On 7/19/21 6:13 PM, Jens Axboe wrote:
> On 7/19/21 10:57 AM, Pavel Begunkov wrote:
>> On 7/16/21 11:57 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>>> WARNING in io_uring_cancel_generic
>>
>> __arm_poll doesn't remove a second poll entry in case of failed
>> __io_queue_proc(), it's most likely the cause here.
>>
>> #syz test: https://github.com/isilence/linux.git syztest_sqpoll_hang
>
> Was my thought on seeing the last debug run too. Haven't written a test
> case, but my initial thought was catching this at the time that double
> poll is armed, in __io_queue_proc(). Totally untested, just tossing
> it out there.

Wouldn't help, unfortunately, the way syz triggers it is making a request
to go through __io_queue_proc() three times. Either it's 3 waitqueues or
we need to extend the check below to the double poll entry.

	if (poll_one->head == head)
		return;

>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 0cac361bf6b8..ed33de5fffd2 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -5002,6 +5002,9 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
> if (unlikely(poll->head)) {
> struct io_poll_iocb *poll_one = poll;
>
> + /* first poll failed, don't arm double poll */
> + if (pt->error)
> + return;
> /* already have a 2nd entry, fail a third attempt */
> if (*poll_ptr) {
> pt->error = -EINVAL;
>

-- 
Pavel Begunkov
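
Review bot: the added `if (pt->error) return;` at the top of the `if (unlikely(poll->head))` branch in __io_queue_proc() only prevents further arming once an error is already recorded; it does nothing for the visible `if (*poll_ptr) { pt->error = -EINVAL;` path, where the error is set while a second entry is already in place. A third pass through this function therefore still fails with the double poll entry armed, so the check needs to be paired with removing that entry on failure, or with extending the `poll_one->head == head` comparison to the double poll entry as suggested in the reply. The new comment should also say which earlier call is expected to have set pt->error, since "first poll failed" does not cover an error raised on a later attempt.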