[1/2] io_uring: unaccount scq mem properly

Message ID 20190427113807.4933-1-shhuiw@foxmail.com (mailing list archive)
State New, archived

Commit Message

Shenghui Wang April 27, 2019, 11:38 a.m. UTC
io_allocate_scq_urings() may fail to allocate scq rings, and fail to
set ctx->sq_entries or ctx->cq_entries. In io_ring_ctx_free(), the code
'
    if (ctx->account_mem)
        io_unaccount_mem(ctx->user,
             ring_pages(ctx->sq_entries, ctx->cq_entries));
'
may not unaccount properly.

E.g., in io_uring_create(), we have ctx allocated with zero filled.
Later, io_allocate_scq_urings() fails, and we may still have
0-valued ctx->sq_entries & ctx->cq_entries. Then the unaccount code
cannot unaccount what io_account_mem() has changed.

Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
---
 fs/io_uring.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/fs/io_uring.c b/fs/io_uring.c
index f65f85d89217..9d382ac27e63 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2741,7 +2741,6 @@  static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
 	sq_ring->ring_mask = p->sq_entries - 1;
 	sq_ring->ring_entries = p->sq_entries;
 	ctx->sq_mask = sq_ring->ring_mask;
-	ctx->sq_entries = sq_ring->ring_entries;
 
 	size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
 	if (size == SIZE_MAX)
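Review bot: ctx->sq_mask is still set here from sq_ring->ring_mask while ctx->sq_entries is now set by the caller, so two fields that describe the same ring are initialised in different functions. Either move the mask assignment to io_uring_create() alongside the entries, or add a comment at this spot saying ctx->sq_entries must already be set before io_allocate_scq_urings() is called.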
@@ -2764,7 +2763,6 @@  static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
 	cq_ring->ring_mask = p->cq_entries - 1;
 	cq_ring->ring_entries = p->cq_entries;
 	ctx->cq_mask = cq_ring->ring_mask;
-	ctx->cq_entries = cq_ring->ring_entries;
 	return 0;
 }
 
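Review bot: with the ctx->cq_entries assignment gone before return 0, this function no longer sets either entry count and silently depends on the caller having done so. Document that precondition in a comment above io_allocate_scq_urings(); cq_ring->ring_entries is still written here from p->cq_entries, so a reader will expect the ctx copy to be set in the same place.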
@@ -2854,6 +2852,8 @@  static int io_uring_create(unsigned entries, struct io_uring_params *p)
 	ctx->compat = in_compat_syscall();
 	ctx->account_mem = account_mem;
 	ctx->user = user;
+	ctx->sq_entries = p->sq_entries;
+	ctx->cq_entries = p->cq_entries;
 
 	ret = io_allocate_scq_urings(ctx, p);
 	if (ret)
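Review bot: the two added assignments sit before the io_allocate_scq_urings() call with no comment explaining why the order matters, and on the if (ret) path ctx->sq_entries and ctx->cq_entries are now non-zero even though the rings may not have been allocated. Add a one-line comment that they are set early so io_ring_ctx_free() can compute ring_pages() for io_unaccount_mem(), and confirm that nothing in the teardown path treats non-zero entries as proof that the rings exist. Storing the accounted page count in ctx would remove the dependency on these fields altogether.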