> This is caused by access ctx->rings in io_ring_ctx_wait_and_kill()
> while ctx->rings is NULL because of allocation failure.
Yep, missed it out but already fixed https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.12&id=51520426f4bc3e61cbbf7a39ccf4e411b665002d
> Reported-by: Abaci <abaci@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Hao Xu <haoxu@xxxxxxxxxxxxxxxxx>
> ---
> fs/io_uring.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 1949b80677e7..03f593f5e740 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -8616,12 +8616,16 @@ static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
> unsigned long index;
> struct creds *creds;
>
> + if (!ctx->rings) {
> + io_ring_ctx_free(ctx);
> + return;
> + }
> +
> mutex_lock(&ctx->uring_lock);
> percpu_ref_kill(&ctx->refs);
> /* if force is set, the ring is going away. always drop after that */
> ctx->cq_overflow_flushed = 1;
> - if (ctx->rings)
> - __io_cqring_overflow_flush(ctx, true, NULL, NULL);
> + __io_cqring_overflow_flush(ctx, true, NULL, NULL);
> xa_for_each(&ctx->personalities, index, creds)
> io_unregister_personality(ctx, index);
> mutex_unlock(&ctx->uring_lock);
> --
Pavel Begunkov
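Review bot: The new early return at `if (!ctx->rings)` frees the context without the `percpu_ref_kill(&ctx->refs)` that follows it and without whatever io_ring_ctx_wait_and_kill() does after `mutex_unlock()` (the function's end lies outside the hunk), so it is correct only if a ctx whose rings allocation failed has had nothing else set up that io_ring_ctx_free() would not undo, and that invariant is stated nowhere in the hunk. I would document it at the early return with `/* rings allocation failed (presumably the io_uring_create() error path): nothing beyond io_ring_ctx_alloc() state is live, so free directly */`, hedged because the caller and what it initialises before the rings are not visible here. The reply above says this case is already fixed by a different commit on the io_uring-5.12 branch, so this patch is presumably superseded rather than in need of a rebase.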