From: Lokesh Gidra
Date: Tue, 19 Mar 2024 16:47:47 -0700
Subject: Re: [syzbot] [mm?] possible deadlock in move_pages
To: David Hildenbrand
Cc: syzbot, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Suren Baghdasaryan, akpm@linux-foundation.org

On Tue, Mar 19, 2024 at 10:24 AM Lokesh Gidra wrote:
>
> On Tue, Mar 19, 2024 at 6:37 AM David Hildenbrand wrote:
> >
> > On 19.03.24 10:52, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
> > >
> > > Downloadable assets:
> > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+49056626fe41e01f2ba7@syzkaller.appspotmail.com
> > >
> > > ============================================
> > > WARNING: possible recursive locking detected
> > > 6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
> > > --------------------------------------------
> > > syz-executor258/5169 is trying to acquire lock:
> > > ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
> > > ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> > >
> > > but task is already holding lock:
> > > ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> > > ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> > >
> > > other info that might help us debug this:
> > >  Possible unsafe locking scenario:
> > >
> > >        CPU0
> > >        ----
> > >   lock(&vma->vm_lock->lock);
> > >   lock(&vma->vm_lock->lock);
> > >
> > >  *** DEADLOCK ***
> > >
> > >  May be due to missing lock nesting notation
> > >
> > > 2 locks held by syz-executor258/5169:
> > >  #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
> > >  #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
> > >  #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
> > >  #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> > >  #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> > >
> > > stack backtrace:
> > > CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
> > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > > Call Trace:
> > >
> > >  __dump_stack lib/dump_stack.c:88 [inline]
> > >  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
> > >  check_deadlock kernel/locking/lockdep.c:3062 [inline]
> > >  validate_chain kernel/locking/lockdep.c:3856 [inline]
> > >  __lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
> > >  lock_acquire kernel/locking/lockdep.c:5754 [inline]
> > >  lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
> > >  down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
> > >  uffd_move_lock mm/userfaultfd.c:1447 [inline]
> > >  move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> > >  userfaultfd_move fs/userfaultfd.c:2008 [inline]
> > >  userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
> > >  vfs_ioctl fs/ioctl.c:51 [inline]
> > >  __do_sys_ioctl fs/ioctl.c:904 [inline]
> > >  __se_sys_ioctl fs/ioctl.c:890 [inline]
> > >  __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
> > >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > >  do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
> > >  entry_SYSCALL_64_after_hwframe+0x6d/0x75
> > > RIP: 0033:0x7fd48da20329
> > > Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> > > RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> > > RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
> > > RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
> > > RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
> > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> > > R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
> > >
> > >
> > > ---
> > > This report is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this issue. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > >
> > > If the report is already addressed, let syzbot know by replying with:
> > > #syz fix: exact-commit-title
> > >
> > > If you want syzbot to run the reproducer, reply with:
> > > #syz test: git://repo/address.git branch-or-commit-hash
> > > If you attach or paste a git patch, syzbot will apply it before testing.
> > >
> > > If you want to overwrite report's subsystems, reply with:
> > > #syz set subsystems: new-subsystem
> > > (See the list of subsystem names on the web dashboard)
> > >
> > > If the report is a duplicate of another one, reply with:
> > > #syz dup: exact-subject-of-another-report
> > >
> > > If you want to undo deduplication, reply with:
> > > #syz undup
> > >
> >
> > Possibly
> >
> > commit 867a43a34ff8a38772212045262b2c9b77807ea3
> > Author: Lokesh Gidra
> > Date:   Thu Feb 15 10:27:56 2024 -0800
> >
> >      userfaultfd: use per-vma locks in userfaultfd operations
> >
> >      All userfaultfd operations, except write-protect, opportunistically use
> >      per-vma locks to lock vmas.  On failure, attempt again inside mmap_lock
> >      critical section.
> >
> >      Write-protect operation requires mmap_lock as it iterates over multiple
> >      vmas.
> >
> > and
> >
> > commit 5e4c24a57b0c126686534b5b159a406c5dd02400
> > Author: Lokesh Gidra
> > Date:   Thu Feb 15 10:27:54 2024 -0800
> >
> >      userfaultfd: protect mmap_changing with rw_sem in userfaulfd_ctx
> >
> >      Increments and loads to mmap_changing are always in mmap_lock critical
> >      section.  This ensures that if userspace requests event notification for
> >      non-cooperative operations (e.g.  mremap), userfaultfd operations don't
> >      occur concurrently.
> >
> >      This can be achieved by using a separate read-write semaphore in
> >      userfaultfd_ctx such that increments are done in write-mode and loads in
> >      read-mode, thereby eliminating the dependency on mmap_lock for this
> >      purpose.
> >
> >      This is a preparatory step before we replace mmap_lock usage with per-vma
> >      locks in fill/move ioctls.
> >
> > might be responsible.
> >

I tried reproducing the issue with the provided reproducer locally and
with a few additional checks:

        down_read(&(*dst_vmap)->vm_lock->lock);
        if (*dst_vmap != *src_vmap) {
                BUG_ON((*src_vmap)->vm_lock == (*dst_vmap)->vm_lock);
                BUG_ON(&(*src_vmap)->vm_lock->lock == &(*dst_vmap)->vm_lock->lock);
                BUG_ON(rwsem_is_locked(&(*src_vmap)->vm_lock->lock));
                down_read(&(*src_vmap)->vm_lock->lock);
        }

None of the BUG_ONs are causing panic but the following down_read() is
reporting the deadlock as above. Even if I change the if condition to

        if (&(*dst_vmap)->vm_lock->lock != &(*src_vmap)->vm_lock->lock)

I still get the deadlock trace. Possibly a bug in lockdep?

> > CCing Lokesh
>
> Thanks for looping me in. Taking a look.
> >
> > --
> > Cheers,
> >
> > David / dhildenb
> >
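
The report's hint "May be due to missing lock nesting notation" refers to
lockdep validating lock classes rather than individual lock instances. The
block below is an added illustration, not code from this thread or from the
kernel: a simplified userspace model (all names hypothetical) in which two
distinct locks of one class are flagged unless the second acquisition uses a
different subclass.

```c
/* Added illustration of a class-keyed recursion check; all names hypothetical. */
#include <stddef.h>
#include <stdio.h>
#define MAX_HELD 8
struct held_lock {
    const void *instance;   /* address of the lock object itself */
    const void *class_key;  /* shared by all locks set up at one init site */
    unsigned int subclass;  /* 0 by default; 1 models one level of nesting */
};

struct task_model {
    struct held_lock held[MAX_HELD];
    size_t depth;
};

/* Returns 1 if the acquisition would be reported as possible recursive
 * locking, 0 if it is accepted and recorded, -1 if the stack is full. */
int model_acquire(struct task_model *t, const void *instance,
                  const void *class_key, unsigned int subclass)
{
    for (size_t i = 0; i < t->depth; i++) {
        /* Only class and subclass are compared; the instance is ignored. */
        if (t->held[i].class_key == class_key && t->held[i].subclass == subclass)
            return 1;
    }
    if (t->depth == MAX_HELD)
        return -1;
    t->held[t->depth++] = (struct held_lock){ instance, class_key, subclass };
    return 0;
}

/* Constructed scenario: two distinct locks of one class, like the dst and
 * src VMA locks in the report; the second is taken with nest_subclass. */
int second_lock_flagged(unsigned int nest_subclass)
{
    static const char vm_lock_class = 0;  /* stands in for the class key */
    int dst_lock = 0, src_lock = 0;       /* two different instances */
    struct task_model t = { .depth = 0 };

    model_acquire(&t, &dst_lock, &vm_lock_class, 0);
    return model_acquire(&t, &src_lock, &vm_lock_class, nest_subclass);
}

int main(void)
{
    printf("flagged: same subclass=%d, nested subclass=%d\n",
           second_lock_flagged(0), second_lock_flagged(1));
    return 0;
}
```

In the kernel, the nesting annotation for an rwsem read acquisition is
down_read_nested(), with SINGLE_DEPTH_NESTING as the subclass.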