From: Pavel Begunkov <asml.silence@gmail.com>
Date: Tue, 26 May 2020 17:34:02 +0000 (+0300)
Subject: io_uring: fix flush req->refs underflow
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=4518a3cc273cf82efdd36522fb1f13baad173c70;p=linux.git

io_uring: fix flush req->refs underflow

In io_uring_cancel_files(), after refcount_sub_and_test() leaves 0
req->refs, it calls io_put_req(), which would also put a ref. Call
io_free_req() instead.

Cc: stable@vger.kernel.org
Fixes: 2ca10259b418 ("io_uring: prune request from overflow list on flush")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 0b51f21e54327..37422fcdaa7fa 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7534,7 +7534,7 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
 			 * all we had, then we're done with this request.
 			 */
 			if (refcount_sub_and_test(2, &cancel_req->refs)) {
-				io_put_req(cancel_req);
+				io_free_req(cancel_req);
 				finish_wait(&ctx->inflight_wait, &wait);
 				continue;
 			}