On 2/22/21 4:45 AM, Pavel Begunkov wrote:
> BUG: KASAN: double-free or invalid-free in io_req_caches_free.constprop.0+0x3ce/0x530 fs/io_uring.c:8709
>
> Workqueue: events_unbound io_ring_exit_work
> Call Trace:
> [...]
> __cache_free mm/slab.c:3424 [inline]
> kmem_cache_free_bulk+0x4b/0x1b0 mm/slab.c:3744
> io_req_caches_free.constprop.0+0x3ce/0x530 fs/io_uring.c:8709
> io_ring_ctx_free fs/io_uring.c:8764 [inline]
> io_ring_exit_work+0x518/0x6b0 fs/io_uring.c:8846
> process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
> worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
> kthread+0x3b1/0x4a0 kernel/kthread.c:292
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> Freed by task 11900:
> [...]
> kmem_cache_free_bulk+0x4b/0x1b0 mm/slab.c:3744
> io_req_caches_free.constprop.0+0x3ce/0x530 fs/io_uring.c:8709
> io_uring_flush+0x483/0x6e0 fs/io_uring.c:9237
> filp_close+0xb4/0x170 fs/open.c:1286
> close_files fs/file.c:403 [inline]
> put_files_struct fs/file.c:418 [inline]
> put_files_struct+0x1d0/0x350 fs/file.c:415
> exit_files+0x7e/0xa0 fs/file.c:435
> do_exit+0xc27/0x2ae0 kernel/exit.c:820
> do_group_exit+0x125/0x310 kernel/exit.c:922
> [...]
>
> io_req_caches_free() doesn't zero submit_state->free_reqs, so io_uring
> considers just freed requests to be good and sound and will reuse or
> double free them. Zero the counter.

Oops indeed, thanks! Applied.

-- 
Jens Axboe
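Added illustration, not part of the thread and not io_uring code: a user-space C model of the bug class the patch fixes. A hypothetical `submit_state` holds the cached free-request array and its `free_reqs` count, a toy slab stands in for the live/freed tracking KASAN provides in the report, and `caches_free_buggy()` and `caches_free_fixed()` differ only in whether `free_reqs` is zeroed after the bulk free. The two scenarios replay the report's sequence (cache freed from the close path, then again from the exit worker) and the reuse path the commit message mentions. All function and variable names other than `submit_state`, `free_reqs`, `io_uring_flush` and `io_ring_exit_work` are invented for this example.

```c
#include <stdbool.h>
#include <string.h>

#define REQ_CACHE_MAX 32
#define POOL_SIZE     64

/* Hypothetical stand-in for io_uring's submit_state: cached free request
 * pointers plus free_reqs, the count of valid entries in reqs[]. */
struct submit_state {
	void *reqs[REQ_CACHE_MAX];
	unsigned int free_reqs;
};

/* Toy slab that records which blocks are live, so an invalid or double free
 * is reported instead of corrupting memory (KASAN's job in the report). */
static char pool_mem[POOL_SIZE][64];
static bool pool_live[POOL_SIZE];

static int slot_of(const void *p)
{
	for (int i = 0; i < POOL_SIZE; i++)
		if ((const void *)pool_mem[i] == p)
			return i;
	return -1;
}
static bool toy_is_live(const void *p)
{
	int i = slot_of(p);
	return i >= 0 && pool_live[i];
}
static void *toy_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++)
		if (!pool_live[i]) {
			pool_live[i] = true;
			return pool_mem[i];
		}
	return NULL;
}
/* kmem_cache_free_bulk() analogue: 0 on success, -1 at the first pointer
 * that is not a live block (an invalid or double free). */
static int toy_free_bulk(unsigned int n, void **ptrs)
{
	for (unsigned int i = 0; i < n; i++) {
		if (!toy_is_live(ptrs[i]))
			return -1;
		pool_live[slot_of(ptrs[i])] = false;
	}
	return 0;
}

/* As in the reported bug: frees the cached requests but leaves free_reqs
 * untouched, so the array still looks full of valid requests afterwards. */
static int caches_free_buggy(struct submit_state *st)
{
	if (st->free_reqs)
		return toy_free_bulk(st->free_reqs, st->reqs);
	return 0;
}
/* The fix: zero the counter after the bulk free, so a second free is a
 * no-op and the allocation path never sees the stale pointers. */
static int caches_free_fixed(struct submit_state *st)
{
	int ret = 0;
	if (st->free_reqs)
		ret = toy_free_bulk(st->free_reqs, st->reqs);
	st->free_reqs = 0;
	return ret;
}
/* Fast-path request allocation from the cache, as the submit path does. */
static void *cache_get_req(struct submit_state *st)
{
	if (st->free_reqs)
		return st->reqs[--st->free_reqs];
	return toy_alloc();
}
static void fill_cache(struct submit_state *st, unsigned int n)
{
	memset(st, 0, sizeof(*st));
	for (unsigned int i = 0; i < n; i++)
		st->reqs[i] = toy_alloc();
	st->free_reqs = n;
}

/* The sequence in the report: the cache is freed once at close() through
 * io_uring_flush() and again from io_ring_exit_work(). Returns 1 if the
 * second free hits already-freed memory, 0 if it is harmless. */
static int scenario_double_free(int (*caches_free)(struct submit_state *))
{
	struct submit_state st;
	fill_cache(&st, 4);
	if (caches_free(&st) != 0)
		return -1;	/* the first free must always be clean */
	return caches_free(&st) != 0;
}
/* The reuse path: after one cache free the submit path asks for a request.
 * Returns 1 if it is handed a block that is no longer live. */
static int scenario_stale_reuse(int (*caches_free)(struct submit_state *))
{
	struct submit_state st;
	fill_cache(&st, 4);
	if (caches_free(&st) != 0)
		return -1;
	void *req = cache_get_req(&st);
	return req != NULL && !toy_is_live(req);
}
```

With the buggy variant both scenarios return 1 (the second free trips the liveness check, and the cache hands back a freed block); with the fixed variant both return 0. The general lesson is the one the commit message states: when a cache is drained by bulk-freeing its backing array, the count that says how many entries are valid must be reset in the same step, otherwise the container keeps vouching for pointers that are already gone.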