summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorPavel Begunkov <asml.silence@gmail.com>2020-07-24 20:07:20 +0300
committerJens Axboe <axboe@kernel.dk>2020-07-24 21:51:33 +0300
commitd5e16d8e23825304c6a9945116cc6b6f8d51f28c (patch)
treeb386921fbd47c05693f732e95f19f90822d50805 /fs
parent3e863ea3bb1a2203ae648eb272db0ce6a1a2072c (diff)
downloadlinux-d5e16d8e23825304c6a9945116cc6b6f8d51f28c.tar.xz
io_uring: fix ->work corruption with poll_add
req->work might be already initialised by the time it gets into __io_arm_poll_handler(), which will corrupt it by using fields that are in an union with req->work. Luckily, the only side effect is missing put_creds(). Clean req->work before going there. Suggested-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs')
-rw-r--r--fs/io_uring.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 32b0064f806e..98e8079e67e7 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4658,6 +4658,10 @@ static int io_poll_add(struct io_kiocb *req)
struct io_poll_table ipt;
__poll_t mask;
+ /* ->work is in union with hash_node and others */
+ io_req_work_drop_env(req);
+ req->flags &= ~REQ_F_WORK_INITIALIZED;
+
INIT_HLIST_NODE(&req->hash_node);
INIT_LIST_HEAD(&req->list);
ipt.pt._qproc = io_poll_queue_proc;