From: Jens Axboe <axboe@kernel.dk>
To: Dan Carpenter <error27@gmail.com>
Cc: io-uring@vger.kernel.org
Subject: Re: [bug report] io_uring/tctx: clean up __io_uring_add_tctx_node() error handling
Date: Wed, 15 Apr 2026 14:24:33 -0600 [thread overview]
Message-ID: <499e9c02-3600-441c-bc8c-6ab41128d2bd@kernel.dk> (raw)
In-Reply-To: <ady1bB1t8l7LBjGG@stanley.mountain>
On 4/13/26 3:20 AM, Dan Carpenter wrote:
> Hello Jens Axboe,
>
> Commit 7880174e1e5e ("io_uring/tctx: clean up
> __io_uring_add_tctx_node() error handling") from Apr 8, 2026
> (linux-next), leads to the following Smatch static checker warning:
>
> io_uring/tctx.c:174 __io_uring_add_tctx_node()
> error: we previously assumed 'tctx->io_wq' could be null (see line 164)
>
> io_uring/tctx.c
> 139 int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
> 140 {
> 141 struct io_uring_task *tctx = current->io_uring;
> 142 int ret;
> 143
> 144 if (unlikely(!tctx)) {
> 145 tctx = io_uring_alloc_task_context(current, ctx);
> 146 if (IS_ERR(tctx))
> 147 return PTR_ERR(tctx);
> 148
> 149 if (ctx->int_flags & IO_RING_F_IOWQ_LIMITS_SET) {
> 150 unsigned int limits[2] = { ctx->iowq_limits[0],
> 151 ctx->iowq_limits[1], };
> 152
> 153 ret = io_wq_max_workers(tctx->io_wq, limits);
> 154 if (ret)
> 155 goto err_free;
> 156 }
> 157 }
> 158
> 159 /*
> 160 * Re-activate io-wq keepalive on any new io_uring usage. The wq may have
> 161 * been marked for idle-exit when the task temporarily had no active
> 162 * io_uring instances.
> 163 */
> 164 if (tctx->io_wq)
> ^^^^^^^^^^^
> This assumes ->io_wq can be NULL
>
> 165 io_wq_set_exit_on_idle(tctx->io_wq, false);
> 166
> 167 ret = io_tctx_install_node(ctx, tctx);
> 168 if (!ret) {
> 169 current->io_uring = tctx;
> 170 return 0;
> 171 }
> 172 if (!current->io_uring) {
> 173 err_free:
> --> 174 io_wq_put_and_exit(tctx->io_wq);
> ^^^^^^^^^^^
> Dereferenced without checking
>
> 175 percpu_counter_destroy(&tctx->inflight);
> 176 kfree(tctx);
> 177 }
> 178 return ret;
> 179 }
>
> This email is a free service from the Smatch-CI project [smatch.sf.net].
Thanks, I'll make them consistent.
--
Jens Axboe
prev parent reply other threads:[~2026-04-15 20:24 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 9:20 [bug report] io_uring/tctx: clean up __io_uring_add_tctx_node() error handling Dan Carpenter
2026-04-15 20:24 ` Jens Axboe [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499e9c02-3600-441c-bc8c-6ab41128d2bd@kernel.dk \
--to=axboe@kernel.dk \
--cc=error27@gmail.com \
--cc=io-uring@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox