[ upstream commit d63b0e8a628e62ca85a0f7915230186bb92f8bb4 ]
We do io_kbuf_recycle() when arming a poll but every iteration of a multishot can grab more buffers, which is why we need to flush the kbuf ring state before continuing with waiting.
Cc: stable@vger.kernel.org Fixes: b3fdea6ecb55c ("io_uring: multishot recv") Reported-by: Muhammad Ramdhan ramdhan@starlabs.sg Reported-by: Bing-Jhong Billy Jheng billy@starlabs.sg Reported-by: Jacob Soo jacob.soo@starlabs.sg Signed-off-by: Pavel Begunkov asml.silence@gmail.com Link: https://lore.kernel.org/r/1bfc9990fe435f1fc6152ca9efeba5eb3e68339c.173802557... Signed-off-by: Jens Axboe axboe@kernel.dk --- io_uring/poll.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/io_uring/poll.c b/io_uring/poll.c index a4084acaff91..ab27a627fd4c 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -305,6 +305,8 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked) } } else { int ret = io_poll_issue(req, locked); + io_kbuf_recycle(req, 0); + if (ret == IOU_STOP_MULTISHOT) return IOU_POLL_REMOVE_POLL_USE_RES; if (ret < 0)