From: Jens Axboe <axboe@kernel.dk>
Date: Tue, 6 Apr 2021 15:49:31 +0000 (-0600)
Subject: io_uring: don't attempt re-add of multishot poll request if racing
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=cb3b200e4f66524d03d6410dd51bcf42f265a4d0;p=linux.git

io_uring: don't attempt re-add of multishot poll request if racing

We currently allow racy updates to multishot requests, but we can end up
double adding the poll request if both completion and update does it.
Ensure that we skip re-add on the update side if someone else is
completing it.

Fixes: b69de288e913 ("io_uring: allow events and user_data update of running poll requests")
Reported-by: Joakim Hassila <joj@mac.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index ceb5ddd368261..0fcb0f477d9ee 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5432,6 +5432,7 @@ static int io_poll_update(struct io_kiocb *req)
 {
 	struct io_ring_ctx *ctx = req->ctx;
 	struct io_kiocb *preq;
+	bool completing;
 	int ret;
 
 	spin_lock_irq(&ctx->completion_lock);
@@ -5444,17 +5445,22 @@ static int io_poll_update(struct io_kiocb *req)
 		ret = -EACCES;
 		goto err;
 	}
-	if (!__io_poll_remove_one(preq, &preq->poll, false)) {
-		if (preq->poll.events & EPOLLONESHOT) {
-			ret = -EALREADY;
-			goto err;
-		}
+
+	/*
+	 * Don't allow racy completion with singleshot, as we cannot safely
+	 * update those. For multishot, if we're racing with completion, just
+	 * let completion re-add it.
+	 */
+	completing = !__io_poll_remove_one(preq, &preq->poll, false);
+	if (completing && (preq->poll.events & EPOLLONESHOT)) {
+		ret = -EALREADY;
+		goto err;
 	}
 	/* we now have a detached poll request. reissue. */
 	ret = 0;
 err:
-	spin_unlock_irq(&ctx->completion_lock);
 	if (ret < 0) {
+		spin_unlock_irq(&ctx->completion_lock);
 		req_set_fail_links(req);
 		io_req_complete(req, ret);
 		return 0;
@@ -5468,13 +5474,17 @@ err:
 	if (req->poll.update_user_data)
 		preq->user_data = req->poll.new_user_data;
 
+	spin_unlock_irq(&ctx->completion_lock);
+
 	/* complete update request, we're done with it */
 	io_req_complete(req, ret);
 
-	ret = __io_poll_add(preq);
-	if (ret < 0) {
-		req_set_fail_links(preq);
-		io_req_complete(preq, ret);
+	if (!completing) {
+		ret = __io_poll_add(preq);
+		if (ret < 0) {
+			req_set_fail_links(preq);
+			io_req_complete(preq, ret);
+		}
 	}
 	return 0;
 }