From: Vlastimil Babka <vbabka@suse.cz>
To: Suren Baghdasaryan <surenb@google.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org,
syzbot+5b19bad23ac7f44bf8b8@syzkaller.appspotmail.com,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Subject: Re: [PATCH] mm: fix vma_start_write_killable() signal handling
Date: Wed, 26 Nov 2025 15:40:50 +0100 [thread overview]
Message-ID: <0f2c5c40-9c70-4b36-b1fa-f211f8ce9529@suse.cz> (raw)
In-Reply-To: <CAJuCfpEge7MJD1joXz=tKgcD7DQgPggjCKF9PLPr3NZEaw=ouw@mail.gmail.com>
On 11/26/25 3:26 PM, Suren Baghdasaryan wrote:
> On Tue, Nov 25, 2025 at 8:28 PM Suren Baghdasaryan <surenb@google.com> wrote:
>>
>> On Tue, Nov 25, 2025 at 7:44 PM Matthew Wilcox (Oracle)
>> <willy@infradead.org> wrote:
>>>
>>> If we get a signal, we need to restore the vm_refcnt. The wrinkle in
>>> that is that we might be the last reference. If that happens, fix the
>>> refcount to look like we weren't interrupted by a fatal signal.
>>>
>>> Reported-by: syzbot+5b19bad23ac7f44bf8b8@syzkaller.appspotmail.com
>>> Fixes: 2197bb60f890 ("mm: add vma_start_write_killable()")
>>> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
>>> Cc: Suren Baghdasaryan <surenb@google.com>
>>> Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
>>> Cc: Vlastimil Babka <vbabka@suse.cz>
>>> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
>>> ---
>>> Andrew, since the vma_start_write_killable() patch is in mm-stable,
>>> I don't think you can put this in as a fixup, right?
>>>
>>> Suren, Liam, Vlastimil, Lorenzo ... none of you spotted this bug.
>>
>> Doh! This is embarassing...
>>
>>> Any other stupid thing I've done? And am I doing the right thing
>>> with refcount_set()?
>>>
>>> mm/mmap_lock.c | 9 +++++++++
>>> 1 file changed, 9 insertions(+)
>>>
>>> diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c
>>> index e6e5570d1ec7..71af7f0a5fe1 100644
>>> --- a/mm/mmap_lock.c
>>> +++ b/mm/mmap_lock.c
>>> @@ -74,9 +74,18 @@ static inline int __vma_enter_locked(struct vm_area_struct *vma,
>>> refcount_read(&vma->vm_refcnt) == tgt_refcnt,
>>> state);
>>> if (err) {
>>> + if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt)) {
>>> + /* Oh cobblers. While we got a fatal signal, we
>>> + * raced with the last user. Pretend we didn't notice
>>> + * the signal
>>> + */
>>> + refcount_set(&vma->vm_refcnt, VMA_LOCK_OFFSET);
>>> + goto acquired;
>>
>> Wait, why do we consider this as a successful acquisition? The
>> vm_refcnt is 0, so this is similar situation to an earlier:
>>
>> if (!refcount_add_not_zero(VMA_LOCK_OFFSET, &vma->vm_refcnt))
>> return 0;
>>
>> IOW, the vma is not referenced, so we failed to lock it. I think the
>> fix should be:
>
> After sleeping on it, I don't think we should be masking EINTR error.
> __vma_enter_locked() result might be the only place where an outer
> loop is checking for fatal signals, so returning "failure to lock"
> instead of -EINTR might cause the loop to continue. I think this fix
> would be better:
>
> * If vma is detached then only vma_mark_attached() can raise the
> * vm_refcnt. mmap_write_lock prevents racing with vma_mark_attached().
> */
> - if (!refcount_add_not_zero(VMA_LOCK_OFFSET, &vma->vm_refcnt))
> + if (!refcount_add_not_zero(VMA_LOCK_OFFSET, &vma->vm_refcnt)) {
> + if (fatal_signal_pending(current))
> + return -EINTR;
Not necessary IMHO. It could become pending right after we return 0, no
point in testing it here. We should only care about the signals in the
part where we sleep, i.e. rcuwait_wait_event().
> return 0;
> + }
>
> rwsem_acquire(&vma->vmlock_dep_map, 0, 0, _RET_IP_);
> err = rcuwait_wait_event(&vma->vm_mm->vma_writer_wait,
> refcount_read(&vma->vm_refcnt) == tgt_refcnt,
> state);
> if (err) {
> + if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt)) {
> + /*
> + * No more users but fatal signal is present,
> + * still return the error.
> + */
> + }
Like I said in the other reply, the "no more users" should not happen,
so just WARN_ON_ONCE() on the result, but otherwise agreed.
> rwsem_release(&vma->vmlock_dep_map, _RET_IP_);
> return err;
> }
>
>
next prev parent reply other threads:[~2025-11-26 14:40 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-26 3:42 Matthew Wilcox (Oracle)
2025-11-26 4:28 ` Suren Baghdasaryan
2025-11-26 14:26 ` Suren Baghdasaryan
2025-11-26 14:40 ` Vlastimil Babka [this message]
2025-11-26 15:01 ` Matthew Wilcox
2025-11-26 14:36 ` Vlastimil Babka
2025-11-26 15:02 ` Lorenzo Stoakes
2025-11-26 15:05 ` Matthew Wilcox
2025-11-26 15:20 ` Lorenzo Stoakes
2025-11-26 15:49 ` Suren Baghdasaryan
2025-11-26 16:00 ` Lorenzo Stoakes
2025-11-26 16:11 ` Suren Baghdasaryan
2025-11-26 16:04 ` Vlastimil Babka
2025-11-26 16:06 ` Matthew Wilcox
2025-11-26 16:18 ` Lorenzo Stoakes
2025-11-26 18:06 ` Suren Baghdasaryan
2025-11-26 18:11 ` Lorenzo Stoakes
2025-11-26 15:53 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0f2c5c40-9c70-4b36-b1fa-f211f8ce9529@suse.cz \
--to=vbabka@suse.cz \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=surenb@google.com \
--cc=syzbot+5b19bad23ac7f44bf8b8@syzkaller.appspotmail.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox