From: Gavin Guo
To: linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org, muchun.song@linux.dev, osalvador@suse.de, akpm@linux-foundation.org, mike.kravetz@oracle.com, kernel-dev@igalia.com, Gavin Guo, stable@vger.kernel.org, Hugh Dickins, Florent Revest, Gavin Shan
Subject: [PATCH v3] mm/hugetlb: fix a deadlock with pagecache_folio and hugetlb_fault_mutex_table
Date: Wed, 28 May 2025 10:33:26 +0800
Message-ID: <20250528023326.3499204-1-gavinguo@igalia.com>
X-Mailer: git-send-email 2.43.0

There is an ABBA deadlocking scenario happening between hugetlb_fault() and hugetlb_wp() on the pagecache folio's lock and the hugetlb global mutex, which is reproducible with syzkaller [1]. As the stack traces below reveal, process-1 tries to take the hugetlb global mutex (A3), but with the pagecache folio's lock held. Process-2 took the hugetlb global mutex but tries to take the pagecache folio's lock.
Process-1                                   Process-2
=========                                   =========
hugetlb_fault
  mutex_lock                   (A1)
  filemap_lock_hugetlb_folio   (B1)
  hugetlb_wp
    alloc_hugetlb_folio        #error
    mutex_unlock               (A2)
                                            hugetlb_fault
                                              mutex_lock                   (A4)
                                              filemap_lock_hugetlb_folio   (B4)
    unmap_ref_private
      mutex_lock               (A3)

Fix it by releasing the pagecache folio's lock at (A2) of process-1 so that the pagecache folio's lock is available to process-2 at (B4), to avoid the deadlock. In process-1, a new variable is added to track if the pagecache folio's lock has been released by its child function hugetlb_wp() to avoid double releases on the lock in hugetlb_fault(). Similar changes are applied to hugetlb_no_page().

Link: https://drive.google.com/file/d/1DVRnIW-vSayU5J1re9Ct_br3jJQU6Vpb/view?usp=drive_link [1]
Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization")
Cc:
Cc: Hugh Dickins
Cc: Florent Revest
Reviewed-by: Gavin Shan
Signed-off-by: Gavin Guo
---
V1 -> V2 Suggested-by Oscar Salvador:
- Use folio_test_locked to replace the unnecessary parameter passing.
V2 -> V3
- Dropped the approach suggested by Oscar.
- Refine the code and git commit suggested by Gavin Shan.

 mm/hugetlb.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 6a3cf7935c14..560b9b35262a 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6137,7 +6137,8 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, * Keep the pte_same checks anyway to make transition from the mutex easier. */ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio, - struct vm_fault *vmf) + struct vm_fault *vmf, + bool *pagecache_folio_locked) { struct vm_area_struct *vma = vmf->vma; struct mm_struct *mm = vma->vm_mm;
@@ -6234,6 +6235,18 @@ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio, u32 hash; folio_put(old_folio); + /* + * The pagecache_folio has to be unlocked to avoid + * deadlock and we won't re-lock it in hugetlb_wp(). The + * pagecache_folio could be truncated after being + * unlocked. So its state should not be reliable + * subsequently. + */ + if (pagecache_folio) { + folio_unlock(pagecache_folio); + if (pagecache_folio_locked) + *pagecache_folio_locked = false; + } /* * Drop hugetlb_fault_mutex and vma_lock before * unmapping. unmapping needs to hold vma_lock @@ -6588,7 +6601,7 @@ static vm_fault_t hugetlb_no_page(struct address_space *mapping, hugetlb_count_add(pages_per_huge_page(h), mm); if ((vmf->flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ - ret = hugetlb_wp(folio, vmf); + ret = hugetlb_wp(folio, vmf, NULL); } spin_unlock(vmf->ptl); @@ -6660,6 +6673,7 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, struct hstate *h = hstate_vma(vma); struct address_space *mapping; int need_wait_lock = 0; + bool pagecache_folio_locked = true; struct vm_fault vmf = { .vma = vma, .address = address & huge_page_mask(h), @@ -6814,7 +6828,8 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (flags & (FAULT_FLAG_WRITE|FAULT_FLAG_UNSHARE)) { if (!huge_pte_write(vmf.orig_pte)) { - ret = hugetlb_wp(pagecache_folio, &vmf); + ret = hugetlb_wp(pagecache_folio, &vmf, + &pagecache_folio_locked); goto out_put_page; } else if (likely(flags & FAULT_FLAG_WRITE)) { vmf.orig_pte = huge_pte_mkdirty(vmf.orig_pte); @@ -6832,7 +6847,9 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, spin_unlock(vmf.ptl); if (pagecache_folio) { - folio_unlock(pagecache_folio); + if (pagecache_folio_locked) + folio_unlock(pagecache_folio); + folio_put(pagecache_folio); } out_mutex: base-commit: 914873bc7df913db988284876c16257e6ab772c6 -- 2.43.0
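Review bot: the new `bool *pagecache_folio_locked` out-parameter added to the hugetlb_wp() signature in the hunk at 6137 has an undocumented contract: a caller that holds pagecache_folio's lock passes a pointer initialised to true, a caller that does not want to be told passes NULL, and hugetlb_wp() only ever clears it. The comment above the function ("Keep the pte_same checks anyway to make transition from the mutex easier.") says nothing about this; add a sentence there stating that hugetlb_wp() may drop the pagecache folio lock on the unmap_ref_private() path and reports that through *pagecache_folio_locked, so future callers do not assume the folio is still locked on return.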
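Review bot: in the block added after folio_put(old_folio) in the hunk at 6235, folio_unlock(pagecache_folio) runs whenever pagecache_folio is non-NULL, but the caller learns about it only when pagecache_folio_locked is non-NULL. The hugetlb_no_page() call in the hunk at 6601 passes a non-NULL folio together with NULL for the flag, so if that caller can ever reach this branch it has no way to know the lock was dropped, and the commit message's "similar changes are applied to hugetlb_no_page()" is not visible in the diff beyond the extra NULL argument. Either add a comment at the 6601 call site explaining why that path cannot reach the unlock (so the NULL is safe), or make the unlock conditional on pagecache_folio_locked being non-NULL, e.g. `if (pagecache_folio && pagecache_folio_locked)`, so the flag and the actual lock state cannot diverge.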
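Review bot: `bool pagecache_folio_locked = true;` in the hunk at 6673 is initialised before pagecache_folio is looked up, so in the pagecache_folio == NULL case the flag asserts a lock that was never taken; the out_put_page hunk at 6847 only stays correct because `folio_unlock` remains nested inside `if (pagecache_folio)`. Consider setting the flag at the point where the folio is actually locked, or naming it for what it really tracks (that hugetlb_wp() has not dropped the lock), and add a one-line comment at the new `if (pagecache_folio_locked)` check referencing the warning in hugetlb_wp() that the folio's state is unreliable once unlocked, since this check is the only consumer of the flag and the `folio_put` that follows must still run either way.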