io_uring: fix potential use after free on fallback request free

After __io_free_req() puts a ctx ref, it should be assumed that the ctx
may already be gone. However, it can be accessed when putting the
fallback req. Free the req first and then put the ctx.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 8495c17b53d6c85fe8d109a3691399220bf083b9..b54e358e6b31e7e4d1e083b3fa2a4b597508b1f6 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1526,12 +1526,15 @@ static void io_dismantle_req(struct io_kiocb *req)
 
 static void __io_free_req(struct io_kiocb *req)
 {
+       struct io_ring_ctx *ctx;
+
        io_dismantle_req(req);
-       percpu_ref_put(&req->ctx->refs);
+       ctx = req->ctx;
        if (likely(!io_is_fallback_req(req)))
                kmem_cache_free(req_cachep, req);
        else
-               clear_bit_unlock(0, (unsigned long *) &req->ctx->fallback_req);
+               clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req);
+       percpu_ref_put(&ctx->refs);
 }
 
 static bool io_link_cancel_timeout(struct io_kiocb *req)