We should free memory the variable worker point to in fail path.
Reported-by: syzbot+65454c239241d3d647da@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 3146cba99aa2 ("io-wq: make worker creation resilient against signals")
Signed-off-by: Hao Xu <haoxu@xxxxxxxxxxxxxxxxx>
---
 fs/io-wq.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/io-wq.c b/fs/io-wq.c
index d80e4a735677..382efca4812b 100644
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -737,15 +737,8 @@ static bool create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
 __set_current_state(TASK_RUNNING);
 worker = kzalloc_node(sizeof(*worker), GFP_KERNEL, wqe->node);
- if (!worker) {
-fail:
- atomic_dec(&acct->nr_running);
- raw_spin_lock(&wqe->lock);
- acct->nr_workers--;
- raw_spin_unlock(&wqe->lock);
- io_worker_ref_put(wq);
- return false;
- }
+ if (!worker)
+ goto fail;
 refcount_set(&worker->ref, 1);
 worker->wqe = wqe;
@@ -759,7 +752,14 @@ static bool create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
 if (!IS_ERR(tsk)) {
 io_init_new_worker(wqe, worker, tsk);
 } else if (!io_should_retry_thread(PTR_ERR(tsk))) {
- goto fail;
+ kfree(worker);
+fail:
+ atomic_dec(&acct->nr_running);
+ raw_spin_lock(&wqe->lock);
+ acct->nr_workers--;
+ raw_spin_unlock(&wqe->lock);
+ io_worker_ref_put(wq);
+ return false;
 } else {
 INIT_WORK(&worker->work, io_workqueue_create);
 schedule_work(&worker->work);
--
2.24.4
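Review bot: The `fail:` label in the second hunk sits inside the body of the `else if (!io_should_retry_thread(PTR_ERR(tsk)))` branch, so the `goto fail` added in the first hunk jumps into the middle of a conditional block. That is legal C, but the leak being fixed came from exactly this kind of shared unwind path, and an entry point hidden inside a branch makes the next edit easy to get wrong. Because `kfree(NULL)` is a no-op, both failures could share one cleanup path by moving the call below the label, `fail: kfree(worker);`, ideally with the whole unwind placed at the end of the function. The retry branch would also benefit from a comment such as `/* worker is handed to the queued work item; it must not be freed here */`, if that is indeed why no `kfree()` is needed there; this depends on io_workqueue_create(), which is not shown. create_io_worker() begins and ends outside both hunks.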