From: Pavel Begunkov <asml.silence@gmail.com>
Date: Mon, 23 Jun 2025 17:48:03 +0100
Subject: Re: [syzbot] [mm?] kernel BUG in sanity_check_pinned_pages
To: David Hildenbrand, Jens Axboe, Alexander Potapenko
Cc: syzbot, akpm@linux-foundation.org, catalin.marinas@arm.com, jgg@ziepe.ca, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, peterx@redhat.com, syzkaller-bugs@googlegroups.com
References: <6857299a.a00a0220.137b3.0085.GAE@google.com> <56862a1d-71c0-4f07-9c1a-9d70069b4d9e@redhat.com> <014a3820-8082-43a6-8bb2-70859cabdbc0@kernel.dk>

On 6/23/25 16:11, David Hildenbrand wrote:
> On 23.06.25 16:58, Jens Axboe wrote:
>> On 6/23/25 6:22 AM, David Hildenbrand wrote:
>>> On 23.06.25 12:10, David Hildenbrand wrote:
>>>> On 23.06.25 11:53, Alexander Potapenko wrote:
>>>>> On Mon, Jun 23, 2025 at 11:29 AM 'David Hildenbrand' via
>>>>> syzkaller-bugs wrote:
>>>>>>
...
>>> When only pinning a single tail page (iovec.iov_len = pagesize), it works as expected.
>>>
>>> So, if we pinned two tail pages but end up calling io_release_ubuf()->unpin_user_page()
>>> on the head page, meaning that "imu->bvec[i].bv_page" points at the wrong folio page
>>> (IOW, one we never pinned).
>>>
>>> So it's related to the io_coalesce_buffer() machinery.
>>>
>>> And in fact, in there, we have this weird logic:
>>>
>>> /* Store head pages only*/
>>> new_array = kvmalloc_array(nr_folios, sizeof(struct page *), GFP_KERNEL);
>>> ...
>>>
>>> Essentially discarding the subpage information when coalescing tail pages.
>>>
>>> I am afraid the whole io_check_coalesce_buffer + io_coalesce_buffer() logic might be
>>> flawed (we can -- in theory -- coalesce different folio page ranges in
>>> a GUP result?).
>>>
>>> @Jens, not sure if this only triggers a warning when unpinning or if we actually mess up
>>> imu->bvec[i].bv_page, to end up pointing at (reading/writing) pages we didn't even pin in the first
>>> place.
>>>
>>> Can you look into that, as you are more familiar with the logic?
>>
>> Leaving this all quoted and adding Pavel, who wrote that code. I'm
>> currently away, so can't look into this right now.

Chenliang Li did, but not like it matters.

> I did some more digging, but ended up being all confused about io_check_coalesce_buffer() and io_imu_folio_data().
>
> Assuming we pass a bunch of consecutive tail pages that all belong to the same folio, then the loop in io_check_coalesce_buffer() will always
> run into the
>
> if (page_folio(page_array[i]) == folio &&
>     page_array[i] == page_array[i-1] + 1) {
>     count++;
>     continue;
> }
>
> case, making the function return "true" ... in io_coalesce_buffer(), we then store the head page ... which seems very wrong.
>
> In general, storing head pages when they are not the first page to be coalesced seems wrong.

Yes, it stores the head page even if the range passed to pin_user_pages() doesn't cover the head page. It should be converted to unpin_user_folio(), which doesn't seem to do sanity_check_pinned_pages(). Do you think that'll be enough (conceptually)?

Nobody is actually touching the head page in those cases apart from the final unpin, and storing the head page is more convenient than keeping folios. I'll take a look if it can be fully converted to folios w/o extra overhead.

-- 
Pavel Begunkov
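A userspace model of the coalescing problem discussed in this thread, added here as an illustration; it is not code from the thread, from io_uring or from mm/gup.c, and the helper names only mirror their kernel namesakes. It assumes 4-page folios, represents a page as an index into a flat array (so page_folio() is an alignment mask), models the sanity check as "was this exact page ever returned by pin_user_pages()", and assumes the coalescing step drops the extra pins it folds away on the pages that were really pinned. It runs the run-detection test David quoted from io_check_coalesce_buffer() over a pinned range and then releases through the stored entries, once storing the folio head (the "Store head pages only" behaviour) and once storing the first page actually pinned in each run, plus a release through an unpin_user_folio()-style call that performs no per-page check, which is the conversion Pavel proposes.

```c
/*
 * Model of io_uring buffer coalescing: constructed for this thread, not
 * kernel code. Pages are indices into a flat array; a folio is an aligned
 * run of FOLIO_PAGES pages whose head is the first index of the run.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FOLIO_ORDER 2                    /* assumption: 4-page folios */
#define FOLIO_PAGES (1ul << FOLIO_ORDER)
#define NR_PAGES    64

typedef unsigned long page_t;            /* stands in for struct page * */

static bool pinned_page[NR_PAGES];       /* handed out by pin_user_pages() */
static int  folio_pincount[NR_PAGES];    /* per folio, indexed by head page */

static page_t page_folio(page_t page)
{
	return page & ~(FOLIO_PAGES - 1);
}

/* Pin nr consecutive pages starting at first; remember exactly which. */
static void pin_user_pages(page_t first, size_t nr, page_t *out)
{
	for (size_t i = 0; i < nr; i++) {
		out[i] = first + i;
		pinned_page[first + i] = true;
		folio_pincount[page_folio(first + i)]++;
	}
}

/* unpin_user_page() with a sanity_check_pinned_pages()-style check:
 * refuse (return false, where the kernel would BUG) if this page was
 * never handed out by pin_user_pages(). */
static bool unpin_user_page(page_t page)
{
	if (!pinned_page[page] || folio_pincount[page_folio(page)] == 0)
		return false;
	folio_pincount[page_folio(page)]--;
	return true;
}

/* unpin_user_folio(): drops pins on the folio without looking at which
 * subpage the caller held, as the thread notes it does no per-page check. */
static bool unpin_user_folio(page_t head, int npages)
{
	if (folio_pincount[head] < npages)
		return false;
	folio_pincount[head] -= npages;
	return true;
}

/*
 * Coalesce a pinned array into one entry per folio. The run test is the
 * one quoted from io_check_coalesce_buffer(): a page continues the run if
 * it is in the same folio and is the next page. With store_head the entry
 * is the folio head even when the run began at a tail page; otherwise it
 * is the first page actually pinned in the run.
 */
static size_t coalesce(const page_t *pages, size_t nr, bool store_head,
		       page_t *out)
{
	size_t n = 0;

	for (size_t i = 0; i < nr; i++) {
		if (i > 0 && page_folio(pages[i]) == page_folio(pages[i - 1]) &&
		    pages[i] == pages[i - 1] + 1) {
			/* Assumption: the folded-away pin is dropped here, on
			 * the page that really was pinned, leaving one per run. */
			unpin_user_page(pages[i]);
			continue;
		}
		out[n++] = store_head ? page_folio(pages[i]) : pages[i];
	}
	return n;
}

/*
 * Pin [first, first + nr), coalesce (only when more than one page was
 * pinned, matching the single-tail-page case that works), then release via
 * the stored entries. Returns true only if every release passed the model's
 * sanity check and no pin was leaked.
 */
static bool scenario(page_t first, size_t nr, bool store_head, bool by_folio)
{
	page_t pinned[NR_PAGES], stored[NR_PAGES];
	bool ok = true;
	size_t n;

	if (nr == 0 || first + nr > NR_PAGES)
		return false;
	memset(pinned_page, 0, sizeof(pinned_page));
	memset(folio_pincount, 0, sizeof(folio_pincount));

	pin_user_pages(first, nr, pinned);
	if (nr > 1) {
		n = coalesce(pinned, nr, store_head, stored);
	} else {
		stored[0] = pinned[0];
		n = 1;
	}
	for (size_t i = 0; i < n; i++) {
		if (by_folio)
			ok &= unpin_user_folio(page_folio(stored[i]), 1);
		else
			ok &= unpin_user_page(stored[i]);
	}
	for (page_t h = 0; h < NR_PAGES; h += FOLIO_PAGES)
		if (folio_pincount[h])
			ok = false;
	return ok;
}

int main(void)
{
	printf("single tail page, head stored:        %s\n", scenario(1, 1, true, false) ? "ok" : "BUG");
	printf("two tail pages, head stored:          %s\n", scenario(1, 2, true, false) ? "ok" : "BUG");
	printf("two tail pages, first pinned stored:  %s\n", scenario(1, 2, false, false) ? "ok" : "BUG");
	printf("two tail pages, unpin_user_folio():   %s\n", scenario(1, 2, true, true) ? "ok" : "BUG");
	return 0;
}
```

The second line is the syzbot case: the stored entry is a head page that pin_user_pages() never returned, so the per-page check trips on release. Storing the first pinned page of each run, or releasing through a folio-level unpin that does not inspect the subpage, both avoid it in the model; which of the two is right for io_uring is the question Pavel raises above, not something this model decides.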