On 08/07/2020 21:47, Dan Carpenter wrote:
> The "apoll" variable is freed and then used on the next line. We need
> to move the free down a few lines.
My bad, thanks for spotting that!
A comment below
>
> Fixes: 0be0b0e33b0b ("io_uring: simplify io_async_task_func()")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> fs/io_uring.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 70828e2470e2..f2993070a9e8 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -4652,12 +4652,13 @@ static void io_async_task_func(struct callback_head *cb)
> /* restore ->work in case we need to retry again */
> if (req->flags & REQ_F_WORK_INITIALIZED)
> memcpy(&req->work, &apoll->work, sizeof(req->work));
> - kfree(apoll);
__io_req_task_submit() can take some time, e.g. waiting for a mutex, so
I'd rather free it before, but save req->poll.canceled in a local var.
>
> if (!READ_ONCE(apoll->poll.canceled))
> __io_req_task_submit(req);
> else
> __io_req_task_cancel(req, -ECANCELED);
> +
> + kfree(apoll);
> }
>
> static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
>
--
Pavel Begunkov
