From: Dan Carpenter <error27@gmail.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: io-uring@vger.kernel.org
Subject: [bug report] io_uring/tctx: clean up __io_uring_add_tctx_node() error handling
Date: Mon, 13 Apr 2026 12:20:44 +0300
Message-ID: <ady1bB1t8l7LBjGG@stanley.mountain>
Hello Jens Axboe,
Commit 7880174e1e5e ("io_uring/tctx: clean up
__io_uring_add_tctx_node() error handling") from Apr 8, 2026
(linux-next), leads to the following Smatch static checker warning:
io_uring/tctx.c:174 __io_uring_add_tctx_node()
error: we previously assumed 'tctx->io_wq' could be null (see line 164)
io_uring/tctx.c
    139 int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
    140 {
    141         struct io_uring_task *tctx = current->io_uring;
    142         int ret;
    143
    144         if (unlikely(!tctx)) {
    145                 tctx = io_uring_alloc_task_context(current, ctx);
    146                 if (IS_ERR(tctx))
    147                         return PTR_ERR(tctx);
    148
    149                 if (ctx->int_flags & IO_RING_F_IOWQ_LIMITS_SET) {
    150                         unsigned int limits[2] = { ctx->iowq_limits[0],
    151                                                    ctx->iowq_limits[1], };
    152
    153                         ret = io_wq_max_workers(tctx->io_wq, limits);
    154                         if (ret)
    155                                 goto err_free;
    156                 }
    157         }
    158
    159         /*
    160          * Re-activate io-wq keepalive on any new io_uring usage. The wq may have
    161          * been marked for idle-exit when the task temporarily had no active
    162          * io_uring instances.
    163          */
    164         if (tctx->io_wq)
                    ^^^^^^^^^^^
                    This assumes ->io_wq can be NULL

    165                 io_wq_set_exit_on_idle(tctx->io_wq, false);
    166
    167         ret = io_tctx_install_node(ctx, tctx);
    168         if (!ret) {
    169                 current->io_uring = tctx;
    170                 return 0;
    171         }
    172         if (!current->io_uring) {
    173 err_free:
--> 174                 io_wq_put_and_exit(tctx->io_wq);
                                           ^^^^^^^^^^^
                                           Dereferenced without checking

    175                 percpu_counter_destroy(&tctx->inflight);
    176                 kfree(tctx);
    177         }
    178         return ret;
    179 }
This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
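
The pattern behind this class of warning, as an added example that is not part of the original message or of the kernel source: a pointer is NULL-tested on one path and then handed to a dereferencing helper on the error path. All names below are hypothetical userspace stand-ins, and the model takes no position on whether ->io_wq can really be NULL at line 174; it only shows the cleanup carrying the same guard as the earlier check.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical userspace stand-ins; none of this is kernel code. */
struct wq { int exit_on_idle; };
struct task_ctx { struct wq *io_wq; };

static int wq_puts;                /* number of wq releases performed */
static struct task_ctx *installed; /* set only when install succeeds */

/* Like the call Smatch flagged, this helper dereferences its argument. */
static void wq_put_and_exit(struct wq *wq)
{
	wq->exit_on_idle = 1;
	wq_puts++;
	free(wq);
}

/* Error-path cleanup carrying the same NULL guard as the earlier check. */
static void task_ctx_free(struct task_ctx *tctx)
{
	if (tctx->io_wq)
		wq_put_and_exit(tctx->io_wq);
	free(tctx);
}

/* Constructed model: io_wq is tested, then a failure reaches cleanup. */
static int add_node(int with_wq, int install_ret)
{
	struct task_ctx *tctx = calloc(1, sizeof(*tctx));

	if (!tctx)
		return -ENOMEM;
	if (with_wq)
		tctx->io_wq = calloc(1, sizeof(*tctx->io_wq));
	if (tctx->io_wq) /* the check that implies "may be NULL" */
		tctx->io_wq->exit_on_idle = 0;
	if (install_ret) {
		task_ctx_free(tctx);
		return install_ret;
	}
	installed = tctx;
	return 0;
}

int main(void)
{
	return add_node(0, -ENOMEM) == -ENOMEM ? 0 : 1;
}
```

If the pointer can never be NULL at that point, the consistent alternative is to drop the earlier check rather than guard the cleanup.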