Message ID | 20191220233322.13599-1-colin.king@canonical.com
---|---
State | New, archived
Series | [next] io_uring: fix missing error return when percpu_ref_init fails
On 12/20/19 4:33 PM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> Currently when the call to percpu_ref_init fails ctx->file_data is
> set to null and because there is a missing return statement the
> following statement dereferences this null pointer causing an oops.
> Fix this by adding the missing -ENOMEM return to avoid the oops.

Nice, thanks! I'm guessing I didn't have the necessary magic debug
options to allow failure injection for failing.
On 20/12/2019 23:48, Jens Axboe wrote:
> On 12/20/19 4:33 PM, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Currently when the call to percpu_ref_init fails ctx->file_data is
>> set to null and because there is a missing return statement the
>> following statement dereferences this null pointer causing an oops.
>> Fix this by adding the missing -ENOMEM return to avoid the oops.
>
> Nice, thanks! I'm guessing I didn't have the necessary magic debug
> options to allow failure injection for failing.

Fortunately we have Coverity to the rescue :-)

Colin
On 12/20/19 4:49 PM, Colin Ian King wrote:
> On 20/12/2019 23:48, Jens Axboe wrote:
>> On 12/20/19 4:33 PM, Colin King wrote:
>>> From: Colin Ian King <colin.king@canonical.com>
>>>
>>> Currently when the call to percpu_ref_init fails ctx->file_data is
>>> set to null and because there is a missing return statement the
>>> following statement dereferences this null pointer causing an oops.
>>> Fix this by adding the missing -ENOMEM return to avoid the oops.
>>
>> Nice, thanks! I'm guessing I didn't have the necessary magic debug
>> options to allow failure injection for failing.
>
> Fortunately we have Coverity to the rescue :-)

Indeed!
diff --git a/fs/io_uring.c b/fs/io_uring.c index c756b8fc44c6..1d31294f5914 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4937,6 +4937,7 @@ static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg, kfree(ctx->file_data->table); kfree(ctx->file_data); ctx->file_data = NULL; + return -ENOMEM; } ctx->file_data->put_llist.first = NULL; INIT_WORK(&ctx->file_data->ref_work, io_ring_file_ref_switch);
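Review bot: the added `return -ENOMEM;` closes the fall-through in the percpu_ref_init failure block, but it hardcodes the errno instead of propagating what percpu_ref_init returned; the call itself is outside the hunk, so if its result is held in a local (the usual `ret = percpu_ref_init(...)` shape), `return ret;` would be the more conventional form, even though -ENOMEM matches percpu_ref_init's own allocation failure today. The rest of the block is consistent with an early return: `kfree(ctx->file_data->table);` and `kfree(ctx->file_data);` release what was allocated and `ctx->file_data = NULL;` leaves no stale pointer for a later unregister to find, and nothing in the surrounding context lines points to further allocations that would need unwinding. The commit message could say explicitly that the block now returns instead of falling through to `ctx->file_data->put_llist.first = NULL;`, since that is the NULL dereference the patch removes.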
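The thread's closing remark is that the bug was missed because the failure path was never exercised. The following is an added, user-space C model of the register/unregister error path with a failure-injection knob; it is not kernel code and not part of the patch. The names `model_files_register`, `model_percpu_ref_init`, `fail_ref_init` and the `ring_ctx`/`fixed_file_data` structs are assumptions chosen to mirror the function in the hunk, and the sample call counts are constructed. It shows the fixed shape (free, clear the pointer, return) and how a deterministic injection hook lets a test reach that branch without relying on kernel fault-injection config.

```c
/* Added example, not from the kernel or the patch: a user-space model of
 * the io_sqe_files_register() error path. Names are stand-ins, not the
 * real kernel symbols. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

struct fixed_file_data {
    void **table;    /* stands in for the file table allocation */
    int ref_inited;  /* stands in for the percpu_ref */
};

struct ring_ctx {
    struct fixed_file_data *file_data;
};

/* Failure-injection knob (assumed, test-only): when nonzero, the next ref
 * init fails as if the per-cpu allocation inside percpu_ref_init() failed. */
static int fail_ref_init;

static int model_percpu_ref_init(int *ref)
{
    if (fail_ref_init) {
        fail_ref_init = 0;   /* one-shot, like a single injected fault */
        return -ENOMEM;
    }
    *ref = 1;
    return 0;
}

/* Fixed form of the path in the hunk: on ref init failure, free what was
 * allocated, clear the pointer, and return. Without the return, the
 * statements after the block would dereference the now-NULL file_data. */
static int model_files_register(struct ring_ctx *ctx, size_t nr_files)
{
    int ret;

    if (ctx->file_data)
        return -EBUSY;
    if (!nr_files)
        return -EINVAL;

    ctx->file_data = calloc(1, sizeof(*ctx->file_data));
    if (!ctx->file_data)
        return -ENOMEM;

    ctx->file_data->table = calloc(nr_files, sizeof(void *));
    if (!ctx->file_data->table) {
        free(ctx->file_data);
        ctx->file_data = NULL;
        return -ENOMEM;
    }

    ret = model_percpu_ref_init(&ctx->file_data->ref_inited);
    if (ret) {
        free(ctx->file_data->table);
        free(ctx->file_data);
        ctx->file_data = NULL;
        return ret;   /* the return the patch adds (as -ENOMEM) */
    }

    /* Work that follows the error block in the real function; it is only
     * safe because the failure branch above returned. */
    ctx->file_data->table[0] = NULL;
    return 0;
}

static void model_files_unregister(struct ring_ctx *ctx)
{
    if (!ctx->file_data)
        return;
    free(ctx->file_data->table);
    free(ctx->file_data);
    ctx->file_data = NULL;
}

/* Drive both paths with injected failure first; returns 0 when the
 * error path cleans up and the success path registers normally. */
static int run_error_path_check(void)
{
    struct ring_ctx ctx = { 0 };

    fail_ref_init = 1;
    if (model_files_register(&ctx, 4) != -ENOMEM || ctx.file_data != NULL)
        return 1;   /* error path must leave no pointer behind */

    if (model_files_register(&ctx, 4) != 0 || ctx.file_data == NULL)
        return 2;   /* success path after a failed attempt must still work */
    if (model_files_register(&ctx, 4) != -EBUSY)
        return 3;   /* second registration is refused while one is live */

    model_files_unregister(&ctx);
    return ctx.file_data == NULL ? 0 : 4;
}
```

The knob is the point: an allocation-failure branch that a test cannot reach is effectively untested, and a one-shot injection flag (or, in the kernel, the fault-injection framework) is what turns a "missing return" into a reproducible crash rather than a static-analysis finding.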