io_uring: don't modify req->poll for rw

__io_queue_proc() is used by both poll and apoll, so we should not
access req->poll directly but selecting right struct io_poll_iocb
depending on use case.

Reported-and-tested-by: syzbot+a84b8783366ecb1c65d0@syzkaller.appspotmail.com
Fixes: ea6a693d862d ("io_uring: disable multishot poll for double poll add cases")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/4a6a1de31142d8e0250fe2dfd4c8923d82a5bbfc.1621251795.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index e481ac8..89ec104 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5019,10 +5019,10 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
                 * Can't handle multishot for double wait for now, turn it
                 * into one-shot mode.
                 */
-               if (!(req->poll.events & EPOLLONESHOT))
-                       req->poll.events |= EPOLLONESHOT;
+               if (!(poll_one->events & EPOLLONESHOT))
+                       poll_one->events |= EPOLLONESHOT;
                /* double add on the same waitqueue head, ignore */
-               if (poll->head == head)
+               if (poll_one->head == head)
                        return;
                poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
                if (!poll) {