From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-oi1-f173.google.com (mail-oi1-f173.google.com [209.85.167.173])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F147B318B9E
	for <linux-kernel@vger.kernel.org>; Tue,  3 Feb 2026 16:59:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.173
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770137963; cv=none; b=JjJQFgq8XmbwbaGaKTZYUffiAmpTgcrIQYxh7P/7S9EGU+7LzGSd9OIaHijLQVuyL/+4uelnNzY2hRyRR8zsM3osTxwPS/V65ego7w5xExUQbuyNJAm4C1dAqjp1evXmCafEQX4ZTpxvJh/Hy/VJbnJbvY7tvy3cafSf3ZFFXaI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770137963; c=relaxed/simple;
	bh=AGaAxrlBpBZmrmdtu6I6cfE3CliMuvpvRGBpxzo0q9M=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=i7LyxuExFRbjnwX3WQyPU7PAo3NsWDhng4Qi2K0M9vstMZmAGkNpiBMaKw0FhjRov4FEx2Wco3qs2GAeHFR9ozIoulvAdrvsG+iqo7s/FJt8N0593MjqHU9V76pVKJs19TcxxOet/dOrupW+3EEyH6KIYnnwNKMHRWkkzK935+c=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.dk; spf=pass smtp.mailfrom=kernel.dk; dkim=pass (2048-bit key) header.d=kernel-dk.20230601.gappssmtp.com header.i=@kernel-dk.20230601.gappssmtp.com header.b=lkSbwWWM; arc=none smtp.client-ip=209.85.167.173
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.dk
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kernel.dk
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel-dk.20230601.gappssmtp.com header.i=@kernel-dk.20230601.gappssmtp.com header.b="lkSbwWWM"
Received: by mail-oi1-f173.google.com with SMTP id 5614622812f47-45c733ccc32so3710619b6e.0
        for <linux-kernel@vger.kernel.org>; Tue, 03 Feb 2026 08:59:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kernel-dk.20230601.gappssmtp.com; s=20230601; t=1770137960; x=1770742760; darn=vger.kernel.org;
        h=content-transfer-encoding:in-reply-to:content-language:from
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :from:to:cc:subject:date:message-id:reply-to;
        bh=VWyZM67dFHK1T+WfKjMaoJ/w9zQ97181m9aF4PVU3Ac=;
        b=lkSbwWWMt1ihSwgjDd3A0KnZF2bN6r0fb1heh6SCu9aSrt2QTFm76/s+QxyDTk4z2U
         IKIIa25mwVoxihX5MVix0H9v9FsKm4D78Na8uOfhAXgjhU1kZhoUK35uSRSTkOQlNsdD
         f9aFw//i6B6W+8Al+6g9IGJNcj4bpxd06W0eECExH7UCzfFTvNkNLwVKm30UE6g+cNHI
         8+5t9zuEJW/bqi7wvJQRhAxPK+70puU3mCaKeK8vLiCbV+YdQg/y6qUG3FGbY12HeeG9
         LtiHXmWojXDFghttFsA24ONbdHWhmEHI0wnrHq+z/8pwy7btY2C1t48t47uk4jpHPafy
         8wsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770137960; x=1770742760;
        h=content-transfer-encoding:in-reply-to:content-language:from
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=VWyZM67dFHK1T+WfKjMaoJ/w9zQ97181m9aF4PVU3Ac=;
        b=IA1C2Dk6i0s7mm/RAdg3z5IzYqezvdCNLozwsPNrU8r+QCelnV7fkOvSFklA3ePQsB
         RB+a5ZX3CuK/XZUYNcTiBJLEuDwLEzsQCYs0+smy5PFbfrRuqFSAryGTP8bZW1ST8F74
         kue/YtBzGmPVLzd1ZDcE9jRVvTVx/aavkgUV4480hI72dXk2MlCb91X2L5ajQudWAHqH
         ILJSXNPzmyB4Wjo0YxOG+VHyuV+9RXhUsPe60gMfsSNKbXPGq6OPysF8Bk1BTAYWP3gx
         KNu4sTy5J408/tE++16dVKLs6ax06e87xkILBx+P6c6fxKmXAgf3aHyEp+/Bcs7hJyjO
         Fwwg==
X-Gm-Message-State: AOJu0YzETwmIScJwrnO8XgD1kGGTtuj0stAIkfkCTP2ywmukdjGgM4NV
	CBlqAI9+L+yH6tARvVm9qNMdIJ7zV+j0T5uj54y4QPm/zh3q1Tgwna4Tt9akUC/wU04=
X-Gm-Gg: AZuq6aKZt5IFRwZVKFdMHJMYATQEG0Z2tFxQymO4++klRcQOr3TDa9IZBnX8aUjXxfW
	KzsrO9M3LnuB/ZCuXq9M69La1swt7wPIWgmBJNer8JXDfVOYD8GmFXyC414fcjfS6tyrvltvOg5
	DLHABxJ6/k9p/pNabhi8JcpviHHlf/TsOqCtdU4as6fgQv3U2F8QcpEdbaM7mGJhAOU5EJPuRDo
	hb5R+ejkr3/sKwo4y+MxWjXEDOH5nhHjPprJV327bsOokTfxpGB/KLyz98gIUmcYc3c1LseHeLj
	0R2dA2yZ1quBsCI3UCIDoIDDs1A0UsBP5o67aCIwHS19v/jIf1veVfKbB/rGtU3v9vX0k7W8pbS
	23WVfB432nb0FOT71Jehi7R6dIlqbLJrYl/dxR0F9IK3KV9cOhXIpeE3VWeKryPIMy22N2We4S1
	t4tJhRquXlFBoiJmcHQeuvYeGj546uUHYLEHcBAVAT/vz50RP9aBtqwNX5HsprdHKDzKyZ
X-Received: by 2002:a05:6808:1925:b0:45f:4610:fc72 with SMTP id 5614622812f47-462d5a26131mr16875b6e.39.1770137959892;
        Tue, 03 Feb 2026 08:59:19 -0800 (PST)
Received: from [192.168.1.102] ([96.43.243.2])
        by smtp.gmail.com with ESMTPSA id 5614622812f47-45f08f5ff30sm11534309b6e.16.2026.02.03.08.59.18
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 03 Feb 2026 08:59:19 -0800 (PST)
Message-ID: <7fdc9f43-9ee6-4fcf-a44b-06ceb7a2db32@kernel.dk>
Date: Tue, 3 Feb 2026 09:59:18 -0700
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [BUG] soft lockup in seq_read while reading io_uring fdinfo
To: =?UTF-8?B?5piv5Y+C5beu?= <shicenci@gmail.com>,
 io-uring <io-uring@vger.kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <PS1PPF7E1D7501FE5631002D242DD89403FAB9BA@PS1PPF7E1D7501F.apcprd02.prod.outlook.com>
From: Jens Axboe <axboe@kernel.dk>
Content-Language: en-US
In-Reply-To: <PS1PPF7E1D7501FE5631002D242DD89403FAB9BA@PS1PPF7E1D7501F.apcprd02.prod.outlook.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

On 2/3/26 2:39 AM, ??? wrote:
> Hi,
> 
> I?m reporting a reproducible soft lockup observed in the seq_file read path when reading io_uring fdinfo via procfs.
> 
> The lockup is triggered by a syzkaller C reproducer that:
> 
> creates an io_uring instance with a large number of entries, and then
> 
> reads /proc/thread-self/fdinfo/<uring_fd>.
> 
> The watchdog reports a soft lockup with CPU stuck in __sanitizer_cov_trace_pc() while the task is executing seq_read() -> io_uring_show_fdinfo().

It's feeding invalid cq ring head/tail entries, so it'll loop for
potentially quite a long time, particularly with debugging measures
enabled. This should sort it out:


diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
index 4f12e98b22c3..74ea0d965d78 100644
--- a/io_uring/fdinfo.c
+++ b/io_uring/fdinfo.c
@@ -67,7 +67,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 	unsigned int cq_head = READ_ONCE(r->cq.head);
 	unsigned int cq_tail = READ_ONCE(r->cq.tail);
 	unsigned int sq_shift = 0;
-	unsigned int sq_entries;
+	unsigned int cq_entries, sq_entries;
 	int sq_pid = -1, sq_cpu = -1;
 	u64 sq_total_time = 0, sq_work_time = 0;
 	unsigned int i;
@@ -146,13 +146,15 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 			}
 		}
 		seq_printf(m, "\n");
+		cond_resched();
 	}
 	seq_printf(m, "CQEs:\t%u\n", cq_tail - cq_head);
-	while (cq_head < cq_tail) {
+	cq_entries = min(cq_tail - cq_head, ctx->sq_entries);
+	for (i = 0; i < cq_entries; i++) {
 		struct io_uring_cqe *cqe;
 		bool cqe32 = false;
 
-		cqe = &r->cqes[(cq_head & cq_mask)];
+		cqe = &r->cqes[((cq_head + i) & cq_mask)];
 		if (cqe->flags & IORING_CQE_F_32 || ctx->flags & IORING_SETUP_CQE32)
 			cqe32 = true;
 		seq_printf(m, "%5u: user_data:%llu, res:%d, flags:%x",
@@ -165,6 +167,7 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 		cq_head++;
 		if (cqe32)
 			cq_head++;
+		cond_resched();
 	}
 
 	if (ctx->flags & IORING_SETUP_SQPOLL) {

-- 
Jens Axboe