Commit 1967f0b1 authored Apr 21, 2026 by Jens Axboe

io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE

Commit:

aacf2f9f ("io_uring: fix req->apoll_events")

fixed an issue where poll->events and req->apoll_events weren't
synchronized, but then when the commit referenced in Fixes got added,
it didn't ensure the same thing.

If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then
ensure it's done for both. Including a link to the original report
below, even though it's mostly nonsense. But it includes a reproducer
that does show that IORING_CQE_F_MORE is set in the previous CQE,
while no more CQEs will be generated for this request. Just ignore
anything that pretends this is security related in any way, it's just
the typical AI nonsense.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/


Reported-by: Azizcan Daştan <azizcan.d@mileniumsec.com>
Fixes: 44648532 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 770594e7

io_uring/poll.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -417,8 +417,10 @@ static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
		* disable multishot as there is a circular dependency between
		* CQ posting and triggering the event.
		*/
		if (mask & EPOLL_URING_WAKE)
		if (mask & EPOLL_URING_WAKE) {
		poll->events \|= EPOLLONESHOT;
		req->apoll_events \|= EPOLLONESHOT;
		}

		/* optional, saves extra locking for removal in tw handler */
		if (mask && poll->events & EPOLLONESHOT) {