io_uring/rsrc: don't put/free empty buffers

If cloning of buffers fail and we have to put the ones already grabbed,
check for NULL buffers and skip those. They used to be dummy ubufs, but
now they are just NULL and that should be checked before reaping them.

Reported-by: chase xd <sl1589472800@gmail.com>
Link: https://lore.kernel.org/io-uring/CADZouDQ7TcKn8gz8_efnyAEp1JvU1ktRk8PWz-tO0FXUoh8VGQ@mail.gmail.com/
Fixes: d50f94d761a5 ("io_uring/rsrc: get rid of the empty node and dummy_ubuf")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index adaae86309322e5efbee6831fe8253588025aa67..077f84684c18a0b3f5e622adb4978b6a00353b2f 100644 (file)
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1036,8 +1036,10 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
 out_put_free:
        i = data.nr;
        while (i--) {
-               io_buffer_unmap(src_ctx, data.nodes[i]);
-               kfree(data.nodes[i]);
+               if (data.nodes[i]) {
+                       io_buffer_unmap(src_ctx, data.nodes[i]);
+                       kfree(data.nodes[i]);
+               }
        }
 out_unlock:
        io_rsrc_data_free(ctx, &data);