From cce64ef01308b677a687d90927fc2b2e0e1cba67 Mon Sep 17 00:00:00 2001
From: Pavel Begunkov <asml.silence@gmail.com>
Date: Wed, 13 Apr 2022 16:10:34 +0100
Subject: [PATCH] io_uring: fix poll file assign deadlock
Git-commit: cce64ef01308b677a687d90927fc2b2e0e1cba67
Patch-mainline: v5.18-rc3
References: bsc#1205205

We pass "unlocked" into io_assign_file() in io_poll_check_events(),
which can lead to double locking.

Fixes: 6bf9c47a3989 ("io_uring: defer file assignment")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/2476d4ae46554324b599ee4055447b105f20a75a.1649862516.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 3d6cbf77c89d..d06f1952fdfa 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5858,8 +5858,9 @@ static int io_poll_check_events(struct io_kiocb *req, bool locked)
 
 		if (!req->result) {
 			struct poll_table_struct pt = { ._key = req->apoll_events };
+			unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED;
 
-			if (unlikely(!io_assign_file(req, IO_URING_F_UNLOCKED)))
+			if (unlikely(!io_assign_file(req, flags)))
 				req->result = -EBADF;
 			else
 				req->result = vfs_poll(req->file, &pt) & req->apoll_events;
-- 
2.35.3