From: Jens Axboe <axboe@kernel.dk>
To: Matthew Wilcox <willy@infradead.org>, Jann Horn <jannh@google.com>
Cc: syzbot <syzbot+cc36d44ec9f368e443d3@syzkaller.appspotmail.com>,
	asml.silence@gmail.com, io-uring@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [syzbot] [io-uring?] WARNING in __io_uring_free
Date: Fri, 29 Nov 2024 07:17:55 -0700
Message-ID: <bc40bd75-7eac-4635-8c91-ccd42c2f1aa6@kernel.dk>
In-Reply-To: <Z0kDWtjmlI_LwP5S@casper.infradead.org>

On 11/28/24 4:57 PM, Matthew Wilcox wrote:
> On Fri, Nov 29, 2024 at 12:30:35AM +0100, Jann Horn wrote:
>>> ------------[ cut here ]------------
>>> WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51
>>
>> This warning is a check for WARN_ON_ONCE(!xa_empty(&tctx->xa)); and as
>> Jens pointed out, this was triggered after error injection caused a
>> memory allocation inside xa_store() to fail.
>>
>> Is there maybe an issue where xa_store() can fail midway through while
>> allocating memory for the xarray, so that xa_empty() is no longer true
>> even though there is nothing in the xarray? (And if yes, is that
>> working as intended?)

Heh, I had the exact same thought when I originally looked at this
issue. I did code inspection on the io_uring side and tried with error
injection, but could not trigger it. Hence the io_uring side looks fine,
so must be lower down.

> Yes, that's a known possibility.  We have similar problems when people
> use error injection with mapping->i_pages.  The effort to fix it seems
> disproportionate to the severity of the problem.

Doesn't seem like a big deal, particularly when you essentially need
fault injection to trigger it. As long as the xa_empty() is the only
false positive. I wonder if I should just change the io_uring side to do
something à la:

xa_for_each(&tctx->xa, index, node) {
	WARN_ON_ONCE(1);
	break;
}

rather than the xa_empty() warn on. That should get rid of it on my side
at least.

-- 
Jens Axboe
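
The distinction the thread turns on, between a structure whose head pointer has been allocated and a structure that actually holds entries, is easy to see in a small userspace model. The following C program is an added example, not code from this thread or from the kernel tree; it keeps only the shape of the two checks (xa_empty() tests whether xa_head is NULL, xa_for_each() walks the stored entries) and everything else in it (model_xa, model_store(), the allocation-failure counter) is an assumption made for the demonstration. Failing the second of the two allocations a store needs reproduces the partial state: the head-pointer check fires, the entry walk does not.

```c
/*
 * Added example, not code from this thread or from the kernel's lib/xarray.c:
 * a constructed userspace model of the failure mode discussed above. Only the
 * shape of the two checks is taken from the kernel (xa_empty() tests whether
 * xa_head is NULL; xa_for_each() walks the entries); model_xa, model_store()
 * and the fault-injection counter are assumptions made for the demonstration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_SLOTS 16

struct model_xa {
	int **head;	/* NULL until a store allocates the slot array */
};

/* Fault injection: the Nth allocation fails (0 = never fail). */
static int alloc_count, fail_alloc_nr;

static void *model_alloc(size_t sz)
{
	if (++alloc_count == fail_alloc_nr)
		return NULL;
	return calloc(1, sz);
}

/* Head-pointer test, the same shape as the kernel's xa_empty(). */
static bool model_xa_empty(const struct model_xa *xa)
{
	return xa->head == NULL;
}

/* Entry walk, the same shape as the xa_for_each() check proposed above. */
static bool model_xa_has_entry(const struct model_xa *xa)
{
	for (int i = 0; xa->head && i < MODEL_SLOTS; i++)
		if (xa->head[i])
			return true;
	return false;
}

/*
 * Store value at index. Two allocations are needed (slot array, boxed value);
 * if the second fails after the first succeeded, head stays non-NULL even
 * though no entry was ever installed, which is the partial state at issue.
 */
static int model_store(struct model_xa *xa, unsigned int index, int value)
{
	if (index >= MODEL_SLOTS)
		return -1;
	if (!xa->head) {
		xa->head = model_alloc(MODEL_SLOTS * sizeof(*xa->head));
		if (!xa->head)
			return -1;	/* -ENOMEM with nothing modified */
	}
	int *boxed = model_alloc(sizeof(*boxed));
	if (!boxed)
		return -1;		/* -ENOMEM, but head already allocated */
	*boxed = value;
	xa->head[index] = boxed;
	return 0;
}

static void model_destroy(struct model_xa *xa)
{
	for (int i = 0; xa->head && i < MODEL_SLOTS; i++)
		free(xa->head[i]);
	free(xa->head);
	xa->head = NULL;
}

/*
 * Do one store with the Nth allocation failing (0 = no failure) and compare
 * the two checks: 2 = only the head-pointer check reports entries (the false
 * positive from the thread), 1 = both see an entry, 0 = both see none.
 */
int check_after_store(int fail_nth_alloc)
{
	struct model_xa xa = { NULL };
	int result;

	alloc_count = 0;
	fail_alloc_nr = fail_nth_alloc;
	model_store(&xa, 3, 42);
	if (!model_xa_empty(&xa))
		result = model_xa_has_entry(&xa) ? 1 : 2;
	else
		result = 0;
	model_destroy(&xa);
	return result;
}

int main(void)
{
	printf("no fault: %d, first alloc fails: %d, second alloc fails: %d\n",
	       check_after_store(0), check_after_store(1), check_after_store(2));
	return 0;
}
```

Compile with cc -Wall and run it: a failure in the first allocation leaves the structure untouched and both checks agree, while a failure in the second leaves an allocated but empty head, which is exactly the case the xa_for_each() form of the warning tolerates and the xa_empty() form does not. The model says nothing about how the real xarray grows its tree; it only shows why walking the entries is the robust check when allocations can fail part-way through a store.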


Thread overview: 6+ messages
2024-11-19  4:38 [syzbot] [io-uring?] WARNING in __io_uring_free syzbot
2024-11-20  2:09 ` Jens Axboe
2024-11-28 23:30 ` Jann Horn
2024-11-28 23:57   ` Matthew Wilcox
2024-11-29 14:17     ` Jens Axboe [this message]
2024-12-29 19:42     ` Fedor Pchelkin
