kthread: zero the kthread data structure

kthread() could bail out early before we initialize blkcg_css (if the
kthread is killed very early. Please see xchg() statement in kthread()),
which confuses free_kthread_struct. Instead of moving the blkcg_css
initialization early, we simply zero the whole 'self' data structure,
which doesn't sound much overhead.

Reported-by: syzbot <[email protected]>
Fixes: 05e3db95ebfc ("kthread: add a mechanism to store cgroup info")
Cc: Andrew Morton <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Dmitry Vyukov <[email protected]>
Acked-by: Tejun Heo <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>

diff --git a/kernel/kthread.c b/kernel/kthread.c
index f87cd8b4eb2a17adcb2ed4c739a56ca3b8f142a0..8dbe2454cb1deed1447450ea301e2b7ac481ea9d 100644 (file)
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -204,7 +204,7 @@ static int kthread(void *_create)
        struct kthread *self;
        int ret;
 
-       self = kmalloc(sizeof(*self), GFP_KERNEL);
+       self = kzalloc(sizeof(*self), GFP_KERNEL);
        set_kthread_struct(self);
 
        /* If user was SIGKILLed, I release the structure. */
@@ -220,13 +220,9 @@ static int kthread(void *_create)
                do_exit(-ENOMEM);
        }
 
-       self->flags = 0;
        self->data = data;
        init_completion(&self->exited);
        init_completion(&self->parked);
-#ifdef CONFIG_BLK_CGROUP
-       self->blkcg_css = NULL;
-#endif
        current->vfork_done = &self->exited;
 
        /* OK, tell user we're spawned, wait for stop or wakeup */