io_uring: fix a use after free in io_async_task_func()

The "apoll" variable is freed and then used on the next line. We need to move the free down a few lines. Fixes: 0be0b0e3 ("io_uring: simplify io_async_task_func()") Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk>

io_uring: fix a use after free in io_async_task_func()
The "apoll" variable is freed and then used on the next line. We need to move the free down a few lines. Fixes: 0be0b0e3 ("io_uring: simplify io_async_task_func()") Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk>
aa340845 · Dan Carpenter · Jens Axboe · b2edc0a7 · aa340845
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

fs/io_uring.c fs/io_uring.c +2 -1

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4655,12 +4655,13 @@ static void io_async_task_func(struct callback_head *cb)
 	/* restore ->work in case we need to retry again */
 	if (req->flags & REQ_F_WORK_INITIALIZED)
 		memcpy(&req->work, &apoll->work, sizeof(req->work));
-	kfree(apoll);

 	if (!READ_ONCE(apoll->poll.canceled))
 		__io_req_task_submit(req);
 	else
 		__io_req_task_cancel(req, -ECANCELED);
+
+	kfree(apoll);
 }

 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,