io_uring: fix a use after free in io_async_task_func()

The "apoll" variable is freed and then used on the next line.  We need
to move the free down a few lines.

Fixes: 0be0b0e33b0b ("io_uring: simplify io_async_task_func()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 4c9a494..14168fb 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4655,12 +4655,13 @@ static void io_async_task_func(struct callback_head *cb)
        /* restore ->work in case we need to retry again */
        if (req->flags & REQ_F_WORK_INITIALIZED)
                memcpy(&req->work, &apoll->work, sizeof(req->work));
-       kfree(apoll);
 
        if (!READ_ONCE(apoll->poll.canceled))
                __io_req_task_submit(req);
        else
                __io_req_task_cancel(req, -ECANCELED);
+
+       kfree(apoll);
 }
 
 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,