Re: [PATCH] io_uring: take page references for NOMMU pbuf_ring mmaps

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

[-- Attachment #1: Type: text/plain, Size: 2793 bytes --]

On Tue, Apr 21, 2026 at 10:21:04AM -0600, Jens Axboe wrote:
> On 4/21/26 10:05 AM, Jens Axboe wrote:
> > On 4/21/26 10:01 AM, Greg Kroah-Hartman wrote:
> >> On Tue, Apr 21, 2026 at 03:55:38PM +0200, Greg Kroah-Hartman wrote:
> >>> On Tue, Apr 21, 2026 at 07:50:32AM -0600, Jens Axboe wrote:
> >>>> On 4/21/26 7:46 AM, Greg Kroah-Hartman wrote:
> >>>>> Note, I have no way of testing this, I'm only forwarding this on because
> >>>>> I got the bug report and was able to generate something that "seems"
> >>>>
> >>>> AI bug report I presume? Because I can't imagine anyone ever attempted
> >>>> to run this.
> >>>
> >>> Yes, I got a bunch of "non-mmu" bug reports, which is a bit odd but I
> >>> guess you can do that with qemu these days?  I should dig into that,
> >>> maybe that way I can test this and get a reproducer for you.  If not,
> >>> let's just bin the thing.
> >>>
> >>>>> correct, but it might be a total load of crap here, my knowledge of the
> >>>>> vm layer is very low so take this for where it is coming from (i.e. a
> >>>>> non-deterministic pattern matching system.)
> >>>>>
> >>>>> I do have another patch that just disables io_uring for !MMU systems, if
> >>>>> you want that instead?  Or is this feature something that !MMU devices
> >>>>> actually care about?
> >>>>
> >>>> I mean, who really cares about !MMU in the first place, we should just
> >>>> kill that off with a passion.
> >>>>
> >>>> Let me take a closer look at this and bounce it past some vm people, my
> >>>> nommu knowledge is close to zero as it's never been relevant in my
> >>>> professional life time. Which is saying something...
> >>>
> >>> Let me try to get a reproducer going first, let's not waste any more
> >>> human time on this just yet, sorry for sending this out without that
> >>> done first...
> >>
> >> Ok, attached is a poc.c and a script to run it.  If you run this on a
> >> 7.0 kernel today, it "should" crash. and then if you apply the patch it
> >> doesn't (or at least that's what happened in my testing.)
> >>
> >> Note, I have run this locally, and it seems to work, but be careful, I
> >> can't guarantee anything, it does seem quite odd in that it "crashes"
> >> the kernel with a sysrq call to show "proof".  Although that is a cool
> >> trick, I need to remember that...
> > 
> > I'll try and run a nommu qemu and see what pops out on my end. What a
> > waste of time for a nothing burger ;-)
> 
> What is fix-paddr.py? It's referenced in the build script.

Oops, this thing scattered crud all over the filesystem.  Here's what is
in the cross-wrap directory that it created.  If I forgot anything else,
let me know, sorry about that.  I need to clean up my working directory
for this box (which is rightfully air-gapped) as it's accumulated a lot
of cruft...

greg k-h

[-- Attachment #2: fix-paddr.py --]
[-- Type: text/plain, Size: 562 bytes --]

#!/usr/bin/env python3
# Set p_paddr = p_vaddr in every program header so qemu -kernel loads
# the ELF at its link address.  riscv vmlinux.lds sets LMA=VMA-LOAD_OFFSET
# for the Image target; we want qemu to honour VMA instead.
import sys, struct

with open(sys.argv[1], 'r+b') as f:
    f.seek(0x20); phoff, = struct.unpack('<Q', f.read(8))
    f.seek(0x36); phentsize, phnum = struct.unpack('<HH', f.read(4))
    for i in range(phnum):
        base = phoff + i * phentsize
        f.seek(base + 16); vaddr = f.read(8)
        f.seek(base + 24); f.write(vaddr)

[-- Attachment #3: objcopy --]
[-- Type: text/plain, Size: 926 bytes --]

#!/bin/sh
# Host objcopy lacks the riscv backend.  Force the generic elf64-little
# reader so it can parse the input, then restore e_machine/e_flags in
# the output (which objcopy writes as EM_NONE) from the input file.
#
# Kernel objcopy invocations are: objcopy [FLAGS] INPUT OUTPUT
# (cmd_objcopy in scripts/Makefile.lib).  The last two args are always
# the in/out files.

in=""
out=""
for a; do
	case "$a" in
	-*) ;;
	*)  in=$out; out=$a ;;
	esac
done

/usr/bin/objcopy -I elf64-little "$@" || exit $?

# If output is ELF, restore e_machine (0x12, 2 bytes) and e_flags
# (0x30, 4 bytes) from the input so lld recognises it as riscv.
if [ -n "$in" ] && [ -f "$in" ] && [ -f "$out" ] && \
   [ "$(head -c4 "$out" 2>/dev/null)" = "$(printf '\177ELF')" ]; then
	dd if="$in" of="$out" bs=1 skip=18 seek=18 count=2 conv=notrunc 2>/dev/null
	dd if="$in" of="$out" bs=1 skip=48 seek=48 count=4 conv=notrunc 2>/dev/null
fi
exit 0

[-- Attachment #4: objdump --]
[-- Type: text/plain, Size: 99 bytes --]

#!/bin/sh
exec /usr/bin/objdump -b elf64-little -m riscv "$@" 2>/dev/null || /usr/bin/objdump "$@"