From: Dan Carpenter dan.carpenter@oracle.com
mainline inclusion from mainline-5.9-rc1 commit aa340845ae6f019e0a12321a1741c14679bb0664 category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------
The "apoll" variable is freed and then used on the next line. We need to move the free down a few lines.
Fixes: 0be0b0e33b0b ("io_uring: simplify io_async_task_func()") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Jens Axboe axboe@kernel.dk
Conflicts: fs/io_uring.c [760618f7a8e3 ("Merge branch 'io_uring-5.8' into for-5.9/io_uring"), this merge has some change, we need backport too]
Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 46dde280cb0f..94e5795fc41c 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4546,14 +4546,15 @@ static void io_async_task_func(struct callback_head *cb) /* restore ->work in case we need to retry again */ if (req->flags & REQ_F_WORK_INITIALIZED) memcpy(&req->work, &apoll->work, sizeof(req->work)); - percpu_ref_put(&ctx->refs); - kfree(apoll->double_poll); - kfree(apoll);
if (!READ_ONCE(apoll->poll.canceled)) __io_req_task_submit(req); else __io_req_task_cancel(req, -ECANCELED); + + percpu_ref_put(&ctx->refs); + kfree(apoll->double_poll); + kfree(apoll); }
static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,