io_recvmsg() doesn't free memory allocated for struct io_buffer.
Fix it.
Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
---
1. This one is ugly, but automatically mergeable.
I have a half prepared set for-5.9.
2. to reproduce run
sudo sh -c 'for i in $(seq 1 100000000); do ./send_recvmsg; done'
and look for growing "kmalloc-32" slab
p.s. test(1, 0) in send_recvmsg.c is the one leaking
fs/io_uring.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 9fd7e69696c3..74bc4a04befa 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3845,10 +3845,16 @@ static int io_recvmsg(struct io_kiocb *req, bool force_nonblock)
ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.msg,
kmsg->uaddr, flags);
- if (force_nonblock && ret == -EAGAIN)
- return io_setup_async_msg(req, kmsg);
+ if (force_nonblock && ret == -EAGAIN) {
+ ret = io_setup_async_msg(req, kmsg);
+ if (ret != -EAGAIN)
+ kfree(kbuf);
+ return ret;
+ }
if (ret == -ERESTARTSYS)
ret = -EINTR;
+ if (kbuf)
+ kfree(kbuf);
}
if (kmsg && kmsg->iov != kmsg->fast_iov)
--
2.24.0
