releases/5.13.6/io_uring-explicitly-count-entries-for-poll-reqs.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 68b11e8b1562986c134764433af64e97d30c9fc0 Mon Sep 17 00:00:00 2001
 From: Pavel Begunkov <asml.silence@gmail.com>
 Date: Tue, 20 Jul 2021 10:50:43 +0100
 Subject: io_uring: explicitly count entries for poll reqs

 From: Pavel Begunkov <asml.silence@gmail.com>

 commit 68b11e8b1562986c134764433af64e97d30c9fc0 upstream.

 If __io_queue_proc() fails to add a second poll entry, e.g. kmalloc()
 failed, but it goes on with a third waitqueue, it may succeed and
 overwrite the error status. Count the number of poll entries we added,
 so we can set pt->error to zero at the beginning and find out when the
 mentioned scenario happens.

 Cc: stable@vger.kernel.org
 Fixes: 18bceab101add ("io_uring: allow POLL_ADD with double poll_wait() users")
 Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
 Link: https://lore.kernel.org/r/9d6b9e561f88bcc0163623b74a76c39f712151c3.1626774457.git.asml.silence@gmail.com
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  fs/io_uring.c |   16 ++++++++++------
  1 file changed, 10 insertions(+), 6 deletions(-)

 --- a/fs/io_uring.c
 +++ b/fs/io_uring.c
 @@ -4805,6 +4805,7 @@ IO_NETOP_FN(recv);
  struct io_poll_table {
  	struct poll_table_struct pt;
  	struct io_kiocb *req;
 +	int nr_entries;
  	int error;
  };

 @@ -5002,11 +5003,11 @@ static void __io_queue_proc(struct io_po
  	struct io_kiocb *req = pt->req;

  	/*
 -	 * If poll->head is already set, it's because the file being polled
 -	 * uses multiple waitqueues for poll handling (eg one for read, one
 -	 * for write). Setup a separate io_poll_iocb if this happens.
 +	 * The file being polled uses multiple waitqueues for poll handling
 +	 * (e.g. one for read, one for write). Setup a separate io_poll_iocb
 +	 * if this happens.
  	 */
 -	if (unlikely(poll->head)) {
 +	if (unlikely(pt->nr_entries)) {
  		struct io_poll_iocb *poll_one = poll;

  		/* already have a 2nd entry, fail a third attempt */
 @@ -5034,7 +5035,7 @@ static void __io_queue_proc(struct io_po
  		*poll_ptr = poll;
  	}

 -	pt->error = 0;
 +	pt->nr_entries++;
  	poll->head = head;

  	if (poll->events & EPOLLEXCLUSIVE)
 @@ -5112,9 +5113,12 @@ static __poll_t __io_arm_poll_handler(st

  	ipt->pt._key = mask;
  	ipt->req = req;
 -	ipt->error = -EINVAL;
 +	ipt->error = 0;
 +	ipt->nr_entries = 0;

  	mask = vfs_poll(req->file, &ipt->pt) & poll->events;
 +	if (unlikely(!ipt->nr_entries) && !ipt->error)
 +		ipt->error = -EINVAL;

  	spin_lock_irq(&ctx->completion_lock);
  	if (likely(poll->head)) {
	From 68b11e8b1562986c134764433af64e97d30c9fc0 Mon Sep 17 00:00:00 2001
	From: Pavel Begunkov <asml.silence@gmail.com>
	Date: Tue, 20 Jul 2021 10:50:43 +0100
	Subject: io_uring: explicitly count entries for poll reqs

	From: Pavel Begunkov <asml.silence@gmail.com>

	commit 68b11e8b1562986c134764433af64e97d30c9fc0 upstream.

	If __io_queue_proc() fails to add a second poll entry, e.g. kmalloc()
	failed, but it goes on with a third waitqueue, it may succeed and
	overwrite the error status. Count the number of poll entries we added,
	so we can set pt->error to zero at the beginning and find out when the
	mentioned scenario happens.

	Cc: stable@vger.kernel.org
	Fixes: 18bceab101add ("io_uring: allow POLL_ADD with double poll_wait() users")
	Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
	Link: https://lore.kernel.org/r/9d6b9e561f88bcc0163623b74a76c39f712151c3.1626774457.git.asml.silence@gmail.com
	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	fs/io_uring.c \| 16 ++++++++++------
	1 file changed, 10 insertions(+), 6 deletions(-)

	--- a/fs/io_uring.c
	+++ b/fs/io_uring.c
	@@ -4805,6 +4805,7 @@ IO_NETOP_FN(recv);
	struct io_poll_table {
	struct poll_table_struct pt;
	struct io_kiocb *req;
	+ int nr_entries;
	int error;
	};

	@@ -5002,11 +5003,11 @@ static void __io_queue_proc(struct io_po
	struct io_kiocb *req = pt->req;

	/*
	- * If poll->head is already set, it's because the file being polled
	- * uses multiple waitqueues for poll handling (eg one for read, one
	- * for write). Setup a separate io_poll_iocb if this happens.
	+ * The file being polled uses multiple waitqueues for poll handling
	+ * (e.g. one for read, one for write). Setup a separate io_poll_iocb
	+ * if this happens.
	*/
	- if (unlikely(poll->head)) {
	+ if (unlikely(pt->nr_entries)) {
	struct io_poll_iocb *poll_one = poll;

	/* already have a 2nd entry, fail a third attempt */
	@@ -5034,7 +5035,7 @@ static void __io_queue_proc(struct io_po
	*poll_ptr = poll;
	}

	- pt->error = 0;
	+ pt->nr_entries++;
	poll->head = head;

	if (poll->events & EPOLLEXCLUSIVE)
	@@ -5112,9 +5113,12 @@ static __poll_t __io_arm_poll_handler(st

	ipt->pt._key = mask;
	ipt->req = req;
	- ipt->error = -EINVAL;
	+ ipt->error = 0;
	+ ipt->nr_entries = 0;

	mask = vfs_poll(req->file, &ipt->pt) & poll->events;
	+ if (unlikely(!ipt->nr_entries) && !ipt->error)
	+ ipt->error = -EINVAL;

	spin_lock_irq(&ctx->completion_lock);
	if (likely(poll->head)) {