io_uring: fix memory leak when cache init fail

[ Upstream commit 3a87e264290d71ec86a210ab3e8d23b715ad266d ]

Exit the percpu ref when cache init fails to free the data memory with
in struct percpu_ref.

Fixes: 206aefde4f88 ("io_uring: reduce/pack size of io_ring_ctx")
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Link: https://lore.kernel.org/r/20240923100512.64638-1-kanie@linux.alibaba.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index c0d8ee0c9786df5e9f184721e48642ad0cd38256..ff243f6b51199a2681ba24d7f84ed38a7278dc22 100644 (file)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -316,7 +316,7 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
                            sizeof(struct uring_cache));
        ret |= io_futex_cache_init(ctx);
        if (ret)
-               goto err;
+               goto free_ref;
        init_completion(&ctx->ref_comp);
        xa_init_flags(&ctx->personalities, XA_FLAGS_ALLOC1);
        mutex_init(&ctx->uring_lock);
@@ -344,6 +344,9 @@ static __cold struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
        io_napi_init(ctx);
 
        return ctx;
+
+free_ref:
+       percpu_ref_exit(&ctx->refs);
 err:
        io_alloc_cache_free(&ctx->rsrc_node_cache, kfree);
        io_alloc_cache_free(&ctx->apoll_cache, kfree);