On 9/26/22 7:35 AM, Pavel Begunkov wrote:
> Having ->async_data doesn't mean it's initialised and previously we were
> relying on setting F_CLEANUP at the right moment. With zc sendmsg
> though, we set F_CLEANUP early in prep when we alloc a notif and so we
> may allocate async_data, fail in copy_msg_hdr() leaving
> struct io_async_msghdr not initialised correctly but with F_CLEANUP
> set, which causes a ->free_iov double free and probably other nastiness.
>
> Always initialise ->free_iov. Also, now it might point to fast_iov when
> fails, so avoid freeing it during cleanups.

Applied, thanks.

-- 
Jens Axboe
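The failure mode in the quoted description, modelled as an added, simplified C illustration (this is not kernel code and not the patch itself): a request flag that says "run cleanup" is set before the async header is fully initialised, so a failed header copy leaves a stale pointer that cleanup then frees. The field and flag names (`free_iov`, `fast_iov`, `F_CLEANUP`, `copy_msg_hdr`) come from the mail; the struct layout, `FAST_IOV_NR`, and the functions `prep_hdr`, `cleanup_hdr` and `run_scenario` are assumptions made for the example. Rather than actually freeing a bogus pointer, cleanup reports what it would have freed, so the unfixed and fixed behaviours can be compared safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the io_uring structures named in the patch
 * description.  Field and flag names follow the mail; the layout, the
 * array size and every function here are assumptions for illustration. */
#define FAST_IOV_NR 8
#define F_CLEANUP   0x1

struct iov { void *base; size_t len; };

struct async_hdr {
    struct iov  fast_iov[FAST_IOV_NR]; /* inline storage for small iovecs */
    struct iov *free_iov;              /* heap copy to free, or inline ptr */
};

struct req {
    unsigned          flags;
    struct async_hdr *async_data;
};

enum cleanup_result { FREED_NOTHING, FREED_HEAP, FREED_GARBAGE };

/* The one heap iov handed out; cleanup uses it to recognise a legitimate
 * pointer without ever calling free() on anything else. */
static struct iov *tracked_heap_iov;

/* Like a recycled slab object: not zeroed.  Poison it so the stale
 * free_iov is deterministically non-NULL and not a heap block. */
static struct async_hdr *alloc_hdr(void)
{
    struct async_hdr *h = malloc(sizeof(*h));
    if (h)
        memset(h, 0x5a, sizeof(*h));
    return h;
}

/* prep: F_CLEANUP is set early (as in the zc sendmsg path), then the
 * header copy may fail.  'fixed' selects the patched initialisation. */
static int prep_hdr(struct req *r, size_t nr, bool fail, bool fixed)
{
    struct async_hdr *h = alloc_hdr();
    if (!h)
        return -1;
    r->async_data = h;
    r->flags |= F_CLEANUP;
    if (fixed)
        h->free_iov = h->fast_iov;  /* always initialise ->free_iov */
    if (fail)
        return -1;                  /* copy_msg_hdr() failed */
    if (nr > FAST_IOV_NR) {
        struct iov *heap = calloc(nr, sizeof(*heap));
        if (!heap)
            return -1;
        h->free_iov = tracked_heap_iov = heap;
    } else if (!fixed) {
        h->free_iov = NULL;         /* old code: nothing to free */
    }
    return 0;
}

/* cleanup: decide whether ->free_iov should be freed.  Old code frees any
 * non-NULL pointer; fixed code frees only when it is not the inline array.
 * A pointer that is not the tracked heap block is reported, not freed. */
static enum cleanup_result cleanup_hdr(struct req *r, bool fixed)
{
    struct async_hdr *h = r->async_data;
    enum cleanup_result res = FREED_NOTHING;

    if (!h)
        return res;
    if (r->flags & F_CLEANUP) {
        bool do_free = fixed ? h->free_iov != h->fast_iov
                             : h->free_iov != NULL;
        if (do_free) {
            if (h->free_iov == tracked_heap_iov) {
                free(h->free_iov);
                tracked_heap_iov = NULL;
                res = FREED_HEAP;
            } else {
                res = FREED_GARBAGE;  /* stale pointer or inline storage */
            }
        }
        r->flags &= ~F_CLEANUP;
    }
    free(h);
    r->async_data = NULL;
    return res;
}

/* Run one prep/cleanup cycle and report what cleanup would have freed. */
static enum cleanup_result run_scenario(size_t nr, bool fail, bool fixed)
{
    struct req r = { 0, NULL };
    prep_hdr(&r, nr, fail, fixed);  /* cleanup runs whether prep failed or not */
    return cleanup_hdr(&r, fixed);
}

int main(void)
{
    /* Same failing prep: old code frees a stale pointer, fixed code does not. */
    return run_scenario(2, true, false) == FREED_GARBAGE &&
           run_scenario(2, true, true)  == FREED_NOTHING ? 0 : 1;
}
```

The two checks that matter are the failing-prep cases: with the old initialisation the poisoned `free_iov` is non-NULL and cleanup frees it; with `free_iov` pointing at `fast_iov` from the start, cleanup correctly skips it, while a genuine heap copy is still freed in both versions.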