From: Pavel Begunkov <asml.silence@xxxxxxxxx>
commit cce64ef01308b677a687d90927fc2b2e0e1cba67 upstream.
We pass "unlocked" into io_assign_file() in io_poll_check_events(),
which can lead to double locking.
Fixes: 6bf9c47a3989 ("io_uring: defer file assignment")
Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
Link: https://lore.kernel.org/r/2476d4ae46554324b599ee4055447b105f20a75a.1649862516.git.asml.silence@xxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/io_uring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5510,8 +5510,9 @@ static int io_poll_check_events(struct i
if (!req->result) {
struct poll_table_struct pt = { ._key = poll->events };
+ unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED;
- if (unlikely(!io_assign_file(req, IO_URING_F_UNLOCKED)))
+ if (unlikely(!io_assign_file(req, flags)))
req->result = -EBADF;
else
req->result = vfs_poll(req->file, &pt) & poll->events;
Patches currently in stable-queue which might be from asml.silence@xxxxxxxxx are
queue-5.17/io_uring-fix-assign-file-locking-issue.patch
queue-5.17/io_uring-fix-poll-error-reporting.patch
queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch
queue-5.17/io_uring-use-nospec-annotation-for-more-indexes.patch
queue-5.17/io_uring-zero-tag-on-rsrc-removal.patch
queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch
