summaryrefslogtreecommitdiff
path: root/io_uring
diff options
context:
space:
mode:
authorAnuj Gupta <anuj20.g@samsung.com>2022-08-11 14:44:59 +0530
committerJens Axboe <axboe@kernel.dk>2022-08-11 10:56:00 -0600
commit3ed159c984079baedff740505d609badb8538e0d (patch)
treeb392784a2ec0009fb964eef6a928fc039446afa7 /io_uring
parentd1f6222c4978817712e0f2825ce9e830763f0695 (diff)
downloadlwn-3ed159c984079baedff740505d609badb8538e0d.tar.gz
lwn-3ed159c984079baedff740505d609badb8538e0d.zip
io_uring: fix error handling for io_uring_cmd
Commit 97b388d70b53 ("io_uring: handle completions in the core") moved the error handling from handler to core. But for io_uring_cmd handler we end up completing more than once (both in handler and in core) leading to use_after_free. Change io_uring_cmd handler to avoid calling io_uring_cmd_done in case of error. Fixes: 97b388d70b53 ("io_uring: handle completions in the core") Signed-off-by: Anuj Gupta <anuj20.g@samsung.com> Signed-off-by: Kanchan Joshi <joshi.k@samsung.com> Link: https://lore.kernel.org/r/20220811091459.6929-1-anuj20.g@samsung.com [axboe: fix ret vs req typo] Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'io_uring')
-rw-r--r--io_uring/uring_cmd.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
index 849d9708d612..ee7036f2241f 100644
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -106,7 +106,9 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
}
if (ret != -EIOCBQUEUED) {
- io_uring_cmd_done(ioucmd, ret, 0);
+ if (ret < 0)
+ req_set_fail(req);
+ io_req_set_res(req, ret, 0);
return IOU_OK;
}