io_uring: fix fs cleanup on cqe overflow
If a completion queue overflow occurs, __io_cqring_fill_event() will update req->cflags, which is in a union with req->work and happens to alias req->work.fs. The subsequent io_free_req() -> io_req_work_drop_env() may then run into a range of problems (a miscounted fs->users, a segfault, etc.) when cleaning up @fs. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent
9c280f9087
commit
c398ecb3d6
|
@ -608,6 +608,7 @@ struct io_kiocb {
|
|||
};
|
||||
|
||||
struct io_async_ctx *io;
|
||||
int cflags;
|
||||
bool needs_fixed_file;
|
||||
u8 opcode;
|
||||
|
||||
|
@ -638,7 +639,6 @@ struct io_kiocb {
|
|||
struct callback_head task_work;
|
||||
struct hlist_node hash_node;
|
||||
struct async_poll *apoll;
|
||||
int cflags;
|
||||
};
|
||||
struct io_wq_work work;
|
||||
};
|
||||
|
|