io_uring/net: ensure expanded bundle recv gets marked for cleanup

If the iovec inside the kmsg isn't already allocated AND one gets
expanded beyond the fixed size, then the request may not already have
been marked for cleanup. Ensure that it is.

Cc: stable@vger.kernel.org
Fixes: 2f9c9515bdfd ("io_uring/net: support bundles for recv")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/net.c b/io_uring/net.c
index 594490a1389ba25e7ecc2b092298e4de70f247da..97a48408cec39b2e821fd051fb28ba67e5e7fc6f 100644 (file)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1094,6 +1094,7 @@ static int io_recv_buf_select(struct io_kiocb *req, struct io_async_msghdr *kmsg
                if (arg.iovs != &kmsg->fast_iov && arg.iovs != kmsg->free_iov) {
                        kmsg->free_iov_nr = ret;
                        kmsg->free_iov = arg.iovs;
+                       req->flags |= REQ_F_NEED_CLEANUP;
                }
        } else {
                void __user *buf;