Commit fe1cdd55 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring: fix read memory leak 



Don't forget to free iovec read inline completion and bunch of other
cases that do "goto done" before setting up an async context.

Fixes: 5ea5dd45 ("io_uring: inline io_read()'s iovec freeing")
Reported-by: default avatarJens Axboe <axboe@kernel.dk>
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 0b81e80c

fs/io_uring.c

+6 −4
Original line number Diff line number Diff line
@@ -3602,10 +3602,7 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags) 
	ret = io_iter_do_read(req, iter);



	if (ret == -EIOCBQUEUED) {

		/* it's faster to check here then delegate to kfree */

		if (iovec)

			kfree(iovec);

		return 0;

		goto out_free;

	} else if (ret == -EAGAIN) {

		/* IOPOLL retry should happen for io-wq threads */

		if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
@@ -3626,6 +3623,7 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags) 
	if (ret2)

		return ret2;



	iovec = NULL;

	rw = req->async_data;

	/* now use our persistent iterator, if we aren't already */

	iter = &rw->iter;
@@ -3652,6 +3650,10 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags) 
	} while (ret > 0 && ret < io_size);

done:

	kiocb_done(kiocb, ret, issue_flags);

out_free:

	/* it's faster to check here then delegate to kfree */

	if (iovec)

		kfree(iovec);

	return 0;

}