From: Jens Axboe <axboe@kernel.dk>
Date: Tue, 30 Apr 2019 20:44:05 +0000 (-0600)
Subject: io_uring: drop req submit reference always in async punt
X-Git-Tag: v6.6-pxa1908~11902^2~3
X-Git-Url: https://git.dujemihanovic.xyz/?a=commitdiff_plain;h=817869d2519f0cb7be5b3482129dadc806dfb747;p=linux.git

io_uring: drop req submit reference always in async punt

If we don't end up actually calling submit in io_sq_wq_submit_work(),
we still need to drop the submit reference to the request. If we
don't, then we can leak the request. This can happen if we race
with ring shutdown while flushing the workqueue for requests that
require use of the mm_struct.

Fixes: e65ef56db494 ("io_uring: use regular request ref counts")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 046fc4e1e155..18cecb6a0151 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1568,10 +1568,11 @@ restart:
 					break;
 				cond_resched();
 			} while (1);
-
-			/* drop submission reference */
-			io_put_req(req);
 		}
+
+		/* drop submission reference */
+		io_put_req(req);
+
 		if (ret) {
 			io_cqring_add_event(ctx, sqe->user_data, ret, 0);
 			io_put_req(req);