[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210802134345.107815242@linuxfoundation.org>
Date: Mon, 2 Aug 2021 15:44:30 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Hao Xu <haoxu@...ux.alibaba.com>,
Jens Axboe <axboe@...nel.dk>
Subject: [PATCH 5.13 033/104] io_uring: fix poll requests leaking second poll entries
From: Hao Xu <haoxu@...ux.alibaba.com>
commit a890d01e4ee016978776e45340e521b3bbbdf41f upstream.
For pure poll requests, it doesn't remove the second poll wait entry
when it's done, neither after vfs_poll() or in the poll completion
handler. We should remove the second poll wait entry.
And we use io_poll_remove_double() rather than io_poll_remove_waitqs()
since the latter has some redundant logic.
Fixes: 88e41cf928a6 ("io_uring: add multishot mode for IORING_OP_POLL_ADD")
Cc: stable@...r.kernel.org # 5.13+
Signed-off-by: Hao Xu <haoxu@...ux.alibaba.com>
Link: https://lore.kernel.org/r/20210728030322.12307-1-haoxu@linux.alibaba.com
Signed-off-by: Jens Axboe <axboe@...nel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
fs/io_uring.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4924,7 +4924,6 @@ static bool io_poll_complete(struct io_k
if (req->poll.events & EPOLLONESHOT)
flags = 0;
if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) {
- io_poll_remove_waitqs(req);
req->poll.done = true;
flags = 0;
}
@@ -4948,6 +4947,7 @@ static void io_poll_task_func(struct cal
done = io_poll_complete(req, req->result);
if (done) {
+ io_poll_remove_double(req);
hash_del(&req->hash_node);
} else {
req->result = 0;
@@ -5136,7 +5136,7 @@ static __poll_t __io_arm_poll_handler(st
ipt->error = -EINVAL;
spin_lock_irq(&ctx->completion_lock);
- if (ipt->error)
+ if (ipt->error || (mask && (poll->events & EPOLLONESHOT)))
io_poll_remove_double(req);
if (likely(poll->head)) {
spin_lock(&poll->head->lock);
@@ -5207,7 +5207,6 @@ static bool io_arm_poll_handler(struct i
ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
io_async_wake);
if (ret || ipt.error) {
- io_poll_remove_double(req);
spin_unlock_irq(&ctx->completion_lock);
return false;
}
Powered by blists - more mailing lists