Commit 41859843 authored Apr 16, 2026 by Jens Axboe

io_uring/tctx: mark io_wq as exiting before error path teardown



syzbot reports that it's hitting the below condition for exiting an
io_wq context:

WARN_ON_ONCE(!test_bit(IO_WQ_BIT_EXIT, &wq->state))

in io_wq_put_and_exit(), which can be triggered with memory allocation
fault injection. Ensure that the io_wq is marked as exiting to silence
this warning trigger.

Reported-by:  <syzbot+79a4cc863a8db58cd92b@syzkaller.appspotmail.com>
Fixes: 7880174e ("io_uring/tctx: clean up __io_uring_add_tctx_node() error handling")
Reviewed-by: Clément Léger <cleger@meta.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent ee5417fd

io_uring/tctx.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -171,8 +171,10 @@ int __io_uring_add_tctx_node(struct io_ring_ctx *ctx)
		}
		if (!current->io_uring) {
		err_free:
		if (tctx->io_wq)
		if (tctx->io_wq) {
		io_wq_exit_start(tctx->io_wq);
		io_wq_put_and_exit(tctx->io_wq);
		}
		percpu_counter_destroy(&tctx->inflight);
		kfree(tctx);
		}