On 7/19/21 11:28 AM, Pavel Begunkov wrote:
> On 7/19/21 6:13 PM, Jens Axboe wrote:
>> On 7/19/21 10:57 AM, Pavel Begunkov wrote:
>>> On 7/16/21 11:57 AM, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>>>> WARNING in io_uring_cancel_generic
>>>
>>> __arm_poll doesn't remove a second poll entry in case of failed
>>> __io_queue_proc(), it's most likely the cause here.
>>>
>>> #syz test: https://github.com/isilence/linux.git syztest_sqpoll_hang
>>
>> Was my thought on seeing the last debug run too. Haven't written a test
>> case, but my initial thought was catching this at the time that double
>> poll is armed, in __io_queue_proc(). Totally untested, just tossing
>> it out there.
>
> Wouldn't help, unfortunately, the way syz triggers it is making a
> request to go through __io_queue_proc() three times.
>
> Either it's 3 waitqueues or we need to extend the check below to
> the double poll entry.
>
>     if (poll_one->head == head)
>         return;

Yes good point, that'd depend on single poll erroring first. Given the
variety of cases for it, catching it after the fact like in your patch
is likely the simplest/cleanest way.

--
Jens Axboe