io_allocate_scq_urings() may fail to allocate scq rings, and fail to set ctx->sq_entries or ctx->cq_entries. In io_ring_ctx_free(), the code ' if (ctx->account_mem) io_unaccount_mem(ctx->user, ring_pages(ctx->sq_entries, ctx->cq_entries)); ' may not unaccount properly. E.g, in io_uring_create(), we have ctx allocated with zero filled. Later, io_allocate_scq_urings() fails, and we may still have 0-valued ctx->sq_entries & ctx->cq_entries. Then the unaccount code cannot unaccout what io_account_mem() has changed.
Signed-off-by: Shenghui Wang <shhuiw@xxxxxxxxxxx>
---
 fs/io_uring.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f65f85d89217..9d382ac27e63 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2741,7 +2741,6 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
 	sq_ring->ring_mask = p->sq_entries - 1;
 	sq_ring->ring_entries = p->sq_entries;
 	ctx->sq_mask = sq_ring->ring_mask;
-	ctx->sq_entries = sq_ring->ring_entries;
 
 	size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
 	if (size == SIZE_MAX)
@@ -2764,7 +2763,6 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
 	cq_ring->ring_mask = p->cq_entries - 1;
 	cq_ring->ring_entries = p->cq_entries;
 	ctx->cq_mask = cq_ring->ring_mask;
-	ctx->cq_entries = cq_ring->ring_entries;
 
 	return 0;
 }
@@ -2854,6 +2852,8 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p)
 	ctx->compat = in_compat_syscall();
 	ctx->account_mem = account_mem;
 	ctx->user = user;
+	ctx->sq_entries = p->sq_entries;
+	ctx->cq_entries = p->cq_entries;
 
 	ret = io_allocate_scq_urings(ctx, p);
 	if (ret)
-- 
2.20.1
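Review bot: The two added assignments in the io_uring_create() hunk now carry an ordering dependency that nothing in the code records: they must stay ahead of the io_allocate_scq_urings() call and must agree with the ring_pages() amount that io_account_mem() charged earlier in io_uring_create() (outside this hunk), because io_ring_ctx_free() sizes its io_unaccount_mem() call from ctx->sq_entries and ctx->cq_entries. Without a comment, a later refactor that moves these lines below the call, or that rounds p->sq_entries/p->cq_entries after the charge, would silently reintroduce the mismatch this commit fixes, and the charged pages would presumably stay counted against the user's locked memory after the failed setup. A comment above the assignments would pin it: `/* Must match the ring_pages() amount charged above: io_ring_ctx_free() unaccounts from these fields even when ring allocation fails. */`. The assignments removed in the first two hunks read sq_ring->ring_entries and cq_ring->ring_entries, which those hunks show are set from p->sq_entries and p->cq_entries, so the stored values are unchanged by the move. io_uring_create()'s body continues outside the hunk.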