[PATCH] workqueue: unregister wq lockdep on error path in alloc_workqueue()

Kefeng Wang Thu, 07 Mar 2019 23:25:21 -0800

syzkaller report an issue "KASAN: use-after-free Read in alloc_workqueue",


alloc_workqueue
 - kzalloc wq
 - wq_init_lockdep(wq);
   - lockdep_register_key(&wq->key);  // add to hlist
 - kfree wq

But forget to call wq_unregister_lockdep()->lockdep_unregister_key(), it
will delete the entry from hlist.

Reported-by: syzbot+17335689e239ce135...@syzkaller.appspotmail.com
Fixes: 669de8bda87b ("kernel/workqueue: Use dynamic lockdep keys for 
workqueues")
Signed-off-by: Kefeng Wang <wangkefeng.w...@huawei.com>
---
 kernel/workqueue.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 7abbeed13421..9209d25dfade 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4291,6 +4291,7 @@ struct workqueue_struct *alloc_workqueue(const char *fmt,
        return wq;
 
 err_free_wq:
+       wq_unregister_lockdep(wq);
        free_workqueue_attrs(wq->unbound_attrs);
        kfree(wq);
        return NULL;
-- 
2.20.1

[PATCH] workqueue: unregister wq lockdep on error path in alloc_workqueue()

Reply via email to