io_uring/rw: free potentially allocated iovec on cache put failure

If a read/write request goes through io_req_rw_cleanup() and has an
allocated iovec attached and fails to put to the rw_cache, then it may
end up with an unaccounted iovec pointer. Have io_rw_recycle() return
whether it recycled the request or not, and use that to gauge whether to
free a potential iovec or not.

Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 331af6bf423483b176f4f880d86dba2cb3ceb256..2b7521129f8b9a09409ee52aadf3a6e78b9134dd 100644 (file)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -144,19 +144,22 @@ static inline int io_import_rw_buffer(int rw, struct io_kiocb *req,
        return 0;
 }
 
-static void io_rw_recycle(struct io_kiocb *req, unsigned int issue_flags)
+static bool io_rw_recycle(struct io_kiocb *req, unsigned int issue_flags)
 {
        struct io_async_rw *rw = req->async_data;
 
        if (unlikely(issue_flags & IO_URING_F_UNLOCKED))
-               return;
+               return false;
 
        io_alloc_cache_vec_kasan(&rw->vec);
        if (rw->vec.nr > IO_VEC_CACHE_SOFT_CAP)
                io_vec_free(&rw->vec);
 
-       if (io_alloc_cache_put(&req->ctx->rw_cache, rw))
+       if (io_alloc_cache_put(&req->ctx->rw_cache, rw)) {
                io_req_async_data_clear(req, 0);
+               return true;
+       }
+       return false;
 }
 
 static void io_req_rw_cleanup(struct io_kiocb *req, unsigned int issue_flags)
@@ -190,7 +193,11 @@ static void io_req_rw_cleanup(struct io_kiocb *req, unsigned int issue_flags)
         */
        if (!(req->flags & (REQ_F_REISSUE | REQ_F_REFCOUNT))) {
                req->flags &= ~REQ_F_NEED_CLEANUP;
-               io_rw_recycle(req, issue_flags);
+               if (!io_rw_recycle(req, issue_flags)) {
+                       struct io_async_rw *rw = req->async_data;
+
+                       io_vec_free(&rw->vec);
+               }
        }
 }