Re: [syzbot] INFO: task hung in io_sq_thread_park (2)
From: Pavel Begunkov
Date: Mon Jul 19 2021 - 14:28:05 EST
On 7/19/21 6:13 PM, Jens Axboe wrote:
> On 7/19/21 10:57 AM, Pavel Begunkov wrote:
>> On 7/16/21 11:57 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>>> WARNING in io_uring_cancel_generic
>>
>> __arm_poll doesn't remove a second poll entry in case of failed
>> __io_queue_proc(), it's most likely the cause here.
>>
>> #syz test: https://github.com/isilence/linux.git syztest_sqpoll_hang
>
> Was my thought on seeing the last debug run too. Haven't written a test
> case, but my initial thought was catching this at the time that double
> poll is armed, in __io_queue_proc(). Totally untested, just tossing
> it out there.
Wouldn't help, unfortunately, the way syz triggers it is making a
request to go through __io_queue_proc() three times.
Either it's 3 waitqueues or we need to extend the check below to
the double poll entry.
if (poll_one->head == head)
return;
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 0cac361bf6b8..ed33de5fffd2 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -5002,6 +5002,9 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
> if (unlikely(poll->head)) {
> struct io_poll_iocb *poll_one = poll;
>
> + /* first poll failed, don't arm double poll */
> + if (pt->error)
> + return;
> /* already have a 2nd entry, fail a third attempt */
> if (*poll_ptr) {
> pt->error = -EINVAL;
>
--
Pavel Begunkov