Skip to content

Commit

Permalink
io_uring: fix error handling for io_uring_cmd
Browse files Browse the repository at this point in the history 
Commit 97b388d ("io_uring: handle completions in the core") moved the
error handling from handler to core. But for io_uring_cmd handler we end
up completing more than once (both in handler and in core) leading to
use_after_free.
Change io_uring_cmd handler to avoid calling io_uring_cmd_done in case
of error.

Fixes: 97b388d ("io_uring: handle completions in the core")
Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20220811091459.6929-1-anuj20.g@samsung.com
[axboe: fix ret vs req typo]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
  • Loading branch information
Anuj Gupta authored and Jens Axboe committed Aug 11, 2022
1 parent d1f6222 commit 3ed159c
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion io_uring/uring_cmd.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,9 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
}

if (ret != -EIOCBQUEUED) {
io_uring_cmd_done(ioucmd, ret, 0);
if (ret < 0)
req_set_fail(req);
io_req_set_res(req, ret, 0);
return IOU_OK;
}

Expand Down

0 comments on commit 3ed159c

Please sign in to comment.