On 7/19/21 10:57 AM, Pavel Begunkov wrote: > On 7/16/21 11:57 AM, syzbot wrote: >> Hello, >> >> syzbot has tested the proposed patch but the reproducer is still triggering an issue: >> WARNING in io_uring_cancel_generic > > __arm_poll doesn't remove a second poll entry in case of failed > __io_queue_proc(), it's most likely the cause here. > > #syz test: https://github.com/isilence/linux.git syztest_sqpoll_hang Was my thought on seeing the last debug run too. Haven't written a test case, but my initial thought was catching this at the time that double poll is armed, in __io_queue_proc(). Totally untested, just tossing it out there. diff --git a/fs/io_uring.c b/fs/io_uring.c index 0cac361bf6b8..ed33de5fffd2 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -5002,6 +5002,9 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt, if (unlikely(poll->head)) { struct io_poll_iocb *poll_one = poll; + /* first poll failed, don't arm double poll */ + if (pt->error) + return; /* already have a 2nd entry, fail a third attempt */ if (*poll_ptr) { pt->error = -EINVAL; -- Jens Axboe
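Review bot: The new `if (pt->error) return;` at the top of the `if (unlikely(poll->head))` branch only covers an error that is already set when the second entry is about to be armed. The existing path just below it sets `pt->error = -EINVAL` when `*poll_ptr` is already populated, that is, with a second entry already in place, and the added check does nothing for that case. The gap described in the quoted message (a second poll entry not removed after a failed `__io_queue_proc()`) would therefore still need handling where the error is consumed. The comment also says "first poll failed" while the check sits in the branch where `poll->head` is set; it would help to state in the comment which earlier failure `pt->error` carries at this point. Since the patch is posted as untested, it should be run against the syzbot reproducer before it is applied.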