Merge tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux

torvalds · torvalds · commit af145500afa5 · 2022-12-08T15:44:09.000-08:00
Pull io_uring fix from Jens Axboe:
 "A single small fix for an issue related to ordering between
  cancelation and current-&gt;io_uring teardown"

* tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux:
  io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
@@ -2707,8 +2707,10 @@ static __cold void io_tctx_exit_cb(struct callback_head *cb)
 	/*
 	 * When @in_idle, we're in cancellation and it's racy to remove the
 	 * node. It'll be removed by the end of cancellation, just ignore it.
+	 * tctx can be NULL if the queueing of this task_work raced with
+	 * work cancelation off the exec path.
 	 */
-	if (!atomic_read(&tctx->in_idle))
+	if (tctx && !atomic_read(&tctx->in_idle))
 		io_uring_del_tctx_node((unsigned long)work->ctx);
 	complete(&work->completion);
 }
