git.baikalelectronics.ru Git - kernel.git/commit

author	Pavel Begunkov <asml.silence@gmail.com>
	Tue, 20 Jul 2021 09:50:44 +0000 (10:50 +0100)
committer	Jens Axboe <axboe@kernel.dk>
	Tue, 20 Jul 2021 13:50:42 +0000 (07:50 -0600)
commit	2f548ebf9a843ed97a966b305d6e61e788cbc88a
tree	77a311f9ff1e7b4d5e66deb1ecb42acf311fff44	tree \| snapshot
parent	fc7348d2e98b63d102bc3efbf6641e206a08e77a	commit \| diff

io_uring: remove double poll entry on arm failure

__io_queue_proc() can enqueue both poll entries and still fail
afterwards, so the callers trying to cancel it should also try to remove
the second poll entry (if any).

For example, it may leave the request alive referencing a io_uring
context but not accessible for cancellation:

[  282.599913][ T1620] task:iou-sqp-23145   state:D stack:28720 pid:23155 ppid:  8844 flags:0x00004004
[  282.609927][ T1620] Call Trace:
[  282.613711][ T1620]  __schedule+0x93a/0x26f0
[  282.634647][ T1620]  schedule+0xd3/0x270
[  282.638874][ T1620]  io_uring_cancel_generic+0x54d/0x890
[  282.660346][ T1620]  io_sq_thread+0xaac/0x1250
[  282.696394][ T1620]  ret_from_fork+0x1f/0x30

Cc: stable@vger.kernel.org
Fixes: 374aa5b0b032f ("io_uring: allow POLL_ADD with double poll_wait() users")
Reported-and-tested-by: syzbot+ac957324022b7132accf@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/0ec1228fc5eda4cb524eeda857da8efdc43c331c.1626774457.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>