io_uring: fix a use after free in io_async_task_func()

The "apoll" variable is freed and then used on the next line. We need to move the free down a few lines. Fixes: 0be0b0e33b0b ("io_uring: simplify io_async_task_func()") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Dan Carpenter <dan.carpenter@oracle.com> 2020-07-08 21:47:11 +0300
committer: Jens Axboe <axboe@kernel.dk> 2020-07-08 22:15:04 +0300
commit: aa340845ae6f019e0a12321a1741c14679bb0664 (patch)
tree: a3e80c1d69261f0debc3c31188f79164ff9f124c /fs/io_uring.c
parent: b2edc0a77fac19bbdef63cedb2ea34aec1a9a499 (diff)
download: linux-aa340845ae6f019e0a12321a1741c14679bb0664.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 4c9a494c9f9f..14168fbc7d79 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4655,12 +4655,13 @@ static void io_async_task_func(struct callback_head *cb)
 	/* restore ->work in case we need to retry again */
 	if (req->flags & REQ_F_WORK_INITIALIZED)
 		memcpy(&req->work, &apoll->work, sizeof(req->work));
-	kfree(apoll);
 
 	if (!READ_ONCE(apoll->poll.canceled))
 		__io_req_task_submit(req);
 	else
 		__io_req_task_cancel(req, -ECANCELED);
+
+	kfree(apoll);
 }
 
 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
author	Dan Carpenter <dan.carpenter@oracle.com>	2020-07-08 21:47:11 +0300
committer	Jens Axboe <axboe@kernel.dk>	2020-07-08 22:15:04 +0300
commit	aa340845ae6f019e0a12321a1741c14679bb0664 (patch)
tree	a3e80c1d69261f0debc3c31188f79164ff9f124c /fs/io_uring.c
parent	b2edc0a77fac19bbdef63cedb2ea34aec1a9a499 (diff)
download	linux-aa340845ae6f019e0a12321a1741c14679bb0664.tar.xz