forked from Minki/linux
io_uring: fix a use after free in io_async_task_func()
The "apoll" variable is freed and then used on the next line. We need
to move the free down a few lines.
Fixes: 0be0b0e33b
("io_uring: simplify io_async_task_func()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
parent
b2edc0a77f
commit
aa340845ae
@ -4655,12 +4655,13 @@ static void io_async_task_func(struct callback_head *cb)
|
||||
/* restore ->work in case we need to retry again */
|
||||
if (req->flags & REQ_F_WORK_INITIALIZED)
|
||||
memcpy(&req->work, &apoll->work, sizeof(req->work));
|
||||
kfree(apoll);
|
||||
|
||||
if (!READ_ONCE(apoll->poll.canceled))
|
||||
__io_req_task_submit(req);
|
||||
else
|
||||
__io_req_task_cancel(req, -ECANCELED);
|
||||
|
||||
kfree(apoll);
|
||||
}
|
||||
|
||||
static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
|
||||
|
Loading…
Reference in New Issue
Block a user