Merge tag 'io_uring-6.16-20250619' of git://git.kernel.dk/linux

Pull io_uring fixes from Jens Axboe:

 - Two fixes for error injection failures. One fixes a task leak issue
   introduced in this merge window, the other an older issue with
   handling allocation of a mapped buffer.

 - Fix for a syzbot issue that triggers a kmalloc warning on attempting
   an allocation that's too large

 - Fix for an error injection failure causing a double put of a task,
   introduced in this merge window

* tag 'io_uring-6.16-20250619' of git://git.kernel.dk/linux:
  io_uring: fix potential page leak in io_sqe_buffer_register()
  io_uring/sqpoll: don't put task_struct on tctx setup failure
  io_uring: remove duplicate io_uring_alloc_task_context() definition
  io_uring: fix task leak issue in io_wq_create()
  io_uring/rsrc: validate buffer count with offset for cloning

1 files changed, 2 insertions, 4 deletions

diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 268d2fbe6160..a3f11349ce06 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -16,6 +16,7 @@
 #include <uapi/linux/io_uring.h>
 
 #include "io_uring.h"
+#include "tctx.h"
 #include "napi.h"
 #include "sqpoll.h"
 
@@ -419,7 +420,6 @@ void io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
 __cold int io_sq_offload_create(struct io_ring_ctx *ctx,
 				struct io_uring_params *p)
 {
-	struct task_struct *task_to_put = NULL;
 	int ret;
 
 	/* Retain compatibility with failing for an invalid attach attempt */
@@ -498,7 +498,7 @@ __cold int io_sq_offload_create(struct io_ring_ctx *ctx,
 		rcu_assign_pointer(sqd->thread, tsk);
 		mutex_unlock(&sqd->lock);
 
-		task_to_put = get_task_struct(tsk);
+		get_task_struct(tsk);
 		ret = io_uring_alloc_task_context(tsk, ctx);
 		wake_up_new_task(tsk);
 		if (ret)
@@ -513,8 +513,6 @@ err_sqpoll:
 	complete(&ctx->sq_data->exited);
 err:
 	io_sq_thread_finish(ctx);
-	if (task_to_put)
-		put_task_struct(task_to_put);
 	return ret;
 }