From 21870e02fcd385c39fe635e6531ce78302f3cd71 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@kernel.dk>
Date: Thu, 26 May 2022 11:34:33 -0600
Subject: [PATCH] io_uring: fix a memory leak of buffer group list on exit
Git-commit: 21870e02fcd385c39fe635e6531ce78302f3cd71
Patch-mainline: v5.19-rc1
References: bsc#1205205

If we use a buffer group ID that is large enough to require io_uring
to allocate it, then we don't correctly free it if the cleanup is
deferred to the ring exit. The explicit removal paths are fine.

Fixes: 9cfc7e94e42b ("io_uring: get rid of hashed provided buffer groups")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
---
 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index ae2cc17edd2c..f14ebe4bb65d 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -11065,6 +11065,7 @@ static void io_destroy_buffers(struct io_ring_ctx *ctx)
 	xa_for_each(&ctx->io_bl_xa, index, bl) {
 		xa_erase(&ctx->io_bl_xa, bl->bgid);
 		__io_remove_buffers(ctx, bl, -1U);
+		kfree(bl);
 	}
 
 	while (!list_empty(&ctx->io_buffers_pages)) {
-- 
2.35.3