Skip to content

Commit 9eef902

Browse files
isilencegregkh
isilence
authored and
gregkh
committed
io_uring: explicitly count entries for poll reqs
commit 68b11e8 upstream. If __io_queue_proc() fails to add a second poll entry, e.g. kmalloc() failed, but it goes on with a third waitqueue, it may succeed and overwrite the error status. Count the number of poll entries we added, so we can set pt->error to zero at the beginning and find out when the mentioned scenario happens. Cc: [email protected] Fixes: 18bceab ("io_uring: allow POLL_ADD with double poll_wait() users") Signed-off-by: Pavel Begunkov <[email protected]> Link: https://lore.kernel.org/r/9d6b9e561f88bcc0163623b74a76c39f712151c3.1626774457.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 1077e2b commit 9eef902

File tree

1 file changed

+10
-6
lines changed

1 file changed

+10
-6
lines changed

fs/io_uring.c

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -4916,6 +4916,7 @@ static int io_connect(struct io_kiocb *req, bool force_nonblock,
49164916
struct io_poll_table {
49174917
struct poll_table_struct pt;
49184918
struct io_kiocb *req;
4919+
int nr_entries;
49194920
int error;
49204921
};
49214922

@@ -5098,11 +5099,11 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
50985099
struct io_kiocb *req = pt->req;
50995100

51005101
/*
5101-
* If poll->head is already set, it's because the file being polled
5102-
* uses multiple waitqueues for poll handling (eg one for read, one
5103-
* for write). Setup a separate io_poll_iocb if this happens.
5102+
* The file being polled uses multiple waitqueues for poll handling
5103+
* (e.g. one for read, one for write). Setup a separate io_poll_iocb
5104+
* if this happens.
51045105
*/
5105-
if (unlikely(poll->head)) {
5106+
if (unlikely(pt->nr_entries)) {
51065107
struct io_poll_iocb *poll_one = poll;
51075108

51085109
/* already have a 2nd entry, fail a third attempt */
@@ -5124,7 +5125,7 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
51245125
*poll_ptr = poll;
51255126
}
51265127

5127-
pt->error = 0;
5128+
pt->nr_entries++;
51285129
poll->head = head;
51295130

51305131
if (poll->events & EPOLLEXCLUSIVE)
@@ -5210,9 +5211,12 @@ static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
52105211

52115212
ipt->pt._key = mask;
52125213
ipt->req = req;
5213-
ipt->error = -EINVAL;
5214+
ipt->error = 0;
5215+
ipt->nr_entries = 0;
52145216

52155217
mask = vfs_poll(req->file, &ipt->pt) & poll->events;
5218+
if (unlikely(!ipt->nr_entries) && !ipt->error)
5219+
ipt->error = -EINVAL;
52165220

52175221
spin_lock_irq(&ctx->completion_lock);
52185222
if (likely(poll->head)) {

0 commit comments

Comments
 (0)