This is a note to let you know that I've just added the patch titled io_uring/net: fix cleanup after recycle to the 6.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: io_uring-net-fix-cleanup-after-recycle.patch and it can be found in the queue-6.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 6c3e8955d4bd9811a6e1761eea412a14fb51a2e6 Mon Sep 17 00:00:00 2001 From: Pavel Begunkov <asml.silence@xxxxxxxxx> Date: Mon, 19 Dec 2022 15:11:40 +0000 Subject: io_uring/net: fix cleanup after recycle From: Pavel Begunkov <asml.silence@xxxxxxxxx> commit 6c3e8955d4bd9811a6e1761eea412a14fb51a2e6 upstream. Don't access io_async_msghdr io_netmsg_recycle(), it may be reallocated. Cc: stable@xxxxxxxxxxxxxxx Fixes: 9bb66906f23e5 ("io_uring: support multishot in recvmsg") Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx> Link: https://lore.kernel.org/r/9e326f4ad4046ddadf15bf34bf3fa58c6372f6b5.1671461985.git.asml.silence@xxxxxxxxx Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- io_uring/net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/io_uring/net.c +++ b/io_uring/net.c @@ -772,10 +772,10 @@ retry_multishot: goto retry_multishot; if (mshot_finished) { - io_netmsg_recycle(req, issue_flags); /* fast path, check for non-NULL to avoid function call */ if (kmsg->free_iov) kfree(kmsg->free_iov); + io_netmsg_recycle(req, issue_flags); req->flags &= ~REQ_F_NEED_CLEANUP; } Patches currently in stable-queue which might be from asml.silence@xxxxxxxxx are queue-6.0/io_uring-net-fix-cleanup-after-recycle.patch queue-6.0/io_uring-protect-cq_timeouts-with-timeout_lock.patch queue-6.0/io_uring-add-completion-locking-for-iopoll.patch queue-6.0/io_uring-improve-io_double_lock_ctx-fail-handling.patch