io_uring: fix punting req w/o grabbed env

It's not enough to check for REQ_F_WORK_INITIALIZED and punt async
assuming that io_req_work_grab_env() was called, it may not have been.
E.g. io_close_prep() and personality path set the flag without further
async init.

As a quick fix, always pass next work through io_req_task_queue().

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index dcf3ffb..483457f 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1766,12 +1766,8 @@ static void io_free_req(struct io_kiocb *req)
        io_req_find_next(req, &nxt);
        __io_free_req(req);
 
-       if (nxt) {
-               if (nxt->flags & REQ_F_WORK_INITIALIZED)
-                       io_queue_async_work(nxt);
-               else
-                       io_req_task_queue(nxt);
-       }
+       if (nxt)
+               io_req_task_queue(nxt);
 }
 
 /*