On 4/22/19 10:27 AM, Linus Torvalds wrote:
> [ Crossed emails ]
>
> On Mon, Apr 22, 2019 at 9:23 AM Jens Axboe <axboe@xxxxxxxxx> wrote:
>>
>> I think the below should fix this. Very early versions of io_uring didn't
>> have this issue, since we did the percpu ref tryget for io_uring_register().
>
> Ok, so I like your patch better than mine, but note how syzbot
> bisected this to the initial merge of the io_uring code.

Yes, I did think about that too...

> I agree that code shouldn't have had this particular issue, but it
> looks like it does.
>
> Is there some way to race with io_ring_ctx_wait_and_kill(), which
> _also_ does that ref_kill() thing? I'm not seeing how that could
> happen, but maybe if the file ref counts get screwed up you have
> ->release() called early..

I just tried on the current code and it triggers easily, but that's with
that mutex patch in there. I agree it should not trigger before that,
unless something is wonky. I'll try and play around with it a bit and
see what is going on (or if I can trigger it at all with the mutex
change reverted).

--
Jens Axboe