diff options
author | Pavel Begunkov <asml.silence@gmail.com> | 2020-07-24 20:07:20 +0300 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2020-07-24 12:51:33 -0600 |
commit | d5e16d8e23825304c6a9945116cc6b6f8d51f28c (patch) | |
tree | b386921fbd47c05693f732e95f19f90822d50805 /fs/io_uring.c | |
parent | 3e863ea3bb1a2203ae648eb272db0ce6a1a2072c (diff) | |
download | lwn-d5e16d8e23825304c6a9945116cc6b6f8d51f28c.tar.gz lwn-d5e16d8e23825304c6a9945116cc6b6f8d51f28c.zip |
io_uring: fix ->work corruption with poll_add
req->work might be already initialised by the time it gets into
__io_arm_poll_handler(), which will corrupt it by using fields that are
in an union with req->work. Luckily, the only side effect is missing
put_creds(). Clean req->work before going there.
Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs/io_uring.c')
-rw-r--r-- | fs/io_uring.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c index 32b0064f806e..98e8079e67e7 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4658,6 +4658,10 @@ static int io_poll_add(struct io_kiocb *req) struct io_poll_table ipt; __poll_t mask; + /* ->work is in union with hash_node and others */ + io_req_work_drop_env(req); + req->flags &= ~REQ_F_WORK_INITIALIZED; + INIT_HLIST_NODE(&req->hash_node); INIT_LIST_HEAD(&req->list); ipt.pt._qproc = io_poll_queue_proc; |