io_uring: drop req submit reference always in async punt

If we don't end up actually calling submit in io_sq_wq_submit_work(),
we still need to drop the submit reference to the request. If we
don't, then we can leak the request. This can happen if we race
with ring shutdown while flushing the workqueue for requests that
require use of the mm_struct.

Fixes: e65ef56db494 ("io_uring: use regular request ref counts")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 046fc4e..18cecb6 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1568,10 +1568,11 @@ restart:
                                        break;
                                cond_resched();
                        } while (1);
-
-                       /* drop submission reference */
-                       io_put_req(req);
                }
+
+               /* drop submission reference */
+               io_put_req(req);
+
                if (ret) {
                        io_cqring_add_event(ctx, sqe->user_data, ret, 0);
                        io_put_req(req);