On 23/07/2020 21:19, Jens Axboe wrote:
> On 7/23/20 12:15 PM, Pavel Begunkov wrote:
>> On 23/07/2020 21:12, Pavel Begunkov wrote:
>>> poll_add can have req->work initialised, which will be overwritten in
>>> __io_arm_poll_handler() because of the union. Luckily, hash_node is
>>> zeroed in the end, so the damage is limited to lost put for work.creds,
>>> and probably corrupted work.list.
>>>
>>> That's the easiest and really dirty fix, which rearranges members in the
>>> union, arm_poll*() modifies and zeroes only work.files and work.mm,
>>> which are never taken for poll add.
>>> note: io_kiocb is exactly 4 cachelines now.
>>
>> Please, tell me if anybody has a good lean solution, because I'm a bit
>> too tired at the moment to fix it properly.
>> BTW, that's for 5.8, for-5.9 it should be done differently because of
>> io_kiocb compaction.
>
> Do you have a test case that leaks the reference?

link-timeout.c::test_timeout_link_chain2()
- add IOSQE_ASYNC after poll_add_prep() (probably, not even needed)
- close() pipe fds at the end.
- while(1) test_timeout_link_chain2()

That's what I did to test it. Confirmed with printk + it killed the system
in 10-30 minutes. I can get something faster sometime later.

-- 
Pavel Begunkov
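The aliasing described in the thread, as an added C model that is not kernel code and not part of this thread: in the "before" layout the poll hash node overlays work.list and work.creds, so zeroing the node when the poll handler is armed drops the creds pointer and the later put is lost; in the rearranged layout the node overlays only files and mm. The struct names, field order and refcount helpers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for io_kiocb; not the kernel's layout. */
struct creds { int refs; };

static struct creds *get_creds(struct creds *c) { c->refs++; return c; }
static void put_creds(struct creds *c) { if (c) c->refs--; }

/* Before the fix: hash_node overlays work.list and work.creds. */
struct req_before {
    union {
        struct { void *list; struct creds *creds; void *files; void *mm; } work;
        struct { void *next; void **pprev; } hash_node;
    };
};

/* After the fix: files and mm come first, so hash_node overlays only them. */
struct req_after {
    union {
        struct { void *files; void *mm; void *list; struct creds *creds; } work;
        struct { void *next; void **pprev; } hash_node;
    };
};

/* Each function returns the references left on creds after prep took one,
 * arming the poll handler zeroed hash_node, and work.creds was put.
 * 0 means the put happened; 1 means the reference leaked. */
int leaked_refs_before(void)
{
    struct creds c = { 0 };
    struct req_before req;
    memset(&req, 0, sizeof(req));
    req.work.creds = get_creds(&c);                   /* prep: take ref     */
    memset(&req.hash_node, 0, sizeof(req.hash_node)); /* arm: zero the node */
    put_creds(req.work.creds);                        /* creds is now NULL  */
    return c.refs;
}

int leaked_refs_after(void)
{
    struct creds c = { 0 };
    struct req_after req;
    memset(&req, 0, sizeof(req));
    req.work.creds = get_creds(&c);
    memset(&req.hash_node, 0, sizeof(req.hash_node)); /* touches files/mm only */
    put_creds(req.work.creds);                        /* creds survived      */
    return c.refs;
}

int main(void)
{
    printf("leaked refs: before=%d after=%d\n", leaked_refs_before(), leaked_refs_after());
    return 0;
}
```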