diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2020-05-08 18:07:40 +0300 |
---|---|---|
committer | Tejun Heo <tj@kernel.org> | 2020-05-11 17:25:42 +0300 |
commit | b92b36eadf4d7fa4a34f048c2a3bb61a735a885e (patch) | |
tree | 509e65da7d8a1484708b97e6d2098758864c02e3 /kernel/workqueue.c | |
parent | f187b6974f6dfbeba4aafda972cc37f27d091b73 (diff) | |
download | linux-b92b36eadf4d7fa4a34f048c2a3bb61a735a885e.tar.xz |
workqueue: Fix an use after free in init_rescuer()
We need to preserve error code before freeing "rescuer".
Fixes: f187b6974f6df ("workqueue: Use IS_ERR and PTR_ERR instead of PTR_ERR_OR_ZERO.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'kernel/workqueue.c')
-rw-r--r-- | kernel/workqueue.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/kernel/workqueue.c b/kernel/workqueue.c index ddf0537dce14..10ed8d761e0b 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -4197,6 +4197,7 @@ static int wq_clamp_max_active(int max_active, unsigned int flags, static int init_rescuer(struct workqueue_struct *wq) { struct worker *rescuer; + int ret; if (!(wq->flags & WQ_MEM_RECLAIM)) return 0; @@ -4208,8 +4209,9 @@ static int init_rescuer(struct workqueue_struct *wq) rescuer->rescue_wq = wq; rescuer->task = kthread_create(rescuer_thread, rescuer, "%s", wq->name); if (IS_ERR(rescuer->task)) { + ret = PTR_ERR(rescuer->task); kfree(rescuer); - return PTR_ERR(rescuer->task); + return ret; } wq->rescuer = rescuer; |