io_uring: drop req submit reference always in async punt
authorJens Axboe <axboe@kernel.dk>
Tue, 30 Apr 2019 20:44:05 +0000 (14:44 -0600)
committerJens Axboe <axboe@kernel.dk>
Wed, 1 May 2019 14:38:47 +0000 (08:38 -0600)
If we don't end up actually calling submit in io_sq_wq_submit_work(),
we still need to drop the submit reference to the request. If we
don't, then we can leak the request. This can happen if we race
with ring shutdown while flushing the workqueue for requests that
require use of the mm_struct.

Fixes: e65ef56db494 ("io_uring: use regular request ref counts")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c

index 046fc4e1e1552ee3387f65fa006e798935610dd1..18cecb6a0151821e65208fccb819b3a5d90bef63 100644 (file)
@@ -1568,10 +1568,11 @@ restart:
                                        break;
                                cond_resched();
                        } while (1);
-
-                       /* drop submission reference */
-                       io_put_req(req);
                }
+
+               /* drop submission reference */
+               io_put_req(req);
+
                if (ret) {
                        io_cqring_add_event(ctx, sqe->user_data, ret, 0);
                        io_put_req(req);