My syzkaller instance reported a use-after-free bug in io_wqe_inc_running. I tried fixing this by checking whether wq is NULL in io_wqe_worker and, if it is, returning -EFAULT. This is because create_io_worker() will clean up the worker if there's an error. If you want I could send you the syzkaller reproducer and crash logs :)

Best Regards,
Jordy Zomer

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
 fs/io-wq.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/io-wq.c b/fs/io-wq.c index 0ae9ecadf295..9ed92d88a088 100644 --- a/fs/io-wq.c +++ b/fs/io-wq.c @@ -482,6 +482,10 @@ static int io_wqe_worker(void *data) char buf[TASK_COMM_LEN]; worker->flags |= (IO_WORKER_F_UP | IO_WORKER_F_RUNNING); + + if (wq == NULL) + return -EFAULT; + io_wqe_inc_running(worker); sprintf(buf, "iou-wrk-%d", wq->task_pid); -- 2.25.1
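Review bot: the check added before io_wqe_inc_running() tests `wq` for NULL, but the reported bug is a use-after-free in io_wqe_inc_running(worker), which dereferences `worker`, not `wq`; a NULL test on a different pointer cannot detect a freed `worker`, and the line directly above the new check (`worker->flags |= (IO_WORKER_F_UP | IO_WORKER_F_RUNNING);`) already writes through `worker` before the check runs, so the reported access would happen regardless. The root cause (what frees the worker while io_wqe_worker() is still executing) needs to be identified rather than papered over with a NULL check; if a NULL check on `wq` is still wanted, kernel style is `if (!wq)` rather than `if (wq == NULL)`. The early `return -EFAULT` also leaves the thread function without clearing the flags set on the line above or running whatever teardown the remainder of io_wqe_worker() performs; the commit message asserts that create_io_worker() cleans up the worker on error, but nothing in this hunk shows how the return value reaches create_io_worker(), so that path should be spelled out in the commit message.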