io_uring: fix a memory leak of buffer group list on exit

If we use a buffer group ID that is large enough to require io_uring
to allocate it, then we don't correctly free it if the cleanup is
deferred to the ring exit. The explicit removal paths are fine.

Fixes: 788b05f6311b ("io_uring: get rid of hashed provided buffer groups")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index ae2cc17edd2c1842e572775b8e2125dd867b7d2b..f14ebe4bb65d88a83c5cc91b57a3decea40f816d 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -11065,6 +11065,7 @@ static void io_destroy_buffers(struct io_ring_ctx *ctx)
        xa_for_each(&ctx->io_bl_xa, index, bl) {
                xa_erase(&ctx->io_bl_xa, bl->bgid);
                __io_remove_buffers(ctx, bl, -1U);
+               kfree(bl);
        }
 
        while (!list_empty(&ctx->io_buffers_pages)) {