io_uring: don't modify req->poll for rw

__io_queue_proc() is used by both poll and apoll, so we should not access req->poll directly but selecting right struct io_poll_iocb depending on use case. Reported-and-tested-by: syzbot+a84b8783366ecb1c65d0@syzkaller.appspotmail.com Fixes: ea6a693d862d ("io_uring: disable multishot poll for double poll add cases") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/4a6a1de31142d8e0250fe2dfd4c8923d82a5bbfc.1621251795.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Pavel Begunkov 2021-05-17 12:43:34 +0100
committer: Jens Axboe 2021-05-17 07:28:48 -0600
commit: 7a274727702cc07d27cdebd36d1d5132abeea12f (patch)
tree: aefa2d62f367048dfe415f13a4e506ff38f2b571 /fs
parent: 489809e2e22b3dedc0737163d97eb2b574137b42 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index e481ac8a757a..89ec10471b30 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5019,10 +5019,10 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
 		 * Can't handle multishot for double wait for now, turn it
 		 * into one-shot mode.
 		 */
-		if (!(req->poll.events & EPOLLONESHOT))
-			req->poll.events |= EPOLLONESHOT;
+		if (!(poll_one->events & EPOLLONESHOT))
+			poll_one->events |= EPOLLONESHOT;
 		/* double add on the same waitqueue head, ignore */
-		if (poll->head == head)
+		if (poll_one->head == head)
 			return;
 		poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
 		if (!poll) {
author	Pavel Begunkov	2021-05-17 12:43:34 +0100
committer	Jens Axboe	2021-05-17 07:28:48 -0600
commit	7a274727702cc07d27cdebd36d1d5132abeea12f (patch)
tree	aefa2d62f367048dfe415f13a4e506ff38f2b571 /fs
parent	489809e2e22b3dedc0737163d97eb2b574137b42 (diff)