On Wed, 18 Dec 2024 17:56:25 +0100, Jann Horn wrote:
> Currently, io_uring_unreg_ringfd() (which cleans up registered rings) is
> only called on exit, but __io_uring_free (which frees the tctx in which the
> registered ring pointers are stored) is also called on execve (via
> begin_new_exec -> io_uring_task_cancel -> __io_uring_cancel ->
> io_uring_cancel_generic -> __io_uring_free).
>
> This means: A process going through execve while having registered rings
> will leak references to the rings' `struct file`.
>
> [...]

Applied, thanks!

[1/1] io_uring: Fix registered ring file refcount leak
      commit: 12d908116f7efd34f255a482b9afc729d7a5fb78

Best regards,
--
Jens Axboe