io_uring/net: ensure compat import handlers clear free_iov

If we're not allocating the vectors because the count is below
UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent
an erronous free of on-stack data.

Reported-by: Jiri Slaby <[email protected]>
Fixes: 4c17a49 ("io_uring/net: fix cleanup double free free_iov init")
Cc: [email protected]
Signed-off-by: Jens Axboe <[email protected]>

Author: axboe

io_uring/net.c

@@ -494,6 +494,7 @@ static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
 	if (req->flags & REQ_F_BUFFER_SELECT) {
 		compat_ssize_t clen;
 
+		iomsg->free_iov = NULL;
 		if (msg.msg_iovlen == 0) {
 			sr->len = 0;
 		} else if (msg.msg_iovlen > 1) {