Commit 720df231 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring/zcrx: fix null ifq on area destruction 



Dan reports that ifq can be null when infering arguments for
io_unaccount_mem() from io_zcrx_free_area(). Fix it by always setting a
correct ifq.

Reported-by: default avatarkernel test robot <lkp@intel.com>
Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202507180628.gBxrOgqr-lkp@intel.com/


Fixes: 262ab205 ("io_uring/zcrx: account area memory")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/20670d163bb90dba2a81a4150f1125603cefb101.1753091564.git.asml.silence@gmail.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent d1fbe1eb

io_uring/zcrx.c

+2 −3
Original line number Diff line number Diff line
@@ -377,7 +377,6 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq) 


static void io_zcrx_free_area(struct io_zcrx_area *area)

{

	if (area->ifq)

	io_zcrx_unmap_area(area->ifq, area);

	io_release_area_mem(&area->mem);
@@ -411,6 +410,7 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq, 
	area = kzalloc(sizeof(*area), GFP_KERNEL);

	if (!area)

		goto err;

	area->ifq = ifq;



	ret = io_import_area(ifq, &area->mem, area_reg);

	if (ret)
@@ -445,7 +445,6 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq, 
	}



	area->free_count = nr_iovs;

	area->ifq = ifq;

	/* we're only supporting one area per ifq for now */

	area->area_id = 0;

	area_reg->rq_area_token = (u64)area->area_id << IORING_ZCRX_AREA_SHIFT;