From: Jens Axboe <axboe@kernel.dk>
To: syzbot <syzbot+10a9b495f54a17b607a6@syzkaller.appspotmail.com>,
	io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, Keith Busch <kbusch@kernel.org>
Subject: Re: [syzbot] [io-uring?] INFO: task hung in io_uring_del_tctx_node (5)
Date: Mon, 27 Oct 2025 16:04:05 -0600
Message-ID: <d0cd8a65-b565-4275-b87d-51d10e88069f@kernel.dk>
In-Reply-To: <68ffdf18.050a0220.3344a1.039e.GAE@google.com>

On 10/27/25 3:07 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    72fb0170ef1f Add linux-next specific files for 20251024
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13087be2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e812d103f45aa955
> dashboard link: https://syzkaller.appspot.com/bug?extid=10a9b495f54a17b607a6
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14725d2f980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11233b04580000

[snip]

> RAX: ffffffff82431501 RBX: 0000000000000018 RCX: ffffffff824315fd
> RDX: 0000000000000001 RSI: 0000000000000018 RDI: ffffc9000383f880
> RBP: 0000000000000000 R08: ffffc9000383f897 R09: 1ffff92000707f12
> R10: dffffc0000000000 R11: fffff52000707f13 R12: 0000000000000003
> R13: ffff888079527128 R14: fffff52000707f13 R15: 1ffff92000707f10
> FS:  00007f4e567906c0(0000) GS:ffff888125cdc000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055db9a726918 CR3: 000000002ec48000 CR4: 00000000003526f0
> Call Trace:
>  <TASK>
>  __asan_memset+0x22/0x50 mm/kasan/shadow.c:84
>  seq_printf+0xad/0x270 fs/seq_file.c:403
>  __io_uring_show_fdinfo io_uring/fdinfo.c:142 [inline]
>  io_uring_show_fdinfo+0x734/0x17d0 io_uring/fdinfo.c:256
>  seq_show+0x5bc/0x730 fs/proc/fd.c:68
>  seq_read_iter+0x4ef/0xe20 fs/seq_file.c:230
>  seq_read+0x369/0x480 fs/seq_file.c:162
>  vfs_read+0x200/0xa30 fs/read_write.c:570
>  ksys_read+0x145/0x250 fs/read_write.c:715
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Keith, I'm pretty sure your change:

commit 1cba30bf9fdd6c982708f3587f609a30c370d889
Author: Keith Busch <kbusch@kernel.org>
Date:   Thu Oct 16 11:09:38 2025 -0700

    io_uring: add support for IORING_SETUP_SQE_MIXED

leaves fdinfo open up to being broken. Before, we had:

sq_entries = min(sq_tail - sq_head, ctx->sq_entries);

as a cap for the loop, now you just have:

while (sq_head < sq_tail) {

which seems like a bad idea. It's also missing an sq_head increment if
we hit this condition:

if (sq_idx > sq_mask)
	continue;

which is also something you can trigger, and which would also end up in
an infinite loop.

Totally untested, but how about something like the below:

diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index 7fb900f1d8f6..3f254ae0ad61 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -66,6 +66,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 	unsigned int cq_head = READ_ONCE(r->cq.head);
 	unsigned int cq_tail = READ_ONCE(r->cq.tail);
 	unsigned int sq_shift = 0;
+	unsigned int sq_entries;
 	int sq_pid = -1, sq_cpu = -1;
 	u64 sq_total_time = 0, sq_work_time = 0;
 	unsigned int i;
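Review bot: the new local `sq_entries` carries the same name as the `ctx->sq_entries` field it is later clamped against (`sq_entries = min(sq_tail - sq_head, ctx->sq_entries)`), which makes the local and the ring size easy to confuse when reading this function; a name such as `nr_sqes` or `sq_to_show` would say that the local is the iteration count, not the ring size. The type is right, since both operands of that `min()` are `unsigned int`, so the declaration block is otherwise fine as placed.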
@@ -88,17 +89,18 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 	seq_printf(m, "CqTail:\t%u\n", cq_tail);
 	seq_printf(m, "CachedCqTail:\t%u\n", data_race(ctx->cached_cq_tail));
 	seq_printf(m, "SQEs:\t%u\n", sq_tail - sq_head);
-	while (sq_head < sq_tail) {
+	sq_entries = min(sq_tail - sq_head, ctx->sq_entries);
+	for (i = 0; i < sq_entries; i++) {
+		unsigned int entry = i + sq_head;
 		struct io_uring_sqe *sqe;
 		unsigned int sq_idx;
 		bool sqe128 = false;
 		u8 opcode;
 
 		if (ctx->flags & IORING_SETUP_NO_SQARRAY)
-			sq_idx = sq_head & sq_mask;
+			sq_idx = entry & sq_mask;
 		else
-			sq_idx = READ_ONCE(ctx->sq_array[sq_head & sq_mask]);
-
+			sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]);
 		if (sq_idx > sq_mask)
 			continue;
 
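Review bot: `sq_tail - sq_head` is derived from the user-mapped ring head and tail, so the unsigned difference can wrap when user space writes head > tail; the `min(..., ctx->sq_entries)` cap still bounds the walk to one ring's worth of slots in that case, which restores the old behaviour, and termination no longer depends on user-controlled values at all. The `if (sq_idx > sq_mask) continue;` path is also safe again because the `for` header advances `i` before the next pass. Note that the `SQEs:` line printed just above this loop still uses the unclamped difference, so a wrapped value shows up there, but only as output. Minor: the hunk also drops the blank line between the `sq_idx` assignment and the range check, which is an unrelated whitespace change; keeping it would keep the diff minimal.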
@@ -140,7 +142,6 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 			}
 		}
 		seq_printf(m, "\n");
-		sq_head++;
 	}
 	seq_printf(m, "CQEs:\t%u\n", cq_tail - cq_head);
 	while (cq_head < cq_tail) {
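Review bot: removing `sq_head++` here leaves `sq_head` constant for the whole walk, with `entry = i + sq_head` now serving as the cursor; since the loop body declares `bool sqe128` (visible in the previous hunk) for IORING_SETUP_SQE_MIXED, check the elided part of the body for any other `sq_head++` that skips the second slot of a 128-byte SQE, because such an increment would now move the base that `entry` is computed from while `i` still advances by one, and the walk would drift. If the mixed path has to consume two slots, it should advance `i` instead, so the cap computed from `sq_entries` keeps counting slots.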

-- 
Jens Axboe

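A user-space model of the SQ walk that Jens describes, added here as an illustration and not taken from the kernel tree or from the patch above. It shows the two inputs he names (a tail pushed far past head, and an sq_array slot that fails the `sq_idx > sq_mask` check) plus the head > tail wrap case, run through both loop shapes. The ring, the functions (fake_ring, walk_sq_unbounded, walk_sq_capped, run_case) and the three inputs are constructed for this example and are not the syzbot reproducer.

```c
/*
 * Added example, not kernel code and not part of the patch above: a small
 * user-space model of the fdinfo SQ walk. Ring head, tail and sq_array live
 * in memory user space maps from io_uring_setup(), so every input here is
 * treated as attacker-controlled. All names below are this example's own.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SQ_ENTRIES 64
#define DEMO_BUDGET (1UL << 16)	/* iteration cap so a spinning walk returns */

struct fake_ring {
	unsigned int sq_entries;	/* ring size, power of two */
	unsigned int sq_mask;		/* sq_entries - 1 */
	unsigned int sq_head;		/* user-visible ring head */
	unsigned int sq_tail;		/* user-visible ring tail */
	unsigned int sq_array[MAX_SQ_ENTRIES];	/* user-written index array */
};

/*
 * The shape Jens quotes from the SQE_MIXED version: loop while head < tail
 * and `continue` on an out-of-range index without moving the cursor.
 * Returns the number of entries shown, or -1 once DEMO_BUDGET iterations
 * pass, which is where the real loop would never return to user space.
 */
static long walk_sq_unbounded(const struct fake_ring *r)
{
	unsigned int sq_head = r->sq_head, sq_tail = r->sq_tail;
	unsigned long budget = DEMO_BUDGET;
	long shown = 0;

	while (sq_head < sq_tail) {
		unsigned int sq_idx = r->sq_array[sq_head & r->sq_mask];

		if (budget-- == 0)
			return -1;
		if (sq_idx > r->sq_mask)
			continue;	/* bug: sq_head is not advanced */
		shown++;
		sq_head++;
	}
	return shown;
}

/* The capped form from the proposed fix: at most sq_entries iterations. */
static long walk_sq_capped(const struct fake_ring *r)
{
	unsigned int sq_head = r->sq_head, sq_tail = r->sq_tail;
	unsigned int n = sq_tail - sq_head;	/* unsigned: may wrap */
	long shown = 0;
	unsigned int i;

	if (n > r->sq_entries)
		n = r->sq_entries;	/* min(sq_tail - sq_head, sq_entries) */
	for (i = 0; i < n; i++) {
		unsigned int entry = i + sq_head;
		unsigned int sq_idx = r->sq_array[entry & r->sq_mask];

		if (sq_idx > r->sq_mask)
			continue;	/* i still advances in the for header */
		shown++;
	}
	return shown;
}

static void init_ring(struct fake_ring *r, unsigned int sq_entries)
{
	unsigned int i;

	memset(r, 0, sizeof(*r));
	r->sq_entries = sq_entries;
	r->sq_mask = sq_entries - 1;
	for (i = 0; i < sq_entries; i++)
		r->sq_array[i] = i;	/* identity mapping, all indices valid */
}

/* Constructed inputs: 1 = tail far ahead, 2 = bad sq_array slot, 3 = head > tail. */
static long run_case(int which, int capped)
{
	struct fake_ring r;

	init_ring(&r, 8);
	if (which == 1) {
		r.sq_tail = 1u << 20;	/* user space pushes tail far ahead */
	} else if (which == 2) {
		r.sq_tail = 4;
		r.sq_array[2] = 0xffff;	/* > sq_mask, takes the continue path */
	} else {
		r.sq_head = 10;		/* head > tail: unsigned difference wraps */
		r.sq_tail = 2;
	}
	return capped ? walk_sq_capped(&r) : walk_sq_unbounded(&r);
}

int main(void)
{
	int which;

	for (which = 1; which <= 3; which++)
		printf("case %d: unbounded=%ld capped=%ld\n", which,
		       run_case(which, 0), run_case(which, 1));
	return 0;
}
```

Built with `cc -Wall`, the unbounded walk returns -1 (budget exhausted, i.e. the real loop would spin) for the huge-tail and bad-index inputs, while the capped walk never visits more than sq_entries slots, including when head > tail and the unsigned difference wraps.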
Thread overview: 8+ messages
2025-10-27 21:07 [syzbot] [io-uring?] INFO: task hung in io_uring_del_tctx_node (5) syzbot
2025-10-27 22:04 ` Jens Axboe [this message]
2025-10-27 22:57   ` Keith Busch
2025-10-27 23:15     ` Jens Axboe
2025-10-28  0:03       ` Keith Busch
2025-10-28  1:09         ` Jens Axboe
2025-10-27 22:24 ` Hillf Danton
2025-10-28  0:15   ` syzbot