diff options
author | Pavel Begunkov <asml.silence@gmail.com> | 2020-04-09 08:17:59 +0300 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2020-04-09 09:38:18 -0600 |
commit | c398ecb3d611925e4a5411afdf7489914a5c0460 (patch) | |
tree | 9f9abd0e95912c35d5851e88edf07967c78b4d72 /fs | |
parent | 9c280f9087118099f50566e906b9d9d5a0fb4529 (diff) | |
download | lwn-c398ecb3d611925e4a5411afdf7489914a5c0460.tar.gz lwn-c398ecb3d611925e4a5411afdf7489914a5c0460.zip |
io_uring: fix fs cleanup on cqe overflow
If completion queue overflow occurs, __io_cqring_fill_event() will
update req->cflags, which is in a union with req->work and happens to
be aliased to req->work.fs. Following io_free_req() ->
io_req_work_drop_env() may get a bunch of different problems (miscount
fs->users, segfault, etc) on cleaning @fs.
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/io_uring.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c index 21e1c69b9c43..be65eda059ac 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -608,6 +608,7 @@ struct io_kiocb { }; struct io_async_ctx *io; + int cflags; bool needs_fixed_file; u8 opcode; @@ -638,7 +639,6 @@ struct io_kiocb { struct callback_head task_work; struct hlist_node hash_node; struct async_poll *apoll; - int cflags; }; struct io_wq_work work; }; |