io_uring: Fix leaking linked timeouts

let have a dependant link: REQ -> LINK_TIMEOUT -> LINK_TIMEOUT

1. submission stage: submission references for REQ and LINK_TIMEOUT
are dropped. So, references respectively (1,1,2)

2. io_put(REQ) + FAIL_LINKS stage: calls io_fail_links(), which for all
linked timeouts will call cancel_timeout() and drop 1 reference.
So, references after: (0,0,1). That's a leak.

Make it treat only the first linked timeout as such, and pass others
through __io_double_put_req().

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index fd60939a8a595f8860cd6cbd453250ce1bd4cef5..f88e12b971c7474659ac410bcfdecae34a11a221 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -942,6 +942,7 @@ static void io_fail_links(struct io_kiocb *req)
                if ((req->flags & REQ_F_LINK_TIMEOUT) &&
                    link->submit.sqe->opcode == IORING_OP_LINK_TIMEOUT) {
                        io_link_cancel_timeout(link);
+                       req->flags &= ~REQ_F_LINK_TIMEOUT;
                } else {
                        io_cqring_fill_event(link, -ECANCELED);
                        __io_double_put_req(link);