io_uring: don't modify req->poll for rw __io_queue_proc() is used by both poll and apoll, so we should not access req->poll directly but selecting right struct io_poll_iocb depending on use case. Reported-and-tested-by: syzbot+a84b8783366ecb1c65d0@syzkaller.appspotmail.com Fixes: ea6a693d862d ("io_uring: disable multishot poll for double poll add cases") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/4a6a1de31142d8e0250fe2dfd4c8923d82a5bbfc.1621251795.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit: 7a274727702cc07d27cdebd36d1d5132abeea12f [log] [tgz]
author: Pavel Begunkov <asml.silence@gmail.com> Mon May 17 12:43:34 2021 +0100
committer: Jens Axboe <axboe@kernel.dk> Mon May 17 07:28:48 2021 -0600
tree: aefa2d62f367048dfe415f13a4e506ff38f2b571
parent: 489809e2e22b3dedc0737163d97eb2b574137b42 [diff] [blame]
diff --git a/fs/io_uring.c b/fs/io_uring.c
index e481ac8..89ec104 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c

@@ -5019,10 +5019,10 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
 		 * Can't handle multishot for double wait for now, turn it
 		 * into one-shot mode.
 		 */
-		if (!(req->poll.events & EPOLLONESHOT))
-			req->poll.events |= EPOLLONESHOT;
+		if (!(poll_one->events & EPOLLONESHOT))
+			poll_one->events |= EPOLLONESHOT;
 		/* double add on the same waitqueue head, ignore */
-		if (poll->head == head)
+		if (poll_one->head == head)
 			return;
 		poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
 		if (!poll) {
commit	7a274727702cc07d27cdebd36d1d5132abeea12f	[log] [tgz]
author	Pavel Begunkov <asml.silence@gmail.com>	Mon May 17 12:43:34 2021 +0100
committer	Jens Axboe <axboe@kernel.dk>	Mon May 17 07:28:48 2021 -0600
tree	aefa2d62f367048dfe415f13a4e506ff38f2b571
parent	489809e2e22b3dedc0737163d97eb2b574137b42 [diff] [blame]