Commit 7a274727 authored by Pavel Begunkov, committed by Jens Axboe

io_uring: don't modify req->poll for rw

__io_queue_proc() is used by both poll and apoll, so we should not
access req->poll directly but instead select the right struct
io_poll_iocb depending on the use case.

Reported-and-tested-by: syzbot+a84b8783366ecb1c65d0@syzkaller.appspotmail.com
Fixes: ea6a693d ("io_uring: disable multishot poll for double poll add cases")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/4a6a1de31142d8e0250fe2dfd4c8923d82a5bbfc.1621251795.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent 489809e2
...@@ -5019,10 +5019,10 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt, ...@@ -5019,10 +5019,10 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
* Can't handle multishot for double wait for now, turn it * Can't handle multishot for double wait for now, turn it
* into one-shot mode. * into one-shot mode.
*/ */
if (!(req->poll.events & EPOLLONESHOT)) if (!(poll_one->events & EPOLLONESHOT))
req->poll.events |= EPOLLONESHOT; poll_one->events |= EPOLLONESHOT;
/* double add on the same waitqueue head, ignore */ /* double add on the same waitqueue head, ignore */
if (poll->head == head) if (poll_one->head == head)
return; return;
poll = kmalloc(sizeof(*poll), GFP_ATOMIC); poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
if (!poll) { if (!poll) {
......
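Review bot: The `poll_one->head == head` comparison replaces `poll->head == head`, but the commit message only covers the `req->poll.events` access, so from this hunk it is unclear whether the second change alters behaviour or is only a rename. `poll_one` is declared outside the visible lines; if it is simply the `poll` argument on entry, say so in the message, and because `poll` is reassigned by the `kmalloc()` immediately below, a one-line comment at the declaration that `poll_one` keeps the first entry would make the two names easier to follow. The subject mentions rw while the body does not, so the message should also state what the apoll path ends up modifying when it goes through `req->poll`.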