From: Jens Axboe axboe@kernel.dk
No upstream commit exists for this patch.
Don't free the request unconditionally, if the request is issued async then someone else may be holding a submit reference to it.
Reported-and-tested-by: Lee Jones lee@kernel.org Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/io_uring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -551,7 +551,8 @@ static void io_kill_timeout(struct io_ki atomic_inc(&req->ctx->cq_timeouts); list_del(&req->list); io_cqring_fill_event(req->ctx, req->user_data, 0); - __io_free_req(req); + if (refcount_dec_and_test(&req->refs)) + __io_free_req(req); } }