kthread() could bail out early before we initialize blkcg_css (if the
kthread is killed very early. Please see xchg() statement in kthread()),
which confuses free_kthread_struct. Instead of moving the blkcg_css
initialization early, we simply zero the whole 'self' data structure,
which doesn't sound much overhead.
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Fixes: 05e3db95 ("kthread: add a mechanism to store cgroup info")
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Acked-by: default avatarTejun Heo <tj@kernel.org>
Signed-off-by: default avatarShaohua Li <shli@fb.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 18c53e40
...@@ -204,7 +204,7 @@ static int kthread(void *_create) ...@@ -204,7 +204,7 @@ static int kthread(void *_create)
struct kthread *self; struct kthread *self;
int ret; int ret;
self = kmalloc(sizeof(*self), GFP_KERNEL); self = kzalloc(sizeof(*self), GFP_KERNEL);
set_kthread_struct(self); set_kthread_struct(self);
/* If user was SIGKILLed, I release the structure. */ /* If user was SIGKILLed, I release the structure. */
...@@ -220,13 +220,9 @@ static int kthread(void *_create) ...@@ -220,13 +220,9 @@ static int kthread(void *_create)
do_exit(-ENOMEM); do_exit(-ENOMEM);
} }
self->flags = 0;
self->data = data; self->data = data;
init_completion(&self->exited); init_completion(&self->exited);
init_completion(&self->parked); init_completion(&self->parked);
#ifdef CONFIG_BLK_CGROUP
self->blkcg_css = NULL;
#endif
current->vfork_done = &self->exited; current->vfork_done = &self->exited;
/* OK, tell user we're spawned, wait for stop or wakeup */ /* OK, tell user we're spawned, wait for stop or wakeup */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment