Message-Id: <173457120329.744782.1920271046445831362.b4-ty@kernel.dk>
Date: Wed, 18 Dec 2024 18:20:03 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Pavel Begunkov <asml.silence@...il.com>, Jann Horn <jannh@...gle.com>
Cc: io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] io_uring: Fix registered ring file refcount leak

On Wed, 18 Dec 2024 17:56:25 +0100, Jann Horn wrote:
> Currently, io_uring_unreg_ringfd() (which cleans up registered rings) is
> only called on exit, but __io_uring_free (which frees the tctx in which the
> registered ring pointers are stored) is also called on execve (via
> begin_new_exec -> io_uring_task_cancel -> __io_uring_cancel ->
> io_uring_cancel_generic -> __io_uring_free).
>
> This means: A process going through execve while having registered rings
> will leak references to the rings' `struct file`.
>
> [...]

Applied, thanks!

[1/1] io_uring: Fix registered ring file refcount leak
      commit: 12d908116f7efd34f255a482b9afc729d7a5fb78

Best regards,
--
Jens Axboe
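
The two teardown paths described in the quoted message, as an added example that is not part of the original message or the kernel source: a userspace C model of the reference counting. `struct file`, `struct tctx` and all helper names are stand-ins, and the `cleanup_on_all_paths` switch is an assumed mitigation for illustration, not the applied commit.

```c
/* Userspace model (constructed, not kernel code) of the lifetime bug:
 * the table of registered rings is freed on two paths, but the
 * references it holds are dropped on only one of them. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_RINGS 4

struct file { int refcount; };                        /* stand-in for the kernel's struct file */
struct tctx { struct file *registered[MAX_RINGS]; };  /* stand-in for the per-task context */

static struct file *file_get(struct file *f) { f->refcount++; return f; }
static void file_put(struct file *f) { f->refcount--; }

/* Models io_uring_unreg_ringfd(): drop every reference held by the table. */
static void unreg_ringfd(struct tctx *t)
{
    for (int i = 0; i < MAX_RINGS; i++) {
        if (t->registered[i]) {
            file_put(t->registered[i]);
            t->registered[i] = NULL;
        }
    }
}

/* Models __io_uring_free(): frees the table, not what its slots point to. */
static void tctx_free(struct tctx *t) { free(t); }

enum path { PATH_EXIT, PATH_EXECVE };

/* Returns the ring's refcount after teardown: 1 is balanced, 2 is a leak.
 * cleanup_on_all_paths = 0 models the behaviour the message describes;
 * cleanup_on_all_paths = 1 is the assumed mitigation. */
static int teardown_refcount(enum path p, int cleanup_on_all_paths)
{
    struct file ring = { .refcount = 1 };   /* reference held by the fd table */
    struct tctx *t = calloc(1, sizeof(*t));
    if (!t)
        return -1;
    t->registered[0] = file_get(&ring);     /* registering takes a reference */
    if (p == PATH_EXIT || cleanup_on_all_paths)
        unreg_ringfd(t);
    tctx_free(t);
    return ring.refcount;
}

int main(void)
{
    printf("exit, original:   %d\n", teardown_refcount(PATH_EXIT, 0));
    printf("execve, original: %d\n", teardown_refcount(PATH_EXECVE, 0));
    printf("execve, cleanup:  %d\n", teardown_refcount(PATH_EXECVE, 1));
    return 0;
}
```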