Merge tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux

Pull io_uring fix from Jens Axboe: "A single small fix for an issue related to ordering between cancelation and current->io_uring teardown" * tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
author: Linus Torvalds <torvalds@linux-foundation.org> 2022-12-08 15:44:09 -0800
committer: Linus Torvalds <torvalds@linux-foundation.org> 2022-12-08 15:44:09 -0800
commit: af145500afa53fce55c9ee98e405fd0d65f018d0 (patch)
tree: 221c893896a7c9da635cd3cab3a6273b2e5716a0
parent: 010b6761a9fc5006267d99abb6f9f196bf5d3d13 (diff)
parent: 998b30c3948e4d0b1097e639918c5cff332acac5 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 8840cf3e20f2..61cd7ffd0f6a 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2707,8 +2707,10 @@ static __cold void io_tctx_exit_cb(struct callback_head *cb)
 	/*
 	 * When @in_idle, we're in cancellation and it's racy to remove the
 	 * node. It'll be removed by the end of cancellation, just ignore it.
+	 * tctx can be NULL if the queueing of this task_work raced with
+	 * work cancelation off the exec path.
 	 */
-	if (!atomic_read(&tctx->in_idle))
+	if (tctx && !atomic_read(&tctx->in_idle))
 		io_uring_del_tctx_node((unsigned long)work->ctx);
 	complete(&work->completion);
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2022-12-08 15:44:09 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	2022-12-08 15:44:09 -0800
commit	af145500afa53fce55c9ee98e405fd0d65f018d0 (patch)
tree	221c893896a7c9da635cd3cab3a6273b2e5716a0
parent	010b6761a9fc5006267d99abb6f9f196bf5d3d13 (diff)
parent	998b30c3948e4d0b1097e639918c5cff332acac5 (diff)