| From a36da65c46565d2527eec3efdb546251e38253fd Mon Sep 17 00:00:00 2001 |
| From: Jens Axboe <axboe@kernel.dk> |
| Date: Tue, 11 Aug 2020 09:50:19 -0600 |
| Subject: io_uring: fail poll arm on queue proc failure |
| |
| From: Jens Axboe <axboe@kernel.dk> |
| |
| commit a36da65c46565d2527eec3efdb546251e38253fd upstream. |
| |
| Check the ipt.error value, it must have been either cleared to zero or |
| set to another error than the default -EINVAL if we don't go through the |
| waitqueue proc addition. Just give up on poll at that point and return |
| failure, this will fallback to async work. |
| |
| io_poll_add() doesn't suffer from this failure case, as it returns the |
| error value directly. |
| |
| Cc: stable@vger.kernel.org # v5.7+ |
| Reported-by: syzbot+a730016dc0bdce4f6ff5@syzkaller.appspotmail.com |
| Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> |
| Signed-off-by: Jens Axboe <axboe@kernel.dk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/io_uring.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/io_uring.c |
| +++ b/fs/io_uring.c |
| @@ -4544,7 +4544,7 @@ static bool io_arm_poll_handler(struct i |
| |
| ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask, |
| io_async_wake); |
| - if (ret) { |
| + if (ret || ipt.error) { |
| io_poll_remove_double(req, apoll->double_poll); |
| spin_unlock_irq(&ctx->completion_lock); |
| memcpy(&req->work, &apoll->work, sizeof(req->work)); |
