authorJens Axboe <axboe@kernel.dk>2026-04-16 19:05:41 +0300
committerJens Axboe <axboe@kernel.dk>2026-04-20 23:47:37 +0300
commit41859843f27dd5c8d3bc43489ad9196c96d39f2b (patch)
treee2f0d29a02e099c7bb3c230222eccc07c0a1d2e7
parentee5417fd02cabb6235a89daf5142ffde9aa957fd (diff)
io_uring/tctx: mark io_wq as exiting before error path teardown
syzbot reports that it's hitting the below condition for exiting an io_wq context: WARN_ON_ONCE(!test_bit(IO_WQ_BIT_EXIT, &wq->state)) in io_wq_put_and_exit(), which can be triggered with memory allocation fault injection. Ensure that the io_wq is marked as exiting to silence this warning trigger. Reported-by: syzbot+79a4cc863a8db58cd92b@syzkaller.appspotmail.com Fixes: 7880174e1e5e ("io_uring/tctx: clean up __io_uring_add_tctx_node() error handling") Reviewed-by: Clément Léger <cleger@meta.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
-rw-r--r--io_uring/tctx.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/io_uring/tctx.c b/io_uring/tctx.c
index c011a593c0ad..80366320276d 100644
--- a/io_uring/tctx.c
+++ b/io_uring/tctx.c
@@ -171,8 +171,10 @@ int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
}
if (!current->io_uring) {
err_free:
- if (tctx->io_wq)
+ if (tctx->io_wq) {
+ io_wq_exit_start(tctx->io_wq);
io_wq_put_and_exit(tctx->io_wq);
+ }
percpu_counter_destroy(&tctx->inflight);
kfree(tctx);
}
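Review bot: The new `io_wq_exit_start()` call under `err_free:` has no comment explaining why it must come before `io_wq_put_and_exit()`, so the ordering looks arbitrary and could be dropped in a later cleanup of this error path. I would add `/* io_wq_put_and_exit() WARNs unless IO_WQ_BIT_EXIT is set; mark the wq exiting first */` above the call. Because the invariant is enforced in the callee, it is also worth checking whether any other caller of `io_wq_put_and_exit()` (none are visible here) can reach it without the bit set, since a WARN is fatal on hosts running with `panic_on_warn`. `__io_uring_add_tctx_node()` starts and ends outside this hunk.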