On May 16, 2025 / 00:26, Ming Lei wrote:
> Commit f40139fde527 ("ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd")
> adds request state check in ublk_cancel_cmd(), and if the request is
> started, skip canceling this uring_cmd.
>
> However, the current uring_cmd may be in ACTIVE state, without block
> request coming to the uring command. Meantime, the cached request in
> tag_set.tags[tag] is recycled and has been delivered to ublk server,
> then this uring_cmd can't be canceled.
>
> ublk requests are aborted in ublk char device release handler, which
> depends on canceling all ACTIVE uring_cmd. So cause dead loop.
>
> Fix this issue by not taking stale request into account when canceling
> uring_cmd in ublk_cancel_cmd().
>
> Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>
> Closes: https://lore.kernel.org/linux-block/mruqwpf4tqenkbtgezv5oxwq7ngyq24jzeyqy4ixzvivatbbxv@4oh2wzz4e6qn/
> Fixes: f40139fde527 ("ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd")
> Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>

FYI, I confirmed that this patch avoids the hang that I reported in the link of
the Closed tag. Thanks!

Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>