From: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri, 24 Jul 2020 17:07:20 +0000 (+0300)
Subject: io_uring: fix ->work corruption with poll_add
X-Git-Tag: v5.8~20^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5e16d8e23825304c6a9945116cc6b6f8d51f28c;p=thirdparty%2Fkernel%2Flinux.git

io_uring: fix ->work corruption with poll_add

req->work might be already initialised by the time it gets into
__io_arm_poll_handler(), which will corrupt it by using fields that are
in an union with req->work. Luckily, the only side effect is missing
put_creds(). Clean req->work before going there.

Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 32b0064f806ef..98e8079e67e71 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4658,6 +4658,10 @@ static int io_poll_add(struct io_kiocb *req)
 	struct io_poll_table ipt;
 	__poll_t mask;
 
+	/* ->work is in union with hash_node and others */
+	io_req_work_drop_env(req);
+	req->flags &= ~REQ_F_WORK_INITIALIZED;
+
 	INIT_HLIST_NODE(&req->hash_node);
 	INIT_LIST_HEAD(&req->list);
 	ipt.pt._qproc = io_poll_queue_proc;