From: Jens Axboe <axboe@kernel.dk>
To: Ming Lei <tom.leiming@gmail.com>
Cc: io-uring <io-uring@vger.kernel.org>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
"Liam R. Howlett" <liam.howlett@oracle.com>
Subject: Re: RCU warning off ublk_buf_cleanup() -> mas_for_each()
Date: Tue, 21 Apr 2026 12:04:05 -0600 [thread overview]
Message-ID: <a976cbc5-f0ca-4042-a88b-e1b947ed4c29@kernel.dk> (raw)
In-Reply-To: <0349d72d-dff8-4f9f-b448-919fa5ae96da@kernel.dk>
On 4/21/26 11:47 AM, Jens Axboe wrote:
> Hi Ming,
>
> Ran into the below running tests on the current tree:
>
> =============================
> WARNING: suspicious RCU usage
> 7.0.0+ #16 Tainted: G N
> -----------------------------
> lib/maple_tree.c:759 suspicious rcu_dereference_check() usage!
FWIW, here's what claude spits out on the maple tree usage for
ublk. Simply passing it on...
Issue 1: ublk_buf_cleanup — missing RCU/lock for mas_for_each (line 5489)
ublk_buf_cleanup iterates the tree using mas_for_each without holding either
rcu_read_lock or mas_lock. The mas_find() documentation explicitly states: "Must
hold rcu_read_lock or the write lock." Internally, mas_find → mas_next_slot →
mt_slot → rcu_dereference_check(slots[offset], mt_locked(mt)). With neither RCU nor
the tree lock held, this will fire a lockdep splat on CONFIG_PROVE_RCU=y kernels.
While functionally safe (exclusive access during device release), the API contract
is violated. Fix: wrap the iteration in rcu_read_lock/unlock, or use
mas_lock/unlock.
Issue 2: __ublk_ctrl_unreg_buf — unpin_user_pages under spinlock (line 5431-5455)
This function holds mas_lock (a spinlock — atomic context) while unpinning
potentially many pages in a loop. For a large registered buffer with many disjoint
PFN ranges, this holds the spinlock for an extended period. unpin_user_pages →
gup_put_folio → folio_put could also grab additional locks if the folio's refcount
drops to zero.
A cleaner pattern would be to collect entries, drop mas_lock, then unpin. Compare
with ublk_buf_cleanup which does the same unpinning work outside any lock — the
asymmetry is notable.
Issue 3: ublk_buf_cleanup — kfree without mas_erase (line 5504)
The cleanup function does kfree(range) during iteration without first calling
mas_erase(). This leaves dangling pointers in the tree nodes until mtree_destroy is
called on line 5506. Not a bug (no concurrent access, mtree_destroy doesn't
dereference stored entries), but it's inconsistent with ublk_buf_erase_ranges and
__ublk_ctrl_unreg_buf which both properly erase before freeing.
--
Jens Axboe
next prev parent reply other threads:[~2026-04-21 18:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 17:47 RCU warning off ublk_buf_cleanup() -> mas_for_each() Jens Axboe
2026-04-21 18:04 ` Jens Axboe [this message]
2026-04-21 20:28 ` Liam R. Howlett
2026-04-21 21:41 ` Jens Axboe
2026-04-21 21:56 ` Liam R. Howlett
2026-04-21 22:03 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a976cbc5-f0ca-4042-a88b-e1b947ed4c29@kernel.dk \
--to=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=liam.howlett@oracle.com \
--cc=linux-block@vger.kernel.org \
--cc=tom.leiming@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox