projects / platform / kernel / linux-starfive.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
[platform/kernel/linux-starfive.git] / io_uring / io_uring.c
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 8840cf3..61cd7ff 100644 (file)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2707,8 +2707,10 @@ static __cold void io_tctx_exit_cb(struct callback_head *cb)
        /*
         * When @in_idle, we're in cancellation and it's racy to remove the
         * node. It'll be removed by the end of cancellation, just ignore it.
+        * tctx can be NULL if the queueing of this task_work raced with
+        * work cancelation off the exec path.
         */
-       if (!atomic_read(&tctx->in_idle))
+       if (tctx && !atomic_read(&tctx->in_idle))
                io_uring_del_tctx_node((unsigned long)work->ctx);
        complete(&work->completion);
 }
Domain: System / Kernel;