io_uring: fix error handling for io_uring_cmd

Anuj Gupta · axboe · commit 3ed159c98407 · 2022-08-11T10:56:00.000-06:00
Commit 97b388d ("io_uring: handle completions in the core") moved the error handling from handler to core. But for io_uring_cmd handler we end up completing more than once (both in handler and in core) leading to use_after_free. Change io_uring_cmd handler to avoid calling io_uring_cmd_done in case of error. Fixes: 97b388d ("io_uring: handle completions in the core") Signed-off-by: Anuj Gupta <anuj20.g@samsung.com> Signed-off-by: Kanchan Joshi <joshi.k@samsung.com> Link: https://lore.kernel.org/r/20220811091459.6929-1-anuj20.g@samsung.com [axboe: fix ret vs req typo] Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
@@ -106,7 +106,9 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
 	}
 
 	if (ret != -EIOCBQUEUED) {
-		io_uring_cmd_done(ioucmd, ret, 0);
+		if (ret < 0)
+			req_set_fail(req);
+		io_req_set_res(req, ret, 0);
 		return IOU_OK;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,9 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`if (ret != -EIOCBQUEUED) {`
`109`		`- io_uring_cmd_done(ioucmd, ret, 0);`
	`109`	`+ if (ret < 0)`
	`110`	`+ req_set_fail(req);`
	`111`	`+ io_req_set_res(req, ret, 0);`
`110`	`112`	`return IOU_OK;`
`111`	`113`	`}`
`112`	`114`