From 97bb7f154622301b94672d06ab0afd79528a95dc Mon Sep 17 00:00:00 2001 From: Cheng Lingfei Date: Sat, 30 May 2026 22:22:30 +0800 Subject: [PATCH] lkl: block: copy kernel buffers not in the linear map blk_rq_map_kern() relies on object_is_on_stack() to route stack-allocated buffers to the bio_copy_kern() bounce path, since a buffer on the stack cannot be mapped directly into a bio. object_is_on_stack() tests whether the buffer lies within [task_stack_page(current), task_stack_page(current) + THREAD_SIZE). On native architectures that range is the task's real execution stack, so the test works. Under LKL it does not: threads actually execute on host pthread stacks, and object_is_on_stack only checks whether it lies in init_thread_union.thread_info.stack. A buffer placed on the stack therefore lives on the host stack, outside the thread_info range, and object_is_on_stack() returns false. The bounce path is skipped and bio_map_kern() ends up calling virt_to_page() on a host-stack address that is not part of the kernel linear map, corrupting the I/O. Add blk_kern_needs_copy() to detect this case by checking that both the start and the last byte of the buffer are virt_addr_valid(), and force the bio_copy_kern() bounce path when they are not. The check is guarded by CONFIG_LKL and compiles to false on other builds, so non-LKL kernels are unchanged. Signed-off-by: Cheng Lingfei --- block/blk-map.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/block/blk-map.c b/block/blk-map.c index b5fd1d8574615e..8e0b67875a0c85 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -460,6 +460,17 @@ static void bio_copy_kern_endio_read(struct bio *bio) bio_copy_kern_endio(bio); } +static bool blk_kern_needs_copy(void *kbuf, unsigned int len) +{ +#ifdef CONFIG_LKL + char *buf = kbuf; + + return !virt_addr_valid(buf) || !virt_addr_valid(buf + len - 1); +#else + return false; +#endif +} + /** * bio_copy_kern - copy kernel address into bio * @q: the struct request_queue for the bio @@ -772,7 +783,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf, return -EINVAL; if (!blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf) || - blk_queue_may_bounce(q)) + blk_kern_needs_copy(kbuf, len) || blk_queue_may_bounce(q)) bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading); else bio = bio_map_kern(q, kbuf, len, gfp_mask);