public inbox for io-uring@vger.kernel.org
 help / color / mirror / Atom feed
* [bug report] io_uring/tctx: clean up __io_uring_add_tctx_node() error handling
@ 2026-04-13  9:20 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2026-04-13  9:20 UTC (permalink / raw)
  To: Jens Axboe; +Cc: io-uring

Hello Jens Axboe,

Commit 7880174e1e5e ("io_uring/tctx: clean up
__io_uring_add_tctx_node() error handling") from Apr 8, 2026
(linux-next), leads to the following Smatch static checker warning:

	io_uring/tctx.c:174 __io_uring_add_tctx_node()
	error: we previously assumed 'tctx->io_wq' could be null (see line 164)

io_uring/tctx.c
    139 int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
    140 {
    141         struct io_uring_task *tctx = current->io_uring;
    142         int ret;
    143 
    144         if (unlikely(!tctx)) {
    145                 tctx = io_uring_alloc_task_context(current, ctx);
    146                 if (IS_ERR(tctx))
    147                         return PTR_ERR(tctx);
    148 
    149                 if (ctx->int_flags & IO_RING_F_IOWQ_LIMITS_SET) {
    150                         unsigned int limits[2] = { ctx->iowq_limits[0],
    151                                                    ctx->iowq_limits[1], };
    152 
    153                         ret = io_wq_max_workers(tctx->io_wq, limits);
    154                         if (ret)
    155                                 goto err_free;
    156                 }
    157         }
    158 
    159         /*
    160          * Re-activate io-wq keepalive on any new io_uring usage. The wq may have
    161          * been marked for idle-exit when the task temporarily had no active
    162          * io_uring instances.
    163          */
    164         if (tctx->io_wq)
                    ^^^^^^^^^^^
This assumes ->io_wq can be NULL

    165                 io_wq_set_exit_on_idle(tctx->io_wq, false);
    166 
    167         ret = io_tctx_install_node(ctx, tctx);
    168         if (!ret) {
    169                 current->io_uring = tctx;
    170                 return 0;
    171         }
    172         if (!current->io_uring) {
    173 err_free:
--> 174                 io_wq_put_and_exit(tctx->io_wq);
                                           ^^^^^^^^^^^
Dereferenced without checking

    175                 percpu_counter_destroy(&tctx->inflight);
    176                 kfree(tctx);
    177         }
    178         return ret;
    179 }

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2026-04-13  9:20 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-13  9:20 [bug report] io_uring/tctx: clean up __io_uring_add_tctx_node() error handling Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox