From: David Hildenbrand <david@redhat.com>
To: Pavel Begunkov <asml.silence@gmail.com>, io-uring@vger.kernel.org
Subject: Re: [PATCH v2 1/3] io_uring/rsrc: fix folio unpinning
Date: Wed, 25 Jun 2025 09:53:55 +0200
Message-ID: <d51f982c-f487-491e-b105-cd858f39e6e3@redhat.com>
In-Reply-To: <a28b0f87339ac2acf14a645dad1e95bbcbf18acd.1750771718.git.asml.silence@gmail.com>
On 24.06.25 15:40, Pavel Begunkov wrote:
> [ 108.070381][ T14] kernel BUG at mm/gup.c:71!
> [ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
> [ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025
> [ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work
> [ 108.174205][ T14] Call trace:
> [ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P)
> [ 108.178138][ T14] unpin_user_page+0x80/0x10c
> [ 108.180189][ T14] io_release_ubuf+0x84/0xf8
> [ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c
> [ 108.184345][ T14] io_rsrc_data_free+0x148/0x298
> [ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0
> [ 108.188991][ T14] io_ring_ctx_free+0x48/0x480
> [ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8
> [ 108.193207][ T14] process_one_work+0x7e8/0x155c
> [ 108.195431][ T14] worker_thread+0x958/0xed8
> [ 108.197561][ T14] kthread+0x5fc/0x75c
> [ 108.199362][ T14] ret_from_fork+0x10/0x20
>
> We can pin a tail page of a folio, but then io_uring will try to unpin
> the head page of the folio. While it should be fine in terms of
> keeping the page actually alive, mm folks say it's wrong and
> triggers a debug warning. Use unpin_user_folio() instead of
> unpin_user_page*.
>
> Cc: stable@vger.kernel.org
> Debugged-by: David Hildenbrand <david@redhat.com>
> Reported-by: syzbot+1d335893772467199ab6@syzkaller.appspotmail.com
> Closes: https://lkml.kernel.org/r/683f1551.050a0220.55ceb.0017.GAE@google.com
> Fixes: a8edbb424b139 ("io_uring/rsrc: enable multi-hugepage buffer coalescing")
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> ---
> io_uring/rsrc.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
> index c592ceace97d..e83a294c718b 100644
> --- a/io_uring/rsrc.c
> +++ b/io_uring/rsrc.c
> @@ -112,8 +112,11 @@ static void io_release_ubuf(void *priv)
> struct io_mapped_ubuf *imu = priv;
> unsigned int i;
>
> - for (i = 0; i < imu->nr_bvecs; i++)
> - unpin_user_page(imu->bvec[i].bv_page);
> + for (i = 0; i < imu->nr_bvecs; i++) {
> + struct folio *folio = page_folio(imu->bvec[i].bv_page);
> +
> + unpin_user_folio(folio, 1);
> + }
> }
>
> static struct io_mapped_ubuf *io_alloc_imu(struct io_ring_ctx *ctx,
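Review bot: the new loop in io_release_ubuf() releases exactly one pin per bvec entry, so it silently depends on the invariant that every bvec holds exactly one pin; nothing in the hunk enforces or documents that, and a one-line comment above the loop stating it would make the hard-coded `1` argument self-explanatory. Minor style point: the `struct folio *folio` local costs a blank line and braces for a single call; `unpin_user_folio(page_folio(imu->bvec[i].bv_page), 1);` would match the form used in the second hunk.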
> @@ -810,7 +813,8 @@ static struct io_rsrc_node *io_sqe_buffer_register(struct io_ring_ctx *ctx,
> imu->nr_bvecs = nr_pages;
> ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
> if (ret) {
> - unpin_user_pages(pages, nr_pages);
> + for (i = 0; i < nr_pages; i++)
> + unpin_user_folio(page_folio(pages[i]), 1);
> goto done;
> }
>
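Review bot: the replacement loop in io_sqe_buffer_register() indexes with `i`, but the hunk does not show its declaration; please confirm a suitable `i` already exists in that function's scope, otherwise this will not build. It is also worth a sentence in the commit message that this drops the per-folio batching that unpin_user_pages() performed, which is acceptable on an error path but is a behaviour change beyond the head/tail page fix.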
It should fix the issue, but it's a bit suboptimal in the case where we
didn't coalesce, but there are folio ranges to coalesce:
unpin_user_pages() does per-folio coalescing.
So in an ideal world, we would cleanly split both paths, and work with
folios after we coalesced to use folios, and work with pages, when we
didn't coalesce to use folios.
Then, we can just use unpin_folios() after we coalesced.
In any case, for a fix this is good enough, but probably we can do
better later.
Acked-by: David Hildenbrand <david@redhat.com>
--
Cheers,
David / dhildenb
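The batching David refers to (unpin_user_pages() releasing all pins of a run of pages in the same folio with one folio-level operation, versus one operation per page) is easier to see in a small user-space model. The following is an added example, not kernel code and not part of this thread; `struct page`, `struct folio`, `page_folio()` and the two release functions are constructed stand-ins for the kernel's types and for mm/gup.c, and the buffer layout (two 4-page folios, one pin per page) is made up for illustration.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed user-space model of page/folio pinning. Not the kernel's types. */
#define FOLIO_ORDER 2
#define PAGES_PER_FOLIO (1 << FOLIO_ORDER)
enum { NR_FOLIOS = 2, NR_PAGES = NR_FOLIOS * PAGES_PER_FOLIO };

struct folio { int id; long pincount; };
struct page  { struct folio *folio; int index; };   /* index within the folio */

static struct folio *page_folio(const struct page *p) { return p->folio; }

/* Per-page release: one folio operation per pinned page, as the
 * unpin_user_folio(folio, 1) loop in the patch does. */
static unsigned long unpin_per_page(struct page **pages, unsigned long npages)
{
    unsigned long ops = 0;
    for (unsigned long i = 0; i < npages; i++) {
        page_folio(pages[i])->pincount--;
        ops++;
    }
    return ops;
}

/* Per-folio coalescing, modelled on what unpin_user_pages() does: count the
 * run of consecutive array entries that belong to the same folio and release
 * that many pins with a single folio operation. */
static unsigned long unpin_coalesced(struct page **pages, unsigned long npages)
{
    unsigned long ops = 0, i = 0;
    while (i < npages) {
        struct folio *f = page_folio(pages[i]);
        unsigned long nr = 1;
        while (i + nr < npages && page_folio(pages[i + nr]) == f)
            nr++;
        f->pincount -= nr;   /* one operation drops the whole run */
        ops++;
        i += nr;
    }
    return ops;
}

struct model {
    struct folio folios[NR_FOLIOS];
    struct page  pages[NR_PAGES];
    struct page *list[NR_PAGES];   /* what pin_user_pages() would have filled */
};

/* Constructed buffer: NR_PAGES consecutive pages, each holding one pin. */
static void model_init(struct model *m)
{
    for (int f = 0; f < NR_FOLIOS; f++) {
        m->folios[f].id = f;
        m->folios[f].pincount = 0;
    }
    for (int i = 0; i < NR_PAGES; i++) {
        m->pages[i].folio = &m->folios[i / PAGES_PER_FOLIO];
        m->pages[i].index = i % PAGES_PER_FOLIO;
        m->list[i] = &m->pages[i];
        m->pages[i].folio->pincount++;   /* one pin per page taken at pin time */
    }
}

static long total_pins(const struct model *m)
{
    long sum = 0;
    for (int f = 0; f < NR_FOLIOS; f++)
        sum += m->folios[f].pincount;
    return sum;
}

/* Release the constructed buffer either way and return the number of
 * folio-level operations it took; both paths must end with zero pins. */
static unsigned long release_buffer(int coalesced)
{
    struct model m;
    model_init(&m);
    unsigned long ops = coalesced ? unpin_coalesced(m.list, NR_PAGES)
                                  : unpin_per_page(m.list, NR_PAGES);
    assert(total_pins(&m) == 0);   /* every pin taken was released */
    return ops;
}

int main(void)
{
    printf("per-page: %lu ops, coalesced: %lu ops\n",
           release_buffer(0), release_buffer(1));
    return 0;
}
```

Both paths leave the folios with zero pins, so the correctness argument in the thread holds either way; the difference is only in how many folio operations are issued, which is the "suboptimal" case David points out when the buffer was not coalesced but contains folio runs that could be.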
Thread overview: 11+ messages
2025-06-24 13:40 [PATCH v2 0/3] io_uring mm related abuses Pavel Begunkov
2025-06-24 13:40 ` [PATCH v2 1/3] io_uring/rsrc: fix folio unpinning Pavel Begunkov
2025-06-25 7:53 ` David Hildenbrand [this message]
2025-06-25 20:33 ` Pavel Begunkov
2025-06-24 13:40 ` [PATCH v2 2/3] io_uring/rsrc: don't rely on user vaddr alignment Pavel Begunkov
2025-06-26 9:30 ` David Hildenbrand
2025-06-24 13:40 ` [PATCH v2 3/3] io_uring: don't assume uaddr alignment in io_vec_fill_bvec Pavel Begunkov
2025-06-25 2:52 ` [PATCH v2 0/3] io_uring mm related abuses Jens Axboe
2025-06-25 20:24 ` Pavel Begunkov
2025-06-25 22:36 ` Jens Axboe
2025-06-25 2:52 ` Jens Axboe