summaryrefslogtreecommitdiffstats
path: root/fs/io_uring.c
diff options
context:
space:
mode:
authorPavel Begunkov <asml.silence@gmail.com>2020-04-09 07:17:59 +0200
committerJens Axboe <axboe@kernel.dk>2020-04-09 17:38:18 +0200
commitc398ecb3d611925e4a5411afdf7489914a5c0460 (patch)
tree9f9abd0e95912c35d5851e88edf07967c78b4d72 /fs/io_uring.c
parentio_uring: don't read user-shared sqe flags twice (diff)
downloadlinux-c398ecb3d611925e4a5411afdf7489914a5c0460.tar.xz
linux-c398ecb3d611925e4a5411afdf7489914a5c0460.zip
io_uring: fix fs cleanup on cqe overflow
If completion queue overflow occurs, __io_cqring_fill_event() will update req->cflags, which is in a union with req->work and happens to be aliased to req->work.fs. Following io_free_req() -> io_req_work_drop_env() may get a bunch of different problems (miscount fs->users, segfault, etc) on cleaning @fs. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs/io_uring.c')
-rw-r--r--fs/io_uring.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 21e1c69b9c43..be65eda059ac 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -608,6 +608,7 @@ struct io_kiocb {
};
struct io_async_ctx *io;
+ int cflags;
bool needs_fixed_file;
u8 opcode;
@@ -638,7 +639,6 @@ struct io_kiocb {
struct callback_head task_work;
struct hlist_node hash_node;
struct async_poll *apoll;
- int cflags;
};
struct io_wq_work work;
};