Re: WARNING in percpu_ref_kill_and_confirm

From: Jens Axboe
Date: Mon Apr 22 2019 - 12:32:37 EST

On 4/22/19 10:27 AM, Linus Torvalds wrote:
> [ Crossed emails ]
>
> On Mon, Apr 22, 2019 at 9:23 AM Jens Axboe <axboe@xxxxxxxxx> wrote:
>> I think the below should fix this. Very early versions of io_uring didn't
>> have this issue, since we did the percpu ref tryget for io_uring_register().
>
> Ok, so I like your patch better than mine, but note how syzbot
> bisected this to the initial merge of the io_uring code.

Yes, I did think about that too...

> I agree that code shouldn't have had this particular issue, but it
> looks like it does.
>
> Is there some way to race with io_ring_ctx_wait_and_kill(), which
> _also_ does that ref_kill() thing? I'm not seeing how that could
> happen, but maybe if the file ref counts get screwed up you have
> ->release() called early..

I just tried on the current code and it triggers easily, but that's
with that mutex patch in there. I agree it should not trigger before
that, unless something is wonky. I'll try and play around with it a bit
and see what is going on (or if I can trigger it at all with the mutex
change reverted).

Jens Axboe