From: Pavel Begunkov <asml.silence@gmail.com>
To: David Kahurani <k.kahurani@gmail.com>
Cc: Yang Xiuwei <yangxiuwei2025@163.com>,
axboe@kernel.dk, io-uring@vger.kernel.org,
Yang Xiuwei <yangxiuwei@kylinos.cn>
Subject: Re: [PATCH] io_uring: fix incorrect io_kiocb reference in io_link_skb
Date: Mon, 22 Sep 2025 08:52:59 +0100
Message-ID: <a85ea039-9cf6-4ea2-b5f5-3049c27fe187@gmail.com>
In-Reply-To: <CAAZOf250CqN67DTXF+74-8q3JbRCAuaW=XbrxqoNaq09RNUOJA@mail.gmail.com>

On 9/19/25 15:28, David Kahurani wrote:
> On Fri, Sep 19, 2025 at 5:14 PM Pavel Begunkov <asml.silence@gmail.com> wrote:
>>
>> On 9/19/25 12:25, David Kahurani wrote:
>> ...
>>>>>> Signed-off-by: Yang Xiuwei <yangxiuwei@kylinos.cn>
>>>>>>
>>>>>> diff --git a/io_uring/notif.c b/io_uring/notif.c
>>>>>> index 9a6f6e92d742..ea9c0116cec2 100644
>>>>>> --- a/io_uring/notif.c
>>>>>> +++ b/io_uring/notif.c
>>>>>> @@ -85,7 +85,7 @@ static int io_link_skb(struct sk_buff *skb, struct ubuf_info *uarg)
>>>>>> return -EEXIST;
>>>>>>
>>>>>> prev_nd = container_of(prev_uarg, struct io_notif_data, uarg);
>>>>>> - prev_notif = cmd_to_io_kiocb(nd);
>>>>>> + prev_notif = cmd_to_io_kiocb(prev_nd);
>>>>>>
>>>>>> /* make sure all noifications can be finished in the same task_work */
>>>>>> if (unlikely(notif->ctx != prev_notif->ctx ||
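Review bot: the changelog should spell out what the old `cmd_to_io_kiocb(nd)` line did to the check just below it: `prev_notif` was taken from `nd` rather than `prev_nd`, so `notif->ctx != prev_notif->ctx` was not testing the previous notification at all. Since notifications that passed before can now be rejected by this check, a Fixes: tag naming the commit that introduced the line would help backporting if the patch does not already carry one, and the "noifications" typo in the context comment could be corrected in a separate cleanup.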
>>>>>
>>>>> --
>>>>> Pavel Begunkov
>>>>>
>>>>>
>>>
>>> This is something unrelated but just bringing it up because it is in
>>> the same locality.
>>>
>>> It doesn't seem like the references (uarg->refcnt) are well accounted
>>> for io_notif_data. Any node that gets passed to 'io_tx_ubuf_complete'
>>> will get its refcnt decremented but assuming there's a list of
>>> nodes, some of the nodes in the list will not get their reference
>>> count decremented and
>>
>> And not supposed to. Children reference the head, and the head dies
>> last.
>
> I am not sure about the mechanics of this. This is only based on
> analysing the code but it seems, if a child node gets completed, it
> will pull all the other nodes in that link by jumping to the head

It'll put its reference to the head, but nothing is going to
be destroyed until the head refs hit 0.

> node. But, I trust that you know better :-)
>
> What do you mean it's not supposed to? All the nodes eventually go

I was saying that the head isn't supposed to put the children's
references, it goes the other way around. Children have refs to
head, and everything is destroyed once the head is put down.

> through 'io_notif_tw_complete' to be queued back into request queues,
> if any nodes whose reference was not handled (all nodes get a reference
> of 1 at allocation) go through the method, then the warning will
> trigger.
--
Pavel Begunkov
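
The ownership rule described in the reply above (children hold references on the head, and nothing is released until the head's count reaches zero), as an added user-space C model that is not part of the original message or the kernel source. The `node` struct and the `node_init`, `node_link` and `node_put` helpers are hypothetical names.

```c
#include <stddef.h>

/* User-space model only; all names here are hypothetical. */
struct node {
	int refs;           /* starts at 1, as the thread says for allocation */
	struct node *head;  /* itself for a head or an unlinked node */
	struct node *next;  /* chain walked when the head is released */
};

static void node_init(struct node *n)
{
	n->refs = 1;
	n->head = n;
	n->next = NULL;
}

/* Link child behind prev; the child takes a reference on the head. */
static void node_link(struct node *prev, struct node *child)
{
	child->head = prev->head;
	child->next = prev->next;
	prev->next = child;
	child->head->refs++;
}

/* Drop one reference; returns how many nodes this put released. */
static int node_put(struct node *n)
{
	int released = 0;

	if (--n->refs > 0)
		return 0;
	if (n->head != n)          /* child done: put its reference on the head */
		return node_put(n->head);
	for (; n; n = n->next)     /* head at zero: release the whole chain */
		released++;
	return released;
}

int main(void)
{
	struct node head, a, b;
	node_init(&head); node_init(&a); node_init(&b);
	node_link(&head, &a);
	node_link(&head, &b);
	node_put(&a);
	node_put(&head);
	return node_put(&b) == 3 ? 0 : 1;
}
```

In this model the head never decrements a child's count; each child drops its own single reference and then its reference on the head, so the order in which the nodes complete does not matter.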