io_uring: fix ->work corruption with poll_add

to #29608102 commit d5e16d8e23825304c6a9945116cc6b6f8d51f28c upstream. req->work might be already initialised by the time it gets into __io_arm_poll_handler(), which will corrupt it by using fields that are in an union with req->work. Luckily, the only side effect is missing put_creds(). Clean req->work before going there. Suggested-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Jiufei Xue <jiufei.xue@linux.alibaba.com> Reviewed-by: N Joseph Qi <joseph.qi@linux.alibaba.com>

io_uring: fix ->work corruption with poll_add
to #29608102 commit d5e16d8e23825304c6a9945116cc6b6f8d51f28c upstream. req->work might be already initialised by the time it gets into __io_arm_poll_handler(), which will corrupt it by using fields that are in an union with req->work. Luckily, the only side effect is missing put_creds(). Clean req->work before going there. Suggested-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Jiufei Xue <jiufei.xue@linux.alibaba.com> Reviewed-by: N Joseph Qi <joseph.qi@linux.alibaba.com>
7943eeed · Pavel Begunkov · Caspar Zhang · e6508674 · 7943eeed
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

fs/io_uring.c fs/io_uring.c +4 -0

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4620,6 +4620,10 @@ static int io_poll_add(struct io_kiocb *req)
 	struct io_poll_table ipt;
 	__poll_t mask;

+	/* ->work is in union with hash_node and others */
+	io_req_work_drop_env(req);
+	req->flags &= ~REQ_F_WORK_INITIALIZED;
+
 	INIT_HLIST_NODE(&req->hash_node);
 	INIT_LIST_HEAD(&req->list);
 	ipt.pt._qproc = io_poll_queue_proc;