Commit 4518a3cc authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe

io_uring: fix flush req->refs underflow

In io_uring_cancel_files(), after refcount_sub_and_test() leaves 0
req->refs, it calls io_put_req(), which would also put a ref. Call
io_free_req() instead.

Cc: stable@vger.kernel.org
Fixes: 2ca10259 ("io_uring: prune request from overflow list on flush")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 6b668c9b
...@@ -7534,7 +7534,7 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx, ...@@ -7534,7 +7534,7 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
* all we had, then we're done with this request. * all we had, then we're done with this request.
*/ */
if (refcount_sub_and_test(2, &cancel_req->refs)) { if (refcount_sub_and_test(2, &cancel_req->refs)) {
io_put_req(cancel_req); io_free_req(cancel_req);
finish_wait(&ctx->inflight_wait, &wait); finish_wait(&ctx->inflight_wait, &wait);
continue; continue;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment