On Tue, Aug 11, 2020 at 09:52:55AM -0600, Jens Axboe wrote:
> Check the ipt.error value, it must have been either cleared to zero or
> set to another error than the default -EINVAL if we don't go through the
> waitqueue proc addition. Just give up on poll at that point and return
> failure, this will fallback to async work.
>
> io_poll_add() doesn't suffer from this failure case, as it returns the
> error value directly.
>
> Cc: stable@xxxxxxxxxxxxxxx # v5.7+
> Reported-by: syzbot+a730016dc0bdce4f6ff5@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>

LGTM:

Reviewed-by: Stefano Garzarella <sgarzare@xxxxxxxxxx>

Stefano

> > --- > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index 99582cf5106b..8a2afd8c33c9 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -4883,7 +4883,7 @@ static bool io_arm_poll_handler(struct io_kiocb *req) > > ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask, > io_async_wake); > - if (ret) { > + if (ret || ipt.error) { > io_poll_remove_double(req, apoll->double_poll); > spin_unlock_irq(&ctx->completion_lock); > kfree(apoll->double_poll); > -- > Jens Axboe >
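
Review bot: The new `if (ret || ipt.error)` test in io_arm_poll_handler() has no comment saying why ipt.error is checked separately from ret. The reason (ipt.error keeps its default -EINVAL when the waitqueue proc addition never ran, so poll was not armed) is recorded only in the commit message, and a one-line comment above the condition would keep it visible in the code. The hunk does not show where ipt.error is initialised, so it is worth confirming that every path reaching this check starts from -EINVAL, and that the shared cleanup (io_poll_remove_double(), the unlock, kfree(apoll->double_poll)) is valid when ret is zero and only ipt.error is set.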