Hi, Jens,

It looks to me like calling io_uring_register more than once (for either
IORING_REGISTER_BUFFERS or IORING_REGISTER_FILES) will leak the
references taken in previous calls.

Signed-off-by: Jeff Moyer <[email protected]>

---

If this makes sense to you, feel free to fold it into your
patches without any attribution.

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 3650e8b63a32..f0492b0e23a0 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1399,6 +1399,9 @@ static int io_sqe_files_register(struct io_ring_ctx *ctx, 
void __user *arg,
        if (!nr_args)
                return -EINVAL;
 
+       if (ctx->user_files)
+               return -EINVAL;
+
        ctx->user_files = kcalloc(nr_args, sizeof(struct file *), GFP_KERNEL);
        if (!ctx->user_files)
                return -ENOMEM;
@@ -1580,6 +1583,9 @@ static int io_sqe_buffer_register(struct io_ring_ctx 
*ctx, void __user *arg,
        if (!nr_args || nr_args > UIO_MAXIOV)
                return -EINVAL;
 
+       if (ctx->user_bufs)
+               return -EINVAL;
+
        ctx->user_bufs = kcalloc(nr_args, sizeof(struct io_mapped_ubuf),
                                        GFP_KERNEL);
        if (!ctx->user_bufs)
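Review bot: The new `if (ctx->user_bufs) return -EINVAL;` guard only works if every failure path later in io_sqe_buffer_register (pinning pages, allocating the bvec arrays) frees the partial state and resets `ctx->user_bufs` to NULL; if a partial failure leaves the kcalloc'd pointer behind, a retry is rejected forever, and if it leaves a freed pointer behind, the next register call reads a dangling field. That cleanup is outside the hunk, so it is worth checking that it ends with `ctx->user_bufs = NULL;` rather than just `kfree(ctx->user_bufs);`. A short comment on the guard, `/* buffers are registered once per ring; unregister first to replace them */`, would document the intended lifecycle for callers.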
