io_uring: mark ->work uninitialised after cleanup

isilence · axboe · commit b65e0dd6a2de · 2020-07-25T09:47:44.000-06:00
Remove REQ_F_WORK_INITIALIZED after io_req_clean_work(). That's a cold
path but is safer for those using io_req_clean_work() out of
*dismantle_req()/*io_free(). And for the same reason zero work.fs

Signed-off-by: Pavel Begunkov &lt;asml.silence@gmail.com&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
diff --git a/fs/io_uring.c b/fs/io_uring.c
@@ -1141,7 +1141,9 @@ static void io_req_clean_work(struct io_kiocb *req)
 		spin_unlock(&req->work.fs->lock);
 		if (fs)
 			free_fs_struct(fs);
+		req->work.fs = NULL;
 	}
+	req->flags &= ~REQ_F_WORK_INITIALIZED;
 }
 
 static void io_prep_async_work(struct io_kiocb *req)
@@ -4969,7 +4971,6 @@ static int io_poll_add(struct io_kiocb *req)
 
 	/* ->work is in union with hash_node and others */
 	io_req_clean_work(req);
-	req->flags &= ~REQ_F_WORK_INITIALIZED;
 
 	INIT_HLIST_NODE(&req->hash_node);
 	ipt.pt._qproc = io_poll_queue_proc;

Original file line number	Diff line number	Diff line change
`@@ -1141,7 +1141,9 @@ static void io_req_clean_work(struct io_kiocb *req)`
`1141`	`1141`	`spin_unlock(&req->work.fs->lock);`
`1142`	`1142`	`if (fs)`
`1143`	`1143`	`free_fs_struct(fs);`
	`1144`	`+ req->work.fs = NULL;`
`1144`	`1145`	`}`
	`1146`	`+ req->flags &= ~REQ_F_WORK_INITIALIZED;`
`1145`	`1147`	`}`
`1146`	`1148`
`1147`	`1149`	`static void io_prep_async_work(struct io_kiocb *req)`
`@@ -4969,7 +4971,6 @@ static int io_poll_add(struct io_kiocb *req)`
`4969`	`4971`
`4970`	`4972`	`/* ->work is in union with hash_node and others */`
`4971`	`4973`	`io_req_clean_work(req);`
`4972`		`- req->flags &= ~REQ_F_WORK_INITIALIZED;`
`4973`	`4974`
`4974`	`4975`	`INIT_HLIST_NODE(&req->hash_node);`
`4975`	`4976`	`ipt.pt._qproc = io_poll_queue_proc;`