Date: Mon, 23 Jun 2025 19:02:21 +0100
Subject: Re: [syzbot] [mm?] kernel BUG in sanity_check_pinned_pages
To: David Hildenbrand, Jens Axboe, Alexander Potapenko
Cc: syzbot, akpm@linux-foundation.org, catalin.marinas@arm.com, jgg@ziepe.ca, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, peterx@redhat.com, syzkaller-bugs@googlegroups.com
From: Pavel Begunkov

On 6/23/25 18:36, David Hildenbrand wrote:
> On 23.06.25 18:59, David Hildenbrand wrote:
>> On 23.06.25 18:48, Pavel Begunkov wrote:
>>> On 6/23/25 16:11, David Hildenbrand wrote:
...
>>> Yes, it stores the head page even if the range passed to
>>> pin_user_pages() doesn't cover the head page.
>>>
>>> It should be converted to unpin_user_folio(), which doesn't seem
>>> to do sanity_check_pinned_pages(). Do you think that'll be enough
>>> (conceptually)? Nobody is actually touching the head page in those
>>> cases apart from the final unpin, and storing the head page is
>>> more convenient than keeping folios. I'll take a look if it can
>>> be fully converted to folios w/o extra overhead.
>>
>> Assuming we had from GUP
>>
>> nr_pages = 2
>> pages[0] = folio_page(folio, 1)
>> pages[1] = folio_page(folio, 2)
>>
>> After io_coalesce_buffer() we have
>>
>> nr_pages = 1
>> pages[0] = folio_page(folio, 0)
>>
>>
>> Using unpin_user_folio() in all places where we could see something like
>> that would be the right thing to do. The sanity checks are not in
>> unpin_user_folio() for exactly that reason: we don't know which folio
>> pages we pinned.

Let's do that for starters

>> But now I wonder where you make sure that "Nobody is actually touching
>> the head page"?
>>
>> How do you get back the "which folio range" information after
>> io_coalesce_buffer() ?
>> >> >> If you rely on alignment in virtual address space for you, combined with >> imu->folio_shift, that might not work reliably ... > > FWIW, applying the following on top of origin/master: > > diff --git a/tools/testing/selftests/mm/cow.c b/tools/testing/selftests/mm/cow.c > index dbbcc5eb3dce5..e62a284dcf906 100644 > --- a/tools/testing/selftests/mm/cow.c > +++ b/tools/testing/selftests/mm/cow.c 
> @@ -946,6 +946,7 @@ static void do_run_with_thp(test_fn fn, enum thp_run thp_run, size_t thpsize) >                         log_test_result(KSFT_FAIL); >                         goto munmap; >                 } > +               mem = mremap_mem; >                 size = mremap_size; >                 break; >         case THP_RUN_PARTIAL_SHARED: > > > and then running the selftest, something is not happy: > > ... > # [RUN] R/O-mapping a page registered as iouring fixed buffer ... with partially mremap()'ed THP (512 kB) > [34272.021973] Oops: general protection fault, maybe for address 0xffff8bab09d5b000: 0000 [#1] PREEMPT SMP NOPTI > [34272.021980] CPU: 3 UID: 0 PID: 1048307 Comm: iou-wrk-1047940 Not tainted 6.14.9-300.fc42.x86_64 #1 > [34272.021983] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET53W (1.53 ) 03/22/2023 > [34272.021984] RIP: 0010:memcpy+0xc/0x20 > [34272.021989] Code: cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 48 89 f8 48 89 d1 a4 e9 4d f9 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 > [34272.021991] RSP: 0018:ffffcff459183c20 EFLAGS: 00010206 > [34272.021993] RAX: ffff8bab09d5b000 RBX: 0000000000000fff RCX: 0000000000000fff > [34272.021994] RDX: 0000000000000fff RSI: 0021461670800001 RDI: ffff8bab09d5b000 > [34272.021995] RBP: ffff8ba794866c40 R08: ffff8bab09d5b000 R09: 0000000000001000 > [34272.021996] R10: ffff8ba7a316f9d0 R11: ffff8ba92f133080 R12: 0000000000000fff > [34272.021997] R13: ffff8baa85d5b6a0 R14: 0000000000000fff R15: 0000000000001000 > [34272.021998] FS:  00007f16c568a740(0000) GS:ffff8baebf580000(0000) knlGS:0000000000000000 > [34272.021999] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [34272.022000] CR2: 00007fffb6a10b00 CR3: 00000003df9eb006 CR4: 0000000000f72ef0 > [34272.022001] PKRU: 55555554 > [34272.022002] Call Trace: > [34272.022004]  > [34272.022005]  copy_page_from_iter_atomic+0x36f/0x7e0 > [34272.022009]  ? 
simple_xattr_get+0x59/0xa0
> [34272.022012]  generic_perform_write+0x86/0x2e0
> [34272.022016]  shmem_file_write_iter+0x86/0x90
> [34272.022019]  io_write+0xe4/0x390
> [34272.022023]  io_issue_sqe+0x65/0x4f0
> [34272.022024]  ? lock_timer_base+0x7d/0xc0
> [34272.022027]  io_wq_submit_work+0xb8/0x320
> [34272.022029]  io_worker_handle_work+0xd5/0x300
> [34272.022032]  io_wq_worker+0xda/0x300
> [34272.022034]  ? finish_task_switch.isra.0+0x99/0x2c0
> [34272.022037]  ? __pfx_io_wq_worker+0x10/0x10
> [34272.022039]  ret_from_fork+0x34/0x50
> [34272.022042]  ? __pfx_io_wq_worker+0x10/0x10
> [34272.022044]  ret_from_fork_asm+0x1a/0x30
> [34272.022047]
>
>
> There, we essentially mremap a THP to not be aligned in VA space, and then register half the
> THP as a fixed buffer.
>
> So ... my suspicion that this is all rather broken grows :)

It's supposed to calculate the offset from a user pointer and then
work with that, but I guess there are masking that violate it, I'll
check.

-- 
Pavel Begunkov
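
Review bot: the added "mem = mremap_mem;" ahead of "size = mremap_size;" has no comment saying why the test body should now run on the remapped range instead of the original mapping; a one-line comment stating that intent would make the case easier to follow. Since the failure path directly above does "goto munmap", also confirm that the cleanup at that label does not depend on "mem" still pointing at the original mapping once it is overwritten here.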
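
The alignment concern raised in the quoted discussion, as an added example that is not part of the original mail and is not io_uring code: a userspace C model comparing an in-folio offset taken from the low bits of the user address and folio_shift with one taken from the index of the first page GUP returned. All struct and function names are hypothetical and the addresses are constructed; the 512 kB folio size and first pinned page index 1 follow the mail.

```c
/* Userspace model, not kernel code: all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u

struct coalesced_buf {       /* what survives coalescing to one folio */
    uint64_t ubuf;           /* user VA the buffer was registered at */
    unsigned folio_shift;    /* log2(folio size): 19 for a 512 kB THP */
    unsigned first_page;     /* folio index of the first page GUP returned */
};

/* In-folio offset taken from the low VA bits. Only correct when the folio
 * is mapped at a folio-size-aligned virtual address. */
static uint64_t off_by_va_mask(const struct coalesced_buf *b, uint64_t addr)
{
    return addr & ((1ull << b->folio_shift) - 1);
}

/* In-folio offset taken from which folio page was actually pinned first. */
static uint64_t off_by_first_page(const struct coalesced_buf *b, uint64_t addr)
{
    return ((uint64_t)b->first_page << PAGE_SHIFT) + (addr - b->ubuf);
}

/* Buffer starting at folio page first_page; folio page 0 is mapped at va0. */
static struct coalesced_buf reg_buf(uint64_t va0, unsigned first_page)
{
    struct coalesced_buf b = {
        .ubuf = va0 + ((uint64_t)first_page << PAGE_SHIFT),
        .folio_shift = 19,
        .first_page = first_page,
    };
    return b;
}

int main(void)
{
    uint64_t va_aligned = 0x7f0000000000ull;     /* constructed, 512 kB aligned */
    uint64_t va_moved = va_aligned + 0x41000;    /* constructed, as after mremap() */
    struct coalesced_buf a = reg_buf(va_aligned, 1), m = reg_buf(va_moved, 1);
    printf("aligned: mask=%#llx tracked=%#llx\n",
           (unsigned long long)off_by_va_mask(&a, a.ubuf),
           (unsigned long long)off_by_first_page(&a, a.ubuf));
    printf("moved:   mask=%#llx tracked=%#llx\n",
           (unsigned long long)off_by_va_mask(&m, m.ubuf),
           (unsigned long long)off_by_first_page(&m, m.ubuf));
    return 0;
}
```

For the aligned mapping both functions agree; for the constructed unaligned one the mask-derived offset lands 65 pages past the page that was actually pinned first.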