From: Jens Axboe axboe@kernel.dk
mainline inclusion from mainline-5.10-rc2 commit c8b5e2600a2cfa1cdfbecf151afd67aee227381d category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------
io_poll_double_wake() is called for both request types - both pure poll requests, and internal polls. This means that we should be using the right handler based on the request type. Use the one that the original caller already assigned for the waitqueue handling, that will always match the correct type.
Cc: stable@vger.kernel.org # v5.8+ Reported-by: Pavel Begunkov asml.silence@gmail.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 10ce1ceeef0b..1cec7adeec2b 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4215,8 +4215,10 @@ static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode, if (!done) list_del_init(&poll->wait.entry); spin_unlock(&poll->head->lock); - if (!done) - __io_async_wake(req, poll, mask, io_poll_task_func); + if (!done) { + /* use wait func handler, so it matches the rq type */ + poll->wait.func(&poll->wait, mode, sync, key); + } } refcount_dec(&req->refs); return 1;