On 5/17/22 12:34 PM, Jens Axboe wrote: > We gate whether to IOPOLL for a request on whether the opcode is allowed > on a ring setup for IOPOLL and if it's got a file assigned. MSG_RING > is the only one that allows a file yet isn't pollable, it's merely > supported to allow communication on an IOPOLL ring, not because we can > poll for completion of it. > > Put the assigned file early and clear it, so we don't attempt to poll > for it. > > Reported-by: syzbot+1a0a53300ce782f8b3ad@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 3f1d52abf098 ("io_uring: defer msg-ring file validity check until command issue") > Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> > > --- > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index 91de361ea9ab..3cb0bc68d822 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -5007,6 +5007,9 @@ static int io_fadvise(struct io_kiocb *req, unsigned int issue_flags) > if (ret < 0) > req_set_fail(req); > __io_req_complete(req, issue_flags, ret, 0); > + /* put file to avoid an attempt to IOPOLL the req */ > + io_put_file(req->file); > + req->file = NULL; > return 0; > } patch unhelpfully applying to the wrong function when ported from for-next to 5.18. Here's the right one: commit aa184e8671f0f911fc2fb3f68cd506e4d7838faa Author: Jens Axboe <axboe@xxxxxxxxx> Date: Tue May 17 12:32:05 2022 -0600 io_uring: don't attempt to IOPOLL for MSG_RING requests We gate whether to IOPOLL for a request on whether the opcode is allowed on a ring setup for IOPOLL and if it's got a file assigned. MSG_RING is the only one that allows a file yet isn't pollable, it's merely supported to allow communication on an IOPOLL ring, not because we can poll for completion of it. Put the assigned file early and clear it, so we don't attempt to poll for it. Reported-by: syzbot+1a0a53300ce782f8b3ad@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 3f1d52abf098 ("io_uring: defer msg-ring file validity check until command issue") Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> diff --git a/fs/io_uring.c b/fs/io_uring.c index 91de361ea9ab..e0823f58f795 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4481,6 +4481,9 @@ static int io_msg_ring(struct io_kiocb *req, unsigned int issue_flags) if (ret < 0) req_set_fail(req); __io_req_complete(req, issue_flags, ret, 0); + /* put file to avoid an attempt to IOPOLL the req */ + io_put_file(req->file); + req->file = NULL; return 0; } -- Jens Axboe