From: Anuj Gupta <anuj20.g@samsung.com>
Date: Thu, 11 Aug 2022 09:14:59 +0000 (+0530)
Subject: io_uring: fix error handling for io_uring_cmd
X-Git-Tag: v6.1-rc5~606^2~4
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3ed159c984079baedff740505d609badb8538e0d;p=platform%2Fkernel%2Flinux-starfive.git

io_uring: fix error handling for io_uring_cmd

Commit 97b388d70b53 ("io_uring: handle completions in the core") moved the
error handling from handler to core. But for io_uring_cmd handler we end
up completing more than once (both in handler and in core) leading to
use_after_free.
Change io_uring_cmd handler to avoid calling io_uring_cmd_done in case
of error.

Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20220811091459.6929-1-anuj20.g@samsung.com
[axboe: fix ret vs req typo]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
index 849d9708d612..ee7036f2241f 100644
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -106,7 +106,9 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
 	}
 
 	if (ret != -EIOCBQUEUED) {
-		io_uring_cmd_done(ioucmd, ret, 0);
+		if (ret < 0)
+			req_set_fail(req);
+		io_req_set_res(req, ret, 0);
 		return IOU_OK;
 	}