* [PATCH] io_uring: rename "copy buffers" to "clone buffers"
From: Jens Axboe @ 2024-09-15 15:21 UTC
To: io-uring

A recent commit added support for copying registered buffers from one
ring to another. But that term is a bit confusing, as no copying of
buffer data is done here. What is being done is simply cloning the
buffer registrations from one ring to another.

Rename it while we still can, so that it's more descriptive. No
functional changes in this patch.

Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method")
Signed-off-by: Jens Axboe <[email protected]>
---
diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
index 9dc5bb428c8a..1fe79e750470 100644
--- a/include/uapi/linux/io_uring.h
+++ b/include/uapi/linux/io_uring.h
@@ -609,8 +609,8 @@ enum io_uring_register_op {
IORING_REGISTER_CLOCK = 29,
- /* copy registered buffers from source ring to current ring */
- IORING_REGISTER_COPY_BUFFERS = 30,
+ /* clone registered buffers from source ring to current ring */
+ IORING_REGISTER_CLONE_BUFFERS = 30,
/* this goes last */
IORING_REGISTER_LAST,
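
Review bot: Renaming IORING_REGISTER_COPY_BUFFERS in include/uapi/linux/io_uring.h removes the old identifier from a userspace-visible header, so anything already built against that name stops compiling even though the value stays 30. The commit message says "while we still can"; state explicitly that the old name never appeared in a released kernel, or keep a compatibility alias for it next to the new enumerator.
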
@@ -701,7 +701,7 @@ enum {
IORING_REGISTER_SRC_REGISTERED = 1,
};
-struct io_uring_copy_buffers {
+struct io_uring_clone_buffers {
__u32 src_fd;
__u32 flags;
__u32 pad[6];
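
Review bot: struct io_uring_clone_buffers still has no comment on its fields, and since the point of the rename is clarity this is the place to add one. A short comment saying how flags (IORING_REGISTER_SRC_REGISTERED, defined just above) changes the meaning of src_fd, and what callers must put in pad[6], would document the ABI at its definition.
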
diff --git a/io_uring/register.c b/io_uring/register.c
index dab0f8024ddf..b8a48a6a89ee 100644
--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -542,11 +542,11 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
break;
ret = io_register_clock(ctx, arg);
break;
- case IORING_REGISTER_COPY_BUFFERS:
+ case IORING_REGISTER_CLONE_BUFFERS:
ret = -EINVAL;
if (!arg || nr_args != 1)
break;
- ret = io_register_copy_buffers(ctx, arg);
+ ret = io_register_clone_buffers(ctx, arg);
break;
default:
ret = -EINVAL;
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 40696a395f0a..9264e555ae59 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1139,7 +1139,7 @@ int io_import_fixed(int ddir, struct iov_iter *iter,
return 0;
}
-static int io_copy_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
+static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
{
struct io_mapped_ubuf **user_bufs;
struct io_rsrc_data *data;
@@ -1203,9 +1203,9 @@ static int io_copy_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
*
* Since the memory is already accounted once, don't account it again.
*/
-int io_register_copy_buffers(struct io_ring_ctx *ctx, void __user *arg)
+int io_register_clone_buffers(struct io_ring_ctx *ctx, void __user *arg)
{
- struct io_uring_copy_buffers buf;
+ struct io_uring_clone_buffers buf;
bool registered_src;
struct file *file;
int ret;
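
Review bot: Only the tail of the comment block above io_register_clone_buffers() is in context here and the rename leaves it untouched; check that the part outside this hunk does not still describe the operation as copying buffers. If it does, update it in the same patch so the comment and the function name agree.
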
@@ -1223,7 +1223,7 @@ int io_register_copy_buffers(struct io_ring_ctx *ctx, void __user *arg)
file = io_uring_register_get_file(buf.src_fd, registered_src);
if (IS_ERR(file))
return PTR_ERR(file);
- ret = io_copy_buffers(ctx, file->private_data);
+ ret = io_clone_buffers(ctx, file->private_data);
if (!registered_src)
fput(file);
return ret;
diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h
index 93546ab337a6..eb4803e473b0 100644
--- a/io_uring/rsrc.h
+++ b/io_uring/rsrc.h
@@ -68,7 +68,7 @@ int io_import_fixed(int ddir, struct iov_iter *iter,
struct io_mapped_ubuf *imu,
u64 buf_addr, size_t len);
-int io_register_copy_buffers(struct io_ring_ctx *ctx, void __user *arg);
+int io_register_clone_buffers(struct io_ring_ctx *ctx, void __user *arg);
void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx);
int io_sqe_buffers_unregister(struct io_ring_ctx *ctx);
int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
--
Jens Axboe
* Re: [PATCH] io_uring: rename "copy buffers" to "clone buffers"
From: Lai, Yi @ 2024-10-16 1:57 UTC
To: Jens Axboe; +Cc: io-uring, yi1.lai

Hi Jens Axboe,

Greetings!

I used Syzkaller and found that there is BUG: unable to handle kernel paging request in io_register_clone_buffers in v6.12-rc2

After bisection, the first bad commit is:
"
636119af94f2 io_uring: rename "copy buffers" to "clone buffers"
"

All detailed info can be found at:
https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers
Syzkaller repro code:
https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/repro.c
Syzkaller repro syscall steps:
https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/repro.prog
Syzkaller report:
https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/repro.report
Kconfig(make olddefconfig):
https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/kconfig_origin
Bisect info:
https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/bisect_info.log
bzImage:
https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/241015_200715_io_register_clone_buffers/bzImage_8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b
Issue dmesg:
https://github.com/laifryiee/syzkaller_logs/blob/main/241015_200715_io_register_clone_buffers/8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b_dmesg.log
"
[ 29.812887] Oops: Oops: 0003 [#1] PREEMPT SMP KASAN NOPTI
[ 29.813730] CPU: 1 UID: 0 PID: 731 Comm: repro Not tainted 6.12.0-rc2-8cf0b93919e1 #1
[ 29.814907] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 29.816616] RIP: 0010:io_register_clone_buffers+0x45e/0x810
[ 29.817524] Code: 3c 08 00 0f 85 3c 03 00 00 48 8b 1b be 04 00 00 00 41 bf 01 00 00 00 48 8d 43 14 48 89 c7 48 89 85 08 ff ff ff e8 82 de f0 fe <f0> 44 0f c1 7b 14 31 ff 44 89 fe e8 e2 02 89 fe 45 85 ff 0f 84 b1
[ 29.820286] RSP: 0018:ffff88801469fc50 EFLAGS: 00010246
[ 29.821100] RAX: 0000000000000001 RBX: ffffffff85f7ca20 RCX: ffffffff82de91ae
[ 29.822165] RDX: fffffbfff0bef947 RSI: 0000000000000004 RDI: ffffffff85f7ca34
[ 29.823328] RBP: ffff88801469fd98 R08: 0000000000000001 R09: fffffbfff0bef946
[ 29.823868] R10: ffffffff85f7ca37 R11: 0000000000000001 R12: ffff88800ef21560
[ 29.824407] R13: 0000000000000000 R14: ffff88801469fd70 R15: 0000000000000001
[ 29.824924] FS: 00007feaa461a600(0000) GS:ffff88806c500000(0000) knlGS:0000000000000000
[ 29.825512] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.825934] CR2: ffffffff85f7ca34 CR3: 00000000143a4000 CR4: 0000000000750ef0
[ 29.826473] PKRU: 55555554
[ 29.826683] Call Trace:
[ 29.826874] <TASK>
[ 29.827047] ? show_regs+0x6d/0x80
[ 29.827333] ? __die+0x29/0x70
[ 29.827584] ? page_fault_oops+0x391/0xc50
[ 29.827897] ? __pfx_page_fault_oops+0x10/0x10
[ 29.828258] ? __pfx_is_prefetch.constprop.0+0x10/0x10
[ 29.828650] ? search_module_extables+0x3f/0x110
[ 29.829010] ? io_register_clone_buffers+0x45e/0x810
[ 29.829404] ? search_exception_tables+0x65/0x70
[ 29.829756] ? fixup_exception+0x114/0xb10
[ 29.830082] ? kernelmode_fixup_or_oops.constprop.0+0xcc/0x100
[ 29.830543] ? __bad_area_nosemaphore+0x3b2/0x650
[ 29.830911] ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
[ 29.831327] ? spurious_kernel_fault_check+0xbf/0x1c0
[ 29.831724] ? bad_area_nosemaphore+0x33/0x40
[ 29.832100] ? do_kern_addr_fault+0x14e/0x180
[ 29.832441] ? exc_page_fault+0x1b0/0x1d0
[ 29.832767] ? asm_exc_page_fault+0x2b/0x30
[ 29.833101] ? io_register_clone_buffers+0x45e/0x810
[ 29.833485] ? io_register_clone_buffers+0x45e/0x810
[ 29.833892] ? __pfx_io_register_clone_buffers+0x10/0x10
[ 29.834345] ? rcu_is_watching+0x19/0xc0
[ 29.834663] ? trace_contention_end+0xe1/0x120
[ 29.835018] ? __mutex_lock+0x258/0x1490
[ 29.835340] ? lock_release+0x441/0x870
[ 29.835650] __io_uring_register+0x61d/0x20f0
[ 29.836002] ? __pfx___io_uring_register+0x10/0x10
[ 29.836398] ? __fget_files+0x23c/0x4b0
[ 29.836715] ? trace_irq_enable+0x111/0x120
[ 29.837056] __x64_sys_io_uring_register+0x172/0x2a0
[ 29.837445] x64_sys_call+0x14bd/0x20d0
[ 29.837758] do_syscall_64+0x6d/0x140
[ 29.838050] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 29.838457] RIP: 0033:0x7feaa443ee5d
[ 29.838743] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
[ 29.840161] RSP: 002b:00007ffdd5c54e98 EFLAGS: 00000217 ORIG_RAX: 00000000000001ab
[ 29.840751] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007feaa443ee5d
[ 29.841332] RDX: 00000000200002c0 RSI: 000000000000001e RDI: 0000000000000004
[ 29.841881] RBP: 00007ffdd5c54eb0 R08: 00007ffdd5c54eb0 R09: 00007ffdd5c54eb0
[ 29.842439] R10: 0000000000000001 R11: 0000000000000217 R12: 00007ffdd5c55008
[ 29.842985] R13: 00000000004019e5 R14: 0000000000403e08 R15: 00007feaa4661000
[ 29.843551] </TASK>
[ 29.843724] Modules linked in:
[ 29.843973] CR2: ffffffff85f7ca34
[ 29.844247] ---[ end trace 0000000000000000 ]---
[ 29.844608] RIP: 0010:io_register_clone_buffers+0x45e/0x810
[ 29.845054] Code: 3c 08 00 0f 85 3c 03 00 00 48 8b 1b be 04 00 00 00 41 bf 01 00 00 00 48 8d 43 14 48 89 c7 48 89 85 08 ff ff ff e8 82 de f0 fe <f0> 44 0f c1 7b 14 31 ff 44 89 fe e8 e2 02 89 fe 45 85 ff 0f 84 b1
[ 29.846459] RSP: 0018:ffff88801469fc50 EFLAGS: 00010246
[ 29.846864] RAX: 0000000000000001 RBX: ffffffff85f7ca20 RCX: ffffffff82de91ae
[ 29.847409] RDX: fffffbfff0bef947 RSI: 0000000000000004 RDI: ffffffff85f7ca34
[ 29.847945] RBP: ffff88801469fd98 R08: 0000000000000001 R09: fffffbfff0bef946
[ 29.848492] R10: ffffffff85f7ca37 R11: 0000000000000001 R12: ffff88800ef21560
[ 29.849031] R13: 0000000000000000 R14: ffff88801469fd70 R15: 0000000000000001
[ 29.849586] FS: 00007feaa461a600(0000) GS:ffff88806c500000(0000) knlGS:0000000000000000
[ 29.850195] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.850631] CR2: ffffffff85f7ca34 CR3: 00000000143a4000 CR4: 0000000000750ef0
[ 29.851184] PKRU: 55555554
[ 29.851403] note: repro[731] exited with irqs disabled
"
I hope you find it useful.
Regards,
Yi Lai
---
If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following information.
How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0
// start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
// You could change the bzImage_xxx as you want
// Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost
After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/
Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage //x should equal or less than cpu num your pc has
Fill the bzImage file into above start3.sh to load the target kernel in vm.
Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install
On Sun, Sep 15, 2024 at 09:21:48AM -0600, Jens Axboe wrote:
> A recent commit added support for copying registered buffers from one
> ring to another. But that term is a bit confusing, as no copying of
> buffer data is done here. What is being done is simply cloning the
> buffer registrations from one ring to another.
>
> Rename it while we still can, so that it's more descriptive. No
> functional changes in this patch.
>
> Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method")
> Signed-off-by: Jens Axboe <[email protected]>
>
> ---
>
> diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
> index 9dc5bb428c8a..1fe79e750470 100644
> --- a/include/uapi/linux/io_uring.h
> +++ b/include/uapi/linux/io_uring.h
> @@ -609,8 +609,8 @@ enum io_uring_register_op {
>
> IORING_REGISTER_CLOCK = 29,
>
> - /* copy registered buffers from source ring to current ring */
> - IORING_REGISTER_COPY_BUFFERS = 30,
> + /* clone registered buffers from source ring to current ring */
> + IORING_REGISTER_CLONE_BUFFERS = 30,
>
> /* this goes last */
> IORING_REGISTER_LAST,
> @@ -701,7 +701,7 @@ enum {
> IORING_REGISTER_SRC_REGISTERED = 1,
> };
>
> -struct io_uring_copy_buffers {
> +struct io_uring_clone_buffers {
> __u32 src_fd;
> __u32 flags;
> __u32 pad[6];
> diff --git a/io_uring/register.c b/io_uring/register.c
> index dab0f8024ddf..b8a48a6a89ee 100644
> --- a/io_uring/register.c
> +++ b/io_uring/register.c
> @@ -542,11 +542,11 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
> break;
> ret = io_register_clock(ctx, arg);
> break;
> - case IORING_REGISTER_COPY_BUFFERS:
> + case IORING_REGISTER_CLONE_BUFFERS:
> ret = -EINVAL;
> if (!arg || nr_args != 1)
> break;
> - ret = io_register_copy_buffers(ctx, arg);
> + ret = io_register_clone_buffers(ctx, arg);
> break;
> default:
> ret = -EINVAL;
> diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
> index 40696a395f0a..9264e555ae59 100644
> --- a/io_uring/rsrc.c
> +++ b/io_uring/rsrc.c
> @@ -1139,7 +1139,7 @@ int io_import_fixed(int ddir, struct iov_iter *iter,
> return 0;
> }
>
> -static int io_copy_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
> +static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
> {
> struct io_mapped_ubuf **user_bufs;
> struct io_rsrc_data *data;
> @@ -1203,9 +1203,9 @@ static int io_copy_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx)
> *
> * Since the memory is already accounted once, don't account it again.
> */
> -int io_register_copy_buffers(struct io_ring_ctx *ctx, void __user *arg)
> +int io_register_clone_buffers(struct io_ring_ctx *ctx, void __user *arg)
> {
> - struct io_uring_copy_buffers buf;
> + struct io_uring_clone_buffers buf;
> bool registered_src;
> struct file *file;
> int ret;
> @@ -1223,7 +1223,7 @@ int io_register_copy_buffers(struct io_ring_ctx *ctx, void __user *arg)
> file = io_uring_register_get_file(buf.src_fd, registered_src);
> if (IS_ERR(file))
> return PTR_ERR(file);
> - ret = io_copy_buffers(ctx, file->private_data);
> + ret = io_clone_buffers(ctx, file->private_data);
> if (!registered_src)
> fput(file);
> return ret;
> diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h
> index 93546ab337a6..eb4803e473b0 100644
> --- a/io_uring/rsrc.h
> +++ b/io_uring/rsrc.h
> @@ -68,7 +68,7 @@ int io_import_fixed(int ddir, struct iov_iter *iter,
> struct io_mapped_ubuf *imu,
> u64 buf_addr, size_t len);
>
> -int io_register_copy_buffers(struct io_ring_ctx *ctx, void __user *arg);
> +int io_register_clone_buffers(struct io_ring_ctx *ctx, void __user *arg);
> void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx);
> int io_sqe_buffers_unregister(struct io_ring_ctx *ctx);
> int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
>
> --
> Jens Axboe
>
* Re: [PATCH] io_uring: rename "copy buffers" to "clone buffers"
From: Jens Axboe @ 2024-10-16 2:27 UTC
To: Lai, Yi; +Cc: io-uring, yi1.lai
On 10/15/24 7:57 PM, Lai, Yi wrote:
> Hi Jens Axboe,
>
> Greetings!
>
> I used Syzkaller and found that there is BUG: unable to handle kernel paging request in io_register_clone_buffers in v6.12-rc2
>
> After bisection, the first bad commit is:
> "
> 636119af94f2 io_uring: rename "copy buffers" to "clone buffers"
> "

It must be the parent that introduced it, not just the rename. So bisect
perhaps a bit suspect, but it's dying in that code so surely where it
is.

> All detailed info can be found at:
> https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers
> Syzkaller repro code:
> https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/repro.c
> Syzkaller repro syscall steps:
> https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/repro.prog
> Syzkaller report:
> https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/repro.report
> Kconfig(make olddefconfig):
> https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/kconfig_origin
> Bisect info:
> https://github.com/laifryiee/syzkaller_logs/tree/main/241015_200715_io_register_clone_buffers/bisect_info.log
> bzImage:
> https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/241015_200715_io_register_clone_buffers/bzImage_8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b
> Issue dmesg:
> https://github.com/laifryiee/syzkaller_logs/blob/main/241015_200715_io_register_clone_buffers/8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b_dmesg.log
>
> "
> [ 29.812887] Oops: Oops: 0003 [#1] PREEMPT SMP KASAN NOPTI
> [ 29.813730] CPU: 1 UID: 0 PID: 731 Comm: repro Not tainted 6.12.0-rc2-8cf0b93919e1 #1
> [ 29.814907] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [ 29.816616] RIP: 0010:io_register_clone_buffers+0x45e/0x810
> [ 29.817524] Code: 3c 08 00 0f 85 3c 03 00 00 48 8b 1b be 04 00 00 00 41 bf 01 00 00 00 48 8d 43 14 48 89 c7 48 89 85 08 ff ff ff e8 82 de f0 fe <f0> 44 0f c1 7b 14 31 ff 44 89 fe e8 e2 02 89 fe 45 85 ff 0f 84 b1
> [ 29.820286] RSP: 0018:ffff88801469fc50 EFLAGS: 00010246
> [ 29.821100] RAX: 0000000000000001 RBX: ffffffff85f7ca20 RCX: ffffffff82de91ae
> [ 29.822165] RDX: fffffbfff0bef947 RSI: 0000000000000004 RDI: ffffffff85f7ca34
> [ 29.823328] RBP: ffff88801469fd98 R08: 0000000000000001 R09: fffffbfff0bef946
> [ 29.823868] R10: ffffffff85f7ca37 R11: 0000000000000001 R12: ffff88800ef21560
> [ 29.824407] R13: 0000000000000000 R14: ffff88801469fd70 R15: 0000000000000001
> [ 29.824924] FS: 00007feaa461a600(0000) GS:ffff88806c500000(0000) knlGS:0000000000000000
> [ 29.825512] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 29.825934] CR2: ffffffff85f7ca34 CR3: 00000000143a4000 CR4: 0000000000750ef0
> [ 29.826473] PKRU: 55555554
> [ 29.826683] Call Trace:
> [ 29.826874] <TASK>
> [ 29.827047] ? show_regs+0x6d/0x80
> [ 29.827333] ? __die+0x29/0x70
> [ 29.827584] ? page_fault_oops+0x391/0xc50
> [ 29.827897] ? __pfx_page_fault_oops+0x10/0x10
> [ 29.828258] ? __pfx_is_prefetch.constprop.0+0x10/0x10
> [ 29.828650] ? search_module_extables+0x3f/0x110
> [ 29.829010] ? io_register_clone_buffers+0x45e/0x810
> [ 29.829404] ? search_exception_tables+0x65/0x70
> [ 29.829756] ? fixup_exception+0x114/0xb10
> [ 29.830082] ? kernelmode_fixup_or_oops.constprop.0+0xcc/0x100
> [ 29.830543] ? __bad_area_nosemaphore+0x3b2/0x650
> [ 29.830911] ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
> [ 29.831327] ? spurious_kernel_fault_check+0xbf/0x1c0
> [ 29.831724] ? bad_area_nosemaphore+0x33/0x40
> [ 29.832100] ? do_kern_addr_fault+0x14e/0x180
> [ 29.832441] ? exc_page_fault+0x1b0/0x1d0
> [ 29.832767] ? asm_exc_page_fault+0x2b/0x30
> [ 29.833101] ? io_register_clone_buffers+0x45e/0x810
> [ 29.833485] ? io_register_clone_buffers+0x45e/0x810
> [ 29.833892] ? __pfx_io_register_clone_buffers+0x10/0x10
> [ 29.834345] ? rcu_is_watching+0x19/0xc0
> [ 29.834663] ? trace_contention_end+0xe1/0x120
> [ 29.835018] ? __mutex_lock+0x258/0x1490
> [ 29.835340] ? lock_release+0x441/0x870
> [ 29.835650] __io_uring_register+0x61d/0x20f0
> [ 29.836002] ? __pfx___io_uring_register+0x10/0x10
> [ 29.836398] ? __fget_files+0x23c/0x4b0
> [ 29.836715] ? trace_irq_enable+0x111/0x120
> [ 29.837056] __x64_sys_io_uring_register+0x172/0x2a0
> [ 29.837445] x64_sys_call+0x14bd/0x20d0
> [ 29.837758] do_syscall_64+0x6d/0x140
> [ 29.838050] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 29.838457] RIP: 0033:0x7feaa443ee5d
> [ 29.838743] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48

Thanks, I'll take a look! A vmlinux would be handy to have, in terms of
looking up where it's faulting without spending too much time on it. But
if you don't have it, no worries, I'll give this a spin tomorrow.

--
Jens Axboe
* Re: [PATCH] io_uring: rename "copy buffers" to "clone buffers"
From: Jens Axboe @ 2024-10-16 13:08 UTC
To: Lai, Yi; +Cc: io-uring, yi1.lai
On 10/15/24 8:27 PM, Jens Axboe wrote:
> Thanks, I'll take a look! A vmlinux would be handy to have, in terms of
> looking up where it's faulting without spending too much time on it. But
> if you don't have it, no worries, I'll give this a spin tomorrow.

Ah, it was just missing the dummy_ubuf check. The below should fix it,
I'll queue it up and add a test case to liburing too.

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 33a3d156a85b..6f3b6de230bd 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1176,7 +1176,8 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
for (i = 0; i < nbufs; i++) {
struct io_mapped_ubuf *src = src_ctx->user_bufs[i];
- refcount_inc(&src->refs);
+ if (src != &dummy_ubuf)
+ refcount_inc(&src->refs);
user_bufs[i] = src;
}
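
Review bot: The src != &dummy_ubuf test skips refcount_inc(), but user_bufs[i] = src still stores the placeholder pointer in the destination table, so whichever path later drops references on these entries needs the same test; confirm that and say so in a comment at this loop. As posted inline the fix also has no commit message, Fixes: tag or Reported-by: tag, which it should gain before it is queued.
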
--
Jens Axboe
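
The missing check from the fix above, modelled in userspace C as an added example (not code from this thread or from the kernel): a table whose empty slots all point at one shared const placeholder is cloned by sharing pointers and bumping reference counts. struct mapped_buf, struct buf_table, dummy_buf and the table_* functions are hypothetical stand-ins, and treating the placeholder as the marker for empty slots is this example's assumption.

```c
#include <stdio.h>

#define MAX_BUFS 8

/* Userspace model constructed for illustration; all names are hypothetical. */
struct mapped_buf {
	int refs;	/* number of tables pointing at this registration */
	size_t len;
};

/* One shared read-only placeholder fills every empty slot; never counted. */
static const struct mapped_buf dummy_buf = { 0, 0 };

struct buf_table {
	struct mapped_buf *bufs[MAX_BUFS];
	unsigned nr;
};

static int is_dummy(const struct mapped_buf *b) { return b == &dummy_buf; }

/* Create a sparse table: every slot starts out as the placeholder. */
static int table_init(struct buf_table *t, unsigned nr)
{
	if (nr > MAX_BUFS)
		return -1;
	for (unsigned i = 0; i < nr; i++)
		t->bufs[i] = (struct mapped_buf *)&dummy_buf;
	t->nr = nr;
	return 0;
}

/* Register a real buffer in an empty slot; the table holds one reference. */
static int table_register(struct buf_table *t, unsigned slot, struct mapped_buf *b)
{
	if (slot >= t->nr || !is_dummy(t->bufs[slot]))
		return -1;
	b->refs = 1;
	t->bufs[slot] = b;
	return 0;
}

/* Clone registrations: share pointers, bump refcounts, copy no buffer data.
 * Returns the number of real (non-placeholder) entries now shared. */
static unsigned table_clone(struct buf_table *dst, const struct buf_table *src)
{
	unsigned shared = 0;

	for (unsigned i = 0; i < src->nr; i++) {
		struct mapped_buf *b = src->bufs[i];
		if (!is_dummy(b)) {	/* without this, refs++ writes to the const object */
			b->refs++;
			shared++;
		}
		dst->bufs[i] = b;
	}
	dst->nr = src->nr;
	return shared;
}

/* Teardown applies the same rule; returns how many buffers lost their last ref. */
static unsigned table_release(struct buf_table *t)
{
	unsigned last = 0;

	for (unsigned i = 0; i < t->nr; i++)
		if (!is_dummy(t->bufs[i]) && --t->bufs[i]->refs == 0)
			last++;
	t->nr = 0;
	return last;
}

int main(void)
{
	struct mapped_buf x = { 0, 4096 }, y = { 0, 8192 };	/* constructed sample */
	struct buf_table a, b;

	table_init(&a, 3);
	table_register(&a, 0, &x);	/* slot 1 stays sparse */
	table_register(&a, 2, &y);
	printf("real entries shared by clone: %u\n", table_clone(&b, &a));
	printf("x.refs=%d y.refs=%d dummy.refs=%d\n", x.refs, y.refs, dummy_buf.refs);
	unsigned first = table_release(&a), second = table_release(&b);
	printf("last references dropped: %u, then %u\n", first, second);
	return 0;
}
```
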