Commit d5e16d8e authored by Pavel Begunkov, committed by Jens Axboe

io_uring: fix ->work corruption with poll_add



req->work might be already initialised by the time it gets into
__io_arm_poll_handler(), which will corrupt it by using fields that are
in a union with req->work. Luckily, the only side effect is missing
put_creds(). Clean req->work before going there.

Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent 3e863ea3
+4 −0
@@ -4658,6 +4658,10 @@ static int io_poll_add(struct io_kiocb *req)
	struct io_poll_table ipt;
	__poll_t mask;

	/* ->work is in union with hash_node and others */
	io_req_work_drop_env(req);
	req->flags &= ~REQ_F_WORK_INITIALIZED;

	INIT_HLIST_NODE(&req->hash_node);
	INIT_LIST_HEAD(&req->list);
	ipt.pt._qproc = io_poll_queue_proc;
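
Review bot: the call to io_req_work_drop_env(req) at the top of io_poll_add() is unconditional, while the commit message only says ->work "might be" initialised on entry. Please confirm the helper is a no-op when REQ_F_WORK_INITIALIZED is not set, or guard the call with `if (req->flags & REQ_F_WORK_INITIALIZED)`, so a request that never set up ->work does not have stale union contents treated as work state. The comment would also be more durable if it said that the drop has to come before INIT_HLIST_NODE(&req->hash_node), since that write is the first one to overwrite ->work; as written, a later reorder of these lines could silently bring the leak back. Because the message describes a missed put_creds(), which is a reference leak, a Fixes: tag pointing at the change that introduced the overlap would help stable backports.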