io_uring: fix uninit old data for poll event upd
authorPavel Begunkov <asml.silence@gmail.com>
Tue, 13 Apr 2021 01:58:39 +0000 (02:58 +0100)
committerJens Axboe <axboe@kernel.dk>
Tue, 13 Apr 2021 15:37:54 +0000 (09:37 -0600)
Both IORING_POLL_UPDATE_EVENTS and IORING_POLL_UPDATE_USER_DATA need
old_user_data to find/cancel a poll request, but it's set only for
IORING_POLL_UPDATE_EVENTS.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/ab08fd35b7652e977f9a475f01741b04102297f1.1618278933.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c

index 1af8bb5..57ee3d2 100644 (file)
@@ -5379,17 +5379,17 @@ static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
        if (!(flags & IORING_POLL_ADD_MULTI))
                events |= EPOLLONESHOT;
        poll->update_events = poll->update_user_data = false;
-       if (flags & IORING_POLL_UPDATE_EVENTS) {
-               poll->update_events = true;
+
+       if (flags & (IORING_POLL_UPDATE_EVENTS|IORING_POLL_UPDATE_USER_DATA)) {
                poll->old_user_data = READ_ONCE(sqe->addr);
+               poll->update_events = flags & IORING_POLL_UPDATE_EVENTS;
+               poll->update_user_data = flags & IORING_POLL_UPDATE_USER_DATA;
+               if (poll->update_user_data)
+                       poll->new_user_data = READ_ONCE(sqe->off);
+       } else {
+               if (sqe->off || sqe->addr)
+                       return -EINVAL;
        }
-       if (flags & IORING_POLL_UPDATE_USER_DATA) {
-               poll->update_user_data = true;
-               poll->new_user_data = READ_ONCE(sqe->off);
-       }
-       if (!(poll->update_events || poll->update_user_data) &&
-            (sqe->off || sqe->addr))
-               return -EINVAL;
        poll->events = demangle_poll(events) |
                                (events & (EPOLLEXCLUSIVE|EPOLLONESHOT));
        return 0;
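Review bot: In the new update branch, a request that sets only IORING_POLL_UPDATE_EVENTS never looks at `sqe->off`, so a non-zero value in that userspace-supplied field is silently accepted, while the non-update path rejects it with -EINVAL. If that is not intended, an `else if (READ_ONCE(sqe->off)) return -EINVAL;` after the `new_user_data` assignment would keep the unused field reserved for later use. The `else` check also reads `sqe->off` and `sqe->addr` directly, while the neighbouring lines use READ_ONCE() on the same shared SQE; the values are only compared with zero here, so this looks like a consistency point rather than a double fetch. A short comment such as `/* old_user_data identifies the poll request to update, needed for both update flags */` above the `READ_ONCE(sqe->addr)` line would record why it was moved. io_poll_add_prep() starts above this hunk, so any earlier validation of `flags` is not visible here.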