On 7/23/20 12:15 PM, Pavel Begunkov wrote:
> On 23/07/2020 21:12, Pavel Begunkov wrote:
>> poll_add can have req->work initialised, which will be overwritten in
>> __io_arm_poll_handler() because of the union. Luckily, hash_node is
>> zeroed in the end, so the damage is limited to lost put for work.creds,
>> and probably corrupted work.list.
>>
>> That's the easiest and really dirty fix, which rearranges members in the
>> union, arm_poll*() modifies and zeroes only work.files and work.mm,
>> which are never taken for poll add.
>> note: io_kiocb is exactly 4 cachelines now.
>
> Please, tell me if anybody has a good lean solution, because I'm a bit
> too tired at the moment to fix it properly.
> BTW, that's for 5.8, for-5.9 it should be done differently because of
> io_kiocb compaction.

Do you have a test case that leaks the reference?

-- 
Jens Axboe
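The union overlap Pavel describes, as a constructed C model added here (not the kernel's io_kiocb layout and not code from the thread; only the member names follow the message, and the "before" ordering is hypothetical). It shows which work fields lose their contents when arming poll zeroes hash_node through the union, with the original and the rearranged member order:

```c
#include <string.h>

/* Constructed model of the aliasing from the thread, not the real io_kiocb
 * layout; only the member names follow the message. */
struct list_head { struct list_head *next, *prev; };

/* Hypothetical ordering before the fix: creds and list sit where hash_node lands. */
struct work_before { const void *creds; struct list_head list; void *files; void *mm; };
/* Rearranged ordering from the message: only files and mm overlap hash_node. */
struct work_after  { void *files; void *mm; struct list_head list; const void *creds; };

/* Each layout shares storage with hash_node, as in the union the message describes. */
struct req_before { union { struct work_before work; struct list_head hash_node; } u; };
struct req_after  { union { struct work_after  work; struct list_head hash_node; } u; };

enum { CLOBBER_CREDS = 1, CLOBBER_LIST = 2, CLOBBER_FILES = 4, CLOBBER_MM = 8 };

static int sentinel;  /* any non-NULL address serves as the "still live" marker */

/* Fill every work field with a marker, then zero hash_node through the union,
 * which is the model of what arming poll does to an initialised req->work. */
#define FILL_THEN_ARM_POLL(req) do {                                         \
    (req).u.work.creds = &sentinel; (req).u.work.files = &sentinel;          \
    (req).u.work.mm = &sentinel;                                             \
    (req).u.work.list.next = (req).u.work.list.prev = &(req).u.work.list;    \
    memset(&(req).u.hash_node, 0, sizeof((req).u.hash_node));                \
} while (0)

/* Bitmask of work fields that no longer hold their marker. */
#define CLOBBER_MASK(req)                                                    \
    (((req).u.work.creds != &sentinel ? CLOBBER_CREDS : 0) |                 \
     ((req).u.work.list.next != &(req).u.work.list ||                        \
      (req).u.work.list.prev != &(req).u.work.list ? CLOBBER_LIST : 0) |     \
     ((req).u.work.files != &sentinel ? CLOBBER_FILES : 0) |                 \
     ((req).u.work.mm != &sentinel ? CLOBBER_MM : 0))

/* Before: the creds put is lost and the list is corrupted. */
unsigned clobbered_before(void)
{
    struct req_before r;
    FILL_THEN_ARM_POLL(r);
    return CLOBBER_MASK(r);
}

/* After: only files and mm are hit, which poll add never takes. */
unsigned clobbered_after(void)
{
    struct req_after r;
    FILL_THEN_ARM_POLL(r);
    return CLOBBER_MASK(r);
}
```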