Commit f7b24bee authored by Matthew Wilcox (Oracle)'s avatar Matthew Wilcox (Oracle) Committed by Greg Kroah-Hartman
io_uring: Fix XArray usage in io_uring_add_task_file

commit 236434c3438c4da3dfbd6aeeab807577b85e951a upstream.

The xas_store() wasn't paired with an xas_nomem() loop, so if it couldn't
allocate memory using GFP_NOWAIT, it would leak the reference to the file
descriptor.  Also the node pointed to by the xas could be freed between
the call to xas_load() under the rcu_read_lock() and the acquisition of
the xa_lock.

It's easier to just use the normal xa_load/xa_store interface here.
Signed-off-by: default avatarMatthew Wilcox (Oracle) <>
[axboe: fix missing assign after alloc, cur_uring -> tctx rename]
Signed-off-by: default avatarJens Axboe <>
Signed-off-by: default avatarGreg Kroah-Hartman <>
......@@ -7929,27 +7929,24 @@ static void io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
static int io_uring_add_task_file(struct file *file)
if (unlikely(!current->io_uring)) {
struct io_uring_task *tctx = current->io_uring;
if (unlikely(!tctx)) {
int ret;
ret = io_uring_alloc_task_context(current);
if (unlikely(ret))
return ret;
tctx = current->io_uring;
if (current->io_uring->last != file) {
XA_STATE(xas, &current->io_uring->xa, (unsigned long) file);
void *old;
if (tctx->last != file) {
void *old = xa_load(&tctx->xa, (unsigned long)file);
old = xas_load(&xas);
if (old != file) {
if (!old) {
xas_store(&xas, file);
xa_store(&tctx->xa, (unsigned long)file, file, GFP_KERNEL);
current->io_uring->last = file;
tctx->last = file;
return 0;
