diff mbox series

[for-linus] io_uring: Fix leaked shadow_req

Message ID 47835fb780667714ba2d21e9a00fe69bc9bbef47.1572203348.git.asml.silence@gmail.com (mailing list archive)
State New, archived
Headers show
Series [for-linus] io_uring: Fix leaked shadow_req | expand

Commit Message

Pavel Begunkov Oct. 27, 2019, 7:10 p.m. UTC 
io_queue_link_head() owns shadow_req after taking it as an argument.
By not freeing it in case of an error, it can leak the request along
with taken ctx->refs.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Jens Axboe Oct. 28, 2019, 3:29 a.m. UTC | #1 
On 10/27/19 1:10 PM, Pavel Begunkov wrote:
> io_queue_link_head() owns shadow_req after taking it as an argument.
> By not freeing it in case of an error, it can leak the request along
> with taken ctx->refs.

Thakns, applied.
diff mbox series

Patch

diff --git a/fs/io_uring.c b/fs/io_uring.c
index fa83ea2c16ee..5a48687c4efa 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2413,6 +2413,7 @@  static int io_queue_link_head(struct io_ring_ctx *ctx, struct io_kiocb *req,
 	if (ret) {
 		if (ret != -EIOCBQUEUED) {
 			io_free_req(req);
+			__io_free_req(shadow);
 			io_cqring_add_event(ctx, s->sqe->user_data, ret);
 			return 0;
 		}