diff options
author | Anuj Gupta <anuj20.g@samsung.com> | 2022-08-11 14:44:59 +0530 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2022-08-11 10:56:00 -0600 |
commit | 3ed159c984079baedff740505d609badb8538e0d (patch) | |
tree | b392784a2ec0009fb964eef6a928fc039446afa7 /io_uring | |
parent | d1f6222c4978817712e0f2825ce9e830763f0695 (diff) |
io_uring: fix error handling for io_uring_cmd
Commit 97b388d70b53 ("io_uring: handle completions in the core") moved the
error handling from handler to core. But for io_uring_cmd handler we end
up completing more than once (both in handler and in core) leading to
use_after_free.
Change io_uring_cmd handler to avoid calling io_uring_cmd_done in case
of error.
Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20220811091459.6929-1-anuj20.g@samsung.com
[axboe: fix ret vs req typo]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'io_uring')
-rw-r--r-- | io_uring/uring_cmd.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 849d9708d612..ee7036f2241f 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -106,7 +106,9 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags) } if (ret != -EIOCBQUEUED) { - io_uring_cmd_done(ioucmd, ret, 0); + if (ret < 0) + req_set_fail(req); + io_req_set_res(req, ret, 0); return IOU_OK; } |