回复: possible deadlock in io_poll_double_wake (2)
From: Zhang, Qiang <hidden>
Date: 2021-03-04 00:20:26
Also in:
linux-fsdevel, lkml
________________________________________ 发件人: Zhang, Qiang [off-list ref] 发送时间: 2021年3月3日 20:15 收件人: Jens Axboe; syzbot; asml.silence@gmail.com; io-uring@vger.kernel.org; linux-fsdevel@vger.kernel.org; linux-kernel@vger.kernel.org; syzkaller-bugs@googlegroups.com; viro@zeniv.linux.org.uk 主题: 回复: possible deadlock in io_poll_double_wake (2) ________________________________________ 发件人: Jens Axboe [off-list ref] 发送时间: 2021年3月3日 1:20 收件人: syzbot; asml.silence@gmail.com; io-uring@vger.kernel.org; linux-fsdevel@vger.kernel.org; linux-kernel@vger.kernel.org; syzkaller-bugs@googlegroups.com; viro@zeniv.linux.org.uk 主题: Re: possible deadlock in io_poll_double_wake (2) [Please note: This e-mail is from an EXTERNAL e-mail address] On 2/28/21 9:18 PM, syzbot wrote:
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in io_poll_double_wake
============================================
WARNING: possible recursive locking detected
5.11.0-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.0/10241 is trying to acquire lock:
ffff888012e09130 (&runtime->sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff888012e09130 (&runtime->sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921
but task is already holding lock:
ffff888013b00130 (&runtime->sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&runtime->sleep);
lock(&runtime->sleep);
*** DEADLOCK ***
May be due to missing lock nesting notation
Since the fix is in yet this keeps failing (and I didn't get it), >I looked
closer at this report. While the names of the locks are the >same, they are
really two different locks. So let's try this...Hello Jens Axboe
Sorry for I make noise, please ignore this information.
quoted hunk ↗ jump to hunk
Sorry, I provided the wrong information before. I'm not very familiar with io_uring, before we start >vfs_poll again, should we set 'poll->head = NULL' ?diff --git a/fs/io_uring.c b/fs/io_uring.c index 42b675939582..cae605c14510 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c@@ -4824,7 +4824,7 @@ static bool io_poll_rewait(struct >io_kiocb *req, struct io_poll_iocb *poll) if (!req->result && !READ_ONCE(poll->canceled)) { struct poll_table_struct pt = { ._key = poll->events >}; - + poll->head = NULL; req->result = vfs_poll(req->file, &pt) & >poll->events; }
Thanks Qiang
#syz test: git://git.kernel.dk/linux-block syzbot-test -- Jens Axboe