[PATCH] workqueue: fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

* [PATCH] workqueue: fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
@ 2026-05-08 16:22 Breno Leitao
  2026-05-08 18:04 ` Tejun Heo
  0 siblings, 1 reply; 2+ messages in thread
From: Breno Leitao @ 2026-05-08 16:22 UTC (permalink / raw)
  To: Tejun Heo, Lai Jiangshan, Dennis Dalessandro
  Cc: linux-kernel, kernel-team, stable, Breno Leitao

For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
failure it returns the error directly, bypassing the enomem: label
which holds the only free_percpu(wq->cpu_pwq) in this function.

The caller's error path kfree()s wq without touching wq->cpu_pwq,
leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
failed call.

If kmemleak is enabled, we can see:

  unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
    comm "insmod", pid 776, jiffies 4294682844
    backtrace (crc 0):
      pcpu_alloc_noprof+0x665/0xac0
      __alloc_workqueue+0x33f/0xa20
      alloc_workqueue_noprof+0x60/0x100

Route the error through the existing enomem: cleanup and any error
before this one.

Cc: stable@kernel.org
Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
Signed-off-by: Breno Leitao <leitao@debian.org>
---
 kernel/workqueue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 3d2e3b2ec5283..3b839ddf2fdd2 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -5642,7 +5642,9 @@ static int alloc_and_link_pwqs(struct workqueue_struct *wq)
 		ret = apply_workqueue_attrs_locked(wq, unbound_std_wq_attrs[highpri]);
 	}
 
-	return ret;
+	if (ret)
+		goto enomem;
+	return 0;
 
 enomem:
 	if (wq->cpu_pwq) {

---
base-commit: fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0
change-id: 20260508-wq_leak-6c48e722bdc2

Best regards,
--  
Breno Leitao <leitao@debian.org>


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] workqueue: fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
  2026-05-08 16:22 [PATCH] workqueue: fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Breno Leitao
@ 2026-05-08 18:04 ` Tejun Heo
  0 siblings, 0 replies; 2+ messages in thread
From: Tejun Heo @ 2026-05-08 18:04 UTC (permalink / raw)
  To: Breno Leitao, Lai Jiangshan, Dennis Dalessandro
  Cc: linux-kernel, kernel-team, stable

Hello,

On Fri, 08 May 2026 09:22:03 -0700, Breno Leitao wrote:
> For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
> via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
> failure it returns the error directly, bypassing the enomem: label
> which holds the only free_percpu(wq->cpu_pwq) in this function.
>
> [...]

Applied to wq/for-7.1-fixes (capitalized the first word of the
subject).

Thanks.

--
tejun

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-08 18:04 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 16:22 [PATCH] workqueue: fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Breno Leitao
2026-05-08 18:04 ` Tejun Heo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox