On 23/07/2020 21:12, Pavel Begunkov wrote:
> poll_add can have req->work initialised, which will be overwritten in
> __io_arm_poll_handler() because of the union. Luckily, hash_node is
> zeroed in the end, so the damage is limited to lost put for work.creds,
> and probably corrupted work.list.
>
> That's the easiest and really dirty fix, which rearranges members in the
> union; arm_poll*() modifies and zeroes only work.files and work.mm,
> which are never taken for poll add.
> note: io_kiocb is exactly 4 cachelines now.

Please tell me if anybody has a good lean solution, because I'm a bit
too tired at the moment to fix it properly. BTW, that's for 5.8; for-5.9
it should be done differently because of io_kiocb compaction.

>
> Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
> ---
>  fs/io_uring.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 32b0064f806e..58e6f7d938b6 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -669,12 +669,12 @@ struct io_kiocb {
>  		 * restore the work, if needed.
>  		 */
>  		struct {
> -			struct callback_head	task_work;
> -			struct hlist_node	hash_node;
>  			struct async_poll	*apoll;
> +			struct hlist_node	hash_node;
>  		};
>  		struct io_wq_work	work;
>  	};
> +	struct callback_head	task_work;
>  };
>
>  #define IO_PLUG_THRESHOLD		2
> --

Pavel Begunkov
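Review bot: the hunk makes correctness depend on an undocumented layout invariant, namely that the anonymous struct `{ apoll; hash_node; }` overlaps only the part of `work` that `arm_poll*()` is allowed to clobber (`work.files` and `work.mm`, per the commit message) and never `work.creds` or `work.list`. Nothing in the diff pins that down: the comment block directly above the hunk (`* restore the work, if needed.`) still describes the old arrangement and should be updated to state which `io_wq_work` fields may alias the poll fields, and a `BUILD_BUG_ON()` on the relevant `offsetof()`/`sizeof()` values would turn a future reorder of `io_wq_work` or `io_kiocb` from a silent refcount leak on `work.creds` and list corruption on `work.list` into a compile error. Since the commit message also claims `io_kiocb` is now exactly 4 cachelines after moving `task_work` out of the union, a size assertion would document that too. Finally, the commit message describes this as a "really dirty" stopgap for 5.8 while for-5.9 differs; the hunk would benefit from a one-line comment saying so, so the temporary nature of the overlap is visible in the code and not only in the mail archive.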