Commit 7a121ced authored Jul 07, 2022 by Pavel Begunkov Committed by Jens Axboe Jul 24, 2022

io_uring: don't miss setting REQ_F_DOUBLE_POLL

When adding a second poll entry we should set REQ_F_DOUBLE_POLL
unconditionally. We might race with the first entry removal but that
doesn't change the rule.

Fixes: a18427bb2d9b ("io_uring: optimise submission side poll_refs")
Reported-and-tested-by: <syzbot+49950ba66096b1f0209b@syzkaller.appspotmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/8b680d83ded07424db83e8745585e7a6d72826ef.1657203020.git.asml.silence@gmail.com

Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent cf0dd952

io_uring/poll.c

+10 −8

Original line number	Diff line number	Diff line
		@@ -401,16 +401,18 @@ static void io_poll_double_prepare(struct io_kiocb *req)
		/* head is RCU protected, see io_poll_remove_entries() comments */
		rcu_read_lock();
		head = smp_load_acquire(&poll->head);
		if (head) {
		/*
		* poll arm may not hold ownership and so race with
		* io_poll_wake() by modifying req->flags. There is only one
		* poll entry queued, serialise with it by taking its head lock.
		*/
		if (head)
		spin_lock_irq(&head->lock);

		req->flags \|= REQ_F_DOUBLE_POLL;

		if (head)
		spin_unlock_irq(&head->lock);
		}
		rcu_read_unlock();
		}