diff options
| author | Jens Axboe <axboe@kernel.dk> | 2025-10-07 07:46:00 -0600 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-10-15 12:04:15 +0200 |
| commit | 3e2205db2f0608898d535da1964e1b376aacfdaa (patch) | |
| tree | 6d0896d54290dc2dd6a6a3f4375dc298da7f2e61 /io_uring | |
| parent | c15e20a219bd28bf6263b4b25187a5f2a3c9f726 (diff) | |
| download | linux-3e2205db2f0608898d535da1964e1b376aacfdaa.tar.gz linux-3e2205db2f0608898d535da1964e1b376aacfdaa.tar.bz2 linux-3e2205db2f0608898d535da1964e1b376aacfdaa.zip | |
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
commit 2f8229d53d984c6a05b71ac9e9583d4354e3b91f upstream.
For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.
Cc: stable@vger.kernel.org
Fixes: f31ecf671ddc ("io_uring: add IORING_OP_WAITID support")
Reported-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com
Tested-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com
Link: https://lore.kernel.org/io-uring/68e5195e.050a0220.256323.001f.GAE@google.com/
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'io_uring')
| -rw-r--r-- | io_uring/waitid.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/io_uring/waitid.c b/io_uring/waitid.c index e07a94694397..3101ad8ec0cf 100644 --- a/io_uring/waitid.c +++ b/io_uring/waitid.c @@ -232,13 +232,14 @@ static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode, if (!pid_child_should_wake(wo, p)) return 0; + list_del_init(&wait->entry); + /* cancel is in progress */ if (atomic_fetch_inc(&iw->refs) & IO_WAITID_REF_MASK) return 1; req->io_task_work.func = io_waitid_cb; io_req_task_work_add(req); - list_del_init(&wait->entry); return 1; } |